Silo - 10.10.10.82

Target Enumeration:

OS: Windows

IP: 10.10.10.82

User: 92ede778a1cc8d27cb6623055c331617

Root: cd39ea0af657a495e33bc59c7836faf6

Replicating the exploit:

Nmap

Oracle is running so enumerate the users

Download odat to exploit the database

git clone https://github.com/quentinhardy/odat.git

Database is using the default credentials scott\tiger

Set up a meterpreter listener on port 443 (https)

Generate a reverse meterpreter https shell, install ruby dependencies (annoying) and upload your shell.

Now you have a shell, no local privescs work.

Looking in the users desk op directory we found:

Had some weird encoding issues so could not open the link, later found out it was a ‘£’

Testing out the service I saw it was running with system privileges

Elevate to system user with odat and upload a shell to the admins desktop and execute it.

Now you have a system shell.