# Silo

## Silo - 10.10.10.82

### Target Enumeration:

OS: Windows

IP: 10.10.10.82

User: 92ede778a1cc8d27cb6623055c331617

Root: cd39ea0af657a495e33bc59c7836faf6

### Replicating the exploit:

Nmap

![](https://lh4.googleusercontent.com/LPdmS-HlqFWe46OitZhdDh7YOAEtMxpS_16bMKCqCDGHfncmxNdOshFHRFNMOiogX00caig-6kS7h3KIVKSS0g8w5WByfm-rnkuSdp1v1sY6_aMYA5l4OE4UOIAAZM2fp294QiAw)

Oracle is running, so enumerate the users.

![](https://lh3.googleusercontent.com/0ozzoTluyey6mxSsRPt5VA7NVgSFjSdQi1actKa85IWcYTuMQqjq9MZV7Hwg8L3lH5fsZjVCOyrdSvuveoC9-gzbyWVAz9Ok5prPk7iIsEzf9RMC_DSpSRdckCweE0TQ9WFq3yP2)

Download odat to exploit the database

`git clone https://github.com/quentinhardy/odat.git`

The database is using the default credentials scott\tiger.

Set up a meterpreter listener on port 443 (HTTPS).

Generate a reverse meterpreter HTTPS shell, install the Ruby dependencies (annoying) and upload your shell.

![](https://lh6.googleusercontent.com/YXNleHBTpxuQYSx3gRH1M2QsMhAYYFw7vIwyMuRRVfqiZISKYOMA35M-HdaaTqPrb-MyGsux_PZSTpsYQYC-Dhhi8WllkAE8P6iGASzH4v-U0U2iHFCt8Cao9uXk9FwZaJ4yrhZf)

Now you have a shell, but no local privilege escalation exploits work.

![](https://lh5.googleusercontent.com/N5SB85BZqAYvnxll03hQwXH6OZidbYWXDMBmTFw3lvdtNabhKEnFjGjciL-TWwsKXY9kSyhQEZ5TBQkeyrMgjav58DmzhonuJsCOY6MWudBbdRa4psAqQSf3Wm8kNkDd4clo4q4p)

Looking in the user's desktop directory, we found:

![](https://lh5.googleusercontent.com/CzTahWBUQH23tdgx0gonuCKDEL6dGkJIfQ3CrjbI8DRr7Q5sMtp1hU4XbsuOf9lKvc9Z1kwm0iQWPHfpnMhBLF5spc3P0z6QtdPsHdqUEoeJU1wU2yqj9-_bVKV3gY_aUHF8ZofX)

Had some weird encoding issues, so could not open the link; later found out it was a ‘£’.

Testing out the service, I saw it was running with system privileges.

![](https://lh5.googleusercontent.com/Nprji-FYKaxDlZZ-wEdFaETjWuuVHw7IhOWIlbVdGkPRigdUp13DBH9stIEgYVTDl26R5xQQuy1QgS_5OaP7FTZj4suVL2RWtmvcsFm5TtpKRlAc6BHMZwfzluA005uB5Lr1_dvG)

Elevate to the SYSTEM user with odat, upload a shell to the admin's desktop, and execute it.

![](https://lh6.googleusercontent.com/uhVgmKNkeXVgVBjfg8QfAQfPfWKV-ZHtDqlMgWE6T6gN6hE9z73QlFFHynqZ4FnrpMa1h-VnG5PK09esVJXeV2yV-1u-lvvoqsK1Phy_O2U3GtHX0HyrVtfURHTzN6Wtu2_exAKa)

Now you have a system shell.

![](https://lh4.googleusercontent.com/3JrxS24StQQC5ULPXYVDVYNQS7NRHmn46xTzhPQTwgREbuseseAd-4S8-63TyjuiFESr_4Bsf0ofJuNuJovMssIHD_UPUkjGfebc-iUQMTquppMAcGXVFKgmYvaAbC9YJlIsLzAq)
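The foothold above depended on the SCOTT account still having its default password. The following audit is an added example, not part of the original write-up: run as a DBA, it lists open accounts that still use a default password, shows what they are allowed to do, and locks the account. It assumes Oracle 11g or later, where the `DBA_USERS_WITH_DEFPWD` view exists.

```sql
-- Added example (not from the original write-up). Run as a DBA.
-- Assumption: Oracle 11g or later, where DBA_USERS_WITH_DEFPWD is available.

-- 1. Accounts that still have a default password AND can log in.
SELECT d.username, u.account_status, u.profile
FROM   dba_users_with_defpwd d
JOIN   dba_users u ON u.username = d.username
WHERE  u.account_status = 'OPEN'
ORDER  BY d.username;

-- 2. System privileges held directly by those accounts.
SELECT p.grantee, p.privilege, p.admin_option
FROM   dba_sys_privs p
WHERE  p.grantee IN (SELECT d.username
                     FROM   dba_users_with_defpwd d
                     JOIN   dba_users u ON u.username = d.username
                     WHERE  u.account_status = 'OPEN')
ORDER  BY p.grantee, p.privilege;

-- 3. Roles granted to those accounts (privileges inherited through roles).
SELECT r.grantee, r.granted_role, r.admin_option
FROM   dba_role_privs r
WHERE  r.grantee IN (SELECT d.username
                     FROM   dba_users_with_defpwd d
                     JOIN   dba_users u ON u.username = d.username
                     WHERE  u.account_status = 'OPEN')
ORDER  BY r.grantee, r.granted_role;

-- 4. Accounts in the password file that may connect AS SYSDBA / AS SYSOPER.
--    Any default-password account appearing here is the highest priority.
SELECT username, sysdba, sysoper
FROM   v$pwfile_users
ORDER  BY username;

-- 5. Remediation for the account seen on this host: expire the password
--    and lock the account if the sample schema is not needed.
ALTER USER scott PASSWORD EXPIRE ACCOUNT LOCK;
```

An empty result from query 1 means no open account is using a known default password.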
