Links

Silo

Silo - 10.10.10.82

Target Enumeration:

OS: Windows
IP: 10.10.10.82
User: 92ede778a1cc8d27cb6623055c331617
Root: cd39ea0af657a495e33bc59c7836faf6

Replicating the exploit:

Nmap
Oracle is running so enumerate the users
Download odat to exploit the database
Database is using the default credentials scott\tiger
Set up a meterpreter listener on port 443 (https)
Generate a reverse meterpreter https shell, install ruby dependencies (annoying) and upload your shell.
Now you have a shell, no local privescs work.
Looking in the users desk op directory we found:
Had some weird encoding issues so could not open the link, later found out it was a ‘£’
Testing out the service I saw it was running with system privileges
Elevate to system user with odat and upload a shell to the admins desktop and execute it.
Now you have a system shell.