Silo
OS: Windows, Difficulty: Medium, IP: 10.10.10.82
Initial Enumeration
# Nmap 7.70 scan initiated Sun Jul 21 16:43:41 2019 as: nmap -sV -sC -O -A -p 80,135,139,445,1521,5985,47001 -oN O-detailed 10.10.10.82
Nmap scan report for 10.10.10.82
Host is up (0.28s latency).
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 8.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/8.5
|_http-title: IIS Windows Server
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1521/tcp open oracle-tns Oracle TNS listener 11.2.0.2.0 (unauthorized)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows Server 2012 (96%), Microsoft Windows Server 2012 R2 (94%), Microsoft Windows Server 2008 SP2 (93%), Microsoft Windows 7, Windows Server 2012, or Windows 8.1 Update 1 (93%), Microsoft Windows Server 2008 SP1 (93%), Microsoft Windows Vista SP1 (93%), Microsoft Windows 7 Professional SP1 (93%), Microsoft Windows 7 (92%), Microsoft Windows Server 2012 or Server 2012 R2 (92%), Microsoft Windows Server 2012 R2 Update 1 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: -6m45s, deviation: 0s, median: -6m45s
| smb-security-mode:
| authentication_level: user
| challenge_response: supported
|_ message_signing: supported
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2019-07-21 16:37:20
|_ start_date: 2019-07-21 16:20:43
TRACEROUTE (using port 443/tcp)
HOP RTT ADDRESS
1 231.02 ms 10.10.14.1
2 265.03 ms 10.10.10.82
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Jul 21 16:44:11 2019 -- 1 IP address (1 host up) scanned in 30.90 secondsSo there are 3 web-servers, 3 SMB ports, and 1 Oracle Port. ran gobuster on all the web-servers but found nothing, dropped that vector. SMB ports, guest account was disabled and had no other credentials so dropped that too. Only port left was the Oracle Port. I found CVE-2012-1675, and it's exploit but I was not able to exploit it, either the server was not vulnerable or I had something mis-configured, so path beyond this was manual. However I found a Oracle Pentesting Kit on Github which was useful throughout the complete operation.
Find all the valid databases (SID) on this database.
Found XE and few other to be valid SID, however, I chose to focus on XE.
Check if any default credentials are working on this database on the server.
NOTE: I checked both, UPPERCASE and LOWERCASE variations as 11G stores case sensitive passwords by default. Found scott:tiger to be a set of valid credentials.
Next task was to check if this account is SYSDBA or SYSOPER on this database on the server. I used docker to run sqlplus and check this.
It turns out that the user we had was a SYSDBA. One of the module of ODAT let's us put file on the server in a directory of our choosing, as we have web-servers running, we can be sure that there is a directory C:\Inetpub\wwwroot in the system, hence I chose to upload my ASPX MSFVENOM shell there and get a reverse shell.
User Own
Root Own
Learning Outcome
Setting up MSF for Oracle Pentest sucks, ODAT was a real life saver. Oracle pen-test is real fun.
Last updated
Was this helpful?