Silo – Hackthebox (I gave up/wip)

START

I decided to use Sn1per on this box to see what that tool was like. https://github.com/1N3/Sn1per

====================================================================================                                                                                                                         
 RUNNING TCP PORT SCAN                                                                                                                                                                                       
====================================================================================                                                                                                                         
Starting Nmap 7.70SVN ( https://nmap.org ) at 2018-05-31 15:33 BST                                                                                                                                           
Nmap scan report for 10.10.10.82                                                                                                                                                                             
Host is up (0.035s latency).                                                                                                                                                                                 
Not shown: 467 closed ports, 1 filtered port                                                                                                                                                                 
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit                                                                                                                                  
PORT      STATE SERVICE                                                                                                                                                                                      
80/tcp    open  http                                                                                                                                                                                         
135/tcp   open  msrpc                                                                                                                                                                                        
139/tcp   open  netbios-ssn                                                                                                                                                                                  
445/tcp   open  microsoft-ds                                                                                                                                                                                 
1521/tcp  open  oracle                                                                                                                                                                                       
5985/tcp  open  wsman                                                                                                                                                                                        
47001/tcp open  winrm                                                                                                                                                                                        
49152/tcp open  unknown                                                                                                                                                                                      
                                                                                                                                                                                                             
Nmap done: 1 IP address (1 host up) scanned in 3.48 seconds                                                                                                                                                  
====================================================================================                                                                                                                         
 RUNNING UDP PORT SCAN                                                                                                                                                                                       
====================================================================================                                                                                                                         
Starting Nmap 7.70SVN ( https://nmap.org ) at 2018-05-31 15:33 BST                                                                                                                                           
Nmap scan report for 10.10.10.82                                                                                                                                                                             
Host is up (0.035s latency).                                                                                                                                                                                 
Not shown: 6 closed ports                                                                                                                                                                                    
PORT     STATE         SERVICE                                                                                                                                                                               
53/udp   open|filtered domain                                                                                                                                                                                
67/udp   open|filtered dhcps                                                                                                                                                                                 
68/udp   open|filtered dhcpc                                                                                                                                                                                 
88/udp   open|filtered kerberos-sec                                                                                                                                                                          
123/udp  open|filtered ntp                                                                                                                                                                                   
137/udp  open|filtered netbios-ns                                                                                                                                                                            
138/udp  open|filtered netbios-dgm                                                                                                                                                                           
2049/udp open|filtered nfs                                                                                                                                                                                   
                                                                                                                                                                                                             
Nmap done: 1 IP address (1 host up) scanned in 6.56 seconds                                                                                                                                                  

It presents the info quite clearly. It does state version info later on, but I just didn’t want to hit you with a wall of output. The webserver didn’t give anything away even after using dirbuster. Let’s see what I can find out about the Oracle service. To look for Oracle nmap scripts I used the following:

[root:~/Desktop/silo]# locate .nse | grep oracle                                                                                                                                                  (master) 
/usr/share/nmap/scripts/oracle-brute-stealth.nse
/usr/share/nmap/scripts/oracle-brute.nse
/usr/share/nmap/scripts/oracle-enum-users.nse
/usr/share/nmap/scripts/oracle-sid-brute.nse
/usr/share/nmap/scripts/oracle-tns-version.nse
[root:~/Desktop/silo]

I tried to run oracle-tns-version.nse but it didn’t work for some reason – it just gave me a default nmap scan. Instead I ran the following:

[root:~/Desktop/silo]# nmap -p 1521 -A 10.10.10.82                                                                                                                                                (master)
Starting Nmap 7.70SVN ( https://nmap.org ) at 2018-06-01 14:38 BST
Nmap scan report for 10.10.10.82
Host is up, received reset ttl 127 (0.031s latency).

PORT     STATE SERVICE    REASON          VERSION
1521/tcp open  oracle-tns syn-ack ttl 127 Oracle TNS listener 11.2.0.2.0 (unauthorized)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows Server 2012 (96%), Microsoft Windows Server 2012 R2 (96%), Microsoft Windows Server 2012 R2 Update 1 (96%), Microsoft Windows 7, Windows Server 2012, or Windows 8.1
 Update 1 (96%), Microsoft Windows Server 2012 or Server 2012 R2 (95%), Microsoft Windows Vista SP1 (95%), Microsoft Windows Server 2008 SP2 Datacenter Version (94%), Microsoft Windows Server 2008 R2 (93%)
, Microsoft Windows Home Server 2011 (Windows Server 2008 R2) (93%), Microsoft Windows Server 2008 SP1 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops

I’ve highlighted the version number in green. OK good, now let’s see what else I can find out from the nmap scripts.

[root:~/Desktop/silo]#  nmap --script=oracle-sid-brute -p 1521 10.10.10.82                                                                                                                        (master)

Starting Nmap 7.70SVN ( https://nmap.org ) at 2018-06-01 14:39 BST
Nmap scan report for 10.10.10.82
Host is up, received reset ttl 127 (0.031s latency).

PORT     STATE SERVICE REASON
1521/tcp open  oracle  syn-ack ttl 127
| oracle-sid-brute:
|_  XE

Nmap done: 1 IP address (1 host up) scanned in 46.78 seconds

So we have an SID (whatever that is).

[root:~/Desktop/silo]# nmap --script=oracle-enum-users -p 1521 10.10.10.82 -vvv                                                                                                                   (master) 
Starting Nmap 7.70SVN ( https://nmap.org ) at 2018-06-01 14:49 BST
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 14:49
Completed NSE at 14:49, 0.00s elapsed
Initiating Ping Scan at 14:49
Scanning 10.10.10.82 [4 ports]
Completed Ping Scan at 14:49, 0.23s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 14:49
Completed Parallel DNS resolution of 1 host. at 14:49, 0.00s elapsed
DNS resolution of 1 IPs took 0.00s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 14:49
Scanning 10.10.10.82 [1 port]
Discovered open port 1521/tcp on 10.10.10.82
Completed SYN Stealth Scan at 14:49, 0.34s elapsed (1 total ports)
NSE: Script scanning 10.10.10.82.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 14:49
Completed NSE at 14:49, 0.00s elapsed
Nmap scan report for 10.10.10.82
Host is up, received echo-reply ttl 127 (0.030s latency).
Scanned at 2018-06-01 14:49:41 BST for 1s

PORT     STATE SERVICE REASON
1521/tcp open  oracle  syn-ack ttl 127

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 14:49
Completed NSE at 14:49, 0.00s elapsed
Read data files from: /usr/local/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.97 seconds
           Raw packets sent: 6 (240B) | Rcvd: 2 (72B)
[root:~/Desktop/silo]#

It looks as if the script ran – but I’m not 100% sure, as it hasn’t given me an indication of users.

I was getting a bit frustrated here so I fired up Metasploit, looked for modules and ran a few. I found this:

msf auxiliary(scanner/oracle/tnspoison_checker) > run

[+] [2018.06.01-14:58:47] 10.10.10.82:1521 - 10.10.10.82:1521 is vulnerable
[*] [2018.06.01-14:58:47] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(scanner/oracle/tnspoison_checker) > 
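From the defending side, a "vulnerable" result from this checker concerns a listener that accepts instance registration from remote hosts. The following is an added example, not part of the original post or of any tool mentioned in it: a small audit of a listener.ora file for the settings that restrict registration. Both sample files are constructed, and the check assumes valid node checking for registration is off when the parameter is absent.

```python
import re

# Constructed sample: one TCP listener, no registration restrictions.
DEFAULT_ORA = """
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = 0.0.0.0)(PORT = 1521))
      (ADDRESS = (PROTOCOL = IPC)(KEY = REGISTER))))
"""
# Constructed sample: same listener, registration accepted over IPC only.
HARDENED_ORA = DEFAULT_ORA + """
# Class of Secure Transport (COST) restriction
SECURE_REGISTER_LISTENER = (IPC)
"""

def top_level_params(text):
    """Parse listener.ora into {NAME: value}; values may span several lines."""
    params, name, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        m = re.match(r"([A-Za-z_]\w*)\s*=\s*(.*)$", line) if depth == 0 else None
        if m:                                         # new top-level parameter
            name, line = m.group(1).upper(), m.group(2)
            params[name] = ""
        if name is None:
            continue
        params[name] += line.replace(" ", "").upper()
        depth += line.count("(") - line.count(")")   # track nesting
    return params

def unrestricted_listeners(text):
    """Names of TCP listeners with no control on who may register instances."""
    p = top_level_params(text)
    exposed = []
    for name, value in p.items():
        if "(PROTOCOL=TCP)" not in value:
            continue                                  # not a TCP listener entry
        cost = re.findall(r"\w+", p.get("SECURE_REGISTER_" + name, ""))
        cost_ok = bool(cost) and "TCP" not in cost    # e.g. (IPC) or (TCPS)
        dyn_off = p.get("DYNAMIC_REGISTRATION_" + name) == "OFF"
        # Assumption: absent means off; only releases that support it honour this.
        vnc = p.get("VALID_NODE_CHECKING_REGISTRATION_" + name, "OFF")
        if not (cost_ok or dyn_off or vnc not in ("OFF", "0")):
            exposed.append(name)
    return exposed

if __name__ == "__main__":
    print("default :", unrestricted_listeners(DEFAULT_ORA))
    print("hardened:", unrestricted_listeners(HARDENED_ORA))
```

With the IPC-only restriction in place, the database instance also has to register through that IPC address (its LOCAL_LISTENER setting), otherwise it will not appear in the listener at all.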

I have to admit I had to check the hackthebox forums for hints at this point. Some people were saying to install odat https://github.com/quentinhardy/odat and it was not easy to install. I gave up. ODAT (Oracle Database Attacking Tool) is an open source penetration testing tool that tests the security of Oracle Databases remotely. Why is this not installed in Kali by default!? I can’t be bothered registering with Oracle to download the tool then run complicated configuration commands. FU Silo, Oracle and Kali. Only joking Kali, I can’t stay mad at you.

rowbot
