Introduction
The following writeup shows the process I used to capture the user and root flags on the SILO machine at 10.10.10.82.
This document contains the field notes I took while working through the box.
My way of thinking
The first step is the reconnaissance phase: port scanning, banner grabbing, looking for misconfigurations and so on. The second is finding the weakness, then comes the attack itself, and finally privilege escalation, called the “post-exploitation phase”.
Personal note: this box can be stressful because you may need to install the Oracle client on the attacker machine. I avoided the install by using a standalone version of the tool.
Port scanning
During this step we identify the target and see what is behind the IP address.
The results are shown below:
Explanations
- The remote system is Windows Server 2008 R2
- A web server running Microsoft IIS version 8.5
At first sight there is one rabbit hole: for example, RPC could lead us to a DoS exploit. Let’s continue.
With this element in hand, we are going to check this service. To do that, we open our browser.
Step 1 The Web server:
The result of our browsing is a default IIS web page.
Then let’s check the source code to see if it leaks anything interesting.
There is nothing interesting in the source code, so let’s continue.
Identification
Let’s take a look at the headers of the web server.
So, we have a web server running IIS and web pages with the ASP extension.
Below please find the summary of the website of the challenge.
To keep in mind
So, to have a nice summary, we can say that our box is a Windows machine, specifically Windows Server 2008 R2, with a web server “IIS 8.5”.
Enumeration
At this point in the challenge, we know more about the machine. So, we enumerated the directories of the website by brute forcing the URL.
We used dirb with the default wordlist for this step.
Directories enumeration
At the end of this step, we have a good idea of the structure of the website. We only found one directory.
It’s /aspnet_client.
Let’s check in our browser what’s under the skin…
OK, that means we don’t have permission to browse it: it’s a 403 error code.
I imported my results into Metasploit. It’s not only for gaining access to a system or a network, but also useful for managing results, parsing and so on.
The second reason is that I did some tasks with it for the rest of the challenge.
So, let’s import our XML file into Metasploit.
First, we need to start the database in order to use Metasploit without errors.
After that, we can list all the services of the box with maximum detail.
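The XML imported into Metasploit above is nmap’s -oX report. As an added example (my own, not from the original writeup), the following script pulls the same host/port/service facts out of that format and flags database listeners, which is what makes port 1521 stand out in the service listing. The XML below is a constructed sample shaped like nmap’s schema, not the real scan of 10.10.10.82, and the DATABASE_SERVICES set is my own choice of service names worth a closer look.

```python
"""Summarise open services from an nmap XML (-oX) report and flag database listeners."""
import xml.etree.ElementTree as ET

# Constructed sample in nmap's XML shape; the IIS 8.5 banner is the one from the box,
# the other attributes are illustrative.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX silo.xml 10.10.10.82">
  <host>
    <status state="up"/>
    <address addr="10.10.10.82" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80">
        <state state="open"/>
        <service name="http" product="Microsoft IIS httpd" version="8.5"/>
      </port>
      <port protocol="tcp" portid="135">
        <state state="open"/>
        <service name="msrpc" product="Microsoft Windows RPC"/>
      </port>
      <port protocol="tcp" portid="1521">
        <state state="open"/>
        <service name="oracle-tns" product="Oracle TNS listener"/>
      </port>
      <port protocol="tcp" portid="8080">
        <state state="filtered"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""

# Service names (as nmap reports them) that deserve a closer look during enumeration.
DATABASE_SERVICES = {"oracle-tns", "ms-sql-s", "mysql", "postgresql"}


def _attr(element, key):
    """Attribute lookup that tolerates a missing <service> element."""
    return element.get(key, "") if element is not None else ""


def parse_nmap_xml(xml_text):
    """Return one dict per open port: host, port, proto, service, product, version."""
    root = ET.fromstring(xml_text)
    services = []
    for host in root.findall("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        addr = _attr(addr_el, "addr") or "unknown"
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are not services
            svc = port.find("service")
            services.append({
                "host": addr,
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": _attr(svc, "name"),
                "product": _attr(svc, "product"),
                "version": _attr(svc, "version"),
            })
    return sorted(services, key=lambda s: (s["host"], s["port"]))


def database_listeners(services):
    """Filter parsed services down to database listeners."""
    return [s for s in services if s["service"] in DATABASE_SERVICES]


if __name__ == "__main__":
    found = parse_nmap_xml(SAMPLE_NMAP_XML)
    for s in found:
        print(f"{s['host']}:{s['port']}/{s['proto']} {s['service']} {s['product']} {s['version']}".rstrip())
    for s in database_listeners(found):
        print(f"database listener on port {s['port']}: {s['product']}")
```

On a real engagement you would feed it the same silo.xml you give to db_import; the host/port dicts are what a follow-up script or ticketing workflow needs rather than screenshots.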
We have the name of the box and its purpose, that’s cool. With these elements in hand, we can dig deeper.
Further enumeration
In this section, we are going to talk in depth about the services we found in the previous section.
Let’s have a deeper look at the services on the box.
At first sight, one element stands out of the list: the ORACLE database on port 1521.
We can see that it is the Oracle TNS listener that is concerned.
So, let’s dig into this service.
1.1 Get info on the TNS Listener
1.2 The version
1.3 The SID
The Weakness
In this section, we are going to talk about the breach of the box, the one that lets us intrude into it. With the elements we have, we can reveal it.
The weakness of this box is the ORACLE TNS Listener. It is referenced as CVE-2012-1675.
Let’s confirm it with some little scripts ;). Let’s roll.
1.1 Metasploit
Let’s check with an MSF auxiliary module.
The result is that the TNS Listener is indeed vulnerable. Please focus on the green message:
“10.10.10.82:1521 is vulnerable”
1.2 Nmap’s NSE script
Let’s check with an Nmap NSE script.
The Nmap output shows that the Oracle TNS listener is vulnerable. See this line:
“Oracle-tns-poison: Host is Vulnerable! “
For more details, I suggest you read the article above.
Here is also the official Oracle link for this vulnerability:
https://www.oracle.com/technetwork/topics/security/alert-cve-2012-1675-1608180.html
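CVE-2012-1675 is the listener accepting remote instance registration from any TCP client. Oracle’s listener.ora mitigations are to turn dynamic registration off (DYNAMIC_REGISTRATION_<listener> = OFF), restrict it to local or TLS transports (SECURE_REGISTER_<listener> = (IPC) or (TCPS)), or, on 11.2.0.4 and later, set VALID_NODE_CHECKING_REGISTRATION_<listener> = ON. As an added example from the defender’s side (my own script, not part of the writeup or of ODAT), this audits a listener.ora text for those settings. The three configuration texts are constructed samples; the parsing heuristic (a listener is any column-0 entry whose value is an ADDRESS/DESCRIPTION block) is my own simplification.

```python
"""Audit a listener.ora for the CVE-2012-1675 (TNS Poison) registration restrictions."""
import re

# Constructed sample: default-style listener with no registration restriction.
WEAK_LISTENER_ORA = """
# no COST / VNCR settings at all
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = 0.0.0.0)(PORT = 1521))
    )
  )
"""

# Constructed sample: registration allowed only over IPC, so no remote TCP client can register.
HARDENED_LISTENER_ORA = WEAK_LISTENER_ORA + """
SECURE_REGISTER_LISTENER = (IPC)
"""

# Constructed sample: valid node checking for registration (11.2.0.4+ / 12c).
VNCR_LISTENER_ORA = WEAK_LISTENER_ORA + """
VALID_NODE_CHECKING_REGISTRATION_LISTENER = ON
"""

_TOP_LEVEL = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")


def parse_top_level(text):
    """Map each column-0 'NAME = ...' entry to its value, continuation lines joined.

    listener.ora indents continuation lines, so a line starting at column 0 with
    NAME = begins a new entry and everything up to the next such line belongs to
    it. '#' comment lines are ignored.
    """
    entries, current = {}, None
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = _TOP_LEVEL.match(line)
        if m:
            current = m.group(1).upper()
            entries[current] = m.group(2).strip()
        elif current is not None:
            entries[current] = (entries[current] + " " + line.strip()).strip()
    return entries


def listener_names(entries):
    """Listener entries are the ones whose value is an ADDRESS/DESCRIPTION block."""
    return [n for n, v in entries.items() if v.startswith(("(DESCRIPTION", "(ADDRESS"))]


def audit_listener(entries, name):
    """Findings for one listener; an empty list means registration is restricted."""
    dynamic = entries.get(f"DYNAMIC_REGISTRATION_{name}", "ON").upper()
    if dynamic == "OFF":
        return []  # no dynamic registration at all, nothing to poison
    secure = entries.get(f"SECURE_REGISTER_{name}", "")
    transports = set(re.findall(r"[A-Za-z]+", secure.upper()))
    if transports and transports <= {"IPC", "TCPS"}:
        return []  # registration limited to local IPC and/or authenticated TLS
    vncr = entries.get(f"VALID_NODE_CHECKING_REGISTRATION_{name}", "OFF").upper()
    if vncr in {"ON", "1", "LOCAL", "SUBNET", "2"}:
        return []  # registration limited to local/invited nodes
    return [
        f"{name}: dynamic registration is accepted from any TCP client "
        f"(CVE-2012-1675 exposure); set SECURE_REGISTER_{name} = (IPC) or (TCPS), "
        f"or VALID_NODE_CHECKING_REGISTRATION_{name} = ON"
    ]


def audit_listener_ora(text):
    """Audit every listener defined in the file and return all findings."""
    entries = parse_top_level(text)
    findings = []
    for name in listener_names(entries):
        findings.extend(audit_listener(entries, name))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_LISTENER_ORA), ("hardened", HARDENED_LISTENER_ORA), ("vncr", VNCR_LISTENER_ORA)):
        print(label, audit_listener_ora(cfg) or ["OK"])
```

The check only reads the configuration file; the nmap oracle-tns-poison script and the MSF auxiliary module shown above are the live-side confirmation, and the two should agree once the listener has been reloaded.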
Exploitation: Houston, We Have a Shell
With all the information we’ve got, we can make our intrusion on the remote system.
First, we should mention that we are going to use a tool called ODAT. We have to install it for the rest of the challenge, but I bypassed the install with a standalone version. Very useful to reduce the stress, ahahaha.
Please find here the link to the software:
https://github.com/quentinhardy/odat
And here, the standalone version:
https://github.com/quentinhardy/odat/releases/
You may read the documentation to learn how to use this tool. So, let’s jump into the game.
The steps required were:
- Use the ODAT tool
- Get privileges on the database in order to change the write permissions
- Configure the attack (crafting the payload)
- Set up the handler in MSF
- Get in
Before starting, I searched for the default login and password of the Oracle database. That is very useful.
1. Get privileges on the database
The command below changes the write permissions on the remote database.
The command is:
./odat-libc2.5-x86_64 privesc -s 10.10.10.82 -d XE -U scott -P tiger --sysdba --dba-with-execute-any-procedure
2. Making the backdoor for the web server on Windows
The command below uploads our malicious file. We used MSFVENOM.
The command is:
./odat-libc2.5-x86_64 dbmsxslprocessor -s 10.10.10.82 -U SCOTT -P tiger -d XE --sysdba --putFile 'C:\inetpub\wwwroot\' 'fuck.aspx' '/usr/share/webshells/aspx/cmdasp.aspx'
3. Calling the backdoor on the website
We just call it by browsing to it.
This step allows us to get a reverse shell, and also to craft a PowerShell command in the next step.
4. Putting PowerShell on the web server
We just run the malicious PowerShell command to get the reverse connection back to our handler.
5. The intrusion itself: the handler
The connection comes back to us.
Then we can start a session against the target.
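The chain above ends with a .aspx file written straight into C:\inetpub\wwwroot and then opened from a browser. On the IIS side that leaves requests for a server-side page that was never part of the deployed site. As an added example from the detection side (my own script, not from the writeup), this parses the #Fields directive of an IIS W3C log, compares every requested executable page against a baseline of known pages, and reports the unknown ones with first/last seen, methods, status codes and client addresses. The log lines, the baseline set and the file name cmd.aspx are all constructed.

```python
"""Spot a dropped server-side page in IIS W3C-format logs by comparing against a page baseline."""

# Extensions IIS hands to a script engine rather than serving as static content.
SERVER_PAGE_EXTENSIONS = (".aspx", ".asp", ".ashx", ".asmx")

# Constructed baseline of pages the site is known to deploy; a real one comes from the
# deployment package or a directory listing taken at deploy time.
KNOWN_PAGES = {"/default.aspx", "/health.aspx"}

# Constructed sample log in IIS W3C format (the #Fields line defines the columns).
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 8.5
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2018-06-01 10:00:01 10.10.10.82 GET / - 80 10.10.14.5 200
2018-06-01 10:00:02 10.10.10.82 GET /iisstart.htm - 80 10.10.14.5 200
2018-06-01 10:00:05 10.10.10.82 GET /default.aspx - 80 10.10.14.5 200
2018-06-01 10:00:09 10.10.10.82 GET /aspnet_client/ - 80 10.10.14.5 403
2018-06-01 10:03:10 10.10.10.82 GET /cmd.aspx - 80 10.10.14.5 200
2018-06-01 10:03:20 10.10.10.82 POST /cmd.aspx - 80 10.10.14.5 200
2018-06-01 10:04:00 10.10.10.82 GET /health.aspx - 80 10.10.14.9 200
"""


def parse_w3c_log(text):
    """Yield one dict per log entry, keyed by the names from the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # drop the directive name, keep the column names
            continue
        if not line or line.startswith("#"):
            continue  # other directives and blank lines
        if fields is None:
            raise ValueError("log entry seen before any #Fields directive")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed line: skip rather than mis-assign columns
        yield dict(zip(fields, values))


def unknown_server_pages(log_text, known_pages=KNOWN_PAGES):
    """Group requests for server-side pages that are not in the baseline, per URI."""
    hits = {}
    for entry in parse_w3c_log(log_text):
        stem = entry["cs-uri-stem"].lower()
        if not stem.endswith(SERVER_PAGE_EXTENSIONS) or stem in known_pages:
            continue
        when = f"{entry['date']} {entry['time']}"
        h = hits.setdefault(stem, {"first_seen": when, "last_seen": when, "count": 0,
                                   "methods": set(), "clients": set(), "statuses": set()})
        h["last_seen"] = when
        h["count"] += 1
        h["methods"].add(entry["cs-method"])
        h["clients"].add(entry["c-ip"])
        h["statuses"].add(entry["sc-status"])
    return hits


if __name__ == "__main__":
    for page, h in unknown_server_pages(SAMPLE_IIS_LOG).items():
        print(f"{page}: {h['count']} requests from {sorted(h['clients'])} "
              f"methods={sorted(h['methods'])} status={sorted(h['statuses'])} "
              f"between {h['first_seen']} and {h['last_seen']}")
```

A successful (200) POST to a page that is not in the baseline is the line worth paging on; combined with file-creation auditing on the wwwroot directory it also tells you which process wrote the file, which in this box would be the Oracle service rather than a deployment tool.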
Privilege Escalation
Once in, we had to find the flags. The first one was the user flag, and the second one the root flag of the machine.
- The user flag was easy because we found the user directory and the text file in it.
- The root flag (system admin) was more complex! One hint was given ;)
When we got in, we were at the root of the website. So, the only solution for me was to find the user directory and grab the flag.
Always know where you are and where you want to go!!
Where we are after the intrusion
Let’s jump to the remote system directory.
Let’s drop into the users’ directory.
Then let’s go to the Phineas user directory.
For the last part I had some problems. I did not go straight to the point. I will explain my way to root!!
I tried to search for local exploits but I went wrong. I’ll just show you my screen.
When I wanted to run a local exploit, I had some problems with the rights on the machine. I was blocked. So, I changed my way of thinking and decided to upload a backdoor into the “Administrator” directory to get root.
I uploaded my backdoor with the tool I mentioned at the beginning, then I configured my handler to catch the root flag ;). So, let’s do it.
I named it « Fuck admin », ahahaha, just for fun.
I give you the correct command below:
sudo ./odat-libc2.5-x86_64 utlfile -s 10.10.10.82 -d XE -U scott -P tiger --test-module --putFile /users/Administrator/Desktop/ admin_fuck.exe admin_fuck.exe
Then, we execute the file on the remote machine.
I give you the correct command below:
sudo ./odat-libc2.5-x86_64 externaltable -s 10.10.10.82 -d XE -U scott -P tiger --exec /Users/administrator/Desktop/ admin_fuck.exe
1. Handler connection
After the previous step, we catch the connection in our handler.
2. The reverse connection
We are inside again! So now let’s catch the root flag.
Our payload runs with administrator rights, so we hook it.
So good, isn’t it? So, let’s go to the desktop and catch the root flag!!
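The whole escalation above never leaves the database: a default account (scott/tiger), the ODAT privesc step, then the DBMS_XSLPROCESSOR, UTL_FILE and external-table modules, which write and run files with the privileges of the Oracle service process. As an added example from the defender’s side (my own script, not from the writeup or from ODAT), this audits the three things that make that chain possible: non-administrative accounts holding ANY-style system privileges, file-handling packages executable by PUBLIC, and default accounts still open. The rows are constructed samples shaped like DBA_SYS_PRIVS, DBA_TAB_PRIVS and DBA_USERS; the QUERY_* strings show where real rows come from, and the RISKY_SYS_PRIVS, FILE_OR_JOB_PACKAGES and DEFAULT_ACCOUNTS sets are my own selection.

```python
"""Audit Oracle grants and accounts that turn database access into file writes and code execution."""

# Queries that produce the real rows for the audit (run as a DBA).
QUERY_SYS_PRIVS = "SELECT grantee, privilege, admin_option FROM dba_sys_privs"
QUERY_TAB_PRIVS = "SELECT grantee, owner, table_name, privilege FROM dba_tab_privs"
QUERY_USERS = "SELECT username, account_status FROM dba_users"

# Constructed sample rows (grantee, privilege, admin_option).
SAMPLE_SYS_PRIVS = [
    ("SYS", "EXECUTE ANY PROCEDURE", "YES"),
    ("SCOTT", "CREATE SESSION", "NO"),
    ("SCOTT", "EXECUTE ANY PROCEDURE", "NO"),
    ("REPORTS", "CREATE SESSION", "NO"),
    ("REPORTS", "CREATE ANY DIRECTORY", "NO"),
]
# Constructed sample rows (grantee, owner, table_name, privilege).
SAMPLE_TAB_PRIVS = [
    ("PUBLIC", "SYS", "UTL_FILE", "EXECUTE"),
    ("PUBLIC", "SYS", "DBMS_XSLPROCESSOR", "EXECUTE"),
    ("PUBLIC", "SYS", "DBMS_OUTPUT", "EXECUTE"),
    ("REPORTS", "SYS", "DBMS_SCHEDULER", "EXECUTE"),
]
# Constructed sample rows (username, account_status).
SAMPLE_USERS = [
    ("SYS", "OPEN"),
    ("SCOTT", "OPEN"),
    ("HR", "EXPIRED & LOCKED"),
    ("REPORTS", "OPEN"),
]

# System privileges that reach beyond the grantee's own schema into any procedure,
# directory objects (host file system paths) or libraries (native code).
RISKY_SYS_PRIVS = {"EXECUTE ANY PROCEDURE", "CREATE ANY PROCEDURE",
                   "CREATE ANY DIRECTORY", "CREATE ANY LIBRARY"}
# Packages that read or write files on the database host, or run jobs there.
FILE_OR_JOB_PACKAGES = {"UTL_FILE", "DBMS_XSLPROCESSOR", "DBMS_ADVISOR",
                        "DBMS_SCHEDULER", "DBMS_JAVA"}
# Sample/default accounts shipped with Oracle that should be locked when unused.
DEFAULT_ACCOUNTS = {"SCOTT", "HR", "OE", "SH", "OUTLN", "DBSNMP"}
# Grantees expected to hold powerful privileges.
ADMIN_GRANTEES = {"SYS", "SYSTEM", "DBA"}


def audit_oracle(sys_privs, tab_privs, users):
    """Return findings as (kind, subject, detail) tuples."""
    findings = []
    for grantee, privilege, _admin_option in sys_privs:
        if privilege in RISKY_SYS_PRIVS and grantee not in ADMIN_GRANTEES:
            findings.append(("sys_priv", grantee, privilege))
    for grantee, owner, obj, privilege in tab_privs:
        if (grantee == "PUBLIC" and owner == "SYS" and privilege == "EXECUTE"
                and obj in FILE_OR_JOB_PACKAGES):
            findings.append(("public_execute", grantee, obj))
    for username, status in users:
        if username in DEFAULT_ACCOUNTS and status == "OPEN":
            findings.append(("default_account_open", username, status))
    return findings


def remediation(finding):
    """The SQL statement that closes one finding."""
    kind, subject, detail = finding
    if kind == "sys_priv":
        return f"REVOKE {detail} FROM {subject}"
    if kind == "public_execute":
        return f"REVOKE EXECUTE ON SYS.{detail} FROM PUBLIC"
    return f"ALTER USER {subject} ACCOUNT LOCK"


if __name__ == "__main__":
    for f in audit_oracle(SAMPLE_SYS_PRIVS, SAMPLE_TAB_PRIVS, SAMPLE_USERS):
        print(f"{f[0]:22} {f[1]:10} {f[2]:25} -> {remediation(f)}")
```

Revoking EXECUTE on UTL_FILE or DBMS_XSLPROCESSOR from PUBLIC needs a check of which application schemas actually call them, since Oracle-supplied packages often depend on each other; the usual pattern is to grant EXECUTE back to the specific schemas that need it. Running the Oracle service under a dedicated low-privilege Windows account instead of SYSTEM is the complementary host-side control for the file write to the Administrator desktop.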