We covered Oracle Database Exploitation with Metasploit framework and oracle database attacking tool as part of Pwn with Metasploit from Hackthebox. This was part of HackTheBox Silo Machine.
Silo focuses mainly on leveraging Oracle to obtain a shell and escalate privileges. It was intended to be completed manually using various tools, however Oracle Database Attack Tool greatly simplifies the process, reducing the difficulty of the machine substantially.
Video Transcript
We’re going to proceed to Brute Force the username and password using another module so this is all part of the process so work is database is running on Port 1,521 we have to extract this ID of database using this module and also have to extract and username and password okay so we start first with the Sid brought Oracle login yeah and we have got two so we will use this one
so this model requires the knowledge of the Sid we have just extracted then we’re going to say show options so as you can see here we have our Hostess required and this ID is required so we’re going to set our host and then activate couple modules and then inside the order we have to install couple python dependencies so all these are dependencies you have to install after everything is done.
You can run launch all that and you can start with the help menu and then I have I have outlined the methodology as you can see first we start with the IP the port specific identify Arizona and password after I’ve got a hold of these you can start as you can see connecting to the database this here’s this one
so this is the remote path see in it pop root cell aspx this is the path at which or to which the actually the our shell will be uploaded and this is the path to the Shell I have created and then
yeah and lastly we have -6 DBA possible to decode found so it is under order that’s the correct path to the show we try now other computer forensics memory forensics so let’s search for cash
yeah so the first thing we have to do we have to retrieve the list of the hives so with this command.
As you can see here Dash F this is the memory dump we downloaded and that’s this is the profile the profile the correct profile is Windows 200212 r2x64 Hive list
so you mark the sum as offset 2 and you mark the system as offset one and then next with the volatility again you define the target file to be the memory dump you just downloaded the profile and use the plugin hashtop but you have to specify the offsets that’s why with the first offset the first offset happens to correspond to registering machine system.
A list of the registry hives what you need you need the system node cell and you need the registry machine system once you do that you’ll be able to grab the administrator hash
so after we grab the administer hash we can now log in to of course you have to use the offsets and that’s s the other offset of the second offset which happens to correspond to the sum of sets
the machine as administrator so see the tools see the impact so with BS exec we can pass the hash without the need to examples okay so once you have got a hold of the administrator hash what we can do we can either try to correct the hash or we can simply pass the hash using PS exec crack it so Python 3 PS exec
but poi hashes the administrator has.
Let’s see if it works and then Dash targets that’s IP 10 10 administrator username at and it didn’t who am I and you are the net Authority system see the why the reason is we forgot the dash before the hashes users and now it started to work uploading the shares the and now yeah almost there it doesn’t work and you got now the root flag so that was it guys I hope you enjoyed the video and I will see you later
Video Walkthrough
