Silo

@ring3rbell said:
Don’t you even need sqlplus?

it’s possible to not use sqlplus entirely =)
You can, but it isn’t necessary.

It is a funny box, I was able to get root but not user, similar to

@sheeets said:
Any advice on getting user after getting root? I’ve tried creating programs/jobs but nothing seems to be working.

I should have missed something or my way of thinking is not correct, any hint welcome

Haha, it was easy once I let go of the whole oda… thingy. Got user and root with a simple reverse meterpreter shell.

If anyone's struggling with this, I'll be happy to give you a hint in PM.

@Sigilli said:

it’s possible to not use sqlplus entirely =)
You can, but it isn’t necessary.

Mmm, I’m curious to know how you did… Please PM. Thanks!

Same boat as others. Don't really see how I can get user. Been searching the database for user credentials to the SMB share with no success.

As someone said earlier, all the hints you need have been provided here. Remember to have all dependencies fixed before trying a certain tool.

I’ve been beating my head against a certain protocol and have not been able to get any fruit (well maybe some, but don’t know what to do with it in a timely manner). I’ve run into a box like this in the wild and this forum has definitely helped me learn the ways to enumerate, what tools to use etc… if anyone can PM me to nudge me I’d appreciate it. I hate Oracle…

Also… typically my go-to isn’t necessarily metasploit… but wtf is:
[-] Failed to load the OCI library: cannot load such file -- oci8

@RageQuit said:
I’ve been beating my head against a certain protocol and have not been able to get any fruit (well maybe some, but don’t know what to do with it in a timely manner). I’ve run into a box like this in the wild and this forum has definitely helped me learn the ways to enumerate, what tools to use etc… if anyone can PM me to nudge me I’d appreciate it. I hate Oracle…

Also… typically my go-to isn’t necessarily metasploit… but wtf is:
[-] Failed to load the OCI library: cannot load such file -- oci8

Just try with the other tool mentioned in here.
Personally I tried to fix the metasploit issue in 3 different VMs, with different Kali versions. No luck.
The other tool, once configured properly, made things pretty simple.

Is there AV on the box? My payload isn’t executing but I am able to control something which should lead to RCE. Can I PM someone who completed the box?

reee f this box. Idk which one I hate more this or dropzone. Finished it after 5 hours

It’s def a pain… I ended up getting root. Where are you stuck at?

Anyone actually got odat running on Kali?
Followed the instructions to the tee but the executables won’t launch for some reason (even with 11.2)

@bonjourpancake It worked fine for me! I installed and tested sqlplus first, checked that this works, then installed odat, following their checklist (where several steps were not required anymore as already covered by the sqlplus setup).

But I modified the code to make it exploit the ‘loophole’ I found without odat. Would be interested to know myself if this was really necessary or if I missed some config option. I rather used odat more like a checklist, cross-checking if there is something else to be tested. I had already checked the ‘known security issues’ without odat before. I think when the tool tests for the weakness of a certain library it does something that’s not really necessary in this case, but this action requires too many privileges and then it fails completely… and the results falsely indicate that the attacked component is not vulnerable. But again, I can’t rule out I missed some option to test for my intended attack vector.

I found the interesting issue with sqlplus, tested a simple version of my exploit idea with sqlplus, and then used a modified version of the odat script to exploit it more conveniently. But maybe writing the same thing in sqlplus would have taken about the same time as making the modification in Python.

Really interesting machine (mostly because I was unfamiliar with the vector). There’s a few ways to do this once you decide on the vector. One way is to use the tool, sit back and spam until something sticks. The other way is to go low and slow and actually learn about the service and do everything manually. It’s hard not to walk away having learned something regardless of route. However, this may be one of those machines where it’s worth doing a few hours (or even days) of research. The tool being referenced is a little overpowered IMO and the urge to spam is high. Also the shells I got were extremely slow (both normal tcp and meterpreter). Anyways, +1 to the creator. Nothing is better than owning a machine but also feeling that you actually got better.

@bonjourpancake This was the best way for me: Setup Oracle in Kali Rolling & Kali 2.0. Just make sure to change the version from XX_1 to XX_2 if applicable

@onlyamedic I had the same issues with rce/reverse shell. The shells took a few minutes to connect back and were pretty unstable. After getting the user, I changed to using meterpreter but the speed wasn’t much better.

I did that. I can run sqlplus but msfconsole still spits:

 Failed to load the OCI library: libmql1.so: cannot open shared object file: No such file or directory - /usr/local/lib/x86_64-linux-gnu/site_ruby/oci8lib_250.so

libmql1.so exists in /opt/oracle/client and the other does exist.

If you do as I do then you need to know that sudo msfconsole will not pick up the env - just su root and then run msfconsole.

It fixed the issue for me. So now I begin! I remember from a lifetime ago (before pentesting even existed) that a common hack for Oracle was that DBSNMP never had its default password changed and of course it has high privs. I’ve just tried it and the account is locked :confused: What is the world coming to. Like you can’t trust anyone anymore.

This box is kicking my ■■■. I managed to find a stand-alone version of the tool that everyone is having trouble installing (PM me if you want the link), so I’ve been able to run that.

Without inadvertently giving away anything that might be a spoiler, I tried setting up a listener and joining the group, but there doesn’t seem to be traffic hitting that service so I got nothing, so that may have been a rabbit hole. I scanned for SIDs, found some. I found an interesting article that might let me take advantage of other open ports on the box through the main service, but I need creds. I left “the tool” iterating through credentials but came up dry. I tried adding the extra switches to the tool’s password guesser, and it ran for several hours before someone reset the box - and I didn’t get any creds in that time.

I’m having trouble even getting a foothold on this one, can someone help nudge me in the right direction?

@bonjourpancake said:
Anyone actually got odat running on Kali?
Followed the instructions to the tee but the executables won’t launch for some reason (even with 11.2)

I followed the instructions on http://seclist.us (using 11.2) and it looks like it's working well.

If you are trying to get the initial foothold and have checked the user’s privileges (and are using odat), I would recommend checking a different “type” of privilege that you can get, not just session. Look into different types of roles.