Silo

reee f this box. Idk which one I hate more, this or Dropzone. Finished it after 5 hours.

It’s def a pain… I ended up getting root. Where are you stuck at?

Anyone actually got odat running on Kali?
Followed the instructions to the tee but the executables won’t launch for some reason (even with 11.2)

@bonjourpancake It worked fine for me! I installed and tested sqlplus first, checked that this works, then installed odat, following their checklist (where several steps were not required anymore as already covered by the sqlplus setup).

But I modified the code to make it exploit the ‘loophole’ I found without odat. Would be interested to know myself if this was really necessary or if I missed some config option. I rather used odat more like a checklist - cross-checking if there is something else to be tested. I had already checked the ‘known security issues’ without odat before. I think when the tool tests for the weakness of a certain library it does something that’s not really necessary in this case, but this action requires too many privileges and then it fails completely… and the results falsely indicate that the attacked component is not vulnerable. But again, I can’t rule out that I missed some option to test for my intended attack vector.

I found the interesting issue with sqlplus, tested a simple version of my exploit idea with sqlplus, and then used a modified version of the odat script to exploit it more conveniently. But maybe writing the same thing in sqlplus would have taken about the same time as making the modification in Python.

Really interesting machine (mostly because I was unfamiliar with the vector). There are a few ways to do this once you decide on the vector. One way is to use the tool, sit back and spam until something sticks. The other way is to go low and slow and actually learn about the service and do everything manually. It’s hard not to walk away having learned something regardless of route. However, this may be one of those machines where it’s worth doing a few hours (or even days) of research. The tool being referenced is a little overpowered IMO and the urge to spam is high. Also the shells I got were extremely slow (both normal TCP and meterpreter). Anyways, +1 to the creator. Nothing is better than owning a machine but also feeling that you actually got better.

@bonjourpancake This was the best way for me: Setup Oracle in Kali Rolling & Kali 2.0. Just make sure to change the version from XX_1 to XX_2 if applicable

@onlyamedic I had the same issues with rce/reverse shell. The shells took a few minutes to connect back and were pretty unstable. After getting the user, I changed to using meterpreter but the speed wasn’t much better.

I did that. I can run sqlplus but msfconsole still spits:

 Failed to load the OCI library: libmql1.so: cannot open shared object file: No such file or directory - /usr/local/lib/x86_64-linux-gnu/site_ruby/oci8lib_250.so

libmql1.so exists in /opt/oracle/client and the other does exist.

If you do as I do, then you need to know that sudo msfconsole will not pick up the env - just su root and then run msfconsole.

It fixed the issue for me. So now I begin! I remember from a lifetime ago (before pentesting even existed) that a common hack for Oracle was that DBSNMP never had its default password changed and of course it has high privs. I’ve just tried it and the account is locked. What is the world coming to? Like you can’t trust anyone anymore.

This box is kicking my ■■■. I managed to find a stand-alone version of the tool that everyone is having trouble installing (PM me if you want the link), so I’ve been able to run that.

Without inadvertently giving away anything that might be a spoiler, I tried setting up a listener and joining the group, but there doesn’t seem to be traffic hitting that service so I got nothing, so that may have been a rabbit hole. I scanned for SIDs, found some. I found an interesting article that might let me take advantage of other open ports on the box through the main service, but I need creds. I left “the tool” iterating through credentials but came up dry. I tried adding the extra switches to the tool’s password guesser, and it ran for several hours before someone reset the box - and I didn’t get any creds in that time.

I’m having trouble even getting a foothold on this one, can someone help nudge me in the right direction?

@bonjourpancake said:
Anyone actually got odat running on Kali?
Followed the instructions to the tee but the executables won’t launch for some reason (even with 11.2)

I followed the instructions on http://seclist.us (using 11.2) and it looks like it’s working well.

If you are trying to get the initial foothold and have checked the user’s privileges (and are using odat), I would recommend checking a different “type” of privilege that you can get, not just session. Look into different types of roles.

I need some hint. Currently I’ve got creds for a user and I’m inside the DB. But how do I escalate or get the initial foothold, given that my privs are not admin?

Is it normal that I can’t download the Dropbox file with the given password?

Not sure about the first step. My 65535 scan is not terminating. My fast scan just shows 80, 445 and some RPC. SMB does not seem to be vulnerable. Port 80 does not give me any websites. You are talking about Oracle, but I don’t find anything interesting here.

Really struggling to get a foothold on this box. Have 2 valid SIDs, can’t get any further with either Metasploit or ODAT. Literally stuck for ideas. Any hints or PMs would be appreciated.

@Cli3nt said:
Not sure about the first step. My 65535 scan is not terminating. My fast scan just shows 80, 445 and some RPC. SMB does not seem to be vulnerable. Port 80 does not give me any websites. You are talking about Oracle, but I don’t find anything interesting here.

You need to scan again. It could be that people are resetting the box mid scan. You can be fairly confident that you’ve missed some ports here.

I’ve tried odat for cracking and escalating and it doesn’t work for me. So I don’t know what to do right now.

Looks like the file is filtering some extensions and I have no idea about how to exploit the vuln. Can somebody give me a hand?

Rooted this earlier. Half the battle was getting odat to work. Anyone using it for password guessing, it doesn’t work! The switch it says to use for uppercase and lowercase doesn’t do as it says.

The first shell I popped got me root, so I missed out on a fun privesc. I’ve been told to go back and look at it for the learning experience.

Hi, I am having trouble progressing using the odat tool. I have installed the standalone version and have identified a valid SID, but haven’t managed to enumerate users nor find more detailed guides other than the wiki. Any pointers?