Today we are going to perform a penetration test against an Oracle database server.
If you want to practice the activities I present in this tutorial, I invite you to try the Silo machine from HackTheBox.
Before starting, I want to clarify that all my published content is produced for educational, informative and ethical purposes.
I am not responsible for any misuse of it.
With this tutorial you will learn:
How to perform a simple port scan with Nmap.
How to perform a brute-force attack to discover an Oracle TNS SID.
How to use ODAT (Oracle Database Attack Tool).
How to attack an Oracle server with the Metasploit Framework.
How to perform a forensic analysis with Volatility.
How to find password hashes in a memory dump.
How to perform a privilege escalation using the pass-the-hash technique.
As always, we start by enumerating our target. For this we run a simple Nmap scan, as follows.
From the scan results we can see that this server is probably running Windows Server 2008 R2 and that port 80 (Microsoft IIS httpd 8.5) is open.
For this penetration test we are going to focus on port 1521, which Nmap identifies as an oracle-tns service.
SID brute force
To continue, we will audit this Oracle database with the ODAT tool. ODAT is an open-source penetration testing tool designed to attack and audit the security of Oracle Database servers.
The following steps are:
Enumerate Oracle Database Version
Discover SIDs (the SID is Oracle's name for a unique database instance)
Obtain a user account (likely through brute forcing)
Exploitation / privilege escalation as needed.
We can use ODAT's sidguesser module to discover them:
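Seen from the database side, a SID brute force like the one sidguesser performs leaves a distinctive trail in the listener log: many connect attempts from a single host within seconds, each naming a different SID and each rejected with TNS-12505. The script below is an added example for this tutorial, not ODAT's or Oracle's code. It assumes the listener.log layout in which each connection attempt is one line of fields joined by " * " (timestamp, CONNECT_DATA, ADDRESS, action, SID, TNS return code), where 0 is an accepted connection and 12505 means the listener does not know the requested SID; the log lines in it are constructed.

```python
"""Spot Oracle TNS SID guessing in listener.log.

Added example for this tutorial; it is not ODAT or Oracle code. It assumes the
listener.log layout where each connection attempt is one line of fields joined
by " * " (timestamp, CONNECT_DATA, ADDRESS, action, SID, TNS return code); a
return code of 0 is an accepted connection and 12505 means the listener does
not know the requested SID. The log lines below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

TNS_UNKNOWN_SID = 12505
HOST_RE = re.compile(r"\(HOST=([^)]+)\)")

# Constructed sample: 10.10.14.5 cycles through SID guesses within a few
# seconds; 10.10.10.50 is a legitimate client; 10.10.10.60 mistypes a SID once.
SAMPLE_LISTENER_LOG = """\
22-JUN-2019 10:15:32 * (CONNECT_DATA=(SID=ORCL)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.14.5)(PORT=51244)) * establish * ORCL * 12505
TNS-12505: TNS:listener does not currently know of SID given in connect descriptor
22-JUN-2019 10:15:32 * (CONNECT_DATA=(SID=XE)(CID=(PROGRAM=sqlplus)(HOST=app01)(USER=svc))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.10.50)(PORT=49152)) * establish * XE * 0
22-JUN-2019 10:15:33 * (CONNECT_DATA=(SID=TEST)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.14.5)(PORT=51245)) * establish * TEST * 12505
TNS-12505: TNS:listener does not currently know of SID given in connect descriptor
22-JUN-2019 10:15:33 * (CONNECT_DATA=(SID=PROD)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.14.5)(PORT=51246)) * establish * PROD * 12505
TNS-12505: TNS:listener does not currently know of SID given in connect descriptor
22-JUN-2019 10:15:34 * (CONNECT_DATA=(SID=DEV)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.14.5)(PORT=51247)) * establish * DEV * 12505
TNS-12505: TNS:listener does not currently know of SID given in connect descriptor
22-JUN-2019 10:15:34 * (CONNECT_DATA=(SID=DB01)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.14.5)(PORT=51248)) * establish * DB01 * 12505
TNS-12505: TNS:listener does not currently know of SID given in connect descriptor
22-JUN-2019 10:17:01 * (CONNECT_DATA=(SID=XEE)(CID=(PROGRAM=sqlplus)(HOST=ws12)(USER=ana))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.10.60)(PORT=50001)) * establish * XEE * 12505
TNS-12505: TNS:listener does not currently know of SID given in connect descriptor
"""


def parse_listener_log(text):
    """Return one dict per connection attempt; TNS-xxxxx detail lines are skipped."""
    events = []
    for line in text.splitlines():
        fields = [f.strip() for f in line.split(" * ")]
        if len(fields) < 6 or fields[3] != "establish":
            continue
        host = HOST_RE.search(fields[2])  # client address, not the CONNECT_DATA host
        if not host:
            continue
        events.append({
            "ts": datetime.strptime(fields[0], "%d-%b-%Y %H:%M:%S"),
            "host": host.group(1),
            "sid": fields[4],
            "code": int(fields[5]),
        })
    return events


def detect_sid_guessing(events, threshold=5, window=timedelta(seconds=60)):
    """Flag hosts with >= threshold unknown-SID rejections inside any `window`.

    Returns {client_host: sorted list of SIDs that host asked for and was refused}.
    A single mistyped SID from a real client never reaches the threshold.
    """
    failures = defaultdict(list)
    for e in events:
        if e["code"] == TNS_UNKNOWN_SID:
            failures[e["host"]].append(e)

    alerts = {}
    for host, evs in failures.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):           # sliding window over the sorted rejections
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts[host] = sorted({e["sid"] for e in evs})
                break
    return alerts


if __name__ == "__main__":
    for host, sids in detect_sid_guessing(parse_listener_log(SAMPLE_LISTENER_LOG)).items():
        print(f"SID guessing from {host}: {', '.join(sids)}")
```

The threshold and window are deliberately loose defaults; on a busy listener with many application pools, raise the threshold rather than the window, since genuine clients rarely ask for more than one or two SIDs. Oracle's own countermeasure is to restrict which clients may reach the listener at all (for example with valid node checking in sqlnet.ora), which removes the noise as well as the risk.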
Credential brute force
Based on the results, we identified four SIDs.
Next, we’ll need to identify valid credentials in order to authenticate to the database.
For this task, we can use a Metasploit auxiliary module called oracle_login.
Alright! We found valid credentials.
By the way, we could also have found this one by looking up common default Oracle credentials.
Valid credentials mean we can connect to the XE instance and start querying the database for useful information. As it turns out, scott is also granted the SYSDBA privilege. Think of it as something like sudo: it gives you higher privileges for tasks such as altering the database, administering users, and so on.
Oracle Database Penetration Testing
Now that we have a valid SID and credentials, we can connect to the database for manual enumeration.
For starters, we can query for user privileges and roles.
As you can see, scott is a low-privilege user on the system. In order for us to gain shell access, we might need to escalate our privilege to DBA first and perform some known Oracle attacks. In order to achieve this easily, we can use a tool called ODAT (Oracle Database Attack Tool). It is an open-source tool used to automate attacks on an Oracle DB.
Before we can use ODAT, we need to install it on Kali. You can refer to this installation guide in order to install it successfully.
Using ODAT - (Oracle Database Attack Tool)
Initially, we will run all the ODAT modules on our victim server.
The DBMS_XSLPROCESSOR package is accessible to our user, which lets us write arbitrary files onto the machine.
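The privilege check described earlier (querying a user's privileges and roles) and the DBMS_XSLPROCESSOR finding are two sides of the same audit: a DBA wants to know, before an attacker does, which accounts hold grants that turn database access into file writes on the host. The script below is an added example, not ODAT's, Oracle's or the original post's code. GRANT_QUERY is the SQL a DBA would run with a privileged account to pull one row per grant from the DBA_* views; the Python functions then work on rows in that shape. The result set and account names in it are constructed so the script runs offline.

```python
"""Audit Oracle grants that let a low-privilege account write files on the server.

Added example (not ODAT, Oracle or the original post's code). GRANT_QUERY is
the SQL a DBA would run with a privileged account to pull one row per grant
from the DBA_* views; audit_grants() then works on rows in that shape
(grantee, kind, name). SAMPLE_ROWS is a constructed result set so the script
runs offline; the account names in it are made up.
"""

GRANT_QUERY = """
SELECT grantee, 'ROLE'    AS kind, granted_role AS name FROM dba_role_privs
UNION ALL
SELECT grantee, 'SYSPRIV' AS kind, privilege    AS name FROM dba_sys_privs
UNION ALL
SELECT grantee, 'EXECUTE' AS kind, table_name   AS name FROM dba_tab_privs
 WHERE privilege = 'EXECUTE' AND owner = 'SYS'
"""

# SYS packages that can create or overwrite files on the database host.
# DBMS_XSLPROCESSOR is the one used in this walkthrough; UTL_FILE and
# DBMS_ADVISOR are long-standing entries on Oracle hardening checklists.
FILE_WRITE_PACKAGES = {"DBMS_XSLPROCESSOR", "UTL_FILE", "DBMS_ADVISOR"}
# System privileges that let a user point a directory object anywhere on disk.
FILE_WRITE_SYSPRIVS = {"CREATE ANY DIRECTORY"}
# Roles that make every other finding moot.
ADMIN_ROLES = {"DBA"}

# Constructed result set in GRANT_QUERY's (grantee, kind, name) shape.
SAMPLE_ROWS = [
    ("SCOTT", "ROLE", "CONNECT"),
    ("SCOTT", "ROLE", "RESOURCE"),
    ("SCOTT", "EXECUTE", "DBMS_XSLPROCESSOR"),
    ("PUBLIC", "EXECUTE", "UTL_FILE"),
    ("PUBLIC", "EXECUTE", "DBMS_OUTPUT"),
    ("APP_RO", "SYSPRIV", "CREATE SESSION"),
    ("APP_RO", "SYSPRIV", "CREATE ANY DIRECTORY"),
    ("DBADMIN", "ROLE", "DBA"),
]


def _is_file_write_grant(kind, name):
    return (kind == "EXECUTE" and name in FILE_WRITE_PACKAGES) or \
           (kind == "SYSPRIV" and name in FILE_WRITE_SYSPRIVS)


def audit_grants(rows):
    """Return {grantee: [finding, ...]} for grants enabling file writes or full DBA control."""
    findings = {}
    for grantee, kind, name in rows:
        if kind == "EXECUTE" and name in FILE_WRITE_PACKAGES:
            msg = f"EXECUTE on SYS.{name} can write arbitrary files on the server"
        elif kind == "SYSPRIV" and name in FILE_WRITE_SYSPRIVS:
            msg = f"{name} lets the user create directory objects pointing anywhere on disk"
        elif kind == "ROLE" and name in ADMIN_ROLES:
            msg = f"{name} role grants full administrative control"
        else:
            continue
        if grantee == "PUBLIC":  # PUBLIC grants are inherited by every account, scott included
            msg += " (granted to PUBLIC, so every account inherits it)"
        findings.setdefault(grantee, []).append(msg)
    return findings


def file_writers(rows):
    """Sorted grantees holding a direct file-writing grant; 'PUBLIC' in the list means everyone."""
    return sorted({g for g, k, n in rows if _is_file_write_grant(k, n)})


def remediation_sql(rows):
    """REVOKE statements for the file-writing grants, for a DBA to review before running."""
    stmts = []
    for grantee, kind, name in rows:
        if kind == "EXECUTE" and name in FILE_WRITE_PACKAGES:
            stmts.append(f"REVOKE EXECUTE ON SYS.{name} FROM {grantee};")
        elif kind == "SYSPRIV" and name in FILE_WRITE_SYSPRIVS:
            stmts.append(f"REVOKE {name} FROM {grantee};")
    return stmts


if __name__ == "__main__":
    for grantee, notes in audit_grants(SAMPLE_ROWS).items():
        for note in notes:
            print(f"{grantee}: {note}")
    print("\n".join(remediation_sql(SAMPLE_ROWS)))
```

Treat the REVOKE output as a review list rather than a script to run blindly: applications sometimes depend on UTL_FILE through PUBLIC, and the safer fix there is to grant EXECUTE to the specific application schema and then revoke it from PUBLIC. On this box, the finding that matters is the first one: an account with only CONNECT and RESOURCE should have no path to writing into wwwroot.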
First, we’ll create a simple text file and check if we can successfully upload it to wwwroot.
As you can see, we can successfully upload the file. Let’s check using curl.
Now that we can upload on the target system, we can easily generate an ASPX reverse shell using msfvenom, upload it using ODAT, and trigger it to get shell access.
After uploading our shell, we start the Metasploit Framework and configure a handler to listen on the port we specified when generating the payload.
Note that after starting the handler we must request http://10.10.10.82/shell.aspx to trigger the payload.
Done, we have a shell, and with it we can execute commands on the server.
As you can see, there is a file named "Oracle issue.txt" in the Desktop directory. This might contain a clue for our privilege escalation vector.
The text file mentions a memory dump. That is a good sign for us, because there is a high chance that the memory dump contains valuable information. Many tools can analyze memory and pull out valuables such as passwords, so it is quite clear we need to do a bit of memory analysis.
After downloading the zip file, we unzip it and find that it contains a memory dump. We use the Volatility tool to investigate the dump.
Using Volatility to extract passwords
After downloading the memory dump, we can use Volatility on it to perform forensics. Volatility ships with Kali, so there is no need for further installation. If you are not familiar with Volatility, you can check out this cheatsheet from the Volatility Foundation and this cheatsheet from SANS.
For the initial step, we need to identify the OS version of the machine where the memory dump was taken, so that the Volatility plugins use the correct profile. Although we could simply issue a systeminfo command in our shell session, we can also identify this with the Volatility plugin imageinfo.
One of the useful plugins that we can use in this situation is lsadump. The lsadump plugin dumps decrypted LSA secrets from the registry. This exposes information such as the default password (for systems with autologin enabled), RDP public keys, and credentials used by DPAPI.
As you can see from the results of lsadump, we were able to acquire the plain-text password DoNotH@ckMeBro!.
Since the SMB service is reachable over the network, we can use winexe to log in via SMB.
Another way we could have escalated privileges is through the hivelist plugin.
We can now dump the hashes by supplying the required virtual addresses of the SYSTEM and SAM hives.
Note: to use hashdump, pass the virtual address of the SYSTEM hive as -y and the virtual address of the SAM hive as -s.
We could try to crack these, but first, let’s try pass the hash:
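Read from the defender's side, a hashdump listing says a lot about local-account hygiene even before anyone cracks or replays anything: whether legacy LM hashes are still being stored, whether any account has a blank password, and whether several accounts share one NT hash, which is precisely the condition that lets a hash from one machine open others. The script below is an added example for this tutorial, not Volatility's code or the original post's. It assumes the hashdump output format user:rid:lm_hash:nt_hash::: and the two well-known constants for "no LM hash stored" and "NT hash of the empty password"; the sample listing is constructed and the non-empty hash values in it are made up.

```python
"""Triage a Volatility hashdump listing for weak local-account hygiene.

Added example for this tutorial; it is not Volatility's code or the original
post's. It assumes the hashdump output format user:rid:lm_hash:nt_hash::: and
the two well-known constants below. The sample listing is constructed; the
non-empty hash values in it are made up.
"""
from collections import defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # stored when LM hashing is disabled
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password

# Constructed listing: one blank password, one account still storing an LM
# hash, and two accounts sharing the same (made-up) NT hash.
SAMPLE_HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:a1b2c3d4e5f60718293a4b5c6d7e8f90:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1001:5b6e3b1c3a9d2f4e7a8b9c0d1e2f3a4b:0f1e2d3c4b5a69788796a5b4c3d2e1f0:::
ops_user:1002:aad3b435b51404eeaad3b435b51404ee:a1b2c3d4e5f60718293a4b5c6d7e8f90:::
"""


def parse_hashdump(text):
    """Return one dict per account record; lines that are not records are skipped."""
    accounts = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        accounts.append({
            "user": parts[0],
            "rid": int(parts[1]),
            "lm": parts[2].lower(),
            "nt": parts[3].lower(),
        })
    return accounts


def triage(accounts):
    """Return {user: [finding, ...]} for accounts with a hygiene problem.

    Checks: LM hash still stored, blank password, NT hash shared by several
    accounts (blank passwords are excluded from the sharing check because they
    are already reported on their own).
    """
    by_nt = defaultdict(list)
    for a in accounts:
        if a["nt"] != EMPTY_NT:
            by_nt[a["nt"]].append(a["user"])

    findings = {}
    for a in accounts:
        notes = []
        if a["lm"] != EMPTY_LM:
            notes.append("LM hash stored: legacy LM hashing is enabled for this account")
        if a["nt"] == EMPTY_NT:
            notes.append("empty NT hash: account has a blank password")
        others = sorted(u for u in by_nt.get(a["nt"], []) if u != a["user"])
        if others:
            notes.append("NT hash shared with: " + ", ".join(others))
        if notes:
            findings[a["user"]] = notes
    return findings


if __name__ == "__main__":
    for user, notes in triage(parse_hashdump(SAMPLE_HASHDUMP)).items():
        for note in notes:
            print(f"{user} (RID {user}): {note}")
```

Each finding maps to a standard hardening control: the NoLMHash policy for stored LM hashes, disabling or password-protecting unused built-in accounts for blank passwords, and unique per-machine local administrator passwords (for example via LAPS) for shared NT hashes. The last one is the control that defeats pass-the-hash across hosts, since a hash that only works on the machine it came from does not get an attacker anywhere new.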
About the author:
Ethical Hacker - FullStack Developer
Cybersecurity Consultant and also creator of the content published in this blog.