HTB Academy - FOOTPRINTING - Oracle TNS

Hello all,

I am currently working through the Footprinting academy module and have gotten stuck on the Oracle TNS section. I am stuck on how to answer the following question -

Enumerate the target Oracle database and submit the password hash of the user DBSNMP as the answer.

  1. I have successfully enumerated the SID XE of the database using NMAP -
    sudo nmap -p1521 -sV 10.129.x.x --open --script oracle-sid-brute

  2. After that I tried enumerating with odat.py to get some more information, looking for credentials -
    ./odat.py passwordguesser -p 1521 -d XE -s 10.129.x.x
    ./odat.py all -s 10.129.x.x -p 1521 -d XE
    Both of these come back with no further information.

  3. From there I tried signing in using some default usernames and passwords with sqlplus
    sqlplus scott/tiger@10.129.x.x/XE;
    sqlplus DBSNMP/DBSNMP@10.129.x.x/XE;
    Any combination I have tried here has not been able to authenticate.

Does anyone have any ideas on what I can try next? I am not looking for an answer, more just a nudge in the right direction.

After a brief discussion on the HTB discord I was able to resolve this. Here are the steps I took to get the right answer.

  1. First, I disconnected my UDP VPN and connected to a TCP one. This made odat run noticeably more efficiently.
  2. I then ran odat again and enumerated further. This takes some time, so be patient.

With just that, and the notes within the module itself, one should be able to get the answer to the question.

1 Like

For me the setup script provided in the module didn’t work 100%. odat.py works fine, but the sqlplus tool errors out.

Here is a workaround to connect to the database, in case sqlplus errors out with sqlplus: error while loading shared libraries: libsqlplus.so: cannot open shared object file: No such file or directory for you too.

The workaround is to use DBeaver - it comes preinstalled with Parrot OS (the Pwnbox’s underlying OS). If you’re using something else, feel free to install it (you can probably use other SQL GUIs or CLIs too). Create a new connection with the target box’s IP, the port will be prefilled. Enter the username and password you discovered through odat and the db’s name. Then select the “Connect as:” dropdown and click on “SYSDBA”. Click “Test connection” - if everything was input correctly and the server is running you should be able to save the connection and execute queries, if not, double-check the inputted values and try again.

The rest is the same, run the query and get the password hash.

P.S. Forgot to mention that DBeaver does not come preinstalled with drivers to connect to Oracle DB, so you will be prompted to install them. A link to the required .jar file is provided by DBeaver. Only 1 jar file is required and it’s usually at the top of the page.

4 Likes

sqlplus: error while loading shared libraries: libsqlplus.so: cannot open shared object file: No such file or directory

source /etc/profile.d/oracle.sh
content should look like below:

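# Installed Instant Client version directory under /usr/lib/oracle (12.2 is an example value; adjust to yours)
ORACLE_VERSION=12.2
ORACLE_HOME=/usr/lib/oracle/$ORACLE_VERSION/client64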
PATH=$ORACLE_HOME/bin:$PATH
LD_LIBRARY_PATH=$ORACLE_HOME/lib
export ORACLE_HOME
export LD_LIBRARY_PATH
export PATH
1 Like

Want to thank you for this! Good solution and it helped me learn a new tool!

I’m having issues. So I followed the lecture instructions and uploaded the bash script. The /etc/profile.d/ exists but the oracle.sh file doesn’t. I tried making the file myself with the above script but that didn’t work for me. Any hints on what I should try next?

Do you have a video on how to configure this?

Hey everyone, so after some Google searching, to fix the error above use this command.

sudo sh -c "echo /usr/lib/oracle/12.2/client64/lib > /etc/ld.so.conf.d/oracle-instantclient.conf";sudo ldconfig

This works perfectly fine and you can follow the instructions as is after.

3 Likes

I logged in with scott/tiger but I cannot find the password hash for the DBSNMP user. Any help?
select password from all_users where username = 'DBSNMP';
will not return the password hash.

Actually, they provide a solution to fix the error within the information in the module:
sudo sh -c "echo /usr/lib/oracle/12.2/client64/lib > /etc/ld.so.conf.d/oracle-instantclient.conf"; sudo ldconfig
Note that you may have a different version of Oracle, and it could look like:
sudo sh -c "echo /usr/lib/oracle/19.6/client64/lib > /etc/ld.so.conf.d/oracle-instantclient.conf"; sudo ldconfig
Since I did not have the error on my main box, I had to install fresh, and I can confirm that it indeed solved the problem on Kali.
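
The fixes posted above hard-code a version directory (12.2 or 19.6) in the loader config. As an added example, not part of the original posts or the module, this script finds which Instant Client directory under /usr/lib/oracle actually contains libsqlplus.so; the function names and the ORACLE_ROOT variable are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: pick the Instant Client lib directory for the loader config
# instead of guessing 12.2 vs 19.6. ORACLE_ROOT is an assumption taken from
# the paths quoted in this thread.
ORACLE_ROOT="${ORACLE_ROOT:-/usr/lib/oracle}"
CONF=/etc/ld.so.conf.d/oracle-instantclient.conf

# Print the lib directory of the highest installed client version that
# really contains libsqlplus.so; return 1 if there is none.
find_client_lib() {
    root="$1"
    found=$(
        for lib in "$root"/*/client64/lib; do
            [ -f "$lib/libsqlplus.so" ] || continue
            ver=${lib#"$root"/}            # strip the root prefix
            ver=${ver%%/*}                 # keep only the version directory
            printf '%s %s\n' "$ver" "$lib"
        done | sort -t. -k1,1n -k2,2n | tail -n 1 | cut -d' ' -f2-
    )
    [ -n "$found" ] && printf '%s\n' "$found"
}

# Return 0 if the loader cache already resolves libsqlplus.so.
loader_has_sqlplus() {
    /sbin/ldconfig -p 2>/dev/null | grep -q 'libsqlplus\.so'
}

# Print the line to put in $CONF, or explain why nothing was found.
report() {
    if lib=$(find_client_lib "$1"); then
        echo "write to $CONF, then run ldconfig: $lib"
    else
        echo "no libsqlplus.so under $1/*/client64/lib"
    fi
}

report "$ORACLE_ROOT"
if loader_has_sqlplus; then
    echo "loader cache already resolves libsqlplus.so"
fi
```

The script only reads the filesystem and the loader cache; writing the config file and running ldconfig still need sudo, as in the posts above.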

Hey, let me know if you have cracked it. I am stuck in the same place; it is showing an error saying the sys.user$ table does not exist.

I just solved it, need to login as sysdba

This is not part of the task, but I was able to get a shell on the system ;D

2 Likes

Tip: I was stuck for ages. Make sure you are using the correct syntax when logging in, as for me it was wrong in the academy - sqlplus username/password@target ip/SID 'as sysdba';

1 Like

How can I know the version number of Oracle? Can you tell me? Thank you.

I understand now: sqlplus --version. This command can show the version number.

If anyone is still having issues with this - I was stuck for a while as well. Feel free to DM me. Note that literally every command you need is in the lesson. Follow it closely and use PWNBOX for this one. Using a local VM is a pain in the ■■■. Also, if you do have to use a VM, switch your VPN profile to TCP.

This worked perfectly. Thank you

Hey bro help me in this module

Worked for me too. What a pain, but I guess this is how it goes. Thank you so much!