Silo

So this one is fun, but I’m having trouble finding any good footholds. I’m enumerating the usual suspects, but either my lists are bad or I’m missing something obvious. Any nudges?

@GMTao said:
So this one is fun, but I’m having trouble finding any good footholds. I’m enumerating the usual suspects, but either my lists are bad or I’m missing something obvious. Any nudges?

nmap is enough

I can’t get the brute script to do anything??

stuck as well. Any hint for initial foothold?

@grd msfconsole can help on enumeration if I remember well, and also the odat tool from Quentin Hardy (GitHub - quentinhardy/odat: ODAT: Oracle Database Attacking Tool). I recommend you to use the standalone version.

@ompamo said:
@grd msfconsole can help on enumeration if I remember well, and also the odat tool from Quentin Hardy (GitHub - quentinhardy/odat: ODAT: Oracle Database Attacking Tool). I recommend you to use the standalone version.

I’ve tried the odat script and can’t quite get it to work to my advantage. Anyone have a tip for me? A PM always works if you fear you will spoil here…

You can live without the odat script. I didn’t use it.

i know three paths to get root.txt, i dont know if the others is intenional

Interesting. I only took one path to root.txt that was rather obvious and certainly intentional :slight_smile:

Any hints on getting a foothold on the box? I tried a bunch of exploits against the O service but not getting anywhere…

I finished it a couple of days ago so if you need nudge, hit me up on mattermost.

I would recommend exploring the configuration and setup from available meta tables and other meta structures instead of trying some sort of automated pwn exploit. Plenty of information in the net available.

@spade you are correct there are some different ways to get root. The “path way” to root will be through many doors where each lock has some weakness, but there’s a window to root you can jump.

I have gotten questions regarding this machine. These resources might be useful if you want to understand the Oracle DB security:

https://www.techonthenet.com/oracle/sys_tables/index.php
http://www.petefinnigan.com/orasec.htm

@lokori said:
I have gotten questions regarding this machine. These resources might be useful if you want to understand the Oracle DB security:

Oracle / PLSQL: Oracle System Tables
Oracle Security papers

Sorry man! I am just getting stuck big time. Can you/someone give me a more obvious hint? I only got to the database with the low privilege user. I am thinking privilege esc to DBA then get shell access?

@NinjaRockstar said:

@ompamo said:
@grd msfconsole can help on enumeration if I remember well, and also the odat tool from Quentin Hardy (GitHub - quentinhardy/odat: ODAT: Oracle Database Attacking Tool). I recommend you to use the standalone version.

I’ve tried the odat script and can’t quite get it to work to my advantage. Anyone have a tip for me? A PM always works if you fear you will spoil here…

you are using the right tool, if nothing work, check your user role.

@grd said:
stuck as well. Any hint for initial foothold?

Hint can be found in this forum

@diopter said:

@grd said:
stuck as well. Any hint for initial foothold?

Hint can be found in this forum

Wish I could see the hint, lol. I’m using the right tool apparently, but just maybe not correctly? If anyone has any further tips please PM me. Otherwise, I’ll move on to another box for now. Frustrating… :slight_smile:

As a general note, if the low level user was granted DBA rights, that would be awesome for the hacker. But that would spoil the fun for all other hackers who log in with that user, because there would be no challenge after the user is already a DBA.

Hep needed. I read tones of resources about Oracle,TNS,etc. I tried to make bruteforce with nmap with no success and I used odat with no success too. Please PM in order to get any good direction, no spoilers