Description:
We are investigating an illegal online gambling site. To find any evidence of illegal gambling, we must access the Oracle database with administrator privileges. The suspect says that he does not know the administrator password, but we know for sure that he is lying.
The password is estimated to be longer than 8 characters. However, we don’t have enough time to apply a brute-force attack. In order to request an arrest warrant, we must find the evidence of illegal gambling before the YUT-Challenge is over.
By using social engineering, we were able to find various data about the suspect. By analyzing the data, we found that the suspect always includes the last four digits ('1024') of his phone number in his password. Hence, we may assume that his phone number is included in the administrator password for the database.
The given file is a dump of the sys.user$ table in the Oracle database. (The data file of the system tablespace is too big to upload.)
Find the password of ‘SYSTEM’ account.
Summary: brute force with John the Ripper
We are given part of the password, so we consider the task to be a brute-forcing challenge. Let's first get the password hashes. If we run strings on the file, we'll see that the hashes look like
S:1DD713366F74C3C50EE788472C538B30E96E1D993253573202667D1462BC
and SYSTEM's hash is:
S:26D848B7ED72F141CF31DDD137DD70C4839FEA45A78230C3977D6895936F
So, let’s use John the Ripper to crack them:
Note: I am trying to crack all hashes; there can be a hint in the other passwords, and it isn't much slower.
$ strings task.db | grep -E "^S:" >hashes.txt
$ ./john-1.7.6-jumbo-12/run/john hashes.txt
Loaded 41 password hashes with 41 different salts (Oracle 11g [oracle11])
s                (S)
tiger            (S)
dip              (S)
march            (S)
^C
$ cat ./john-1.7.6-jumbo-12/run/john.pot
EDD08A386D961B35E097E9153DF2CACA69E3CCFE22DD64218AF9433DAAA1:s
45184B84D44775C31633B8DF0DC5DE2C5153E23F21A2EB73B44881843220:tiger
51C0606CD08192EF543678519467E3320A44603F68E04BF2D6C97B881FA7:dip
EA094B23FE444D11C230C341F7BD7D250907647C84B6F0334D4FB52A1901:march
OK, we found some simple passwords (unluckily none of them belongs to SYSTEM, hehe), and now we know the hash type John detected: oracle11 (Oracle 11g).
Now there are two ways: generate our own dictionary for John, or modify John's rules so that it appends "1024" to each candidate. The first way is much easier, so we'll use it. Here is a small script to generate passwords:
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import sys
from itertools import combinations_with_replacement

# characters allowed in front of the known suffix
alpha = "abcdefghijklmnopqrstuvwxyz_.-!@#$%^&*()+=[]{};:'\"\\,./?><"
MAXLEN = 10  # total password length, including the 4-character suffix
f = sys.stdout  # open("mydict.txt", "w", 4096 * 4096)

# the suffix "1024" is fixed, so only MAXLEN - 4 characters are free
for strlen in range(MAXLEN + 1 - 4):
    # combinations_with_replacement only yields characters in non-decreasing
    # alphabet order (no permutations), so the candidate list stays small;
    # it finds a password only if its characters happen to be in that order
    for s in combinations_with_replacement(alpha, strlen):
        f.write("".join(s) + "1024\n")
    sys.stderr.write("length=%d done\n" % (strlen + 4))
Now, run John, feeding it the candidates on stdin:
$ python2.7 gendict.py | ./john-1.7.6-jumbo-12/run/john --stdin hashes.txt
Loaded 37 password hashes with 37 different salts (Oracle 11g [oracle11])
length=4 done
length=5 done
length=6 done
jk_1024          (S)
jk_1024          (S)
jk_1024          (S)
length=7 done
jk##1024         (S)
length=8 done
Traceback (most recent call last):
  File "gendict.py", line 13, in <module>
    f.write("".join(s) + "1024\n")
KeyboardInterrupt
guesses: 4  time: 0:00:00:11  c/s: 1629K  trying: adeo:1024
Session aborted
Nice, we have some passwords after only 11 seconds! Let's check the pot file:
$ cat ./john-1.7.6-jumbo-12/run/john.pot
EDD08A386D961B35E097E9153DF2CACA69E3CCFE22DD64218AF9433DAAA1:s
45184B84D44775C31633B8DF0DC5DE2C5153E23F21A2EB73B44881843220:tiger
51C0606CD08192EF543678519467E3320A44603F68E04BF2D6C97B881FA7:dip
EA094B23FE444D11C230C341F7BD7D250907647C84B6F0334D4FB52A1901:march
71974569DA24DA8939C214C32138F06F9D0E33F97A7C5A72A601D78B0CCE:jk_1024
12ABB669E515B3516B234D95DF70C8EDC3530F5E2A4ECD58F529174D9857:jk_1024
1F7C9384AF8F0B497E0EAB09A0141D96012DC5FC5227DA6CEF7AEB0D423F:jk_1024
26D848B7ED72F141CF31DDD137DD70C4839FEA45A78230C3977D6895936F:jk##1024
Yesss, the last one is SYSTEM's hash, so we have the right one!
The flag: jk##1024
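To see why these entries fall so quickly and to verify the result independently of John, here is an added example (not part of the original writeup) that parses the Oracle 11g S: verifier format, checks the recovered password against the SYSTEM hash from the dump, and cracks a constructed hash using the known "1024" suffix with a full itertools.product keyspace instead of the writeup's ordered combinations. It assumes the standard 11g format, SHA1(password || 10-byte salt) with the salt appended in hex; the test salt and test password are constructed.

```python
# Added example: parse/verify Oracle 11g "S:" verifiers and crack one with a known suffix.
import hashlib
import itertools


def parse_oracle11(entry):
    """Split an 'S:' verifier into (sha1_digest, salt) as bytes.

    Oracle 11g layout: 'S:' + hex(SHA1(password || salt)) + hex(salt),
    i.e. 40 hex chars of digest followed by 20 hex chars (10 bytes) of salt.
    """
    if entry.startswith("S:"):
        entry = entry[2:]
    if len(entry) != 60:
        raise ValueError("expected 60 hex characters, got %d" % len(entry))
    return bytes.fromhex(entry[:40]), bytes.fromhex(entry[40:])


def check_oracle11(entry, password):
    """Return True if password matches the 'S:' verifier (one unsalted-per-user SHA-1)."""
    digest, salt = parse_oracle11(entry)
    return hashlib.sha1(password.encode() + salt).digest() == digest


def make_oracle11(password, salt):
    """Build an 'S:' verifier; used here only to construct test data."""
    return "S:" + (hashlib.sha1(password.encode() + salt).digest() + salt).hex().upper()


def crack_with_suffix(entry, alphabet, max_free, suffix="1024"):
    """Try every string of up to max_free alphabet chars followed by suffix.

    Unlike combinations_with_replacement in the writeup's script, product()
    covers all orderings, so the keyspace is sum(len(alphabet)**n) candidates.
    """
    for n in range(max_free + 1):
        for chars in itertools.product(alphabet, repeat=n):
            candidate = "".join(chars) + suffix
            if check_oracle11(entry, candidate):
                return candidate
    return None


# SYSTEM verifier copied from the dump; the salt/password below are constructed test data.
SYSTEM_HASH = "S:26D848B7ED72F141CF31DDD137DD70C4839FEA45A78230C3977D6895936F"
TEST_SALT = bytes(range(10))
TEST_HASH = make_oracle11("kj#1024", TEST_SALT)

if __name__ == "__main__":
    print(check_oracle11(SYSTEM_HASH, "jk##1024"))  # expected True
    print(crack_with_suffix(TEST_HASH, "#jk", 3))   # expected kj#1024
```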