Oracle is running so enumerate the users
Download odat to exploit the database
git clone https://github.com/quentinhardy/odat.git
Database is using the default credentials scott\tiger
Set up a meterpreter listener on port 443 (https)
Generate a reverse meterpreter https shell, install ruby dependencies (annoying) and upload your shell.
Now you have a shell, no local privescs work.
Looking in the users desk op directory we found:
Had some weird encoding issues so could not open the link, later found out it was a ‘£’
Testing out the service I saw it was running with system privileges
Elevate to system user with odat and upload a shell to the admins desktop and execute it.
Now you have a system shell.