Introduction
Silo is a machine on the HackTheBox.
Hack The Box is an online platform allowing you to test your penetration testing skills and exchange ideas and methodologies with other members of similar interests. It contains several challenges that are constantly updated.
This article will show how to hack Silo box and get user.txt and root.txt.
Collection
First, we scan the Silo box open ports and see if there are some services are weak.
There are a lots of ports open. Let’s try it one by one.
Hack the Silo Box
Hack the Silo box http service
The HTTP server is running on this box, so let’s start on this service first. Open browser, and visit website.
The webpage is a default IIS Webpage. So, I am assuming that it is not the correct way. But, just in case, we use dirb to enumerate and see what can we find.
Unluckily, we did not find anything. So, let’s move on the next service.
Hack 135, 139 & 445 ports
For hacking these services, we can use metasploit. But, After my testing, there is no vulnerability on these services. So, the correct way should be Oracle Database.
Hack the Oracle Database
I had been working around 3 years as a database & system Administrator. So, I knew where is the weakness of a database. For hacking Oracle database, we are using this tool: ODat
You will spend few hours to install this tool on your Kali Linux. But, after install this tool. Everything is easy. (In this article, I will not show you how to install it, because there are too many tutorials to show how to install it)
After install ODat, the next step is, we need to find which user is using default or weak credentials. This is the List of Oracle default credentials.
After testing, we can find a default credential:
Username: scott
Password: tiger
Then, we run command to get root.txt:
./odat.py externaltable -s 10.10.10.82 -d XE -U scott -P tiger --getFile "c:/Users/Administrator/Desktop" "root.txt" "spz.io" --sysdba
Get User.txt is a little bit difficult. First, we need to write a bat script to list users folder to figure out the username.
We create a new file, name is 1.bat, and the content is:
Then, we use command to upload the file and run the script.
./odat.py dbmsxslprocessor -s 10.10.10.82 -d XE -U scott -P tiger --putFile "c:/" 1.bat /root/Desktop/1.bat --sysdba
Then, we ran the command to get the user folder list, and we got the username:
./odat.py externaltable -s 10.10.10.82 -d XE -U scott -P tiger --exec "dir C:/" 1.bat --sysdba
Ha, we got the user name “Phineas”. Then, we can run the same command to get the user.txt. (The command is similar with read root.txt, just need to change the location to C:/Users/Phineas/Desktop/user.txt)
Summary
Generally, this box is easy. What you need to do is that spent few hours to install ODat on your Kali Linux. I spent around 2 hours to install this tool. Then, spent 10 mins to root this box. The difficulty of this box should around 5. (4 is for install ODat tool + 1 is for root this box).
There is my another write up of Aragog Box.