Silo Box Writeup & Walkthrough – [HTB] – HackTheBox

This article demonstrates how to hack the Silo box and retrieve both user.txt and root.txt using Kali Linux.

Silo is a machine featured on the Hack The Box platform. Hack The Box is an online platform that allows you to test your penetration testing skills and exchange ideas and methodologies with others who share similar interests. The platform is regularly updated with new challenges.

Initially, I executed the following command to scan the IP address of the Silo box to identify open ports and potential vulnerabilities:

nmap -sS -Pn 10.10.10.82

[Screenshot: Ports Scan]

As illustrated in the screenshot above, several ports are open. I checked each one individually.

The HTTP service (IIS) is active on the box. I began by navigating to the website: http://10.10.10.82.

[Screenshot: IIS Service]

The webpage displayed a default IIS webpage. Suspecting it might be a distraction, I nonetheless used dirb to probe the web folder.

[Screenshot: Web Folder Enumeration]

Unfortunately, this did not yield any useful findings, prompting me to investigate other services.

I utilized Metasploit to test these services but found no vulnerabilities—another dead end. Consequently, I turned my attention to the Oracle Database.

I used the tool ODAT on Kali Linux, which took a few hours to install. Once installed, the process was straightforward.

After trying various default Oracle Database credentials, I succeeded with one:

Oracle Database Credential

Username: scott

Password: tiger

I then executed the following command to retrieve root.txt:

./odat.py externaltable -s 10.10.10.82 -d XE -U scott \
-P tiger --getFile "c:/Users/Administrator/Desktop" \
"root.txt" "spz.io" --sysdba

[Screenshot: Silo Root Flag]

Retrieving user.txt was slightly more challenging. First, I wrote a batch script to list user folders to determine the username.

I created a file named 1.bat with the following content:

dir /a c:\users\

[Screenshot: Silo 1.bat file]

I then uploaded and executed the batch script using this command:

./odat.py dbmsxslprocessor -s 10.10.10.82 \
-d XE -U scott -P tiger \
--putFile "c:/" 1.bat /root/Desktop/1.bat --sysdba

The script provided the username “Phineas.”

./odat.py externaltable -s 10.10.10.82 \
-d XE -U scott -P tiger --exec "dir C:/" \
1.bat --sysdba

[Screenshot: Silo Box Local User's UserName]

I then used a similar method to obtain user.txt from Phineas’s desktop.

[Screenshot: Silo Box user.txt]

Overall, the hack was straightforward once ODAT was installed. Learning some basic Oracle Database operations was the most challenging aspect. Installation took a few hours, but the actual hacking process was completed in about 10 minutes.
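
From the defender's side, the two conditions this walkthrough relied on (a working default scott/tiger login, and that account being accepted with --sysdba so it could read and write files on the host) can be audited from a DBA session. The SQL below is an added example, not part of the original write-up; it assumes Oracle 11g or later, access to the DBA_* views, and traditional auditing enabled (AUDIT_TRAIL set) for step 6.

```sql
-- Added example: audit and remediation for the weaknesses used in this write-up.
-- Assumes Oracle 11g+ and a DBA session (for example SQL*Plus connected as SYS).

-- 1. Accounts still using a well-known default password, and whether they can log in.
SELECT d.username, u.account_status
FROM   dba_users_with_defpwd d
JOIN   dba_users u ON u.username = d.username
ORDER  BY u.account_status, d.username;

-- 2. Accounts in the password file, i.e. allowed to connect AS SYSDBA / AS SYSOPER.
SELECT username, sysdba, sysoper
FROM   v$pwfile_users;

-- 3. Grantees other than SYS/SYSTEM that can create directory objects or hold
--    the DBA role. Directory objects are what external tables and file-writing
--    packages use to reach the host file system.
SELECT grantee, privilege AS granted
FROM   dba_sys_privs
WHERE  privilege IN ('CREATE ANY DIRECTORY', 'DROP ANY DIRECTORY')
AND    grantee NOT IN ('SYS', 'SYSTEM')
UNION ALL
SELECT grantee, granted_role
FROM   dba_role_privs
WHERE  granted_role = 'DBA'
AND    grantee NOT IN ('SYS', 'SYSTEM');

-- 4. Existing directory objects and the OS paths they expose.
SELECT owner, directory_name, directory_path
FROM   dba_directories
ORDER  BY directory_path;

-- 5. Remediation for the sample account named on this page
--    (run the REVOKE only if step 2 lists the account).
REVOKE SYSDBA FROM scott;
ALTER USER scott ACCOUNT LOCK PASSWORD EXPIRE;

-- 6. Record failed logins, then review bursts of ORA-01017
--    (invalid username/password) per client host.
AUDIT SESSION WHENEVER NOT SUCCESSFUL;

SELECT userhost, COUNT(*) AS failures,
       MIN(timestamp) AS first_seen, MAX(timestamp) AS last_seen
FROM   dba_audit_session
WHERE  returncode = 1017
GROUP  BY userhost
HAVING COUNT(*) >= 5          -- threshold is an arbitrary example value
ORDER  BY failures DESC;
```

Steps 1 to 4 are read-only; step 5 changes account state, so confirm nothing depends on the account before running it.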

For more insights, check out my write-up on the Aragog Box.