Silo Box Writeup & Walkthrough – [HTB] – HackTheBox

This article shows how to hack Silo box and obtain both user.txt and root.txt by using Kali Linux.

Silo is a machine on the HackTheBox Platform.

Hack The Box is an online platform allowing you to test your penetration testing skills and exchange ideas and methodologies with other members of similar interests. It contains several challenges that are constantly updated.

This article shows how to hack Silo box and gain user.txt and root.txt.

First, I execute the following command to scan the Silo box IP address to obtain open ports and see if there are any weak services.

1
nmap -sS -Pn 10.10.10.82

ScanPorts
Ports Scan

As the screenshot shown above, there are several open ports. I then go to check them one by one.

The HTTP service (IIS) is running on the box, and I start on this service first. Open browser, and then navigate to the website (http://10.10.10.82).

IIS-Service
IIS-Service

The webpage is a default IIS Webpage. I assume that the web service is just a rabbit hole, however, just in case, I use dirb to enumerate the web folder and see what I can find.

Enum-Web-Folder
Enum-Web-Folder

Unluckily, I do not find anything interesting. Therefore, I move to the next service.

For attacking these services, I use metasploit, but, after my testing, there is no vulnerability on these services. It is another rabbit hole. I then move to the Oracle Database.

For hacking Oracle database, I use this tool: ODat

You may have to spend few hours for installing this tool on your Kali Linux. However, after installed it, everything would be easy.

After installed ODat, the next step is that I need to obtain a valid credential. There are some Oracle Database default credentials.

Silo Oracle Default Credentials
Silo Oracle Default Credentials

After verifying, I obtain a valid default credential:

Oracle Database Credential

Username: scott

Password: tiger

Then, I run the following command to obtain root.txt:

1
2
3
./odat.py externaltable -s 10.10.10.82 -d XE -U scott \
-P tiger --getFile "c:/Users/Administrator/Desktop" \
"root.txt" "spz.io" --sysdba
Silo Root Flag
Silo Root Flag

Get User.txt is a little difficult. First, I need to write a bat script to list users folder to figure out the username. (Another way is to run command net user to identify username)

I create a new file, name is 1.bat, and then insert the following content:

dir /a c:\users\

Silo 1.bat file
Silo 1.bat file

Then, we use the following command to upload the file and run the bat script.

1
2
3
./odat.py dbmsxslprocessor -s 10.10.10.82 \
-d XE -U scott -P tiger \
--putFile "c:/" 1.bat /root/Desktop/1.bat --sysdba

Then, we ran the command to get the list of user folder, and we got the username:

1
2
3
./odat.py externaltable -s 10.10.10.82 \
-d XE -U scott -P tiger --exec "dir C:/" \
1.bat --sysdba

Silo Box Local User’s UserName
Silo Box Local User’s UserName

Yay! I obtain the username “Phineas”. Then, I can use the same way to get the user.txt. (The command is similar with reading root.txt, just need to change the location to C:/Users/Phineas/Desktop/user.txt)

Silo Box user.txt
Silo Box user.txt

In general, it is an easy. The most difficult part is to install ODat and understand/learn some basic knowledge regarding the Oracle Database. Then, I spent a few hours to install the tool and just spent about 10 mins to root it. 

There is my another write-up of Aragog Box.