Hack the Box: Silo Walkthrough

Hello friends!! Today we are going to solve another CTF challenge, “Silo”, which is available online for those who want to improve their skills in penetration testing and black-box testing. Silo is a retired vulnerable lab presented by Hack the Box for online penetration-testing practice according to your experience level; they have a collection of vulnerable labs as challenges from beginner to expert level.

Level: Expert

Task: find user.txt and root.txt file on victim’s machine.

Steps involved:

  1. Port scanning to discover open ports
  2. SID brute force
  3. Credential brute force
  4. Create payload
  5. Setup listener
  6. Upload shell with odat.py
  7. Getting meterpreter shell
  8. Finding user.txt
  9. Downloading zip file from dropbox
  10. Finding password hashes in memory dump
  11. Privilege escalation using pass the hash technique
  12. Finding root.txt

Since these labs are available online, they have a static IP; the IP of Silo is 10.10.10.82, so let’s begin with nmap port enumeration.

From the image given below, you can observe that only ports 80, 135, 139, 445, 1521 and 49152-49161 are open on the target system: HTTP, MSRPC, SMB, the Oracle TNS listener, and the Windows dynamic RPC port range.

As port 80 is running an HTTP server, we open the target machine’s IP address in our browser and find that it serves the default IIS page.

An Oracle database listener is exposed on port 1521; to connect to the database we need both a valid SID and a valid set of credentials.

We first need the SID of the Oracle instance, so we use Metasploit (the auxiliary/scanner/oracle/sid_brute module) to brute-force it.

After finding the SID, we brute-force valid credentials using Metasploit. Keep the wordlist small and try default Oracle accounts first: the default Oracle profile locks an account after ten failed logins.

We are unable to get a shell with a reverse_tcp payload, so we use reverse_https instead. We generate a 64-bit payload (windows/x64/meterpreter/reverse_https) with msfvenom, as the nmap scan shows that the operating system is 64-bit Windows Server.

We set up our listener (multi/handler with the same payload, LHOST and LPORT) before uploading the payload to the target machine.

We use a tool called ODAT (Oracle Database Attacking Tool) to exploit the Oracle database further (you can download the script here). Since we now have a valid SID and valid credentials, we use it to log in to the database and upload our ASP shell into the IIS default directory, C:\inetpub\wwwroot. The upload goes through ODAT’s utlfile module, so the account needs write access via the UTL_FILE package.

As soon as we request the uploaded shell through the web server, we get a reverse shell (a Meterpreter session) on our listener.

Enumerating the directories, we find two files in “C:\Users\Phineas\Desktop” called “user.txt” and “Oracle issue.txt”. We take a look at the contents of user.txt and find our first flag.

We take a look at the contents of “Oracle issue.txt” and find a Dropbox link and a password whose first character is not rendered by Kali Linux, a sign of an encoding mismatch between the Windows text file and the UTF-8 terminal.

We work out that the unrecognized character is the pound sign (£). We use the password to log in to Dropbox, find a zip file, and download it to our system.
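The unrendered character is an encoding problem rather than a missing glyph: a Windows editor usually saves a text file in the cp1252 code page, where the pound sign is the single byte 0xA3, which is not valid UTF-8 and therefore shows up as a replacement symbol on a UTF-8 terminal. The following Python example is added here and is not part of the original walkthrough; the note contents and the password in it are constructed and are not the real note from the box. It decodes a Windows text file with the likely encodings in order and names every non-ASCII character, so the password can be read exactly instead of guessed from a garbled glyph.

```python
"""Pin down a character the terminal would not render.  Added example, not
part of the walkthrough; the note below is constructed and its password is
made up (it is not the one from the box)."""
import unicodedata

# Constructed stand-in for "Oracle issue.txt" as a Windows editor saves an
# "ANSI" (cp1252) file: the pound sign is the lone byte 0xA3, which is not
# valid UTF-8, so a UTF-8 terminal on Kali prints a replacement glyph.
SAMPLE_CP1252 = b"Dropbox link: https://example.invalid/share\r\nPassword: \xa3Example99!\r\n"
# The same text saved as UTF-8, where the pound sign is the two bytes C2 A3.
SAMPLE_UTF8 = SAMPLE_CP1252.decode("cp1252").encode("utf-8")


def decode_windows_text(raw: bytes) -> tuple:
    """Return (encoding, text).  Order: a UTF-16 BOM, strict UTF-8 (with or
    without BOM), then cp1252, the usual encoding of Windows "ANSI" files.
    cp1252 leaves five bytes unassigned, so latin-1 is the never-failing fallback."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return "utf-16", raw.decode("utf-16")
    for enc in ("utf-8-sig", "cp1252"):
        try:
            return enc, raw.decode(enc)
        except UnicodeDecodeError:
            continue
    return "latin-1", raw.decode("latin-1")


def non_ascii_report(text: str) -> list:
    """Every non-ASCII character with its code point and Unicode name, so the
    password can be typed exactly instead of guessed from a garbled glyph."""
    return [(ch, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNKNOWN"))
            for ch in text if ord(ch) > 0x7F]


def recover_password(raw: bytes, label: str = "Password:") -> str:
    """Pull the token after `label` out of the correctly decoded file."""
    _, text = decode_windows_text(raw)
    for line in text.splitlines():
        if line.startswith(label):
            return line[len(label):].strip()
    raise ValueError("no password line found")


if __name__ == "__main__":
    enc, text = decode_windows_text(SAMPLE_CP1252)
    print(enc, non_ascii_report(text))      # cp1252 [('£', 'U+00A3', 'POUND SIGN')]
    print(recover_password(SAMPLE_CP1252))   # £Example99!
```

If the first guess is wrong, `file` on Kali or a hex dump of the first bytes tells you which branch applies: a lone 0xA3 points at cp1252, C2 A3 at UTF-8, and FF FE at UTF-16.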

After downloading the zip file, we unzip it and find that it contains a memory dump. We use the Volatility framework to investigate the dump, first identifying the correct profile with the imageinfo plugin.

We can now dump the hashes with Volatility’s hashdump plugin by supplying the virtual addresses of the SYSTEM and SAM registry hives (-y and -s respectively), which we obtain from the hivelist plugin.

As we now have the NT hash for “Administrator”, we use the pass-the-hash technique over SMB (port 445) to get a privileged shell; there is no need to crack the hash.
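To show why the hash alone is enough, the following Python example is added here; it is not code from the walkthrough, and the hashdump line, challenges and timestamp in it are constructed (the NT value is simply the hash of the word "password", not the box’s real hash). It parses a Volatility hashdump line and computes the NTLMv2 response a client would send, once from the dumped NT hash and once from the plaintext, showing that both are identical: the protocol never needs the password, only the MD4 digest of it.

```python
"""Pass the hash, shown at the protocol level: an NTLMv2 response is computed
from the NT hash alone, so a hash pulled out of the memory dump is as good as
the password.  Added example, not code from the walkthrough.  MD4 is written
out because OpenSSL 3 builds of hashlib frequently refuse hashlib.new("md4")."""
import hashlib
import hmac
import struct

_MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4.  The NT hash is MD4 over the UTF-16LE password (no salt)."""
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & _MASK
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = (  # (function, message-word order, rotation amounts, additive constant)
        (f, range(16), (3, 7, 11, 19), 0),
        (g, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (h, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, order, shifts, k in rounds:
            for i, w in enumerate(order):
                a = rotl((a + fn(b, c, d) + x[w] + k) & _MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c   # rotate registers so the next step updates "a"
        a, b, c, d = (a + aa) & _MASK, (b + bb) & _MASK, (c + cc) & _MASK, (d + dd) & _MASK
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16-le"))


def parse_hashdump_line(line: str) -> dict:
    """One pwdump-style line as Volatility's hashdump prints it:
    user:rid:lm_hash:nt_hash:::  (an LM value of aad3b435... means no LM hash stored)."""
    user, rid, lm, nt = line.strip().split(":")[:4]
    return {"user": user, "rid": int(rid), "lm": bytes.fromhex(lm), "nt": bytes.fromhex(nt)}


def ntowf_v2(nt: bytes, user: str, domain: str) -> bytes:
    """MS-NLMP 3.3.2: HMAC-MD5 keyed by the NT hash over UPPER(user) || domain."""
    return hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def ntlmv2_response(nt: bytes, user: str, domain: str, server_challenge: bytes,
                    client_challenge: bytes, timestamp: int, target_info: bytes = b"") -> bytes:
    """NtChallengeResponse = NTProofStr || temp, computed from the NT hash only.
    temp layout (MS-NLMP 2.2.2.7): resp type 1,1; 6 reserved bytes; FILETIME;
    8-byte client challenge; 4 reserved; AV pairs; 4 reserved."""
    temp = (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4)
    proof = hmac.new(ntowf_v2(nt, user, domain), server_challenge + temp, hashlib.md5).digest()
    return proof + temp


def demo() -> bool:
    """Constructed hashdump line (NOT the box's real hash: the NT value is just
    the hash of 'password') and fixed challenges so the run is repeatable.
    True when the response built from the dumped hash equals the one a client
    holding the plaintext would send."""
    line = "Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::"
    entry = parse_hashdump_line(line)
    server_challenge = bytes.fromhex("0123456789abcdef")   # constructed
    client_challenge = bytes.fromhex("fedcba9876543210")   # constructed
    timestamp = 0x01D3B6E2A9F1C000                          # arbitrary FILETIME
    with_hash = ntlmv2_response(entry["nt"], entry["user"], "SILO",
                                server_challenge, client_challenge, timestamp)
    with_pass = ntlmv2_response(nt_hash("password"), entry["user"], "SILO",
                                server_challenge, client_challenge, timestamp)
    return with_hash == with_pass


if __name__ == "__main__":
    print("dumped hash reproduces the NTLMv2 response:", demo())
```

This is exactly what pass-the-hash tools (pth-winexe, psexec.py with -hashes, Metasploit’s psexec with an LM:NT pair) do internally: they skip the keyboard-to-MD4 step and feed the stored NT hash straight into the NTLM response computation, which is why an unsalted NT hash must be treated as a credential in its own right.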

After getting a privileged shell, we find a file called root.txt inside “C:\Users\Administrator\Desktop”. We open it and find the final flag.

Author: Sayantan Bera is a technical writer at Hacking Articles and a cyber security enthusiast.
