Sunday, March 31, 2019



- Layout for this exercise:


- The goal of this exercise is to develop a hacking process for the vulnerable machine Silo, which is a retired machine from the Hack the Box pentesting platform:


- Silo's IP is

- Scanning with Nmap:

- So we have a Windows machine running the database Oracle listening on ports 1521 and 49161, and also IIS at port 80.

- Metasploit helps with the module sid_brute to bruteforce the Oracle SIDs needed to connect to the database:

- The ODAT (Oracle Database Attacking Tool) yields a similar result when guessing the SIDs:

- Throughout this exercise I will be using the standalone version of ODAT.

- Also, we know that default credentials for Oracle are scott:tiger, as explained here:


- Msfvenom helps to create an .aspx backdoor:

- ODAT uploads backdoor.aspx at Silo's web root directory:

- Starting a listening session:

- Running backdoor.aspx from the browser:

- The consequence is a low privileged Meterpreter session:

- Also, we can spawn a shell:

- Going to user Phineas's Desktop, there are two interesting files: user.txt and Oracle issue.txt:


- Reading user.txt:


- There are different ways of getting a remote root shell; let's see two of them.

5.1 - Uploading and running a backdoor with Odat

- Let's create now an executable backdoor.exe with Msfvenom:

- Copying backdoor.exe to Odat's working directory:

- Odat's utlfile --putFile option uploads the executable to Silo's C:/ drive:

- Setting a listening session:

- Running backdoor.exe with Odat's option externaltable --exec:

- Once backdoor.exe is executed we get a root Meterpreter session:

5.2 - Pass The Hash (PTH)

- First, we need to get the credential hashes with Volatility.

- Reading the text file Oracle issue.txt we find a link to Dropbox and an associated password:

- However, the first character of the password still needs to be found:

- Backgrounding the shell and going back to the Meterpreter session we can download the Oracle issue.txt text file to Kali:

- Opening it with gedit, the first character of the password is now clear:

- Using the password there is access to the Dropbox link:

- We find a Memory Dump for Silo:

- Saving the file:

- Unzipping twice:

- Finally we get a .dmp file:

- The forensics tool Volatility can help to read the dump content:

- Some options for Volatility:

- Getting virtual addresses for some files:

- Actually, the addresses of SYSTEM and SAM are of greatest interest to us:

- Hashdumping to a text file:

- Finally, we can read the hashes for three of the users: Administrator, Guest and Phineas:

Pass The Hash (PTH) is a hacking technique that allows an attacker to authenticate to a remote server or service by using the underlying NTLM or LM hash of a user's password, instead of requiring the associated plaintext password as is normally the case.

- We will use Pass The Hash (PTH) in two ways: the first using the Metasploit module psexec, the second using pth-winexe:

5.2.1 - Pass the Hash (PTH) with Metasploit psexec

- The psexec module can be used to obtain access to a given system when credentials such as the username and password hash are known:

5.2.2 - Pass the Hash (PTH) with pth-winexe

- pth-winexe is a patched version of winexe that can be used to get a remote shell by providing just the username and the hash of the password, so no cleartext password is needed:

- Alternatively, passing the username and hashed password on the command line:


- Reading root.txt: