Silo

So this one is fun, but I'm having trouble finding any good footholds. I'm enumerating the usual suspects, but either my lists are bad or I'm missing something obvious. Any nudges?


Comments

  • @GMTao said:
    So this one is fun, but I'm having trouble finding any good footholds. I'm enumerating the usual suspects, but either my lists are bad or I'm missing something obvious. Any nudges?

    nmap is enough

    peek

  • I can't get the brute script to do anything??

    monkeychild

  • grd
    edited April 2018

    stuck as well. Any hint for initial foothold?


  • @grd msfconsole can help on enumeration if I remember well, and also the odat tool from Quentin Hardy (https://github.com/quentinhardy/odat). I recommend you to use the standalone version.

    ompamo

  • @ompamo said:
    @grd msfconsole can help on enumeration if I remember well, and also the odat tool from Quentin Hardy (https://github.com/quentinhardy/odat). I recommend you to use the standalone version.

    I've tried the odat script and can't quite get it to work to my advantage. Anyone have a tip for me? A PM always works if you fear you will spoil here...

  • You can live without the odat script. I didn't use it.

    lokori

  • I know three paths to get root.txt, I don't know if the others are intentional

    Hack The Box

  • Interesting. I only took one path to root.txt that was rather obvious and certainly intentional :)

    lokori

  • Any hints on getting a foothold on the box? I tried a bunch of exploits against the O service but not getting anywhere..

  • I finished it a couple of days ago so if you need a nudge, hit me up on mattermost.


  • I would recommend exploring the configuration and setup from available meta tables and other meta structures instead of trying some sort of automated pwn exploit. Plenty of information in the net available.

    lokori

  • @spade you are correct there are some different ways to get root. The "path way" to root will be through many doors where each lock has some weakness, but there's a window to root you can jump.

  • I have gotten questions regarding this machine. These resources might be useful if you want to understand the Oracle DB security:

    https://www.techonthenet.com/oracle/sys_tables/index.php
    http://www.petefinnigan.com/orasec.htm

    lokori

  • edited April 2018

    @lokori said:
    I have gotten questions regarding this machine. These resources might be useful if you want to understand the Oracle DB security:

    https://www.techonthenet.com/oracle/sys_tables/index.php
    http://www.petefinnigan.com/orasec.htm

    Sorry man! I am just getting stuck big time. Can you/someone give me a more obvious hint? I only got to the database with the low privilege user. I am thinking privilege esc to DBA then get shell access?

  • @NinjaRockstar said:

    @ompamo said:
    @grd msfconsole can help on enumeration if I remember well, and also the odat tool from Quentin Hardy (https://github.com/quentinhardy/odat). I recommend you to use the standalone version.

    I've tried the odat script and can't quite get it to work to my advantage. Anyone have a tip for me? A PM always works if you fear you will spoil here...

    You are using the right tool; if nothing works, check your user role.

  • @grd said:
    stuck as well. Any hint for initial foothold?

    Hint can be found in this forum

  • @diopter said:

    @grd said:
    stuck as well. Any hint for initial foothold?

    Hint can be found in this forum

    Wish I could see the hint, lol. I'm using the right tool apparently, but just maybe not correctly? If anyone has any further tips please PM me. Otherwise, I'll move on to another box for now. Frustrating... :)

  • As a general note, if the low level user was granted DBA rights, that would be awesome for the hacker. But that would spoil the fun for all other hackers who log in with that user, because there would be no challenge after the user is already a DBA.

    lokori

  • Help needed. I read tons of resources about Oracle, TNS, etc. I tried to brute-force with nmap with no success and I used odat with no success too. Please PM in order to get any good direction, no spoilers.

  • Help needed too, can anyone PM me?

  • The odat script is proving to be useless for me. No response from the server. Any links for Oracle DB exploitation?

  • @hoboscientist said:
    The odat script is proving to be useless for me. No response from the server. Any links for Oracle DB exploitation?

    You really need to experiment a lot with this tool in order to get it to work for you.

  • Make sure you follow the guides that others posted on getting the proper libraries and files on your machine for your tools to work. 64 is the best. And enumerate. That will get you where you want to be.

  • Can you give me any hint for dropbox file?

  • @6h05t said:
    Can you give me any hint for dropbox file?

    You can use the volatility tool on Kali to analyze this file.

  • Can you give me a password list to use, as I tried defaults and the rockyou list but no success :/
    I tested all the scripts on my local server and they are working perfectly, but not on this box :(

    Hack The Box

  • edited May 2018

    nevermind

    Hack The Box

  • edited May 2018

    After a few weeks of getting infuriated with random tools failing to acknowledge paths and ENV settings etc., Metasploit mods finally started to work but, as expected, no pwnage with automated Metasploit mods; it's no fun that way anyway.

    I went the manual route, took only a few min and was much more satisfying. I used sqldeveloper, I decided to write SQL and exploit manually. Fun box, can't really judge it bad because I found some of the exploit tools to be shit/way too temperamental to even bother to use.

    A great reminder that sometimes/often writing your own code is better in the long run. Now I just need to find the user.txt, the root one was easy lol

    Thumbs up to the developer of this box.

  • Do you have to do anything to the password for the drop service?

  • edited May 2018

    Spoiler Removed - Arrexel
