Silo is a retired vulnerable machine running the Windows operating system. The goal is to use its vulnerabilities to obtain the user and root flags.
We start with an nmap network scan to identify the target machine.
Classic Scan
![](https://www.muhammedaygun.com/wp-content/uploads/2023/11/image-298.png)
![](https://www.muhammedaygun.com/wp-content/uploads/2023/11/image-299.png)
Full Port Scan
![](https://www.muhammedaygun.com/wp-content/uploads/2023/11/image-300.png)
The port scan found several open ports. The most striking were the following:

- 80/tcp http Microsoft IIS httpd 8.5
- 135/tcp msrpc Microsoft Windows RPC
- 139/tcp netbios-ssn Microsoft Windows netbios-ssn
- 445/tcp microsoft-ds Microsoft Windows Server 2008 R2 – 2012 microsoft-ds
- 1521/tcp oracle-tns Oracle TNS listener 11.2.0.2.0
- 8080/tcp http Oracle XML DB Enterprise Edition httpd

We enumerate these ports.
Enumerating the SMB port gave us no information.
On port 80, enumeration and file/directory scanning returned no results.
(These steps are omitted to keep the blog post short.)
We enumerate the Oracle TNS listener on port 1521 with the help of the guide at
https://book.hacktricks.xyz/network-services-pentesting/1521-1522-1529-pentesting-oracle-listener
First, let's scan with nmap to see whether there is a vulnerability:

```
nmap --script +oracle-sid-brute -p 1521 10.10.10.82 -v
```
![](https://www.muhammedaygun.com/wp-content/uploads/2023/11/image-301.png)
Then we brute-force the SID value with odat.
After obtaining the SID XE, we run a password brute force.
![](https://www.muhammedaygun.com/wp-content/uploads/2023/11/image-302.png)
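
On the defender's side, the SID guessing above leaves a trail in the listener log, because each wrong SID is rejected with TNS-12505. The following is an added example, not part of the original walkthrough: the log lines, IP addresses and the function name `sid_guessing_sources` are constructed, and the classic text `listener.log` connect-record layout is assumed. It flags sources that try many unknown SIDs and records whether they then reached a valid one.

```python
import re
from collections import defaultdict

# Connect record (assumed layout):
#   timestamp * (CONNECT_DATA=...) * (ADDRESS=...) * establish * SID * return code
RECORD = re.compile(
    r"\(SID=(?P<sid>[^)]*)\).*?\* \(ADDRESS=.*?\(HOST=(?P<src>[^)]+)\)"
    r".*?\* establish \* \S+ \* (?P<code>\d+)$")


def _rec(ts, sid, src, code):
    """Build one constructed listener.log connect record (sample data only)."""
    return (f"19-NOV-2023 {ts} * (CONNECT_DATA=(SID={sid})(CID=(PROGRAM=)(HOST=client)(USER=))) "
            f"* (ADDRESS=(PROTOCOL=tcp)(HOST={src})(PORT=40112)) * establish * {sid} * {code}")


# Constructed sample: a normal client with one typo, and a source guessing SIDs.
SAMPLE_LOG = "\n".join(
    [_rec("10:15:01", "XE", "192.0.2.10", 0), _rec("10:15:09", "XEE", "192.0.2.10", 12505)]
    + [_rec(f"10:16:{i:02d}", sid, "198.51.100.7", 12505)
       for i, sid in enumerate(["ORCL", "PROD", "TEST", "DEV", "ORACLE"])]
    + ["TNS-12505: TNS:listener does not currently know of SID given in connect descriptor",
       _rec("10:16:05", "XE", "198.51.100.7", 0)])


def sid_guessing_sources(log_text, min_unknown_sids=5):
    """Return sources that were refused (TNS-12505) for at least
    min_unknown_sids distinct SIDs, with any SIDs they connected to successfully."""
    unknown, found = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        m = RECORD.search(line)
        if not m:
            continue  # TNS-xxxxx message lines and non-connect records
        if m["code"] == "12505":      # listener does not know this SID
            unknown[m["src"]].add(m["sid"].upper())
        elif m["code"] == "0":        # connection handed to a known SID
            found[m["src"]].add(m["sid"].upper())
    return {src: {"unknown_sids": sorted(sids), "valid_sids": sorted(found[src])}
            for src, sids in unknown.items() if len(sids) >= min_unknown_sids}


if __name__ == "__main__":
    for src, hit in sid_guessing_sources(SAMPLE_LOG).items():
        print(f"{src}: {len(hit['unknown_sids'])} unknown SIDs tried, "
              f"valid SIDs reached: {hit['valid_sids'] or 'none'}")
```

A source that appears with a non-empty `valid_sids` list has found a usable SID and deserves a follow-up look at the database audit trail for failed logons.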
We identified the user scott/tiger and investigated how to get a reverse shell using this user.
![](https://www.muhammedaygun.com/wp-content/uploads/2023/11/image-303.png)
Here we see that we can upload files using odat's dbmsxslprocessor module.
Let's create an exe payload with msfvenom and upload it to the target machine.
![](https://www.muhammedaygun.com/wp-content/uploads/2023/11/image-304.png)
We upload the payload we created.
![](https://www.muhammedaygun.com/wp-content/uploads/2023/11/image-305.png)
It said we were not allowed to upload it here. When we added the --sysdba parameter, it allowed us.
![](https://www.muhammedaygun.com/wp-content/uploads/2023/11/image-306.png)
Now we will run this payload. Before running it, we start a listener with nc to catch the reverse shell. We then executed the payload using the command:

```
odat externaltable -s 10.10.10.82 -U scott -P tiger -d XE --exec /temp shell.exe --sysdba
```
![](https://www.muhammedaygun.com/wp-content/uploads/2023/11/image-307.png)
As you can see, we got our shell.
In this way, we obtained both the user and root flags, since the shell runs as the system user.
![](https://www.muhammedaygun.com/wp-content/uploads/2023/11/image-308.png)
![](https://www.muhammedaygun.com/wp-content/uploads/2023/11/image-309.png)