October Walkthrough HackTheBox

october

Name: October
IP : 10.10.10.16
OS – Linux

VM Author: ch4p
Writeup Author: Teck_K2
Nmap result
image1

Port 80 is open, Let’s access the web page

image2

By accessing the web I got to know that the target machine is using October CMS which is an open source self-hosted CMS platform based on the Laravel PHP framework.

In the account section we can Signup and access the app but it is of no use.
Now run the dirb and nikto tool and google some available exploit on October CMS
Unfortunately I coundn’t find anything useful in the google and Nikto result but I found something useful.

But In the Dirb result I found something useful which is /backend page with code:302 which means it will redirect us to somewhere else. Let’s open this in the browser.
image3

By accessing the link I got redirected to the Administrative area.
image4

Now we have the login page in front of us, we can do bruteforce attack, SQL-injection, etc..
Let’s try some manual brute-forcing.
Let’s try with (admin:password)
image5

It’s showing us the error that the username is correct but the password is wrong, Now we know the user name is admin.
Let’s try another attempt

This time let’s try admin amdin
Haha We are lucky we got the admin access, now try to find a way where we can upload something.
image6

In the media section we can upload our file, Now generate a php payload using Msfvenom, as the OctoberCMS is using PHP5,So we will need to generate a PHP5 meterpreter payload.
image7

Now setup our listener
image8

Now upload the file which we generated, after uploading you will see the upload complete pop up.
image9
Now locate the file we uploaded and click on it.
image10

Now, as soon you click on the Public URL you will see that we are connected to the server and got the meterpreter session open.
image11

By using the sysinfo and getuid command we can check the the kernal version and the username
image12

By navigating to the /home directory we got to know that there is a user called harry
image13

We got the user flag.
But we still don’t have access to /root directory
We need to escalate our privilege from user to root.

By checking for the SUID permissions, I found a file which has root access which is under
/usr/bin/local/ the file name is ovrflw, to going by the name we can figure out the file has something to do with buffer overflow. let’s download it using download command in meterpreter and let’s check what’s in the file.
By doing the File command we got to know that the file is Elf 32 based LSB executable
image14

Now we need to exploit it using gdb or gdb-peda

https://bitvijays.github.io/LFCBinaryExploitation.html

https://github.com/longld/peda

Now if you have run doing the source command which is mentioned in the github site but facing some problem like this

image15
This is because the gdb can’t find file location you specified.
You can just copy the peda-master folder to the /root directory and type
echo “source ~/peda/peda.py” >> ~/.gdbinit

Now try to run that file you will see it’s now gdb-peda
image16

Now try to find our EIP and exploit it
First we need to check which type of security is implemented in this file
image17

By doing aslr and checksec command we got to know that the aslr is off and NX is ENABLED
If you want to learn about what is NX and RELRO then refer to these links

https://en.wikipedia.org/wiki/NX_bit

http://tk-blog.blogspot.in/2009/02/relro-not-so-well-known-memory.html

http://hatriot.github.io/blog/2015/01/06/ntpdc-exploit/

Now by doing pdisass main command, it dumped the assembler code, the main thing to notice is that it has strcpy in it which Copies the C string pointed by source into the array pointed by destination, including the terminating null character (and stopping at that point). Which will be very useful for us by pointing out and jump to our shellcode.
image18

Now create a patter of 200 and paste it in pset arg and cross check with pshow arg
image19

Now just type r it will run and inject the pattern which we created and it will give the breakpoint note down that. 0x41384141
image20

Now search for the pattern offset and then run the search pattern command it will show us offset of EBP and ESP

image21

Now we know The offset is (112)
No let’s try to exploit it on our local machine first
First start the and debug the file in our local machine
image22

Now break the  program at main and run then print the system address
image23

As we know the ASLR is off in this file, or we can verify it by running it again and check the system address again if the address is different then we would know that it has ASLR enabled let’s check.
image24

As you can see when run the program 2 times and the system address is same that’s how we can verify that it has no ASLR, now let’s try to get shell from it.
First we will find a same patter address which can be used with both libc_system and /bin/sh,
We need to find bin/sh address because that will point our system address to /bin/sh to get a shell, So try this
image25
As you can see we got a matching pattern, let’s examine this.

As you can see by examining that particular address  we got the output of “/bin/sh”

image26
As

you can see this is the correct address to access “/bin/sh”
Now we will run a simple python command if successful then we will jump to the shell.
image27

So let’s figure out how to perform this step,
First we  will print our offset with “A” as we know the off set is 112 we will multiply offset with ”A”,
Now we will add the system address in little endian style, then we will add 4 bytes of NOP slat, and then the address we found which will point our system to “/bin/sh”
After running this program type c and enter if we are lucky we will get the shell.
image28

As you can see we got our shell, but this would be not so easy attacking the victim machine because the file in the server has ASLR on + NX + Relro partial. If you don’t know about any of these security features I recommend to google and learn about this,

Let’s discus how can we exploit the target machine and get the root shell.
First connect to the server and get the shell then open up the file using gdb.
image29

Break the program in main then run, and then check the system address.
image30

Now find the “/bin/sh” address like we did earlier
image31

Now get the print the exit address
image32

Now note down all the three address (System, Exit and “/bin/sh” ).
As we have all the required address, now we need to run a python, syntax comprises of our 3 address,
image33

As you can see first we will print the 112 “A” which is our offset, then we will write our required address in little endian style, So first four address would be our System address, Then next four address would be our Exit address, And in the last we have our “/bin/sh” address.
So what we are gonna do using this simple Python syntax is that we will try to brute-force and run the program, again and again using a while loop, until it matches our system and exit address, once both the address match with our address, the program will give us a shell.

image34

image35

After running for 5 min, I got the root shell, In your case, it might take few more minutes or maybe it would give you shell within 2 min because it’s changed address randomly.
Now navigate to the root folder and cat the flag.

~Enjoy Hacking and stay NOOB

Source: TechK2