IP : 10.10.10.16
OS – Linux
VM Author: ch4p
Writeup Author: Teck_K2
Port 80 is open, Let’s access the web page
By accessing the web I got to know that the target machine is using October CMS which is an open source self-hosted CMS platform based on the Laravel PHP framework.
In the account section we can Signup and access the app but it is of no use.
Now run the dirb and nikto tool and google some available exploit on October CMS
Unfortunately I coundn’t find anything useful in the google and Nikto result but I found something useful.
But In the Dirb result I found something useful which is /backend page with code:302 which means it will redirect us to somewhere else. Let’s open this in the browser.
By accessing the link I got redirected to the Administrative area.
Now we have the login page in front of us, we can do bruteforce attack, SQL-injection, etc..
Let’s try some manual brute-forcing.
Let’s try with (admin:password)
It’s showing us the error that the username is correct but the password is wrong, Now we know the user name is admin.
Let’s try another attempt
This time let’s try admin amdin
Haha We are lucky we got the admin access, now try to find a way where we can upload something.
In the media section we can upload our file, Now generate a php payload using Msfvenom, as the OctoberCMS is using PHP5,So we will need to generate a PHP5 meterpreter payload.
Now setup our listener
Now upload the file which we generated, after uploading you will see the upload complete pop up.
Now locate the file we uploaded and click on it.
Now, as soon you click on the Public URL you will see that we are connected to the server and got the meterpreter session open.
By using the sysinfo and getuid command we can check the the kernal version and the username
By navigating to the /home directory we got to know that there is a user called harry
We got the user flag.
But we still don’t have access to /root directory
We need to escalate our privilege from user to root.
By checking for the SUID permissions, I found a file which has root access which is under
/usr/bin/local/ the file name is ovrflw, to going by the name we can figure out the file has something to do with buffer overflow. let’s download it using download command in meterpreter and let’s check what’s in the file.
By doing the File command we got to know that the file is Elf 32 based LSB executable
Now we need to exploit it using gdb or gdb-peda
Now if you have run doing the source command which is mentioned in the github site but facing some problem like this
This is because the gdb can’t find file location you specified.
You can just copy the peda-master folder to the /root directory and type
echo “source ~/peda/peda.py” >> ~/.gdbinit
Now try to run that file you will see it’s now gdb-peda
Now try to find our EIP and exploit it
First we need to check which type of security is implemented in this file
By doing aslr and checksec command we got to know that the aslr is off and NX is ENABLED
If you want to learn about what is NX and RELRO then refer to these links
Now by doing pdisass main command, it dumped the assembler code, the main thing to notice is that it has strcpy in it which Copies the C string pointed by source into the array pointed by destination, including the terminating null character (and stopping at that point). Which will be very useful for us by pointing out and jump to our shellcode.
Now create a patter of 200 and paste it in pset arg and cross check with pshow arg
Now just type r it will run and inject the pattern which we created and it will give the breakpoint note down that. 0x41384141
Now search for the pattern offset and then run the search pattern command it will show us offset of EBP and ESP
Now we know The offset is (112)
No let’s try to exploit it on our local machine first
First start the and debug the file in our local machine
Now break the program at main and run then print the system address
As we know the ASLR is off in this file, or we can verify it by running it again and check the system address again if the address is different then we would know that it has ASLR enabled let’s check.
As you can see when run the program 2 times and the system address is same that’s how we can verify that it has no ASLR, now let’s try to get shell from it.
First we will find a same patter address which can be used with both libc_system and /bin/sh,
We need to find bin/sh address because that will point our system address to /bin/sh to get a shell, So try this
As you can see we got a matching pattern, let’s examine this.
As you can see by examining that particular address we got the output of “/bin/sh”
you can see this is the correct address to access “/bin/sh”
Now we will run a simple python command if successful then we will jump to the shell.
So let’s figure out how to perform this step,
First we will print our offset with “A” as we know the off set is 112 we will multiply offset with ”A”,
Now we will add the system address in little endian style, then we will add 4 bytes of NOP slat, and then the address we found which will point our system to “/bin/sh”
After running this program type c and enter if we are lucky we will get the shell.
As you can see we got our shell, but this would be not so easy attacking the victim machine because the file in the server has ASLR on + NX + Relro partial. If you don’t know about any of these security features I recommend to google and learn about this,
Let’s discus how can we exploit the target machine and get the root shell.
First connect to the server and get the shell then open up the file using gdb.
Break the program in main then run, and then check the system address.
Now find the “/bin/sh” address like we did earlier
Now get the print the exit address
Now note down all the three address (System, Exit and “/bin/sh” ).
As we have all the required address, now we need to run a python, syntax comprises of our 3 address,
As you can see first we will print the 112 “A” which is our offset, then we will write our required address in little endian style, So first four address would be our System address, Then next four address would be our Exit address, And in the last we have our “/bin/sh” address.
So what we are gonna do using this simple Python syntax is that we will try to brute-force and run the program, again and again using a while loop, until it matches our system and exit address, once both the address match with our address, the program will give us a shell.
After running for 5 min, I got the root shell, In your case, it might take few more minutes or maybe it would give you shell within 2 min because it’s changed address randomly.
Now navigate to the root folder and cat the flag.
~Enjoy Hacking and stay NOOB