October | HackTheBox | Write-up

Hey guys! In this blog, we are going to pwn October from HackTheBox. Before we begin, let me give you a brief overview of what exactly we are going to do :

  1. First, we scan the box to find a laravel web application running October CMS.
  2. Then we go beyond the admin panel of the CMS after which we upload a php reverse shell.
  3. That will give us the access as a low privileged user.
  4. Then we escalate our privileges to root by a classic binary exploitation.

With that said, let us begin.

SCANNING :

A short and quick nmap scan reveals ports 22 and 80 to be open.

By the port numbers, as you might have guessed, we have OpenSSH 6.6.1p1 running on port 22 and Apache httpd 2.4.7 on port 80.

I do not think we need to know more than this in the scanning phase. Let us now move to enumeration.

ENUMERATING HTTP :

Since HTTP has a large attack vector, let us begin with that first.

By visiting the IP through the browser, we are greeted with the below page:

By the caption of the heading, we now know this is presented by October CMS. There are 3 sub-pages also shown in the navigation bar: Account, Blog and Forum.

Finding nothing interesting here, I decided to fuzz for some directories.

I am using wfuzz to fuzz with some common wordlists of dirb.

The backend directory looks juicy. Let us check what it has for us.

We are redirected to /backend/backend/auth/signin that is the admin login page for October CMS. I tried some common credentials that I usually try in such situations like :

admin:admin

admin:password

admin:october

root:root

root:password

root:october

However, luckily, the admin:admin worked and we are in.

EXPLOITATION :

If we enumerate a little more, we find an upload functionality in Media tab.

Now you know what exactly we have to do ;) Yup, let us upload a php reverse shell with .php5 extension (since there is a file with php5 extension, the box is probably accepting php5 extension files only).

As you can see, our shell is uploaded. Now we just need to set up a listener and trigger the shell by the link on the right panel.

We now have a shell as www-data. You can read the user flag from the user’s home directory.

PRIVILEGE ESCALATION :

Let us check for SUID set files.

Of all the files, the /usr/local/bin/ovrflw is odd.

The file is owned by root. This might be our way to root. Let us export it in our local box and play with it a bit.

TIME FOR BINARY EXPLOITATION :

With the binary being downloaded on my local box, let us start experimenting with it.

As you can see, when we run the binary with no command line arguments, it gives us the message to give one string as input. Next, we run again with a test string, but we see no visual response. However, if we give a sufficiently large input, it causes a segmentation fault, proving that there is indeed a buffer overflow.

Let us now examine the binary under GDB.

We load the binary in GDB and look for the security enabled in the binary. As you can see, the NX bit is disabled. So we can not put a shellcode and execute it from the stack.

In such cases,we can try another technique called ret-to-libc technique. In this, we redirect the execution by overwriting the return address to libc function like system() with argument ‘/bin/sh’ to obtain shell.

But for that, we need to find the offset to overwrite the return address. Let us do that first.

I have created a cyclic pattern of length 200 and provide it as CLI to the binary in GDB. The Segmentation Fault occurs at 0x62616164 (‘daab’).

With the EIP value, we determined the offset to be at 112.

Now its time to find the address for system, exit and /bin/sh in libc.

We used the ldd utility to find the address for libc shared library which is at 0xf7d3d000. Then we used readelf to get the offset for system, exit and /bin/sh from libc. However, that is just offset. The actual address would be :

<addr of libc> + <offset>

Now that we know the addresses, its time to build our fake function call.

This would take the form :

<112 A’s> + <system function addr> + <exit function addr> + <’/bin/sh’ string addr>

The return address is first overwritten with system function address so the control flows there, then exit function address is given as the new return address, next, the argument for system function is given which is ‘/bin/sh’.

Let us build the exploit and run it.

Wait! We are supposed to get a shell. Instead we got a segmentation fault. Let us debug that and find where exactly we went wrong.

When we again check the libc address, we find a different address from the one we found a few minutes ago. This indicates that the ASLR is on. We verified the same by checking for ASLR.

ASLR means Address Space Layout Randomization which is responsible for making the address of stack, heap, shared libraries and executables in the memory to be random.

Now, how we bypass that? One way is to run the binary in a while loop so that it increases the probability of our exploit to work. Let us try that out.

As you can see, we are successful to pop a shell.

Now, playtime on the local box is over. Let us do the same thing on the remote box.

And we succeeded to elevate our privileges to root. You can read the root flag now too.

So that was it for October box. I hope you liked the write-up.

Thanks for reading this far. I will see you in the next one. Peace.

Breaking things like a bàKà