Hacking
  • Penetration Testing
  • Methodologies
    • Exfil
    • Manual Enumeration
    • Basic Buffer Overflow
    • Basic Internal Network test
    • Basic Mobile Testing guide
    • Basic Subdomain Enumeration guide
  • Guides
    • Build A Raspberry Pi Dropbox
    • Golang
    • Powershell / PowerView
    • PurpleSharp
  • Hack The Box last updated - 2019
    • Legacy
    • Devel
    • Optimum
    • Popcorn
    • Beep
    • Tenten
    • Arctic
    • Cronos
    • Grandpa
    • Granny
    • October
    • Lazy
    • Sneaky
    • Holiday
    • Blocky
    • Shrek
    • Blue
    • Joker
    • Europa
    • Haircut
    • Bank
    • SolidState
    • Mantis
    • Shocker
    • Tally
    • Sense
    • Jeeves
    • Stratosphere
    • Inception
    • Bashed
    • Fluxcapacitor
    • Canape
    • Rabbit
    • Chatterbox
    • Nibbles
    • Sunday
    • Aragog
    • Valentine
    • Silo
    • Olympus
    • Poison
    • Celestial
    • Waldo
    • Jerry
    • Access
    • Active
    • Netmon
  • scriptz
  • Issues
    • gists
    • Boring Issues
Powered by GitBook
On this page
  • October - 10.10.10.16
  • Target Enumeration:
  • Ports / Services / Software Versions Running
  • Privilege Escalation:
  • Exploiting the host:
  1. Hack The Box last updated - 2019

October

PreviousGrannyNextLazy

Last updated 6 years ago

October - 10.10.10.16

Target Enumeration:

OS: Linux

IP: 10.10.10.16

User: 29161ca87aa3d34929dc46efc40c89c0

Root: 6bcb9cff749c9318d2a6e71bbcf30318

Ports / Services / Software Versions Running

22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0) 80/tcp open http Apache httpd 2.4.7 ((Ubuntu)) Vulnerability Exploited:

Weak password on CMS

Privilege Escalation:

Buffer overflow on /usr/local/bin/ovrflw

Exploiting the host:

Nmap

Dirb

Backend gives us a login page

Username enumeration gives us a user of admin so start burp and bruteforce the password with intruder.

Does not appear to be vulnerable to brute force so revert the box and try a stealthy approach.

Try common passwords such as password, october, admin etc.

Admin:admin gives you access to the CMS

Upload a php shell which will not work so rename it to shell.php5

Click on the public link and you will get a reverse shell

Checking suid files gives you:

The name suggests it is vulnerable to a buffer overflow. The machine has GDB installed but not peda so download the file locally to work on the buffer overflow.

Copy the file to /var/www/html/cms/storage/app/media

And download with wget locally

We will need peda to work on the buffer overflow:

echo "source ~/peda/peda.py" >> ~/.gdbinit

Check the security of the file

Strcpy is interesting.

Fuzz the program

Run the program with r

Note the breakpoint

Query the offset

EIP offset is 112

Note the memory addresses on October and find memory address of /bin/sh

It is easier if you break it down in notepad

Bruteforce the memory addresses to bypass NX

After a few minutes you have a root shell so collect your flag

git clone

https://github.com/longld/peda.git