# October

## October - 10.10.10.16

### Target Enumeration:

OS: Linux

IP: 10.10.10.16

User: 29161ca87aa3d34929dc46efc40c89c0

Root: 6bcb9cff749c9318d2a6e71bbcf30318

### Ports / Services / Software Versions Running

```
22/tcp open  ssh  OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80/tcp open  http Apache httpd 2.4.7 ((Ubuntu))
```

### Vulnerability Exploited:

Weak password on CMS

### Privilege Escalation:

Buffer overflow on /usr/local/bin/ovrflw

### Exploiting the host:

Nmap

![](https://lh6.googleusercontent.com/BpEdO8SaukSngRa6RegHO4Y98DIuZue3mTsqsQ_8W8GuEwz9hNg6Q95eeOFhP_-iNyw-RYLFELgcG62N3Kl59qj4xIoGIoLDX3FKtilEfQZcF6ho6UPXNbaH9soDtX_L6Otkp-jI)

Dirb

<div align="left"><img src="https://lh6.googleusercontent.com/gIr5Al5YMD8KeQBV_oVsNC2IcQ2tQV_blfTnKqn6cxoGDmpN-QgLg30OrD4g_MF3Mu1U4TERP6r59tcjiZ6tVSzRswlur6iAauygpHdnqVoMQmtNFePhZmolwWu7s8OQBhVRlZoD" alt=""></div>

Backend gives us a login page

![](https://lh6.googleusercontent.com/IEA_a9P9MzgM_O6FE-cq7r6BIopwiAmHSI3npLB3LDkf6Wfn79ZGPv_LzbmaOhD14l-pcDuA7IiwBtgVhm1cRGzxo9W_34_OdHHEMrPQia8Cp9AhnLz6PmMKFKUWiPEEmGmGgA5g)

Username enumeration gives us the user admin, so start Burp and brute-force the password with Intruder.

![](https://lh6.googleusercontent.com/OcftYquwZyBQhq0KiFso7pRNKX2hS2_zaN9Bc8l7_FsIDpMU6OKY3J3w1TIZmlNOAkBK8nqosjoUk3_ELEvFdFgmE5IPwyb8fEHRqoFZA4GwM6V47vSu23qw1PZZFP9uZjP4BlcD)

The login does not appear to be vulnerable to brute force, so revert the box and try a stealthier approach.

<div align="left"><img src="https://lh6.googleusercontent.com/FYKYwKY8rCYLgQKMJOjK281rWf5P9hY1FWNCbBiuXyf6AF8kZO50s8UYHj1fnqW-uOwbhxZ6Zn2AJZWV1H5Kdv2Cjrgdq1itvwbrcCI6XLRIwBh1aJI3U6JPZzugaYosFYet4sYm" alt=""></div>

Try common passwords such as password, october, admin, etc.

Admin:admin gives you access to the CMS.

![](https://lh4.googleusercontent.com/59TkL6-E1JwcYjUdlpR30Cn3QpmhduXV5M2jqfrT9UdmjH8rvPvGOxsYp1IGjKjaiEPS9lVFzR2cXf9-i0exFnErIYIWuIqAEoMwEbSLOmw-TUKxa6KrbET0eK5gx_2ASNPJ0LTs)

Upload a PHP shell; the .php extension is blocked, so rename it to shell.php5.

<div align="left"><img src="https://lh6.googleusercontent.com/4o4UCnYQWoYuV3ilU0XBT2WLm_dGu0xayE6T4e7Tbc8O-w1lDFvjQ6I2ZQ6kq-IqlE74JLtDL_PKUGWGdV94TcQ7SAGXrFgp8O69rcv4a_UckYCFDICl__XZuUFbZa9hAL10LE_8" alt=""></div>

Click on the public link and you will get a reverse shell.

<div align="left"><img src="https://lh3.googleusercontent.com/eSk2JlVkDdMKBnYpCnyyMZrUF1o0af6IkRq22hEcS7tlZAlfRe_b_ZNNybNog1touUIpApzjfQpdsx5D82IrKTO9lDgZLltqlIuxQACUP-uIMW0EeQhngEpmQWxPHfkenyYRM4-I" alt=""></div>

Checking suid files gives you:

![](https://lh5.googleusercontent.com/_KZB1mR7aJAxR9YvbH2pAM7RV0yvZiq0jPuoLolbR5bPQJ_GX24QWCuCgjfu5nKwsWti9G7kYDctv1ZLCAhl3OEM7veuquPdfdWAqnAyINBJhI80lNlFcvoFJC8maSuA6YG-phK2)

The name suggests it is vulnerable to a buffer overflow. The machine has GDB installed but not peda, so download the file locally to work on the buffer overflow.

Copy the file to /var/www/html/cms/storage/app/media

![](https://lh4.googleusercontent.com/Xj4MPMmLuxIVrKnV1N0G7zAjob0ROyTp8-Ij0ET3EbaJzfwJ0bXSoIHO7IQniHgfN4zsAlBYq-ve8Bz6waznwElM-GA8oA4g27RP9myzAYH5RI8eRjqgwPMUURlI-_RE__xX7p8s)

Then download it locally with wget.

<div align="left"><img src="https://lh6.googleusercontent.com/Cxod9Trjfw3DOAWWHBzo4FaPC027rqYHtLzp2ZLj7_ppXRW2SsuP5XywX151JhtJR8pwX0SkfCWecDVPfbLyA_W3cklGiW8jptxgR452vD0zpjxwWIDRiJusfpqz5mjOMu6i188p" alt=""></div>

We will need peda to work on the buffer overflow:

```bash
git clone https://github.com/longld/peda.git
echo "source ~/peda/peda.py" >> ~/.gdbinit
```

Check the security properties of the binary.

<div align="left"><img src="https://lh3.googleusercontent.com/HU_Tv3MrOMn4kZjbAGPTkkuQwqBCdWeqYkJkEWMFRIPyNyZR35SwdXSbjalk35XHLvWgzc45y2BAPlyDPya_CovqxWD7sTZOOD5HlXrBuIUurgbtJNN421ZeeQy9sh4ZIMVvGZQn" alt=""></div>

`strcpy` is interesting.

Fuzz the program

![](https://lh4.googleusercontent.com/iuNOr7Qy27PJ5ZUCPmbdC4yqa7r9aDRDrRxMvVx_2X5hXr3wkhD9K6agklSgbwkR46OxGXnyZyVy0YGJ657nyT7pGEE9YKr1cx7V4F0Wlqrx7salhSLtieSdVgaS1GQ87vwArq8H)

Run the program with `r`.

![](https://lh6.googleusercontent.com/LaRvxgLkUTRcLOHB7fKEM_FBso6wawr_mk1wWw747EMUmITkYyjqBkXC4Znb6qn5TsJgwNH_gkB84TPxwV7643EoHKFLGS-MfWdf787px0-A1tEkNVPTvTvg4eSe55L66_Wfn0KE)

Note the breakpoint

Query the offset

![](https://lh5.googleusercontent.com/qq74-2znBSIL--dQy29y6M61B4YRUZVXgJE8SYFNedsSRReLvSRWaLGXdQC3N3yUnlX6gXiwIwMKnkxu6TZO2tWF2zKbtRTPyIYwgu92J5jt--zrl-0rYSTjnpGmP9V_MtEtIzCw)

The EIP offset is 112.
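As an added illustration (not the source of ovrflw, which the writeup does not include), this is the unbounded `strcpy` pattern the checksec and fuzzing steps point at, next to a bounded copy that rejects oversized input. `BUF_SIZE` of 112 is an assumption chosen to match the offset found above, not the real binary's buffer size.

```c
/* Added example: unsafe strcpy into a fixed stack buffer vs. a bounded copy.
 * BUF_SIZE is assumed to be 112 to mirror the EIP offset in the writeup. */
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 112

/* Unsafe: the whole argument is copied regardless of length, so anything
 * past the buffer overwrites the saved frame pointer and return address.
 * That distance is what the offset-finding step in GDB measures. */
void vulnerable_copy(const char *input)
{
    char buf[BUF_SIZE];
    strcpy(buf, input);            /* no bound on input length */
    printf("%s\n", buf);
}

/* Hardened: measure first, refuse anything that does not fit with its
 * terminator, and leave dst untouched on failure. Returns 0 or -1. */
int bounded_copy(char *dst, size_t dst_size, const char *src)
{
    size_t len = strlen(src);
    if (len >= dst_size)           /* >= leaves no room for the NUL byte */
        return -1;
    memcpy(dst, src, len + 1);
    return 0;
}

/* 1 if an input of this many bytes would run off the end of buf in
 * vulnerable_copy, i.e. the condition the fuzzing pattern triggers. */
int would_overflow(size_t input_len)
{
    return input_len >= BUF_SIZE;
}

int main(int argc, char **argv)
{
    char safe[BUF_SIZE];
    if (argc < 2) {
        fprintf(stderr, "usage: %s <string>\n", argv[0]);
        return 1;
    }
    if (bounded_copy(safe, sizeof safe, argv[1]) != 0) {
        fprintf(stderr, "rejected %zu-byte input (limit %d)\n",
                strlen(argv[1]), BUF_SIZE - 1);
        return 1;
    }
    printf("%s\n", safe);
    return 0;
}
```

Building the hardened version with `-fstack-protector-strong` and `-D_FORTIFY_SOURCE=2` turns the remaining `strcpy` into a checked call and adds a canary, which is what a checksec run would show as present on a properly built binary.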

Note the memory addresses on October and find the memory address of /bin/sh.

![](https://lh6.googleusercontent.com/mOKFXO8gGG78Wsn4s2NlfhVXmcEJnBlc1FyDAEQLP6TAzlai2K6Zqz5MpehNZvCP2tot583kBhL7NVLcpcWA_ZciTzEQ8D1_Ngz6-BWDXh8MW934Gn1GLt-T5JFKm5x4Gg8OBIC3)

It is easier to keep track of the payload if you break it down in a notepad.

![](https://lh4.googleusercontent.com/gI5y4Yr9wEhA8yNl_f3Dak0KHVVsQvbF3EWpkjhyNkaHu9J1UyZtz0WxW0F5LsT_BjYWsBHWAqTy-Yq5AbnUCHB7v9UgyXrpn9j4UmBhJPJzLpv78KHWrC0BnysQf24sma4Ul8XC)

Brute-force the memory addresses, which shift between runs, so that the payload lands and NX is bypassed.

![](https://lh6.googleusercontent.com/KUX6IirxuCUZ45s7wMb9bmfSuoeVXbcTZEq6qvQiMfCY60jxzBgdZKDYLULDuI7hnkYRojvYj2Zco4LHZ0Msvf543CkyoyyNRZWweh6EQmpNQ9VVu5Gxp_ByXYwe46-VWOzoQ-dE)

After a few minutes you have a root shell, so collect your flag.

![](https://lh4.googleusercontent.com/9sft7IExkIz0UHsdD739Ev3RfoTYlYteZDzTXBE3XCIfITzSCu-SpHAqb3uAU4XM0Q-bu9rD4NBUSa4YOIGl6sBnmJulW4DbiyegByE7xJQKCdvv6WNLo1alggON5TfZMb-9Js0l)
