22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0) 80/tcp open http Apache httpd 2.4.7 ((Ubuntu)) Vulnerability Exploited:
Weak password on CMS
Buffer overflow on /usr/local/bin/ovrflw
Backend gives us a login page
Username enumeration gives us a user of admin so start burp and bruteforce the password with intruder.
Does not appear to be vulnerable to brute force so revert the box and try a stealthy approach.
Try common passwords such as password, october, admin etc.
Admin:admin gives you access to the CMS
Upload a php shell which will not work so rename it to shell.php5
Click on the public link and you will get a reverse shell
Checking suid files gives you:
The name suggests it is vulnerable to a buffer overflow. The machine has GDB installed but not peda so download the file locally to work on the buffer overflow.
Copy the file to /var/www/html/cms/storage/app/media
And download with wget locally
We will need peda to work on the buffer overflow:
git clone https://github.com/longld/peda.git
echo "source ~/peda/peda.py" >> ~/.gdbinit
Check the security of the file
Strcpy is interesting.
Fuzz the program
Run the program with r
Note the breakpoint
Query the offset
EIP offset is 112
Note the memory addresses on October and find memory address of /bin/sh
It is easier if you break it down in notepad
Bruteforce the memory addresses to bypass NX
After a few minutes you have a root shell so collect your flag