# October

## October - 10.10.10.16

### Target Enumeration:

OS: Linux

IP: 10.10.10.16

User: 29161ca87aa3d34929dc46efc40c89c0

Root: 6bcb9cff749c9318d2a6e71bbcf30318

### Ports / Services / Software Versions Running

```
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
```

### Vulnerability Exploited:

Weak password on CMS

### Privilege Escalation:

Buffer overflow on /usr/local/bin/ovrflw

### Exploiting the host:

Nmap

![](https://lh6.googleusercontent.com/BpEdO8SaukSngRa6RegHO4Y98DIuZue3mTsqsQ_8W8GuEwz9hNg6Q95eeOFhP_-iNyw-RYLFELgcG62N3Kl59qj4xIoGIoLDX3FKtilEfQZcF6ho6UPXNbaH9soDtX_L6Otkp-jI)

Dirb

<div align="left"><img src="https://lh6.googleusercontent.com/gIr5Al5YMD8KeQBV_oVsNC2IcQ2tQV_blfTnKqn6cxoGDmpN-QgLg30OrD4g_MF3Mu1U4TERP6r59tcjiZ6tVSzRswlur6iAauygpHdnqVoMQmtNFePhZmolwWu7s8OQBhVRlZoD" alt=""></div>

The backend gives us a login page.

![](https://lh6.googleusercontent.com/IEA_a9P9MzgM_O6FE-cq7r6BIopwiAmHSI3npLB3LDkf6Wfn79ZGPv_LzbmaOhD14l-pcDuA7IiwBtgVhm1cRGzxo9W_34_OdHHEMrPQia8Cp9AhnLz6PmMKFKUWiPEEmGmGgA5g)

Username enumeration gives us the user `admin`, so start Burp and brute-force the password with Intruder.

![](https://lh6.googleusercontent.com/OcftYquwZyBQhq0KiFso7pRNKX2hS2_zaN9Bc8l7_FsIDpMU6OKY3J3w1TIZmlNOAkBK8nqosjoUk3_ELEvFdFgmE5IPwyb8fEHRqoFZA4GwM6V47vSu23qw1PZZFP9uZjP4BlcD)

It does not appear to be vulnerable to brute force, so revert the box and try a stealthier approach.

<div align="left"><img src="https://lh6.googleusercontent.com/FYKYwKY8rCYLgQKMJOjK281rWf5P9hY1FWNCbBiuXyf6AF8kZO50s8UYHj1fnqW-uOwbhxZ6Zn2AJZWV1H5Kdv2Cjrgdq1itvwbrcCI6XLRIwBh1aJI3U6JPZzugaYosFYet4sYm" alt=""></div>

Try common passwords such as `password`, `october`, `admin`, etc.

`admin:admin` gives you access to the CMS.

![](https://lh4.googleusercontent.com/59TkL6-E1JwcYjUdlpR30Cn3QpmhduXV5M2jqfrT9UdmjH8rvPvGOxsYp1IGjKjaiEPS9lVFzR2cXf9-i0exFnErIYIWuIqAEoMwEbSLOmw-TUKxa6KrbET0eK5gx_2ASNPJ0LTs)

Uploading a `.php` shell will not work, so rename it to `shell.php5`.

<div align="left"><img src="https://lh6.googleusercontent.com/4o4UCnYQWoYuV3ilU0XBT2WLm_dGu0xayE6T4e7Tbc8O-w1lDFvjQ6I2ZQ6kq-IqlE74JLtDL_PKUGWGdV94TcQ7SAGXrFgp8O69rcv4a_UckYCFDICl__XZuUFbZa9hAL10LE_8" alt=""></div>
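The rename works because the upload filter is a deny-list that knows `.php` but not `.php5`. The defender's fix is an allow-list of expected types, checked on every extension segment of the name. The following is an added example written for this write-up, not OctoberCMS's own code; the allow-list contents are an assumption, and the `shell.php.jpg` case matters because Apache's mod_mime can apply a handler to any extension in the name, not only the last one.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed allow-list for a media upload endpoint (assumption: only these
 * image and document types are expected; adjust to the application). */
static const char *const allowed_ext[] = { "jpg", "jpeg", "png", "gif", "pdf" };

/* Case-insensitive test of one extension against the allow-list. */
static int ext_allowed(const char *ext)
{
    for (size_t i = 0; i < sizeof allowed_ext / sizeof allowed_ext[0]; i++) {
        const char *a = allowed_ext[i];
        size_t j = 0;
        for (; a[j] != '\0' && ext[j] != '\0'; j++)
            if (tolower((unsigned char)ext[j]) != (unsigned char)a[j])
                break;
        if (a[j] == '\0' && ext[j] == '\0')
            return 1;
    }
    return 0;
}

/* Returns 1 if `filename` may be stored, 0 otherwise.
 * Every dot-separated segment after the base name must be on the allow-list.
 * A deny-list of "php" misses php5/phtml/phar; an allow-list does not, and
 * checking every segment also rejects "shell.php.jpg". */
int upload_name_allowed(const char *filename)
{
    const char *base = strrchr(filename, '/');
    base = base ? base + 1 : filename;
    if (*base == '\0' || *base == '.')
        return 0;                       /* empty name or dot-file (e.g. .htaccess) */
    const char *seg = strchr(base, '.');
    if (!seg)
        return 0;                       /* no extension at all */
    seg++;
    for (;;) {
        const char *next = strchr(seg, '.');
        size_t len = next ? (size_t)(next - seg) : strlen(seg);
        char ext[16];
        if (len == 0 || len >= sizeof ext)
            return 0;                   /* empty or absurdly long segment */
        memcpy(ext, seg, len);
        ext[len] = '\0';
        if (!ext_allowed(ext))
            return 0;
        if (!next)
            return 1;
        seg = next + 1;
    }
}

int main(int argc, char **argv)
{
    /* Usage: ./upload_check photo.JPG shell.php5 shell.php.jpg */
    for (int i = 1; i < argc; i++)
        printf("%-24s %s\n", argv[i],
               upload_name_allowed(argv[i]) ? "allowed" : "rejected");
    return 0;
}
```

Extension checks are only one layer; the stored file should also land outside any directory the web server executes scripts from, which is the other half of why `storage/app/media` became a problem here.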

Click on the public link and you will get a reverse shell.

<div align="left"><img src="https://lh3.googleusercontent.com/eSk2JlVkDdMKBnYpCnyyMZrUF1o0af6IkRq22hEcS7tlZAlfRe_b_ZNNybNog1touUIpApzjfQpdsx5D82IrKTO9lDgZLltqlIuxQACUP-uIMW0EeQhngEpmQWxPHfkenyYRM4-I" alt=""></div>

Checking SUID files gives you:

![](https://lh5.googleusercontent.com/_KZB1mR7aJAxR9YvbH2pAM7RV0yvZiq0jPuoLolbR5bPQJ_GX24QWCuCgjfu5nKwsWti9G7kYDctv1ZLCAhl3OEM7veuquPdfdWAqnAyINBJhI80lNlFcvoFJC8maSuA6YG-phK2)
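A non-standard setuid binary like `ovrflw` is exactly what a periodic SUID inventory should surface. The following is an added example, not part of the original write-up: a small recursive walker that prints every setuid regular file under a root directory and returns the count, so a host can be diffed against a known baseline. It uses `lstat` so symlinks are not followed; paths and the default root are assumptions.

```c
#define _XOPEN_SOURCE 700
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

/* Walk `root` recursively and print every regular file with the setuid bit
 * set, the same inventory a `find / -perm -4000` pass produces. Returns the
 * number of such files, or -1 if `root` cannot be opened. Symlinks are not
 * followed (lstat), so a link into /usr/bin cannot inflate the count. */
long find_suid(const char *root)
{
    DIR *d = opendir(root);
    if (d == NULL)
        return -1;
    long count = 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        if (strcmp(e->d_name, ".") == 0 || strcmp(e->d_name, "..") == 0)
            continue;
        char path[4096];
        if (snprintf(path, sizeof path, "%s/%s", root, e->d_name) >= (int)sizeof path)
            continue;                         /* path too long: skip, never truncate */
        struct stat st;
        if (lstat(path, &st) != 0)
            continue;                         /* unreadable entry: skip */
        if (S_ISDIR(st.st_mode)) {
            long sub = find_suid(path);       /* unreadable subdir returns -1: ignore */
            if (sub > 0)
                count += sub;
        } else if (S_ISREG(st.st_mode) && (st.st_mode & S_ISUID)) {
            printf("%s (mode %04o, owner uid %u)\n", path,
                   (unsigned)(st.st_mode & 07777), (unsigned)st.st_uid);
            count++;
        }
    }
    closedir(d);
    return count;
}

int main(int argc, char **argv)
{
    /* Default root "/usr" is an assumption; pass "/" for a full-host sweep. */
    const char *root = argc > 1 ? argv[1] : "/usr";
    long n = find_suid(root);
    if (n < 0) {
        perror(root);
        return 1;
    }
    printf("%ld setuid file(s) under %s\n", n, root);
    return 0;
}
```

Run it from a known-good image first and keep the output; on this box, `/usr/local/bin/ovrflw` would show up as a line absent from the baseline.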

The name suggests it is vulnerable to a buffer overflow. The machine has GDB installed but not PEDA, so download the file locally to work on the overflow.

Copy the file to `/var/www/html/cms/storage/app/media`

![](https://lh4.googleusercontent.com/Xj4MPMmLuxIVrKnV1N0G7zAjob0ROyTp8-Ij0ET3EbaJzfwJ0bXSoIHO7IQniHgfN4zsAlBYq-ve8Bz6waznwElM-GA8oA4g27RP9myzAYH5RI8eRjqgwPMUURlI-_RE__xX7p8s)

And download it locally with wget.

<div align="left"><img src="https://lh6.googleusercontent.com/Cxod9Trjfw3DOAWWHBzo4FaPC027rqYHtLzp2ZLj7_ppXRW2SsuP5XywX151JhtJR8pwX0SkfCWecDVPfbLyA_W3cklGiW8jptxgR452vD0zpjxwWIDRiJusfpqz5mjOMu6i188p" alt=""></div>

We will need PEDA to work on the buffer overflow:

```
git clone https://github.com/longld/peda.git
echo "source ~/peda/peda.py" >> ~/.gdbinit
```

Check the security properties of the binary.

<div align="left"><img src="https://lh3.googleusercontent.com/HU_Tv3MrOMn4kZjbAGPTkkuQwqBCdWeqYkJkEWMFRIPyNyZR35SwdXSbjalk35XHLvWgzc45y2BAPlyDPya_CovqxWD7sTZOOD5HlXrBuIUurgbtJNN421ZeeQy9sh4ZIMVvGZQn" alt=""></div>

`strcpy` is interesting.

Fuzz the program.

![](https://lh4.googleusercontent.com/iuNOr7Qy27PJ5ZUCPmbdC4yqa7r9aDRDrRxMvVx_2X5hXr3wkhD9K6agklSgbwkR46OxGXnyZyVy0YGJ657nyT7pGEE9YKr1cx7V4F0Wlqrx7salhSLtieSdVgaS1GQ87vwArq8H)

Run the program with `r`.

![](https://lh6.googleusercontent.com/LaRvxgLkUTRcLOHB7fKEM_FBso6wawr_mk1wWw747EMUmITkYyjqBkXC4Znb6qn5TsJgwNH_gkB84TPxwV7643EoHKFLGS-MfWdf787px0-A1tEkNVPTvTvg4eSe55L66_Wfn0KE)

Note the breakpoint.

Query the offset.

![](https://lh5.googleusercontent.com/qq74-2znBSIL--dQy29y6M61B4YRUZVXgJE8SYFNedsSRReLvSRWaLGXdQC3N3yUnlX6gXiwIwMKnkxu6TZO2tWF2zKbtRTPyIYwgu92J5jt--zrl-0rYSTjnpGmP9V_MtEtIzCw)

The EIP offset is 112.
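The offset of 112 means that is how many bytes `strcpy` writes past the start of the buffer before it reaches the saved return address, so the root cause is the unbounded copy, not the size of the buffer. The following is an added example, not the `ovrflw` source: the unchecked pattern beside a bounded replacement that refuses input it cannot hold. The 112-byte buffer is an assumption chosen to match the offset; in the real binary the offset also covers whatever lies between the buffer and the return address.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed example: a 112-byte stack buffer, matching the EIP offset the
 * write-up found with pattern_offset. Not the binary's own layout. */
#define BUF_SIZE 112

/* The pattern the page describes: argv[1] copied with strcpy into a fixed
 * buffer. No length check, so anything longer than BUF_SIZE overwrites the
 * saved frame pointer and return address. Shown for contrast; never called
 * with untrusted input. */
void copy_unchecked(const char *src)
{
    char buf[BUF_SIZE];
    strcpy(buf, src);               /* no bound: this is the defect */
    (void)buf;
}

/* Hardened form: refuse input that does not fit, including the terminator.
 * Returns 0 on success, -1 when the input would have overflowed. Rejecting
 * is preferable to silently truncating, which strncpy would do and which
 * also leaves the buffer unterminated on exact-length input. */
int copy_checked(char *dst, size_t dst_size, const char *src)
{
    size_t len = strlen(src);
    if (dst_size == 0 || len >= dst_size)
        return -1;
    memcpy(dst, src, len + 1);      /* len + 1 copies the NUL too */
    return 0;
}

/* Wrapper mirroring the program's argv handling: 0 if the argument was
 * accepted, -1 if it was rejected as too long. */
int handle_argument(const char *arg)
{
    char buf[BUF_SIZE];
    return copy_checked(buf, sizeof buf, arg);
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s <string>\n", argv[0]);
        return 1;
    }
    if (handle_argument(argv[1]) != 0) {
        fprintf(stderr, "argument too long (max %d bytes)\n", BUF_SIZE - 1);
        return 1;
    }
    puts("ok");
    return 0;
}
```

With the bounded version, the same 112-plus-byte input that redirected EIP in the write-up simply produces an error exit, and a stack canary or PIE build (which the `checksec` step would have shown as present) is then defence in depth rather than the only barrier.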

Note the memory addresses on October and find the memory address of `/bin/sh`.

![](https://lh6.googleusercontent.com/mOKFXO8gGG78Wsn4s2NlfhVXmcEJnBlc1FyDAEQLP6TAzlai2K6Zqz5MpehNZvCP2tot583kBhL7NVLcpcWA_ZciTzEQ8D1_Ngz6-BWDXh8MW934Gn1GLt-T5JFKm5x4Gg8OBIC3)

It is easier if you break it down in Notepad.

![](https://lh4.googleusercontent.com/gI5y4Yr9wEhA8yNl_f3Dak0KHVVsQvbF3EWpkjhyNkaHu9J1UyZtz0WxW0F5LsT_BjYWsBHWAqTy-Yq5AbnUCHB7v9UgyXrpn9j4UmBhJPJzLpv78KHWrC0BnysQf24sma4Ul8XC)

Brute-force the memory addresses to bypass NX.

![](https://lh6.googleusercontent.com/KUX6IirxuCUZ45s7wMb9bmfSuoeVXbcTZEq6qvQiMfCY60jxzBgdZKDYLULDuI7hnkYRojvYj2Zco4LHZ0Msvf543CkyoyyNRZWweh6EQmpNQ9VVu5Gxp_ByXYwe46-VWOzoQ-dE)

After a few minutes you have a root shell, so collect your flag.

![](https://lh4.googleusercontent.com/9sft7IExkIz0UHsdD739Ev3RfoTYlYteZDzTXBE3XCIfITzSCu-SpHAqb3uAU4XM0Q-bu9rD4NBUSa4YOIGl6sBnmJulW4DbiyegByE7xJQKCdvv6WNLo1alggON5TfZMb-9Js0l)

