Today we’re going to solve another CTF machine, “October”. It is now a retired box and is accessible only if you’re a VIP member.

Introduction

Specifications

  • Target OS: Linux
  • Services: HTTP, SSH
  • IP Address: 10.10.10.16
  • Difficulty: Medium

Weakness

  • Default CMS Credentials
  • SUID binary buffer overflow (BOF)

Contents

  • Getting user
  • Getting root

Reconnaissance

As always, the first step is the reconnaissance phase, starting with port scanning.

Ports Scanning

During this step we’re gonna identify what services are running behind the IP address.

Apache is running, and the banner tells us an October CMS instance is installed, so let’s take a look at it.

Enumerate Directories

Dirbuster reveals a directory, /backend, where we can log in as administrator.

Now that we have found the admin login page, we could try a brute-force attack, SQL injection, etc.

But before anything else, let’s search for known exploits first. In this case we’re gonna use searchsploit.

Brute Force Using Hydra

Let’s brute force our way into October CMS using hydra.

Post Request:

Hydra

Hydra never works for me. :/ I don’t know why. Maybe that’s due to sessions and cookies? If I’m missing something, please let me know in the comments.

Hydra

Brute Force Using Burp Suite

Using Burp Suite I was able to brute force the login. If you google October CMS default credentials, you can easily find them: admin:admin.

Reverse Shell

Since we have access to the admin panel, we can find a way to get a reverse shell. If you navigate to Media > Upload, you can try uploading payloads to get a reverse shell.

If you read the exploit we found using searchsploit, it describes uploading a reverse shell with a .php5 extension, which bypasses the upload filter.

.php5

After uploading, we can access our shell here:

http://10.10.10.16/storage/app/media/shell.php5?x=ls

Now we can use netcat to catch a reverse shell. I checked every shell, but I found that Perl was installed on the server.

I used a Perl reverse shell and URL-encoded it to make it work.

And got a shell on the terminal.

Privilege Escalation

It’s time to get root.txt. We can use privilege escalation scripts to gather information, or we can do some manual research first to save time.

I manually searched for SUID files and came across one that caught my eye, because it looked like an uncommon file.

How to be sure it’s an uncommon file?

I knew it was uncommon, but to be sure, cd to that directory first.

Let’s download this file to our local machine and do some experiments with it.

We’re gonna use netcat to transfer the file.

Let’s open this file and take a look at the assembly code.

At offset +67 in the disassembly we have a call to strcpy, which is vulnerable to a buffer overflow because it copies until the source’s NUL byte without checking the size of the destination buffer.
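To make the defect concrete, here is an added example (not code from the write-up or from the October binary) showing the shape of an unbounded strcpy into a fixed stack buffer next to a bounded copy that rejects over-long input instead of writing past the buffer. The buffer sizes, function names and sample strings are all constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* The bug class behind the SUID binary's strcpy call: a fixed-size stack buffer
 * filled by strcpy, which copies until the source's NUL byte and never looks at
 * how much room the destination has. Input longer than the buffer runs past it
 * into the saved frame pointer and return address. Shown only to illustrate
 * the defect; never feed it untrusted input. */
void vulnerable_copy(const char *src)
{
    char buf[64];
    strcpy(buf, src);               /* unbounded copy: the overflow */
    printf("got: %s\n", buf);
}

/* Hardened form: measure the source against the destination size first and
 * refuse (rather than silently truncate) anything that does not fit together
 * with its terminator. Returns 0 on success, -1 when src is too long. */
int bounded_copy(char *dst, size_t dstsize, const char *src)
{
    if (dstsize == 0)
        return -1;
    size_t n = 0;
    while (n < dstsize && src[n] != '\0')   /* stops at dstsize: no over-read */
        n++;
    if (n == dstsize) {                     /* no NUL within the capacity */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);                /* n bytes plus the NUL */
    return 0;
}

/* A 16-byte stack buffer (constructed size) as the target; returns what
 * bounded_copy returned so the behaviour can be checked without printing. */
int demo(const char *input)
{
    char buf[16];
    int rc = bounded_copy(buf, sizeof buf, input);
    if (rc == 0)
        printf("accepted: %s\n", buf);
    else
        printf("rejected: input longer than %zu bytes\n", sizeof buf - 1);
    return rc;
}

int main(void)
{
    demo("short input");                                   /* fits: accepted */
    demo("this constructed string is far longer than 16");  /* rejected */
    return 0;
}
```

The rejection, rather than truncation, is deliberate: silently cutting an argument short hides the fact that a caller sent something oversized, which is exactly the signal a defender wants logged when a setuid program is being probed.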

We’ll create a pattern string to test the buffer overflow.

In gdb we run the binary with this pattern and capture the output.

Now just type r. It will run with the pattern we created and stop with EIP overwritten by 0x41384141.

Now search for that value’s offset in the pattern, and we’ll know exactly where the EIP register gets overwritten.

Now we know our offset is 112. Let’s try to exploit it on our local machine.
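The offset step above works because every 4-byte window of a cyclic pattern is unique, so the value that lands in EIP maps back to one position. The following added example (not code from the write-up or from gdb’s pattern tools) builds such a pattern from uppercase/lowercase/digit triples, the scheme used by pattern_create-style tools, and looks a crash value up in it. It assumes that scheme; the author’s tool used a different character set, so the literal value 0x41384141 from the write-up does not occur in this pattern, and the crash value used in main is constructed by reading the bytes at offset 112.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Longest stretch in which every 4-byte window of the triple pattern is unique. */
#define PATTERN_MAX 20280

/* Fill out[0..len) with the cyclic pattern "Aa0Aa1Aa2...Ab0Ab1..." built from
 * uppercase/lowercase/digit triples. Returns the number of bytes written
 * (no NUL terminator is added). */
size_t make_pattern(char *out, size_t len)
{
    size_t n = 0;
    if (len > PATTERN_MAX)
        len = PATTERN_MAX;
    for (char u = 'A'; u <= 'Z' && n < len; u++)
        for (char l = 'a'; l <= 'z' && n < len; l++)
            for (char d = '0'; d <= '9' && n < len; d++) {
                out[n++] = u;
                if (n < len) out[n++] = l;
                if (n < len) out[n++] = d;
            }
    return n;
}

/* Given the value that ended up in EIP after the crash, convert it back to the
 * four little-endian bytes the CPU loaded from the stack and search the pattern
 * for them. Returns the offset, or -1 if those bytes are not in the pattern. */
long find_offset(const char *pat, size_t len, uint32_t eip)
{
    unsigned char needle[4];
    for (int i = 0; i < 4; i++)
        needle[i] = (unsigned char)(eip >> (8 * i));   /* x86 is little-endian */
    for (size_t i = 0; i + 4 <= len; i++)
        if (memcmp(pat + i, needle, 4) == 0)
            return (long)i;
    return -1;
}

/* Convenience: build a pattern of patlen bytes and look eip up in it. */
long offset_in_pattern(size_t patlen, uint32_t eip)
{
    static char pat[PATTERN_MAX];
    size_t n = make_pattern(pat, patlen);
    return find_offset(pat, n, eip);
}

/* Read the 4 bytes at a given offset as the little-endian value they would
 * produce in EIP; this simulates a crash at a chosen offset. */
uint32_t eip_at_offset(const char *pat, size_t off)
{
    return (uint32_t)(unsigned char)pat[off]
         | (uint32_t)(unsigned char)pat[off + 1] << 8
         | (uint32_t)(unsigned char)pat[off + 2] << 16
         | (uint32_t)(unsigned char)pat[off + 3] << 24;
}

int main(void)
{
    char pat[200];
    size_t n = make_pattern(pat, sizeof pat);

    /* Constructed crash: pretend the saved return address sat 112 bytes into
     * the buffer, as it does for the binary in the write-up. */
    uint32_t eip = eip_at_offset(pat, 112);
    printf("pattern (%zu bytes): %.*s...\n", n, 24, pat);
    printf("EIP after crash: 0x%08x -> offset %ld\n", eip, find_offset(pat, n, eip));
    return 0;
}
```

The little-endian conversion is the part people most often get wrong by hand: the register shows the bytes in reverse order from how they sit in the buffer, which is why searching for the printed hex string directly finds nothing.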

Let’s run our gdb again.

Now break the program at main.

ASLR is off here, but we can verify it by running the program again and checking the address of system a second time: if the address differs between runs, ASLR is enabled. Let’s check.

As you can see, when we run the program twice the address of system is the same, which confirms ASLR is disabled. Now let’s try to get a shell from it.

First we will find the addresses of system in libc and of the string /bin/sh. We need the /bin/sh address because that is the argument system will receive, which is what gives us a shell. So try this