
It’s October Vulnhub Walkthrough

Here’s a new challenge: the “It’s October” Vulnhub walkthrough. It’s October is an easy box for beginners and wannabe hackers. It is a box for learning about October CMS and enumeration. The box was designed by Akansha Verma. What makes this machine unique is that it teaches you how to exploit a CMS even when you can’t find any known vulnerability.


Pentester Methodology

Network Scanning
  • nmap
  • netdiscover
Enumeration
  • nikto
  • gobuster
  • placing of reverse shell
Privilege Escalation
  • abusing SETUID

Network Discovery

To get the IP of the machine I used netdiscover, as I had allotted a host-only adapter to my machine.

I got the machine's IP: 192.168.2.12. Now let's begin with an nmap scan.

I saw that ports 80 and 8080 are open, so without any delay, I visited the page.


It’s just a normal website. I didn’t find anything useful in the page source, but kept moving forward.

This is also a simple web page, but its page source contains a clue to visit 192.168.2.12/mynote.txt

We got credentials for the CMS: admin:adminadmin2. I used nikto for further enumeration, but it found nothing much.

So I tried directory brute-forcing. I used gobuster and found a directory, /backend, returning status code 302.

Eureka. We got the login page of October CMS. I used the credentials found earlier to log in.


And we are in. The first checkpoint is reached. Now we need to upload a reverse shell to the CMS in order to get a shell. To do that, open the CMS tab on the Dashboard > click +ADD > enter the details of the page along with the shell > Save it.


Now start the listener on the local machine and request the web page in the browser.

Privilege Escalation:

For privilege escalation, I found nothing but a local user named armour. Then we checked for SUID binaries:


So the SUID bit is set on /bin/python3. We can use this to get root.

BOOM! We have the flag and a euid of root! But we need a proper shell, so I transferred the authorized_keys file to the machine and opened an SSH connection.
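The setuid bit on /bin/python3 is the misconfiguration that decides this box. The script below is an added example, not part of the original walkthrough: an audit that lists setuid files whose name marks them as a script interpreter or shell. The function names and the name patterns are assumptions chosen for illustration, and the pattern list is not exhaustive.

```shell
#!/bin/sh
# Added example: audit a directory tree for setuid interpreters.
# Function names and name patterns are illustrative assumptions.

# is_interpreter NAME -> exit status 0 if NAME looks like a script
# interpreter or shell (for example python3, python3.8, perl, bash).
is_interpreter() {
    case "$1" in
        python|python[0-9]*|perl|perl[0-9]*|ruby|ruby[0-9]*) return 0 ;;
        php|php[0-9]*|lua|lua[0-9]*|node|nodejs) return 0 ;;
        sh|bash|dash|zsh|ksh) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_suid_interpreters [DIR] -> prints one flagged path per line.
# DIR defaults to / when omitted.
audit_suid_interpreters() {
    root=${1:-/}
    # -xdev     : do not cross into other mounted filesystems
    # -type f   : regular files only
    # -perm -4000 : setuid bit is set (other mode bits are ignored)
    find "$root" -xdev -type f -perm -4000 2>/dev/null |
    while IFS= read -r path; do
        if is_interpreter "$(basename "$path")"; then
            printf '%s\n' "$path"
        fi
    done
}

# When the script is called with a directory argument, audit it.
if [ "$#" -gt 0 ]; then
    audit_suid_interpreters "$1"
fi
```

Any path this prints should have its setuid bit cleared with `chmod u-s` unless there is a documented reason for it.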


Comments (1)

Thanks for the write-up.
Just a little mistake:
you use port 1234 in your Onstart script and afterwards 1505 for netcat.

Good job done !
