It’s October Vulnhub Walkthrough

This is a walkthrough of the Vulnhub machine “It’s October”. It’s October is an easy box for beginners and wannabe hackers, built around October CMS and enumeration. The box was designed by Akansha Verma. What makes this machine unique is that it teaches you how a CMS can be exploited even when you can’t find any known vulnerability.

Pentester Methodology

Network Scanning
  • nmap
  • netdiscover
Enumeration
  • nikto
  • gobuster
  • placing of reverse shell
Privilege Escalation
  • abusing SETUID

Network Discovery

To get the IP of the machine I used netdiscover, since I had assigned a host-only adapter to my machine.

I got the machine's IP: 192.168.2.12. Now let's begin with an nmap scan.

I saw that ports 80 and 8080 are open, so without any delay, I visited the page.

It’s just a normal website. I didn’t find anything useful in the page source, but I kept moving forward.

This is also a simple web page, but its page source contains a clue to visit 192.168.2.12/mynote.txt.

We got credentials for the CMS: admin:adminadmin2. I used nikto for further enumeration, but it turned up nothing much.

So I tried directory brute-forcing. I used gobuster and found a directory, /backend, returning status code 302.

Eureka. We got the login page of October CMS. I used the credentials found earlier to log in.

And we are in. The first checkpoint is reached. Now we need to upload a reverse shell to the CMS in order to get a shell. To do that, open the CMS tab on the Dashboard > click +Add > enter the details of the page along with the shell > Save it.

Now start the listener on the local machine and request the new page over the web.

Privilege Escalation:

For privilege escalation, I found nothing at first except a local user named armour. Then I checked for SUID binaries.

So the SUID bit is set on /bin/python3. We can use this to go for root.

BOOM! We have the flag and an euid of root! But we still need a proper shell, so I transferred an authorized_keys file to the machine and connected over SSH.
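From the defender's side, the root cause here is an interpreter carrying the SUID bit. The following audit is an added example, not part of the original walkthrough; the interpreter list and the baseline of expected SUID binaries are assumptions to replace with your own.

```python
import os
import re
import stat

# Assumption: names of interpreters and shells that should never carry the SUID bit.
INTERPRETERS = {"python", "perl", "ruby", "php", "node", "lua", "bash", "dash", "sh", "zsh"}
# Assumption: SUID binaries expected on a stock install; replace with your own baseline.
BASELINE = {"/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/mount",
            "/usr/bin/umount", "/usr/bin/chsh", "/usr/bin/chfn", "/usr/bin/newgrp",
            "/usr/bin/gpasswd"}


def classify(path, mode, baseline=BASELINE):
    """Grade one file from its lstat mode: 'critical', 'review' or None."""
    if not stat.S_ISREG(mode) or not mode & stat.S_ISUID:
        return None
    # Strip version suffixes so python3, python3.8 and perl5.30 all match.
    name = re.sub(r"[\d.]+$", "", os.path.basename(path))
    if name in INTERPRETERS:
        return "critical"  # any user who can run it runs code as the file owner
    return None if path in baseline else "review"


def scan(records, baseline=BASELINE):
    """records: iterable of (path, st_mode, st_uid). Returns sorted findings."""
    findings = []
    for path, mode, uid in records:
        level = classify(path, mode, baseline)
        if level:
            findings.append((level, path, uid))
    return sorted(findings)


def walk(root="/"):
    """Yield (path, st_mode, st_uid) for each file under root; symlinks are not followed."""
    for dirpath, dirs, files in os.walk(root):
        dirs[:] = [d for d in dirs if os.path.join(dirpath, d) not in ("/proc", "/sys")]
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # file vanished or is unreadable
            yield path, st.st_mode, st.st_uid


if __name__ == "__main__":
    for level, path, uid in scan(walk("/")):
        print(f"{level:8} owner_uid={uid:<6} {path}")
```

On this box the audit would report /bin/python3 as critical; clearing the bit with `chmod u-s /bin/python3` removes the escalation path.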

Comments (1)

Thanks for the write up.
Just a little mistake
you use the 1234 port into your script Onstart and after the 1505 got the netcat.

Good job done!
