Hackthebox Walkthrough — October
I have been taking the PWK courses and preparing for the OSCP exam recently, and besides the PWK labs I got a lot of inspiration from many Hackthebox machines. So I decided to start writing walkthroughs of some retired Hackthebox machines (inspired by hackingarticles, infosec, ippsec's YouTube videos, etc.; thanks for all of this amazing penetration testing material!)
Target: 10.10.10.16
Local IP: 10.10.14.13
Nmap enumeration:
Since port 80 is open, let’s browse the web page
It’s an OctoberCMS page
Run dirbuster for directory fuzzing
We found a /backend entry for the admin panel login
Try the default OctoberCMS credentials: admin/admin
And we are successfully logged in to the admin panel
Initial foothold
Googling for October CMS exploits, we found this one, which seems interesting
Let’s upload php-reverse-shell with a php5 extension to the media directory
According to the vulnerability description, the php5 extension will bypass any filter and execute our reverse shell (from pentest monkey)
Set up our netcat listener and click the public URL to execute the PHP reverse shell. We got our connection back
Spawn a tty shell to make it more stable
cd to /home/harry and grab our user.txt flag
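Why the php5 upload described above gets through, seen from the defender's side. This is an added example, not code from the original walkthrough or from October CMS; the blocklist, the allow-list, the handler pattern and the file names are all constructed assumptions.

```python
import os
import re

# Constructed blocklist standing in for a filter that forgot php5
# (assumption, not October CMS source code).
BLOCKED_EXTENSIONS = {"php", "php3", "php4", "phtml"}

# Allow-list for a media library: only the types the site needs (assumption).
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}

# Assumed web-server handler rule, modelled on a common Apache mod_php
# FilesMatch pattern: files with any of these extensions are run as PHP.
PHP_HANDLER = re.compile(r".+\.ph(p[345]?|t|tml)$", re.IGNORECASE)


def extension(filename):
    """Return the final extension, lower-cased, without the dot."""
    return os.path.splitext(filename.strip())[1].lstrip(".").lower()


def blocklist_accepts(filename):
    """Weak check: reject only the extensions someone remembered to list."""
    return extension(filename) not in BLOCKED_EXTENSIONS


def allowlist_accepts(filename):
    """Hardened check: accept only known-safe extensions, reject the rest."""
    return extension(filename) in ALLOWED_EXTENSIONS


def server_executes(filename):
    """True if the assumed handler rule would run this file as PHP."""
    return PHP_HANDLER.match(filename.strip()) is not None


def audit(filenames, accepts):
    """List uploads that a filter accepts AND the server would execute."""
    return [f for f in filenames if accepts(f) and server_executes(f)]


# Constructed sample upload names.
SAMPLES = ["logo.png", "notes.txt", "report.php", "report.php5",
           "report.PHP5", "page.pht"]

if __name__ == "__main__":
    print("blocklist gaps:", audit(SAMPLES, blocklist_accepts))
    print("allowlist gaps:", audit(SAMPLES, allowlist_accepts))
```

The gap is the mismatch between what the upload filter rejects and what the web server executes; an allow-list closes it, and disabling script execution in the upload directory covers anything the filter still misses.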
Privilege Escalation
Run LinEnum.sh on the target machine
Transfer the ovrflw file to our local machine with netcat