
Blunder is a retired vulnerable Linux machine available from HackTheBox. The machine maker is egotisticalSW, thank you. It has an Easy difficulty with a rating of 4.1 out of 10.
Kali Linux is used to carry out the enumeration, exploitation and privilege escalation. No automated tools are needed. The goal is to obtain a root shell together with both the user and root flags.
Exploitation Summary
Initial Exploitation
- Vulnerability: Directory traversal with file upload
- Explanation: Bludit CMS version 3.9.2 is vulnerable to directory traversal combined with PHP file upload. The uploaded PHP file can then be executed to obtain a reverse shell.
Privilege Escalation – from www-data
- Vulnerability: Credentials exposure in files
- Explanation: User names and password hashes for Bludit CMS are stored in a file called users.php
Privilege Escalation – from hugo
- Vulnerability: sudo bypass
- Explanation: There is a sudo bypass exploit available for sudo versions < 1.8.28.
Enumeration
nmap -p- -A -T4 10.10.10.191

TCP 80: Apache httpd 2.4.41 (ubuntu)
Initial Exploitation
Only port 80 is open. That’s a website. Let’s check out the home page.

Looks like it’s a CMS (Content Management System) hosting a few posts and an About page. There is no additional information on the other pages. The source of the home page shows a version of 3.9.2, but which CMS software it is remains unknown at this point.

Let’s do a directory scan using gobuster to see if there’s any other interesting webpage or folders:
gobuster dir -u http://10.10.10.191/ -w /usr/share/seclists/Discovery/Web-Content/common.txt -e -k -l -s "200,204,301,302,307" -x "txt,html,php"

gobuster finds a couple of interesting URLs: /admin and /todo.txt.

There is a user named fergus that may be useful later. Let’s continue with /admin for now.

Ok, it’s using a CMS software called Bludit. I check with Google to see if there are any default credentials. It seems like admin is the default user but there is no default password. So I did some password guessing:

Nope. No luck. And after about 10 attempts, my IP address is blocked. Great.
Let’s do some more searches to see if there’s any exploits available:

I find an exploit that can perform directory traversal and upload a PHP payload. However, this exploit requires authentication, so I need to find some credentials to log in first.
Further googling helps me land on another exploit that can bypass brute force protection. That is, I can bypass the IP address lock out:

Sounds like a good path. If I can bypass lock out protection and brute force to find valid credentials, then the credentials can be used in the first exploit found to get an initial foothold.
I perform some more Google searches and find a Python script that exploits the weakness in the brute force protection.

I download bruteforce.py and look at how it works:

It’s pretty straightforward: provide the IP address, a username and a wordlist. I used bruteforce.py to perform a dictionary attack using rockyou.txt against the users admin and fergus. It took quite a while and didn’t find the password.
I then use cewl to scrape the website and build a custom wordlist.
cewl -m 4 http://10.10.10.191 | sort -u > wordlist

Perform the dictionary attack again:
python3 bruteforce.py 10.10.10.191 fergus wordlist

Excellent! I find the credentials fergus:RolandDeschain.
Now let’s go back to the first exploit. Using searchsploit I am able to find the exploit script.

I make a copy of 48701.txt. It’s essentially a Python script, so I simply rename it to 48701.py. Note that there’s a Metasploit exploit too, but this guide will be using the Python exploit.

Looking at the Python script, there are a few things to prepare before executing it:
- update the URL, username and password in the script
- the script suggests using msfvenom to create a PHP reverse shell, but I prefer the one already available in Kali, so I modify that PHP reverse shell with the correct Kali IP address and use port 4000
- prepare the .htaccess file as described
- start netcat listening on port 4000
Now time to execute the exploit:
python3 48701.py

Looking good. Hopefully, the payloads are uploaded to the victim machine.
- use a browser to navigate to http://10.10.10.191/bl-content/tmp/temp/evil.png as described in the script.

Awesome! Initial shell obtained.
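From the defender’s side, the whole chain above depends on the upload handler accepting a traversing path, a dotfile (.htaccess) and PHP bytes under an image name. The following is an added example of the checks that break that chain; it is not Bludit’s code, and the upload directory and sample files are constructed.

```python
"""Upload hardening against the chain above (traversal + .htaccess + PHP named .png).
Added example, not Bludit's code; the upload directory and sample files are constructed."""
import os
from pathlib import Path

UPLOAD_ROOT = Path("/var/www/uploads")   # constructed upload directory
ALLOWED_EXT = {".png", ".jpg", ".jpeg", ".gif"}
MAGIC = {                                # bytes a file of each type must begin with
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

def safe_destination(filename, root=UPLOAD_ROOT):
    """Resolved path inside root, or None if the client-supplied name is unacceptable."""
    name = os.path.basename(filename.replace("\\", "/"))  # drop any directory component
    if not name or name.startswith("."):                  # rejects .htaccess and other dotfiles
        return None
    if Path(name).suffix.lower() not in ALLOWED_EXT:      # no .php, .phtml, ... ever
        return None
    dest = (root / name).resolve()
    if root.resolve() not in dest.parents:                # defence in depth against traversal
        return None
    return dest

def content_matches_extension(data, ext):
    """True only if the bytes start with a signature of the claimed image type."""
    return any(data.startswith(sig) for sig in MAGIC.get(ext.lower(), ()))

def validate_upload(filename, data):
    """Return (accepted, reason). Even accepted files must be stored where the web
    server will not execute them (e.g. Apache AllowOverride None, no PHP handler)."""
    dest = safe_destination(filename)
    if dest is None:
        return False, "rejected name: %r" % filename
    if not content_matches_extension(data, dest.suffix):
        return False, "content does not match %s" % dest.suffix
    return True, str(dest)

if __name__ == "__main__":
    PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16             # constructed PNG header
    for name, blob in [("cat.png", PNG), (".htaccess", b"x"),
                       ("../tmp/evil.php", b"x"), ("evil.png", b"<?php echo 1; ?>")]:
        print(name, "->", validate_upload(name, blob))
```

Signature checks alone do not stop polyglot files, which is why the comment in validate_upload insists the upload directory must also be non-executable.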
Privilege Escalation – from www-data
A quick browse under /home shows that user.txt is at /home/hugo/user.txt. That probably means we want to gain access as hugo.
Keep that in mind and let’s start enumerating the system. After some browsing around, I find a file /var/www/bludit-3.9.2/bl-content/databases/users.php containing credentials for admin and fergus.

Unfortunately, those are not for hugo, and the password hashes are salted, so they are not the best cracking target for now. Let’s continue the enumeration, because I remember the system has a folder with a newer version of Bludit. Maybe it has something similar:

Bingo! Credentials for hugo!
His password hash does not use a salt, which is even better. The hash contains 40 hex characters, which translates to 160 bits, so it is most likely a SHA1 hash.
I use md5decrypt.net to look up the hash:
https://md5decrypt.net/en/Sha1/

Lucky us! The hash is cracked and we have hugo’s credentials now:
hugo:Password120
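As an added example (not from the write-up), the reasoning above made concrete: guessing the digest family from its length, why an unsalted SHA1 falls to a precomputed lookup like the one just used, and why the salted admin and fergus hashes did not. The word list is constructed.

```python
"""Why the unsalted 40-hex hash fell to a lookup while the salted ones did not.
Added example, not from the write-up; the word list below is constructed."""
import hashlib
import secrets

DIGEST_BY_LENGTH = {32: "MD5-like", 40: "SHA-1-like", 64: "SHA-256-like", 128: "SHA-512-like"}
HEX = set("0123456789abcdef")

def classify_digest(hexstr):
    """Guess the digest family from length alone, as the write-up does (40 hex = 160 bits)."""
    s = hexstr.strip().lower()
    if not s or set(s) - HEX:
        return "not a plain hex digest"
    return DIGEST_BY_LENGTH.get(len(s), "unknown length %d" % len(s))

def sha1_hex(password):
    return hashlib.sha1(password.encode()).hexdigest()

def build_lookup(words):
    """Precomputed table: one SHA-1 per candidate word. An online 'decrypt' service
    is this at huge scale; it only works because no salt is involved."""
    return {sha1_hex(w): w for w in words}

def recover(digest, table):
    """Reverse an unsalted digest by table lookup; None when it is not in the table."""
    return table.get(digest.strip().lower())

def salted_sha1(password, salt):
    """Per-user salt: the same password gives a different digest for every user, so a
    shared table no longer applies (a slow KDF such as bcrypt would be better still)."""
    return hashlib.sha1((salt + password).encode()).hexdigest()

WORDS = ["password", "Password1", "Password120", "RolandDeschain", "bludit"]  # constructed

if __name__ == "__main__":
    h = sha1_hex("Password120")
    print(classify_digest(h), "->", recover(h, build_lookup(WORDS)))
    s1, s2 = secrets.token_hex(8), secrets.token_hex(8)
    print("salted digests differ:", salted_sha1("Password120", s1) != salted_sha1("Password120", s2))
```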
Let’s try to login as hugo:

Success! We are logged in as hugo! Let’s grab the flag quickly.

Privilege Escalation – from hugo
Let’s do some enumeration. One classic check is sudo -l.

Nice, hugo can execute bash as any user except root.
Googling for sudo exploits reveals a security bypass that leads to privilege escalation:

It works for sudo versions < 1.8.28. Let’s find out the sudo version:

Perfect! Let’s get root using this sudo bypass exploit:

There we go! root shell access. Let’s finish the final task: the root flag.
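Both conditions this escalation relied on are easy to audit for: a sudo build older than 1.8.28 and a sudoers rule that grants a shell as (ALL, !root). The following is an added example of such a check, not something from the write-up; the version banner and sudoers text are constructed.

```python
"""Audit for the two conditions the write-up chains: sudo older than 1.8.28 and a rule
that grants a shell as (ALL, !root). Added example, not from the write-up; the version
banner and sudoers text below are constructed."""
import re

FIXED = (1, 8, 28)  # the write-up's bypass applies to versions below this

def parse_version(banner):
    """'Sudo version 1.8.25p1' -> (1, 8, 25); the 'pN' patch suffix is ignored."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("no version number in %r" % banner)
    return tuple(int(x) for x in m.groups())

def version_is_affected(banner):
    return parse_version(banner) < FIXED

# user  host=(runas_list) commands
RULE_RE = re.compile(r"^(?P<who>\S+)\s+(?P<host>[^\s=]+)\s*=\s*\((?P<runas>[^)]*)\)\s*(?P<cmds>.+)$")

def risky_runas_rules(sudoers_text):
    """Rules whose Runas list is ALL minus an excluded account (e.g. '!root').
    The exclusion is what the write-up's sudo bypass sidesteps, and granting a shell
    as every other account is a weak rule on any version."""
    findings = []
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        m = RULE_RE.match(line)
        if not m:
            continue
        runas = [r.strip() for r in m.group("runas").split(",")]
        if "ALL" in runas and any(r.startswith("!") for r in runas):
            findings.append((m.group("who"), m.group("runas"), m.group("cmds").strip()))
    return findings

def audit(banner, sudoers_text):
    """Combine both checks into one report."""
    return {"version": parse_version(banner),
            "version_affected": version_is_affected(banner),
            "risky_rules": risky_runas_rules(sudoers_text)}

SUDOERS = """\
# constructed sample sudoers content
root    ALL=(ALL:ALL) ALL
hugo    ALL=(ALL, !root) /bin/bash
"""

if __name__ == "__main__":
    print(audit("Sudo version 1.8.25p1", SUDOERS))   # constructed banner
```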
