HackTheBox Writeup — Blunder
This is my write-up for the HackTheBox machine ‘Blunder’, which runs a Linux OS and is one of the ‘Easy’ rated machines.
The initial foothold on this box involves gaining access to BluditCMS via a brute-force password attack, after which we obtain a reverse shell by exploiting a Directory Traversal Image File Upload Vulnerability. Inspecting the BluditCMS files on the box we find a password belonging to ‘Hugo’, which lets us get user.txt. To get root, we exploit the recent vulnerability found in all versions of Sudo < 1.8.28.
2. Enumeration and Initial Foothold (www-data)
As always we start with an nmap scan to see what services are running and ports are open.
Just the one port open, a web application. Let's check it out.
Nothing too interesting on the home page, so let's throw wfuzz at it and see what it finds.
Wfuzz found a number of potential avenues. After inspecting them the only one with some value was /admin/, which finds the BluditCMS login page.
I also inspected the page source, which told me this was version 3.9.2. Researching BluditCMS 3.9.2 vulnerabilities online, I found a brute-force protection bypass vulnerability that would allow me to brute-force the password, provided we had a valid username.
Being fairly certain this was the avenue to follow, I carried out more enumeration. After multiple scans, one finally returned something useful: fuzzing specifically for '.txt' files identified a 'todo.txt' hidden on the web server.
Fergus? Looks like we have our username! Now I can re-visit the brute-force bypass vulnerability, for which I found a PoC script by rastating.
What I liked about this box was that the script needed considerable editing, especially in the realm of the password list used, as the original script just used some fake data and eventually the real password for a PoC. To generate a password list, I used CeWL on the home page of the blog.
Then made the applicable changes to the script.
The brute-force actually took a while, so for the sake of a concise PoC screenshot I cut it down after finding the correct password.
Logging into BluditCMS with these credentials didn't reveal any immediate reverse shell capabilities, so I researched BluditCMS vulnerabilities further and found a Directory Traversal Image File Upload Vulnerability (CVE-2019-16113), which also has a Metasploit module available.
Running the exploit with the above parameters gets us a Meterpreter session! However, this is very limited, so I decided to throw a more stable netcat reverse shell back to my machine, using one of the one-liners found on PenTestMonkey.
3. User (Hugo)
There were two users on the box, Shaun and Hugo. After obtaining a shell as www-data I always enumerate in the /www/ directory in case there are any databases or configuration files that may contain credentials.
Sure enough, this was the case here. The box actually contained another (updated) version of BluditCMS which seemingly hadn't been rolled out yet, but after inspecting some of the .php files we find Hugo's hashed password!
I used crackstation.net to crack the password, which was successful. This left us with the following credentials, which can be used to move laterally and log in as Hugo:
Username: Hugo | Password: Password120
Running the standard Linux enumeration techniques quickly found the escalation path to root, identifying Hugo's sudo permissions on /bin/bash. If you're after a great blog post that explains the techniques I'm referring to, I recommend this blog post by Sophia of SecQueens.
The sudo permissions above essentially mean Hugo can run /bin/bash as any user except the root user, which sounds fair, right? Unfortunately not: CVE-2019-14287 describes how sudo's function to convert a given 'userID' into its corresponding 'Username' incorrectly parses certain values, such as '-1' or its unsigned equivalent '4294967295'.
This vulnerability is present in all sudo versions < 1.8.28, and only in non-default configurations of sudo (a runas list of ALL with root explicitly excluded, as in Hugo's rule).
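Since the bug only bites when both conditions hold (an old sudo and a "run as anyone except root" rule), the obvious defensive check is to audit sudoers for exactly that combination. The script below is an added example written for this write-up, not part of the box or of any sudo tooling; the sudoers text and version string it runs on are constructed samples modelled on the rule shape described above.

```python
import re

# Every release before 1.8.28 is affected by CVE-2019-14287.
FIXED_VERSION = (1, 8, 28)

# Constructed sample sudoers; Hugo's line mirrors the rule shape from the write-up.
SAMPLE_SUDOERS = """\
# constructed sample for the audit below
Defaults env_reset
root    ALL=(ALL:ALL) ALL
hugo    ALL=(ALL, !root) /bin/bash
backup  ALL=(ALL) NOPASSWD: /usr/bin/rsync
"""

# user  host = (runas_users[:runas_groups]) commands
RULE_RE = re.compile(r"^\s*(\S+)\s+\S+\s*=\s*\(([^)]*)\)\s*(.*)$")


def parse_version(banner: str) -> tuple:
    """Turn 'Sudo version 1.8.25p1' into (1, 8, 25); the pN patch suffix is ignored."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError(f"no version number in {banner!r}")
    return tuple(int(x) for x in m.groups())


def version_vulnerable(banner: str) -> bool:
    return parse_version(banner) < FIXED_VERSION


def risky_runas(runas: str) -> bool:
    """True for a runas list that is ALL restricted only by a '!root' / '!#0' exclusion."""
    items = [u.strip() for u in runas.split(":")[0].split(",") if u.strip()]
    has_all = any(u.upper() == "ALL" for u in items)
    excludes_root = any(u in ("!root", "!#0") for u in items)
    return has_all and excludes_root


def audit_sudoers(sudoers_text: str, version_banner: str) -> list:
    """Return (user, commands) pairs that CVE-2019-14287 would turn into root access."""
    if not version_vulnerable(version_banner):
        return []  # patched sudo: the rule is merely odd, not exploitable
    findings = []
    for line in sudoers_text.splitlines():
        stripped = line.strip()
        # Skip blanks, comments and Defaults lines; don't strip inline '#', it is part of '!#0'.
        if not stripped or stripped.startswith(("#", "Defaults")):
            continue
        m = RULE_RE.match(stripped)
        if m and risky_runas(m.group(2)):
            findings.append((m.group(1), m.group(3).strip()))
    return findings
```

Run `audit_sudoers(open("/etc/sudoers").read(), subprocess.check_output(["sudo", "-V"]).decode())` on a host to get the list of rules that need either a sudo upgrade or a rewrite to an explicit allow-list of runas users.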
We can abuse this to run /bin/bash as root and escalate to a root shell.
And finally, the root flag!
Thanks for reading and keep an eye out for future writeups! Feedback is always welcome, and my HackTheBox profile is linked below :)