HackTheBox Writeup — Blunder

This is my write-up for the HackTheBox machine ‘Blunder’, which runs a Linux OS and is one of the ‘Easy’ rated machines.

1. HackTheBox — Blunder Info Card.

1. Summary

The initial foothold on this box involves gaining access to BluditCMS via a brute-force password attack, after which we obtain a reverse shell by exploiting a Directory Traversal Image File Upload Vulnerability. Inspecting the BluditCMS files on the box we find a password belonging to ‘Hugo’, which lets us get user.txt. To get root, we exploit the recent vulnerability found in all versions of Sudo < 1.8.28.

2. Enumeration and Initial Foothold (www-data)

As always we start with an nmap scan to see what services are running and ports are open.

2. Nmap Scan — Blunder.

Just the one port open, a web application. Lets check it out.

3. Blunder Web Application — Blog.

Nothing too interesting on the home page, let’s get throw wfuzz at it and see what it finds.

4. Wfuzz Directory Bruteforce

Wfuzz found a number of potential avenues. After inspecting them the only one with some value was /admin/, which finds the BluditCMS login page.

5. BluditCMS Login

I also inspected the page source which told me this was version 3.9.2. Researching online about BluditCMS 3.9.2 vulnerabilities, I found a brute-force protection bypass vulnerability that would allow me to brute-force the password providing we had a valid username.

Being fairly certain this was the avenue to follow, I carried out more enumeration. After multiple scans one finally returned good, fuzzing for ‘.txt’ files specifically identified a ‘todo.txt’ hidden on the web server.

6. Wfuzz ‘.txt’ File Bruteforce.

7. Blunder — Hidden Todo.txt

Fergus? Looks like we have our username! Now I can re-visit the brute-force bypass vulnerability, for which I found a PoC script by rastating.

What I liked about this box was the script needed considerable editing, especially in the realm of the password list used, as the original script just used some fake data and eventually the real password for a PoC. To generate a password list, I used ‘Cewl’ on the home page of the blog page.

8. Password List — Generated with Cewl.

Then made the applicable changes to the script.

9. Altered BluditCMS Brute-force Bypass Script

The brute-force actually took a while, so for the sake of a concise PoC screenshot I cut it down after finding the correct password.

10. Successful Brute-force — Fergus’ BluditCMS Password

Logging into BluditCMS with these credentials didn’t reveal any immediate reverse shell capabilities, so I further researched BluditCMS vulnerabilities and found a Directory Traversal Image File Upload Vulnerability (CVE-2019–16113) which also has a Metasploit module available.

11. Metasploit — Required Bludit Exploit Parameters

Running the exploit with the above parameters gets us a meterpreter session! However, this is very limited, so I decided to throw a more stable netcat reverse shell back to my machine, which can be found on PenTestMonkey.

12. Increasing Shell Stability.

3. User (Hugo)

There were two users on the box, Shaun and Hugo. After obtaining a shell as www-data I always enumerate in the /www/ directory in case there are any databases or configuration files that may contain credentials.

Sure enough this was the case here. The box actually contained another (updated) version of BluditCMS which seemingly hadn’t been rolled out yet, but after inspecting some of the .php files we find Hugo’s hashed password!

13. Finding Hugo’s Password

I used crackstation.net to crack the password, which was successful. This left us with the following credentials which can be used to move laterally and login as Hugo:

Username: Hugo | Password: Password120

14. User Shell and User.txt

4. Root

Running the standard Linux enumeration techniques quickly found the escalation path to root, identifying Hugo’s sudo permissions on /bin/bash. If you’re after a great blog post that explains the techniques i’m referring to, I recommend this blog post by Sophia of SecQueens.

15. Sudo Permissions for Hugo.

The sudo permissions above essentially means Hugo can run /bin/bash as any user except the root user, which sounds fair, right? Unfortunately not, CVE-2019–14287 describes how sudo’s function to convert a given ‘userID’ into its corresponding ‘Username’ incorrectly parses certain values, such ‘-1’ or its unsigned equivalent ‘4294967295'.

This vulnerability is present in all sudo versions < 1.8.28, and is only present in non-default configurations of sudo.

We can abuse this to run /bin/bash as root and escalate to a root shell.

16. Root Shell

And finally, the root flag!

17. Root.txt

Conclusion

Thanks for reading and keep an eye out for future writeups! Feedback is always welcome through, and my HackTheBox profile is linked below :)

Hack The Box :: Penetration Testing Labs