Recon
Only one service is active: HTTP on port 80.
Enumeration
port 80:
The main page has nothing special, it just displays a few facts. To learn more, let's do a directory brute force.
gobuster dir --url http://10.10.10.191 -t 100 -w [wordlist file] -x php,txt
On examining /install.php, we find a simple message saying that the Bludit installation is already complete. The /admin directory shows us the Bludit login page, for which we do not have credentials.
But /todo.txt gives us some really interesting information.
Exploitation
This page tells us that the server is running an outdated version of Bludit, and that one of the users is named ‘fergus’. This gives us the username. Since all the exploits for Bludit are authenticated and we couldn't find any other sensitive files that could give us the password, that leaves us with only one option: a brute force attack.
But on learning more about Bludit, we find that it is equipped with a brute force prevention mechanism. Luckily, a bypass for that mechanism has been explained (CVE-2019-17240, https://rastating.github.io/bludit-brute-force-mitigation-bypass/), so we can script our own brute force program, or you can use the script in the link above.
Once you have the creds, you can use them in the authenticated exploits (CVE-2019-16113), but I found a script that does both for you… (yay)
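From the defender's side, the lockout that the linked post bypasses was keyed on a value the client controls, so a detector should count login attempts by the socket address instead. The following is an added example, not code from the writeup or from Bludit: it parses constructed access-log lines (the log format, the /admin/login endpoint, the 60-second window and the threshold of 5 are all assumptions) and flags any source address that posts to the login endpoint in a burst, reporting how many distinct X-Forwarded-For values it presented along the way.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOGIN_PATH = "/admin/login"       # assumed Bludit login endpoint
WINDOW = timedelta(seconds=60)    # assumed sliding window
THRESHOLD = 5                     # assumed attempts-per-window threshold

# Assumed log format: socket address, timestamp, request line, status,
# then the X-Forwarded-For header value in quotes ("-" when absent).
LINE_RE = re.compile(
    r'^(?P<addr>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) "(?P<xff>[^"]*)"$'
)

# Constructed sample traffic, not a real capture.
SAMPLE_LOG = """\
10.10.14.9 [28/Jul/2020:10:00:00 +0000] "GET /index.php HTTP/1.1" 200 "-"
10.10.14.5 [28/Jul/2020:10:00:01 +0000] "POST /admin/login HTTP/1.1" 200 "192.0.2.1"
10.10.14.5 [28/Jul/2020:10:00:02 +0000] "POST /admin/login HTTP/1.1" 200 "192.0.2.2"
10.10.14.5 [28/Jul/2020:10:00:03 +0000] "POST /admin/login HTTP/1.1" 200 "192.0.2.3"
10.10.14.5 [28/Jul/2020:10:00:04 +0000] "POST /admin/login HTTP/1.1" 200 "192.0.2.4"
10.10.14.5 [28/Jul/2020:10:00:05 +0000] "POST /admin/login HTTP/1.1" 200 "192.0.2.5"
10.10.14.5 [28/Jul/2020:10:00:06 +0000] "POST /admin/login HTTP/1.1" 200 "192.0.2.6"
10.10.14.9 [28/Jul/2020:10:00:30 +0000] "POST /admin/login HTTP/1.1" 200 "-"
"""


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def max_attempts_in_window(times, window=WINDOW):
    """Largest number of timestamps that fall inside any span of `window`."""
    times = sorted(times)
    best, left = 0, 0
    for right, t in enumerate(times):
        while t - times[left] > window:
            left += 1
        best = max(best, right - left + 1)
    return best


def find_login_bursts(lines, threshold=THRESHOLD):
    """Key login POSTs by the socket address, never by X-Forwarded-For."""
    attempts = defaultdict(list)
    xff_seen = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != LOGIN_PATH:
            continue
        attempts[rec["addr"]].append(rec["ts"])
        xff_seen[rec["addr"]].add(rec["xff"])
    findings = {}
    for addr, times in attempts.items():
        peak = max_attempts_in_window(times)
        if peak >= threshold:
            findings[addr] = {
                "attempts": len(times),
                "peak_in_window": peak,
                "distinct_xff": len(xff_seen[addr]),
            }
    return findings


if __name__ == "__main__":
    for addr, info in find_login_bursts(SAMPLE_LOG.splitlines()).items():
        print(addr, info)
```

A high distinct_xff count against a single socket address is itself a useful signal: ordinary clients do not change that header between requests. The same idea applies to the lockout itself, which should count failures against the peer address or, behind a trusted proxy, only against the proxy-supplied address that the proxy is configured to overwrite.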
And you have a shell…
On enumeration, we find a sensitive file: /var/www/bludit-3.10.0a/bl-content/databases/users.php, which contains creds for the user hugo.
The password is hashed, so to get the plain text you can use tools such as John the Ripper or Hashcat, but I am going to use crackstation.net, which gives the output as P*********0.
Then use the password to log in as hugo…
su hugo
To escalate our privileges, I’m simply going to run a command to see what commands ‘hugo’ can execute with sudo.
sudo -l
If you are familiar with this type of exploitation, then you will realise that something is wrong with the output (or it is not what you were expecting).
The output usually would look like this…
(ALL, ALL) /bin/bash
Because I did not understand it either, I simply googled the output, which led me to this page…
After reading the exploit, we learn that ‘hugo’ can run /bin/bash as any user other than root. But you can simply bypass this by running the command like this…
sudo -u#-1 /bin/bash
And we are root!
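The rule described above denies root by name but the check ran against whatever number followed -u# before it was range-checked, and the system call that switches user treats -1 as "leave this id unchanged", which for a setuid-root sudo means staying root. The following is an added simulation, not sudo's code: it models a sudoers entry of the form (ALL, !root) /bin/bash as the writeup describes it in words (the entry text, the passwd table and its uids are constructed), contrasts a lenient parser with a hardened one that validates the uid before the deny list is consulted, and shows which effective uid each path ends with.

```python
ROOT_UID = 0
UID_MAX = 0xFFFFFFFE   # 0xFFFFFFFF is -1 as a 32-bit uid_t and never names a real user

# Constructed passwd entries; hugo's uid is an assumption.
PASSWD = {"root": 0, "hugo": 1001, "alice": 1002}

# Models "(ALL, !root) /bin/bash": any run-as user except root.
RULE = {"runas_allow": "ALL", "runas_deny": {"root"}, "command": "/bin/bash"}


class PolicyError(Exception):
    pass


def lenient_parse_runas(spec):
    """Weak behaviour: accept any integer after '#', negatives included."""
    if spec.startswith("#"):
        return int(spec[1:], 10)
    return PASSWD[spec]


def strict_parse_runas(spec):
    """Hardened: '#<n>' must be a non-negative integer no larger than UID_MAX."""
    if spec.startswith("#"):
        digits = spec[1:]
        if not digits.isdigit():            # rejects '-1', '', '+5' and similar
            raise PolicyError(f"invalid uid spec {spec!r}")
        uid = int(digits, 10)
        if uid > UID_MAX:
            raise PolicyError(f"uid {uid} out of range")
        return uid
    if spec not in PASSWD:
        raise PolicyError(f"unknown user {spec!r}")
    return PASSWD[spec]


def rule_permits(uid):
    """Evaluate the allow/deny part of the rule against a resolved uid."""
    denied = {PASSWD[name] for name in RULE["runas_deny"]}
    return RULE["runas_allow"] == "ALL" and uid not in denied


def simulated_setresuid(requested, current=ROOT_UID):
    """setresuid() keeps the current id when asked for -1; sudo is root here."""
    return current if requested == -1 else requested


def run_as(spec, parser):
    """Resolve the -u argument, apply the rule, return the resulting effective uid."""
    uid = parser(spec)
    if not rule_permits(uid):
        raise PolicyError("denied by sudoers")
    return simulated_setresuid(uid)


if __name__ == "__main__":
    print("alice via strict parser ->", run_as("alice", strict_parse_runas))
    print("#-1 via lenient parser  ->", run_as("#-1", lenient_parse_runas))
    try:
        run_as("#-1", strict_parse_runas)
    except PolicyError as e:
        print("#-1 via strict parser   -> rejected:", e)
```

The mitigation is simply ordering: validate that the requested id is a real, in-range uid first, then compare the resolved id (not the raw string) against the deny list. On a fleet, the practical check is to confirm the installed sudo is a patched release and to treat sudoers entries that rely on a negated run-as list as a smell, since an allow-list of named users is far easier to reason about.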
Hope you enjoyed this writeup.
https://www.hackthebox.eu/home/users/profile/271362
(if you enjoyed, feel free to hit the respect button, please…).