# Blunder

## Gaining Access

Nmap scan:

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-e639723d9e4c78458ca5e84130a6f6d470ed62a3%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

Not too sure why FTP was reported. Anyways, we can head to the webpage to enumerate.

### Webpage

The page was just full of placeholder text that didn't mean much.

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-2c08b447d0e47bacc50044a26cb69c928add3078%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

I ran a directory brute force search to find an `/admin` panel.

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-d4733a2a905e6136ec28304638ec45a24fbbf9e1%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

The `/admin` panel requires credentials to access. Default weak credentials do not work here.

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-ae40884b905f80bcdd2e8983203fdee817ae6012%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

We also found some other text files of interest.

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-5d83e41734fa8bd9c52ac991df86641ee51e522f%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

The `todo.txt` file contained this:

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-2c770f109a1493b5b427ea613d7ca0b54b8424da%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

The `install.php` file also contained some other hidden information about the CMS on the administrator panel.

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-4ec2f752c0acf32688ce50f4e550c66852d68955%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

So `fergus` is the administrator of the website, and Bludit is installed on it. Fergus needs to upload some type of image onto the website. We can check the page source for the version of Bludit that is running.

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-dbba197c3fa33ffd8dc30a055178e65e704c474e%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

Bludit CMS 3.9.2 is vulnerable to an authenticated RCE exploit (CVE-2019-16113). We can use the exploit from this repository on the box:

{% embed url="<https://github.com/0xkasra/CVE-2019-16113>" %}

Now, we need to find some credentials to log in as the administrator.

### Brute Force Login

Initially, I brute forced the login page for the admin panel, but it didn't work out. I tried using `cewl` to create a custom wordlist using the website. Afterwards, using an auth brute-force bypass exploit for Bludit, we can brute force the login and find the correct password.

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-5d06a433918d4f94bfb5b9702f572daab3b65384%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-55dc094a88e426fd0f16b1d914c6e2530f98f2b7%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

We would eventually find the right credentials.

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-47c06c5d20064cfd961b1e6ff70d6192b9d9a8be%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

Then, we can use the exploit we found earlier to gain a reverse shell.

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-5c6388597133c47e83f1e3c45b6c088b290c83b0%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-d7386be1be60aa981a22ff3d95ad1b1a6dd1c8a6%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

## Privilege Escalation

### Hugo Credentials

The first thing I look for is databases or configuration files within this Bludit instance. There were other Bludit-related files of different versions, and each had its own `/bl-content/databases` folder with hashes and other credentials in it.

Within the Bludit-3.10.0a directory, the config files contained credentials for a `hugo` user.

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-70b1291be0f3fd64d5aecdeb206943ec72b10666%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

This hash can be cracked.

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-0ca47b4eb8c8acd4c0d685300a13f04845e74aa1%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

Then we can `su` to Hugo.

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-3290a74ead734fc2c9bbb33db1e2bcb331b36c89%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

### Sudo Exploit

When we check `sudo` privileges, we can see that this one is a bit different.

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-483902a794a8229be95c9681a7871ddb8a41e3f0%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>

The `!root` bit means that we cannot run `/bin/bash` as root, but we can run it as any other user. Googling for `sudo !root` bypasses led me to this exploit.

{% embed url="<https://www.exploit-db.com/exploits/47502>" %}

We can run it and gain a root shell.

<figure><img src="https://1617468840-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fqpzdj1tPRpELJdvxuVYh%2Fuploads%2Fgit-blob-411d54aa48eefbcba831909f6e8ab83511d8d0b3%2Fimage.png?alt=media" alt=""><figcaption></figcaption></figure>
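
From the defender's side, the `!root` rule discussed above is a deny-list in the Runas field of sudoers. The following is an added example (not part of the original writeup or any project's code) that scans sudoers text for rules pairing `ALL` with negated target users so they can be rewritten as explicit allow-lists; the sample policy and the function name `audit_runas` are constructed for illustration.

```python
import re

# Constructed sample sudoers content for illustration (not copied from the box).
SAMPLE_SUDOERS = """\
# constructed sample policy
Defaults env_reset
root    ALL=(ALL:ALL) ALL
hugo    ALL=(ALL, !root) /bin/bash
deploy  ALL=(www-data) NOPASSWD: /usr/bin/systemctl restart nginx
backup  ALL=(ALL,!root,!#0 : ALL) /usr/bin/rsync
"""

RUNAS_RE = re.compile(r"\(([^)]*)\)")          # text inside a Runas spec
ALIAS_RE = re.compile(r"(User|Runas|Host|Cmnd)_Alias\b")


def audit_runas(sudoers_text):
    """Return (lineno, user, runas_users) for every rule whose Runas user
    list combines ALL with negated entries, i.e. a deny-list of targets."""
    findings = []
    for lineno, raw in enumerate(sudoers_text.splitlines(), 1):
        line = raw.strip()
        # Only whole-line comments are skipped: '#' followed by digits is
        # uid syntax in sudoers, so inline '#' must not be stripped blindly.
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        if ALIAS_RE.match(line):
            continue
        user = line.split()[0]
        for spec in RUNAS_RE.findall(line):
            # Runas spec is "users[:groups]"; only the user part matters here.
            user_part = spec.split(":", 1)[0]
            users = [u.strip() for u in user_part.split(",") if u.strip()]
            negated = [u for u in users if u.startswith("!")]
            if "ALL" in users and negated:
                findings.append((lineno, user, users))
    return findings


if __name__ == "__main__":
    for lineno, user, users in audit_runas(SAMPLE_SUDOERS):
        print(f"line {lineno}: {user} may run as {users}; "
              "replace the deny-list with an explicit list of target users")
```

Rules flagged by this check are safer when rewritten to name the permitted target accounts directly, as the `deploy` line in the sample does.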

