bludit


Checking the web directory after performing basic enumeration

www-data@blunder:/var/www$ ll
total 20K
4.0K drwxrwxr-x  8 www-data www-data 4.0K Sep  8  2021 bludit-3.9.2
4.0K drwxr-xr-x  2 root     root     4.0K Sep  8  2021 html
4.0K drwxr-xr-x  8 www-data www-data 4.0K May 19  2020 bludit-3.10.0a
4.0K drwxr-xr-x  5 root     root     4.0K Nov 28  2019 .
4.0K drwxr-xr-x 15 root     root     4.0K Nov 27  2019 ..

The webroot directory contains 2 instances of Bludit. While the bludit-3.9.2 directory appears to be serving the LIVE instance, the bludit-3.10.0a directory contains a newer instance, which is supposedly meant to replace the LIVE one according to the note.txt file found on the web server.

bludit-3.9.2


www-data@blunder:/var/www$ cd bludit-3.9.2 ; ll
total 76K
4.0K drwxrwxr-x  8 www-data www-data 4.0K Sep  8  2021 .
 20K -rwxrwxr-x  1 www-data www-data  20K Sep  8  2021 install.php
4.0K -rw-r--r--  1 root     root      118 Apr 28  2020 todo.txt
4.0K drwxr-xr-x  5 root     root     4.0K Nov 28  2019 ..
4.0K -rwxrwxr-x  1 www-data www-data  438 Nov 27  2019 .htaccess
4.0K drwxrwxr-x 10 www-data www-data 4.0K Nov 27  2019 bl-kernel
4.0K -rwxrwxr-x  1 www-data www-data  901 Nov 27  2019 index.php
4.0K drwxr-xr-x  7 www-data www-data 4.0K Nov 27  2019 bl-content
4.0K drwxrwxr-x  2 www-data www-data 4.0K Jun 21  2019 .github
4.0K -rwxrwxr-x  1 www-data www-data  563 Jun 21  2019 .gitignore
4.0K -rwxrwxr-x  1 www-data www-data 1.1K Jun 21  2019 LICENSE
4.0K -rwxrwxr-x  1 www-data www-data 2.9K Jun 21  2019 README.md
4.0K drwxrwxr-x  2 www-data www-data 4.0K Jun 21  2019 bl-languages
4.0K drwxrwxr-x 26 www-data www-data 4.0K Jun 21  2019 bl-plugins
4.0K drwxrwxr-x  5 www-data www-data 4.0K Jun 21  2019 bl-themes
 
 
www-data@blunder:/var/www/bludit-3.9.2$ ll bl-content/databases
total 124K
4.0K drwxr-xr-x 3 www-data www-data 4.0K Sep 18 08:20 .
4.0K -rw-r--r-- 1 www-data www-data 1.3K Sep 18 08:20 site.php
 88K -rw-r--r-- 1 www-data www-data  85K Sep 18 07:05 security.php
4.0K -rw-r--r-- 1 www-data www-data 3.4K Apr 28  2020 pages.php
4.0K -rw-r--r-- 1 www-data www-data  438 Apr 28  2020 categories.php
4.0K -rw-r--r-- 1 www-data www-data 2.3K Apr 28  2020 syslog.php
4.0K -rw-r--r-- 1 www-data www-data   52 Apr 28  2020 tags.php
4.0K -rw-r--r-- 1 www-data www-data 1.3K Apr 28  2020 users.php
4.0K drwxr-xr-x 6 www-data www-data 4.0K Nov 27  2019 plugins
4.0K drwxr-xr-x 7 www-data www-data 4.0K Nov 27  2019 ..

Bludit does not use a database by default, hence “Flat-File CMS”. Data is stored in files.

users.php


www-data@blunder:/var/www/bludit-3.9.2/bl-content/databases$ cat users.php
<?php defined('BLUDIT') or die('Bludit CMS.'); ?>
{
    "admin": {
        "nickname": "Admin",
        "firstname": "Administrator",
        "lastname": "",
        "role": "admin",
        "password": "bfcc887f62e36ea019e3295aafb8a3885966e265",
        "salt": "5dde2887e7aca",
        "email": "",
        "registered": "2019-11-27 07:40:55",
        "tokenremember": "",
        "tokenauth": "b380cb62057e9da47afce66b4615107d",
        "tokenauthttl": "2009-03-15 14:00",
        "twitter": "",
        "facebook": "",
        "instagram": "",
        "codepen": "",
        "linkedin": "",
        "github": "",
        "gitlab": ""
    },
    "fergus": {
        "firstname": "",
        "lastname": "",
        "nickname": "",
        "description": "",
        "role": "author",
        "password": "be5e169cdf51bd4c878ae89a0a89de9cc0c9d8c7",
        "salt": "jqxpjfnv",
        "email": "",
        "registered": "2019-11-27 13:26:44",
        "tokenremember": "",
        "tokenauth": "0e8011811356c0c5bd2211cba8c50471",
        "tokenauthttl": "2009-03-15 14:00",
        "twitter": "",
        "facebook": "",
        "codepen": "",
        "instagram": "",
        "github": "",
        "gitlab": "",
        "linkedin": "",
        "mastodon": ""
    }

I will grab the admin hash: bfcc887f62e36ea019e3295aafb8a3885966e265

┌──(kali㉿kali)-[~/archive/htb/labs/blunder]
└─$ hashcat -a 0 -m 100 admin.hash /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting
 
dictionary cache hit:
* filename..: /usr/share/wordlists/rockyou.txt
* passwords.: 14344385
* bytes.....: 139921507
* keyspace..: 14344385
 
Approaching final keyspace - workload adjusted.           
 
session..........: hashcat                                
status...........: Exhausted
hash.mode........: 100 (SHA1)
hash.target......: bfcc887f62e36ea019e3295aafb8a3885966e265
time.started.....: Mon Sep 18 15:12:26 2023 (3 secs)
time.estimated...: Mon Sep 18 15:12:29 2023 (0 secs)
kernel.feature...: Pure Kernel
guess.base.......: File (/usr/share/wordlists/rockyou.txt)
guess.queue......: 1/1 (100.00%)
speed.#1.........:  4709.2 kH/s (0.11ms) @ Accel:512 Loops:1 Thr:1 Vec:8
recovered........: 0/1 (0.00%) Digests (total), 0/1 (0.00%) Digests (new)
progress.........: 14344385/14344385 (100.00%)
rejected.........: 0/14344385 (0.00%)
restore.point....: 14344385/14344385 (100.00%)
restore.sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
candidate.engine.: Device Generator
candidates.#1....: $HEX[212173657879616e67656c2121] -> $HEX[042a0337c2a156616d6f732103]
hardware.mon.#1..: Util: 29%
 
started: Mon Sep 18 15:12:12 2023
stopped: Mon Sep 18 15:12:30 2023

Unable to crack the password hash

bludit-3.10.0a


www-data@blunder:/var/www$ cd bludit-3.10.0a ; ll
total 72K
4.0K drwxr-xr-x  8 www-data www-data 4.0K May 19  2020 .
4.0K -rw-r--r--  1 www-data www-data  900 May 19  2020 index.php
4.0K drwxr-xr-x  7 www-data www-data 4.0K May 19  2020 bl-content
4.0K drwxr-xr-x  5 root     root     4.0K Nov 28  2019 ..
4.0K drwxr-xr-x  2 www-data www-data 4.0K Oct 19  2019 .github
4.0K -rw-r--r--  1 www-data www-data  582 Oct 19  2019 .gitignore
4.0K -rw-r--r--  1 www-data www-data  395 Oct 19  2019 .htaccess
4.0K -rw-r--r--  1 www-data www-data 1.1K Oct 19  2019 LICENSE
4.0K -rw-r--r--  1 www-data www-data 2.9K Oct 19  2019 README.md
4.0K drwxr-xr-x 10 www-data www-data 4.0K Oct 19  2019 bl-kernel
4.0K drwxr-xr-x  2 www-data www-data 4.0K Oct 19  2019 bl-languages
4.0K drwxr-xr-x 29 www-data www-data 4.0K Oct 19  2019 bl-plugins
4.0K drwxr-xr-x  5 www-data www-data 4.0K Oct 19  2019 bl-themes
 20K -rw-r--r--  1 www-data www-data  20K Oct 19  2019 install.php
 
www-data@blunder:/var/www/bludit-3.10.0a$ ll bl-content
total 28K
4.0K drwxr-xr-x 8 www-data www-data 4.0K May 19  2020 ..
4.0K drwxr-xr-x 3 www-data www-data 4.0K May 19  2020 databases
4.0K drwxr-xr-x 7 www-data www-data 4.0K May 19  2020 .
4.0K drwxr-xr-x 4 www-data www-data 4.0K May 19  2020 workspaces
4.0K drwxr-xr-x 3 www-data www-data 4.0K May 19  2020 tmp
4.0K drwxr-xr-x 5 www-data www-data 4.0K May 19  2020 uploads
4.0K drwxr-xr-x 8 www-data www-data 4.0K May 19  2020 pages
 

While the new instance appears to be rather identical to the LIVE one, I will go through all one by one

users.php


www-data@blunder:/var/www/bludit-3.10.0a$ cat bl-content/databases/users.php
<?php defined('BLUDIT') or die('Bludit CMS.'); ?>
{
    "admin": {
        "nickname": "Hugo",
        "firstname": "Hugo",
        "lastname": "",
        "role": "User",
        "password": "faca404fd5c0a31cf1897b823c695c85cffeb98d",
        "email": "",
        "registered": "2019-11-27 07:40:55",
        "tokenremember": "",
        "tokenauth": "b380cb62057e9da47afce66b4615107d",
        "tokenauthttl": "2009-03-15 14:00",
        "twitter": "",
        "facebook": "",
        "instagram": "",
        "codepen": "",
        "linkedin": "",
        "github": "",
        "gitlab": ""}
}

The bl-content/databases/users.php file of the newer instance contains the credential of the hugo user
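
An audit of the flat-file user store shown in the two users.php listings above, as an added example that is not part of the original write-up or of Bludit's own code. It assumes the stored digest is SHA-1 over the password followed by the salt; the function names and the sample records are constructed for illustration.

```python
import hashlib
import hmac
import json

PHP_GUARD = "<?php defined('BLUDIT') or die('Bludit CMS.'); ?>"

def load_users(text):
    """Parse a flat-file database: one PHP guard line, then a JSON object."""
    first, _, rest = text.partition("\n")
    return json.loads(rest if first.startswith("<?php") else text)

def stored_hash(password, salt=""):
    # Assumption (not taken from the page): digest = SHA-1(password + salt).
    return hashlib.sha1((password + salt).encode()).hexdigest()

def verify(rec, password):
    """Constant-time check of a candidate password against one record."""
    return hmac.compare_digest(stored_hash(password, rec.get("salt", "")),
                               rec.get("password", ""))

def audit(users):
    """Return {username: [findings]} describing weak credential storage."""
    report = {}
    for name, rec in users.items():
        findings = []
        digest = rec.get("password", "").lower()
        if len(digest) == 40 and set(digest) <= set("0123456789abcdef"):
            findings.append("single-round SHA-1 digest, cheap to brute-force")
        if not rec.get("salt"):
            findings.append("no salt, digest resolvable by public lookup tables")
        if rec.get("tokenauth"):
            findings.append("tokenauth stored in cleartext next to the digest")
        report[name] = findings
    return report

def make_sample():
    # Constructed records (not the page's data): same password, with and without salt.
    users = {
        "alice": {"role": "admin", "salt": "s4mpl3", "tokenauth": "",
                  "password": stored_hash("example-pass", "s4mpl3")},
        "bob": {"role": "author", "tokenauth": "00ff",
                "password": stored_hash("example-pass")},
    }
    return PHP_GUARD + "\n" + json.dumps(users, indent=4)

if __name__ == "__main__":
    for user, findings in audit(load_users(make_sample())).items():
        print(user, "->", findings or ["ok"])
```

The "no salt" finding is the one that applies to the record in the bludit-3.10.0a listing above, which has no salt field.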

Password Cracking


While hashcat failed to crack the password hash for the hugo user, crackstation.net cracked it. The cracked password is Password120

While this password is for the web application, I will test it out for password reuse