Again, we start with AutoRecon.py 10.10.10.56
We've got HTTP and FTP. Let's run Gobuster and see what happens. I'm adding the txt, pdf, and php extensions:
gobuster dir -u http://10.10.10.191 -w /usr/share/wordlists/dirb/common.txt -x txt,pdf,php
We see an admin directory and a todo.txt file that look interesting. /admin takes us to a Bludit admin login page and todo.txt gives us a possible username. NOTE: Traditional brute-forcing will not work here. After 10 attempts your IP gets blocked for a while. Consider it fair warning. However, that doesn't mean there isn't another way to find the password.
So, we know that it is Bludit 3.9.2 and that fergus needs to add some images (username, anyone?). A little research later and we find that https://www.cvedetails.com/cve/CVE-2019-17240/ lets us bypass the lockout. First step: create the wordlist.
cewl 10.10.10.191 > wordlist.txt
Second step: write/modify the exploit. https://rastating.github.io/bludit-brute-force-mitigation-bypass/ and https://github.com/bludit/bludit/pull/1090 are referenced on that CVE Details page and contain the code we need to modify. Below is my modified code.
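To see why the lockout in this version can be bypassed at all, here is an added example (not the page's code and not Bludit's) of a per-IP login throttle in the two configurations that matter: one that takes the client address from the X-Forwarded-For request header (the weakness behind CVE-2019-17240, since any client can set that header to whatever it likes on every request) and one that uses the socket peer address. The password, wordlist, addresses and the ten-attempt limit are all constructed to match the behaviour the walkthrough describes.

```python
import hmac
from collections import defaultdict

MAX_FAILURES = 10  # the walkthrough observes ten bad logins before the source IP is blocked


class LoginThrottle:
    """Per-IP failed-login counter, constructed for this example (not Bludit's code).

    The only difference between the weak and the hardened configuration is
    where the "client IP" used as the lockout key comes from.
    """

    def __init__(self, trust_forwarded_header: bool):
        self.trust_forwarded_header = trust_forwarded_header
        self.failures = defaultdict(int)

    def client_ip(self, remote_addr: str, headers: dict) -> str:
        # Weak: X-Forwarded-For is an ordinary request header, so the sender
        # chooses its own lockout bucket on every request.
        # Hardened: key on the peer address the server actually talked to
        # (only a proxy you control should be allowed to override it).
        if self.trust_forwarded_header:
            forwarded = headers.get("X-Forwarded-For")
            if forwarded:
                return forwarded.split(",")[0].strip()
        return remote_addr

    def attempt(self, remote_addr: str, headers: dict, password: str, real_password: str) -> str:
        ip = self.client_ip(remote_addr, headers)
        if self.failures[ip] >= MAX_FAILURES:
            return "blocked"
        # constant-time compare so the check itself does not leak timing
        if hmac.compare_digest(password.encode(), real_password.encode()):
            self.failures[ip] = 0
            return "ok"
        self.failures[ip] += 1
        return "failed"


def simulate(trust_forwarded_header: bool, guesses, real_password: str,
             remote_addr: str = "203.0.113.5") -> list:
    """Replay a list of guesses from one source address, each request carrying a
    different X-Forwarded-For value, and return the outcome of every attempt."""
    throttle = LoginThrottle(trust_forwarded_header)
    outcomes = []
    for i, guess in enumerate(guesses):
        headers = {"X-Forwarded-For": f"198.51.100.{i % 256}"}  # constructed, changes per request
        outcomes.append(throttle.attempt(remote_addr, headers, guess, real_password))
    return outcomes


# Constructed wordlist standing in for the cewl output; the right value sits at index 25.
SAMPLE_GUESSES = [f"guess{n}" for n in range(25)] + ["constructedPass1", "guess99"]

if __name__ == "__main__":
    weak = simulate(True, SAMPLE_GUESSES, "constructedPass1")
    hardened = simulate(False, SAMPLE_GUESSES, "constructedPass1")
    print("header-trusting throttle:", weak.count("failed"), "failed,", weak.count("blocked"), "blocked,", weak.count("ok"), "ok")
    print("peer-address throttle:  ", hardened.count("failed"), "failed,", hardened.count("blocked"), "blocked,", hardened.count("ok"), "ok")
```

With the header-trusting throttle, every request lands in a fresh bucket, the counter never reaches ten and the correct guess is eventually accepted; with the peer-address throttle the same replay is blocked after the tenth failure and never succeeds. That is the whole difference between 3.9.2 and the fix referenced in the pull request above.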
Tada! Bludit admin creds. Now, I know that I am usually the first one to scream from the rooftops "Say NO to Metasploit! It makes hackers lazy!" Well, today I am glad it does. #1: I tried the non-MSF way for a couple of hours and for some reason the system just would not perform the operation correctly. #2: I am actually feeling VERY lazy and tired today. So, MSF it is!
All that's left is to exploit. When we exploit it and start looking around, we actually find that Bludit 3.10.0a is also running! Checking the users.php page in the 3.10.0a instance yields another username and a password hash.
So, we've got hugo and faca404fd5c0a31cf1897b823c695c85cffeb98d. Running that through https://sha1.gromweb.com/?hash=faca404fd5c0a31cf1897b823c695c85cffeb98d, we determine that the password for hugo is Password120. Somebody needs to talk to Hugo about password strength policies and requirements...
Anywho, let's su as hugo and see what's next. So, it looks like Hugo can run everything on this box, except /bin/bash, which is odd in and of itself. Let's check the sudo version.
OK! There's a sudo CVE, https://blog.aquasec.com/cve-2019-14287-sudo-linux-vulnerability, that applies to version 1.8.25p1. It lets us bypass that "no /bin/bash" restriction just by running the command as user -u#-1. So, the actual command is:
sudo -u#-1 /bin/bash
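From the defender's side, the sudo finding above comes down to three checks: is the installed sudo older than 1.8.28 (where CVE-2019-14287 was fixed), does a sudoers rule rely on excluding root with the "(ALL, !root)" form, and has anyone already invoked sudo with the -1 / 4294967295 uid (which sudo's policy check does not treat as root, while the setresuid() call treats -1 as "leave unchanged", so the command keeps sudo's root uid). The example below is added here and is not from the original walkthrough; the version banner, sudoers line and syslog-style sudo log entries are constructed sample inputs.

```python
import re

# CVE-2019-14287 was fixed in sudo 1.8.28; anything older is affected.
SUDO_FIXED_VERSION = (1, 8, 28)

# sudoers rules of the form "(ALL, !root)" are the ones the bug matters for:
# the runas check rejects uid 0 by name but lets uid -1 through.
ROOT_EXCLUSION_RULE = re.compile(r"\(\s*ALL\s*,\s*!root\s*\)")

# sudo logs the requested target as USER=#<uid> when given numerically.
NEGATIVE_UID_LOG = re.compile(r"USER=#(?:-1|4294967295)\b")
SUDO_CALLER = re.compile(r"sudo:\s+(\S+)\s*:")


def parse_sudo_version(banner: str) -> tuple:
    """Turn 'Sudo version 1.8.25p1' into (1, 8, 25, 1); the patch level defaults to 0."""
    match = re.search(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?", banner)
    if not match:
        raise ValueError(f"no sudo version found in {banner!r}")
    return tuple(int(part or 0) for part in match.groups())


def sudo_vulnerable_to_cve_2019_14287(banner: str) -> bool:
    """True when the banner reports a release before the 1.8.28 fix."""
    return parse_sudo_version(banner)[:3] < SUDO_FIXED_VERSION


def sudoers_rule_relies_on_root_exclusion(rule: str) -> bool:
    """True for rules such as 'user ALL=(ALL, !root) /bin/bash'."""
    return bool(ROOT_EXCLUSION_RULE.search(rule))


def find_negative_uid_sudo(log_lines) -> list:
    """Return (caller, line) for every sudo log entry that targeted uid -1/4294967295."""
    hits = []
    for line in log_lines:
        if NEGATIVE_UID_LOG.search(line):
            caller = SUDO_CALLER.search(line)
            hits.append((caller.group(1) if caller else "?", line.strip()))
    return hits


# Constructed sample inputs (not captured from the box).
SAMPLE_VERSION_BANNER = "Sudo version 1.8.25p1"
SAMPLE_SUDOERS_RULE = "hugo ALL=(ALL, !root) /bin/bash"
SAMPLE_AUTH_LOG = [
    "Jun 12 10:01:02 host sudo:     hugo : TTY=pts/0 ; PWD=/home/hugo ; USER=root ; COMMAND=/usr/bin/id",
    "Jun 12 10:01:09 host sudo:     hugo : TTY=pts/0 ; PWD=/home/hugo ; USER=#-1 ; COMMAND=/bin/bash",
    "Jun 12 10:01:15 host sudo:     hugo : TTY=pts/0 ; PWD=/home/hugo ; USER=#4294967295 ; COMMAND=/bin/bash",
    "Jun 12 10:02:00 host sshd[1234]: Accepted password for hugo from 10.0.0.9 port 50000 ssh2",
]

if __name__ == "__main__":
    print("vulnerable sudo:", sudo_vulnerable_to_cve_2019_14287(SAMPLE_VERSION_BANNER))
    print("risky sudoers rule:", sudoers_rule_relies_on_root_exclusion(SAMPLE_SUDOERS_RULE))
    for caller, line in find_negative_uid_sudo(SAMPLE_AUTH_LOG):
        print(f"negative-uid sudo by {caller}: {line}")
```

Run the version and sudoers checks during a build or host audit and the log check from whatever ships /var/log/auth.log to your SIEM; a legitimate "USER=#-1" invocation should essentially never appear, so it is a low-noise alert.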
Now, we just grab the proof (whoami, ifconfig/ipconfig, and the user and root flags; you'll need that proof for OSCP lab and exam machines, so get used to collecting them all at once now) and sound our victory cheer.