Bludit CMS Version 3.9.2 Brute Force Protection Bypass
I’ve been doing a pentest on a box that was released pretty recently, and it has been real fun for me. I just finished the box this morning; I loved the foothold and decided, why not write something about it, without giving spoilers of course. The box incorporates a bit of programming, and that was what made me love it even more.
I really love it when you find an exploit and have to tweak it a bit to make it work, not just edit the URL. So without much ado, let’s jump in.
On visiting the page you are presented with a standard webpage.
The first glance at the website gave me the impression that it was probably a CMS (Content Management System). Which one exactly I didn’t know, but there are numerous ways to fingerprint the exact CMS a server is running, for example by using WhatWeb, a Linux pentest tool that identifies websites. It recognizes web technologies including content management systems (CMS), blogging platforms, statistic/analytics packages, JavaScript libraries, web servers, and embedded devices. But for this demo I will use a totally different approach.
First I decided to view the page source by pressing CTRL + U and see what I’d find. Glancing at the source, we find a favicon image.
People really don’t always see the importance of these images, but today we’ll use it to fingerprint the web application. First I used wget to download the image to my box.
After downloading the favicon, I decided to use Google Images search to look for that picture on the web.
I filtered the results to the most interesting ones, and one result stood out from the rest.
We find it’s Bludit-logo.svg. Sweet!
I decided to do another Google search on Bludit, but this time I included CMS in the search terms and got an interesting webpage.
Voilà, we have our CMS. Now we can enumerate it, but before that I decided to look at the documentation, because through the documentation you can get an idea about the patch level of the CMS. Looking at the security tab, we see that the web app has protection against some kind of brute-force attack.
This is where, after a number of failed login attempts, the server denies all login requests (from that particular IP address) till the block expires. But enough of that. I decided to go back to my web application and enumerate the exact version that was installed on that server.
Taking a second look, we see that the web application uses a version parameter in the URL that tells us the exact version the web app is running: 3.9.2.
So I decided to Google for CVEs on that particular version of Bludit and found this article that shows how the anti-brute-force mechanism can be bypassed, which allows the CMS to be put under a brute-force attack.
What the CMS basically does is take your IP address from the X-Forwarded-For header of the login request that you send to the web server, and using this value it keeps count of the requests that you make to the web application. If the login count from the same IP address passes 10 in a certain time span, the web application blocks that IP address for a particular period of time till the block expires (nice, right? What could possibly go wrong?).
What the developers of the web application forgot to tell the CMS was: “Hey, don’t trust user input in the X-Forwarded-For header; if you trust it, bad things might happen.” Because of this, a hacker who knows the Python programming language can mess around with headers and create a script that ensures every login attempt he/she sends to the server has a different value in X-Forwarded-For, a concept commonly known as spoofing (mostly seen in MAC address spoofing). This means the server no longer keeps track of the real IP address, so we can brute-force the web application if we have any possible usernames or passwords (cool, right?), and that’s how the vulnerability arises.
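As an added example (not Bludit’s code and not rastating’s script), here is a small Python model of the login throttle described above: one resolver that trusts X-Forwarded-For the way the post describes, next to a hardened resolver that keys the counter on the TCP peer address and only honours the header behind a proxy you operate. The IP addresses and the trusted-proxy set are constructed for the demo.

```python
# Added example (not Bludit's own code): models the failure counter behind a
# login form, showing why keying it on a client-supplied X-Forwarded-For header
# can be bypassed, and how keying it on the TCP peer address fixes it.
import ipaddress
from collections import defaultdict

MAX_FAILURES = 10  # failed attempts tolerated before an address is blocked

def client_ip_vulnerable(headers, remote_addr):
    """Blindly trusts X-Forwarded-For, so the client picks its own identity."""
    return headers.get("X-Forwarded-For", remote_addr).split(",")[0].strip()

def client_ip_hardened(headers, remote_addr, trusted_proxies=frozenset()):
    """Uses the TCP peer address unless that peer is a proxy we operate; then
    takes the last hop, i.e. the address the trusted proxy itself appended."""
    xff = headers.get("X-Forwarded-For")
    if remote_addr not in trusted_proxies or not xff:
        return remote_addr
    last_hop = xff.split(",")[-1].strip()
    try:
        ipaddress.ip_address(last_hop)
    except ValueError:
        return remote_addr  # malformed header: fall back to the peer address
    return last_hop

class LoginThrottle:
    """Counts failed logins per resolved client address (no expiry, for brevity)."""
    def __init__(self, resolve_ip, limit=MAX_FAILURES):
        self.resolve_ip, self.limit = resolve_ip, limit
        self.failures = defaultdict(int)

    def attempt(self, headers, remote_addr, password_ok):
        ip = self.resolve_ip(headers, remote_addr)
        if self.failures[ip] >= self.limit:
            return "blocked"
        if password_ok:
            return "ok"
        self.failures[ip] += 1
        return "failed"

def simulate(resolve_ip, attempts=13):
    """Constructed scenario from the post: one host (203.0.113.5, a constructed
    address) sends `attempts` wrong passwords, changing X-Forwarded-For every
    time. Returns the per-attempt outcomes."""
    throttle = LoginThrottle(resolve_ip)
    return [throttle.attempt({"X-Forwarded-For": f"10.0.0.{i}"}, "203.0.113.5", False)
            for i in range(1, attempts + 1)]
```

With the vulnerable resolver all 13 attempts go through as ordinary failures, because each one is counted against a fresh address; with the hardened resolver the eleventh attempt onwards is blocked, matching the 10-attempt limit the documentation describes.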
Navigating to the admin page, we get a login page.
Assume that I have a bunch of credentials that I would like to try on the web application using Python.
I didn’t create the Python brute-force script; rastating did, and also discovered the vulnerability. I just took the crude script and modified it to my liking,
so that it opens a file and uses that wordlist to brute-force a bunch of passwords given a possible username. As a proof of concept, I’ll give the output of a brute-force attack: after 13 attempts we get valid credentials for the CMS, but remember we were supposed to be locked out after 10 attempts.
Voilà, we have valid credentials to log into the CMS.
Before using the script, take the crude one and try to modify it yourself; it’s a good learning exercise that teaches you about input/output operations in Python. If you get stuck, I’ve left a link below to my GitHub page where you can download the modified script and use it.
I’ll be releasing the entire write-up when the box retires, but for now it’s goodbye, folks. Till next time, take care, and if you liked the article, clap for me down below.