Blunder - Hack The Box

cY83rR0H1t
4 min read · May 22, 2022

Summary

Blunder is an easy-level Linux box from Hack The Box. It consists of generating a wordlist with the cewl tool to find credentials for the Bludit portal, using an RCE exploit to gain an initial shell, reading database files to obtain the credentials of another user, and finally spawning a root shell through a sudo security bypass.

Foothold

After the port scan, we discovered two open ports: port 21 and port 80.

Note: the Nmap flags used in the scan are explained below.

  • -sC: scan with the default Nmap scripts.
  • -sV: version detection.
  • -oA: write the output in the three major formats at once.

Enumeration

Nothing significant on the web page.

Let’s try directory brute-forcing. We ran ffuf with -u for the URL and -e for the extension to append to each word.

#Command
$ ffuf -w /usr/share/wordlists/dirb/common.txt -u http://10.10.10.191/FUZZ -e .txt

We found /todo.txt, which contains the following notes:

The CMS version isn’t updated yet, so we need to find out its current version, and there is a user called Fergus.

The to-do list gives us a username, Fergus, but we still need a password. Let’s brute-force it with a password list built from the common words on the website using cewl, with -d for the depth of the crawl, -m for the minimum word length, and -w for the output file.

#Command
$ cewl -m 14 -w /root/htb/machine/blunder/wordlist1.txt -d 0 -v http://10.10.10.191/

We found 2 passwords.

Let's try the password RolandDeschain on the Bludit login portal.

We successfully logged in.

We can upload an image. I tried a few different methods to upload an image shell, but nothing worked for me.

We found the Bludit exploit in Metasploit.

After supplying the credentials to the module, we have a shell.

Further enumeration revealed the credential for the Hugo user.

We used CrackStation to recover the plaintext password.

We switch to the Hugo user and we can read the user.txt flag.

Privilege Escalation

We started with sudo -l.

When the target user is given to sudo as a numeric ID with -u#, sudo does not check whether that user actually exists, so it runs the command as whatever ID it computes. Passing -u#-1 gives the ID -1, which sudo turns into 0, the UID of root.

#Command
$ sudo -u#-1 /bin/bash

We are root now.
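From the defender's side, the same bypass leaves a trace in the sudo syslog entries. The detector below is an added example, not part of the original writeup: it parses sudo's default log line format and flags run-as targets written as numeric IDs that alias root (-1, 4294967295 or 0). The log lines are constructed, and it is assumed that the USER= field carries the run-as target as typed on the command line.

```python
import re
from typing import List, Optional

# sudo's default syslog line layout: "sudo: caller : TTY=.. ; PWD=.. ; USER=.. ; COMMAND=.."
SUDO_RE = re.compile(
    r"sudo:\s+(?P<caller>\S+)\s+:\s+TTY=(?P<tty>\S+)\s+;\s+PWD=(?P<pwd>\S+)\s+;"
    r"\s+USER=(?P<runas>\S+)\s+;\s+COMMAND=(?P<cmd>.*)$"
)

UID_MAX = 0xFFFFFFFF  # (uid_t)-1: setresuid() treats it as "leave the uid unchanged"

def suspicious_runas(runas: str) -> Optional[str]:
    """Return a reason string if the run-as target is a numeric id aliasing root, else None."""
    if not runas.startswith("#"):
        return None  # a named user: the normal case, nothing to flag here
    try:
        uid = int(runas[1:], 10)
    except ValueError:
        return f"unparseable numeric run-as target {runas!r}"
    if uid == -1 or uid == UID_MAX:
        return "run-as uid -1/4294967295 leaves sudo's root uid unchanged"
    if uid < 0:
        return f"negative run-as uid {uid}"
    if uid == 0:
        return "run-as uid 0 names root numerically"
    return None

def scan(lines: List[str]) -> List[dict]:
    """Parse sudo log lines and return one finding per suspicious run-as target."""
    hits = []
    for line in lines:
        m = SUDO_RE.search(line)
        if not m:
            continue
        reason = suspicious_runas(m.group("runas"))
        if reason:
            hits.append({"caller": m.group("caller"), "runas": m.group("runas"),
                         "cmd": m.group("cmd"), "reason": reason})
    return hits

# Constructed sample log lines (not captured from the box).
SAMPLE_LOG = [
    "May 22 09:58:00 blunder sudo:     hugo : TTY=pts/0 ; PWD=/home/hugo ; USER=root ; COMMAND=list",
    "May 22 09:59:10 blunder sudo:     hugo : TTY=pts/0 ; PWD=/home/hugo ; USER=www-data ; COMMAND=/bin/bash",
    "May 22 10:01:02 blunder sudo:     hugo : TTY=pts/0 ; PWD=/home/hugo ; USER=#-1 ; COMMAND=/bin/bash",
    "May 22 10:01:30 blunder sudo:     hugo : TTY=pts/0 ; PWD=/home/hugo ; USER=#4294967295 ; COMMAND=/bin/bash",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```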


Thanks for reading.

Hack The Box Profile: https://www.hackthebox.eu/profile/116842


cY83rR0H1t

MSc Cybersecurity | Cybersecurity researcher | OSCP | CRTO | CRTP | eCPPTv2 | eJPT | Hack The Box player | CTF player