Blunder - Hack The Box
Summary
Blunder is an easy-level Linux box from Hack The Box. It involves generating a wordlist with the cewl tool to find credentials for the Bludit portal, using an RCE exploit to gain an initial shell, reading database files to obtain credentials for another user, and finally spawning a root shell through a sudo security bypass.
Foothold
After the port scan, we discovered two open ports: 21 and 80.
Note: Read the command and flags explanation
- sC: scan with the default Nmap scripts.
- sV: version detection.
- oA: write the output in the three major formats at once.
Enumeration
Nothing significant on the web page.
Let's try directory brute-forcing. We have run ffuf with -u for the URL and -e for the extension to append.
#Command
$ ffuf -w /usr/share/wordlists/dirb/common.txt -u http://10.10.10.191/FUZZ -e .txt
We have found /todo.txt, which contains the following notes:
The CMS version isn't updated yet, so we need to find its current version, and there is a user called Fergus.
From the todo list we have a username, Fergus. We still need a password, so let's try brute-forcing it by creating a password list from the common words on the website using cewl, with -d for the depth of the crawl, -m for the minimum length of the password, and -w for the output file.
#Command
$ cewl -m 14 -w /root/htb/machine/blunder/wordlist1.txt -d 0 -v http://10.10.10.191/
We have found 2 passwords.
Let's try the password RolandDeschain on the Bludit login portal.
We have successfully logged in.
We can upload an image. I tried a few different methods to upload an image shell, but nothing worked for me.
We found the Bludit exploit in Metasploit.
Reference:
After supplying the credentials to the module, we have a shell.
Enumerating further, we found the credential for the Hugo user.
We use CrackStation to recover the plaintext password.
Reference:
We switch to the Hugo user and can read the user.txt flag.
Privilege Escalation
We started with sudo -l.
When we run sudo, it doesn't check whether the specified user actually exists, so it executes the command as whatever user ID was given. The -u flag defines the user, and #-1 resolves to 0, the default UID of root itself.
#Command
$ sudo -u#-1 /bin/bash
We are root now.
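As an added defender-side example (not part of the original writeup), the Python audit below flags sudoers rules whose runas list excludes root with a "!" negation, such as (ALL, !root), which is the rule shape this bypass abuses on sudo versions older than 1.8.28, and checks a sudo version string against that fix. The sudoers content and version strings are constructed; the page does not show the box's actual sudo -l output.

```python
import re

# Constructed sample sudoers content (not from the box). The hugo rule is the
# risky shape: run a command as any user except root, which unpatched sudo
# could be talked out of with a negative uid such as -u#-1.
SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
hugo    ALL=(ALL, !root) /bin/bash   # from the sudo -l output (constructed)
alice   ALL=(www-data) /usr/bin/php
%admin  ALL=(ALL) ALL
"""

# who  hosts=(runas_users[:runas_groups]) commands
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<hosts>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<cmds>.+)$"
)

def strip_comment(line):
    """Drop a '#' comment, but keep '#' that introduces a numeric uid/gid (e.g. #1000)."""
    return re.sub(r"#(?!\d).*$", "", line).strip()

def negated_runas_rules(sudoers_text):
    """Return (who, runas, cmds) for rules whose runas user list contains a '!' entry."""
    findings = []
    for raw in sudoers_text.splitlines():
        line = strip_comment(raw)
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m or m.group("runas") is None:
            continue
        users = m.group("runas").split(":", 1)[0]          # ignore the group part
        entries = [u.strip() for u in users.split(",")]
        if any(u.startswith("!") for u in entries):
            findings.append((m.group("who"), m.group("runas"), m.group("cmds").strip()))
    return findings

def sudo_version_tuple(version_output):
    """Parse 'Sudo version 1.8.25p1' -> (1, 8, 25); None if no version is present."""
    m = re.search(r"Sudo version (\d+)\.(\d+)\.(\d+)", version_output)
    return tuple(int(x) for x in m.groups()) if m else None

def version_accepts_negative_uid(version_output):
    """True when the parsed version predates the fix for negative runas uids (1.8.28)."""
    v = sudo_version_tuple(version_output)
    return v is not None and v < (1, 8, 28)

if __name__ == "__main__":
    for who, runas, cmds in negated_runas_rules(SAMPLE_SUDOERS):
        print(f"review rule for {who}: runas ({runas}) -> {cmds}")
    print("patched:", not version_accepts_negative_uid("Sudo version 1.8.25p1"))
```

Any flagged rule should be rewritten to list the intended runas users explicitly rather than negating root, and the sudo package updated so the check no longer reports an affected version.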
Reference:
Thanks for reading.
Hack The Box Profile: https://www.hackthebox.eu/profile/116842