Blunder: HackTheBox

This box is all about enumeration.

Summary

  • Directory busting to find the admin portal and the todo.txt file.
  • Brute-force the password.
  • Exploit the file upload vulnerability to get a shell.
  • Enumerate the machine to escalate privileges.
  • Find an exploit to bypass the restriction on running commands as root.

Nmap

Here we can see port 80 is open and 21 is closed.

Port 80

There is not much on the website itself. The about section has a bit of information: “I created this site to dump my fact files, nothing more”.

Directory busting

Directory busting with gobuster, using these arguments:

/admin

Todo.txt

Here, fergus could be a potential username.

First I manually tried brute-forcing the password for this username, but soon got an IP blocked message. On googling for Bludit vulnerabilities, we can find IP blocking bypass exploits.

Used this to brute-force passwords. First I used rockyou.txt, but could not find the password. Since the about page said “I created this site to dump my fact files, nothing more”, I thought of creating a wordlist from the site itself.

Created a custom wordlist using cewl.

Then modified the script from this to fit our purpose of brute-forcing the credentials.

On running this, we get the credentials:

To determine the version of Bludit running, visiting

We get version 3.9.2. Googling this, we can find an RCE vulnerability present in this version.

Followed this issue on GitHub to get RCE: https://github.com/bludit/bludit/issues/1081

First, create new content and add an image.

On uploading an image, the browser sends a POST request with the image data:

Here, uuid is the directory where the uploaded files are stored.

If uuid is set to ../../tmp/temp, the file gets uploaded to

Now if we change the request to

We get

It is uploaded, but it is not accessible.

Following the exploit, we need to add a .htaccess file with:

We get

Even though we get a “file type not supported” error, we can still access our payload. The .htaccess file makes the server treat all .jpg files as .php files; as a result, we can execute our payload and get a shell.

Another approach: after adding the .htaccess, uploading a .php file still returned the “file type not supported” error, but the PHP file could still be seen in

Getting Shell

Hosted the file using Python and downloaded it on the machine.

After downloading, we can see the reverse shell on

On running sh.php, we get a shell as user www-data.

There are three users with shells: hugo, shaun and temp, but hugo has the user flag.

First I enumerated using LinEnum.sh, but could not find anything. The todo.txt found in the initial step mentions FTP, and there is an FTP directory in /, but it was a rabbit hole. It held a gzip-compressed file; decompressing it gives a tar file, and extracting that gives a .wav file. Thinking it had something to do with steganography, I used stegcracker to extract data from that file. It found the password “sophie”, and the extracted data was a base64-encoded string; decoding it gives a hex value. Converting that to ASCII, we again get a base64-encoded string, and decoding it gives “fergus”. Well, it was a rabbit hole.

If we check the /var/www directory, we can see files from multiple versions of Bludit.

Bludit stores its users in /bl-content/databases/users.php. On reading that file from the 3.10.0a version, we find the user hugo in there, with a hashed password.

Used CrackStation to get the plaintext password.

Switched to user hugo and got the user flag.

Root

So user hugo can run /bin/bash as any user except root.

First I checked whether any user was in the root group, but could not find any. On googling around, we can find this.

Following the exploit:

Why did this work?

With this, I got root access to the machine as well.
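The rule that made this escalation possible is a sudoers entry that grants ALL as the run-as user but negates root, exactly the shape shown by hugo above. As an added example that is not part of the original writeup, here is a small Python audit a defender could run over a sudoers file to flag such rules; the sudoers lines are constructed for illustration and do not come from the box.

```python
import re

# Constructed sample sudoers content (not taken from the box). The hugo line
# has the shape the writeup abused: bash as any user, with only root negated.
SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
hugo    ALL=(ALL, !root) /bin/bash
shaun   ALL=(ALL) NOPASSWD: /usr/bin/less
# temp   ALL=(ALL) ALL
"""

# user  host=(runas_users[:runas_groups]) [tags:] commands
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*\((?P<runas>[^)]*)\)\s*(?P<cmds>.+)$"
)


def parse_sudoers(text):
    """Return (user, runas, cmds) for each user-spec line.

    Blank lines, comments and Defaults lines are skipped; includes and
    aliases are out of scope for this check.
    """
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append((m.group("user"), m.group("runas"), m.group("cmds")))
    return rules


def find_root_exclusion_rules(text):
    """Flag rules whose run-as user list grants ALL but negates an account.

    "(ALL, !root)" is a deny-list: it still hands the user a shell as every
    other account, and on unpatched sudo builds the negation itself can be
    bypassed, which is the weakness the escalation above relied on.
    """
    flagged = []
    for user, runas, cmds in parse_sudoers(text):
        runas_users = runas.split(":")[0]            # drop the group part
        entries = [e.strip() for e in runas_users.split(",")]
        if "ALL" in entries and any(e.startswith("!") for e in entries):
            flagged.append((user, runas, cmds))
    return flagged
```

Running `find_root_exclusion_rules(SAMPLE_SUDOERS)` returns only the hugo rule; the fix is an allow-list of run-as users (or dropping the rule) rather than a negation.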

The initial foothold on the machine was a bit difficult. After getting into the machine, the automated tools didn’t give much information. The privilege escalation part was totally new to me. As a whole, this machine was fun to exploit.

Thank you for reading the writeup. Hope you find it insightful and feel free to comment if you think something could be done differently.