HackTheBox Writeup — Blunder

This is my write-up for the HackTheBox machine ‘Blunder’, which runs Linux and is one of the ‘Easy’ rated machines.

1. HackTheBox — Blunder Info Card.

1. Summary

The initial foothold on this box involves gaining access to BluditCMS via a brute-force password attack, after which we obtain a reverse shell by exploiting a Directory Traversal Image File Upload Vulnerability. Inspecting the BluditCMS files on the box we find a password belonging to ‘Hugo’, which lets us get user.txt. To get root, we exploit the recent vulnerability found in all versions of Sudo < 1.8.28.

2. Enumeration and Initial Foothold (www-data)

As always, we start with an nmap scan to see which services are running and which ports are open.

2. Nmap Scan — Blunder.

Just the one port open, a web application. Let’s check it out.

3. Blunder Web Application — Blog.

Nothing too interesting on the home page, so let’s throw wfuzz at it and see what it finds.

4. Wfuzz Directory Bruteforce

Wfuzz found a number of potential avenues. After inspecting them, the only one of any value was /admin/, which leads to the BluditCMS login page.

5. BluditCMS Login

I also inspected the page source, which told me this was version 3.9.2. Researching BluditCMS 3.9.2 vulnerabilities online, I found a brute-force protection bypass vulnerability that would allow me to brute-force the password, provided we had a valid username.

Being fairly certain this was the avenue to follow, I carried out more enumeration. After multiple scans, one finally returned something useful: fuzzing specifically for ‘.txt’ files identified a ‘todo.txt’ hidden on the web server.

6. Wfuzz ‘.txt’ File Bruteforce.
7. Blunder — Hidden Todo.txt

Fergus? Looks like we have our username! Now I can re-visit the brute-force bypass vulnerability, for which I found a PoC script by rastating.

What I liked about this box was that the script needed considerable editing, especially around the password list, as the original script just used some fake data followed by the real password as a PoC. To generate a password list, I ran ‘CeWL’ against the home page of the blog.

8. Password List — Generated with Cewl.

I then made the applicable changes to the script.

9. Altered BluditCMS Brute-force Bypass Script

The brute-force actually took a while, so for the sake of a concise PoC screenshot I cut the output down after the correct password was found.

10. Successful Brute-force — Fergus’ BluditCMS Password
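The brute-force above only worked because the login’s lockout could be bypassed once a valid username was known. From the defender’s side, the lesson is that a lockout keyed on source IP alone is not enough: the attempts still land on the same endpoint, so counting POSTs to the login path regardless of where they come from will surface the burst. The following detector is an added example, not code from the original post or from Bludit. It parses a few constructed combined-format access log lines (not from the box) and reports any sliding window in which the number of login POSTs crosses a threshold, together with how many distinct source addresses took part.

```python
import re
from datetime import datetime, timedelta

# Combined log format: ip ident user [timestamp] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def _line(ip, ts, method, path, status):
    """Build one constructed access-log line for the sample below."""
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512 "-" "python-requests/2.23"'


# Constructed sample: 12 login POSTs in 12 seconds from two addresses, plus two benign requests.
SAMPLE_LOG = "\n".join(
    [_line("10.10.14.5" if n % 2 else "10.10.14.6",
           f"15/Jun/2020:10:00:{n:02d} +0000", "POST", "/admin/login", 200)
     for n in range(12)]
    + [_line("10.10.14.9", "15/Jun/2020:10:05:30 +0000", "GET", "/index.php", 200),
       _line("192.168.1.20", "15/Jun/2020:11:00:00 +0000", "POST", "/admin/login", 302)]
)


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],  # drop any query string
        "status": int(m.group("status")),
    }


def login_attempts(log_text, login_path="/admin/login"):
    """All POSTs to the login endpoint, sorted by time, from every source address."""
    attempts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == login_path:
            attempts.append(rec)
    attempts.sort(key=lambda r: r["ts"])
    return attempts


def find_login_bursts(log_text, login_path="/admin/login", window_seconds=60, threshold=10):
    """Report each window of `window_seconds` holding at least `threshold` login POSTs.

    Attempts are counted against the endpoint, not per source IP, so rotating
    addresses does not hide a burst from this check.
    """
    attempts = login_attempts(log_text, login_path)
    window = timedelta(seconds=window_seconds)
    bursts = []
    i = 0
    while i < len(attempts):
        t0 = attempts[i]["ts"]
        j = i
        while j + 1 < len(attempts) and attempts[j + 1]["ts"] - t0 <= window:
            j += 1
        count = j - i + 1
        if count >= threshold:
            ips = {r["ip"] for r in attempts[i:j + 1]}
            bursts.append({"start": t0, "end": attempts[j]["ts"],
                           "attempts": count, "distinct_ips": len(ips)})
            i = j + 1  # continue after this burst
        else:
            i += 1
    return bursts


if __name__ == "__main__":
    for b in find_login_bursts(SAMPLE_LOG):
        print(f"{b['start']:%H:%M:%S}-{b['end']:%H:%M:%S}: "
              f"{b['attempts']} login POSTs from {b['distinct_ips']} address(es)")
```

The threshold and window are deliberately parameters: a blog with one or two editors should never see ten login POSTs a minute, so the defaults are conservative, but they should be tuned to the site’s normal traffic before alerting on them.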

Logging into BluditCMS with these credentials didn’t reveal any immediate reverse shell capabilities, so I researched BluditCMS vulnerabilities further and found a Directory Traversal Image File Upload Vulnerability (CVE-2019-16113), which also has a Metasploit module available.
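The root cause of a traversal in an image upload is that a request-controlled value is used as a directory name without being validated, so ‘../’ sequences walk the write out of the upload folder. As an added illustration (not Bludit’s code, and not part of the original post), the example below places a minimal vulnerable path builder beside a hardened one. The upload root, the UUID-shaped page identifier and the extension allow-list are assumptions made for the example.

```python
import os
import re

# Assumed upload root for this example; not Bludit's actual layout.
UPLOAD_ROOT = "/srv/uploads"
# Only identifiers shaped like a UUID are accepted as a directory name.
UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")
ALLOWED_EXT = {".png", ".jpg", ".jpeg", ".gif"}


def vulnerable_target_path(upload_root, page_id, filename):
    """Joins the request-controlled directory name unchecked.

    A page_id of '../../tmp' resolves outside upload_root, which is the
    shape of the traversal described above.
    """
    return os.path.join(upload_root, page_id, filename)


def hardened_target_path(upload_root, page_id, filename):
    """Return an absolute destination path, or raise ValueError.

    Three independent controls: allow-list the identifier's shape, keep only the
    file's base name and check its extension, then prove the resolved path is
    still inside the upload root.
    """
    # 1. The directory component must look like a UUID; '..' can never match.
    if not UUID_RE.match(page_id):
        raise ValueError("identifier is not a UUID")

    # 2. Discard any client-supplied directory part of the file name and
    #    restrict the extension to image types.
    base = os.path.basename(filename)
    ext = os.path.splitext(base)[1].lower()
    if not base or ext not in ALLOWED_EXT:
        raise ValueError("unexpected file name or type")

    # 3. Resolve both sides and require the target to sit under the root.
    root = os.path.realpath(upload_root)
    target = os.path.realpath(os.path.join(root, page_id, base))
    if os.path.commonpath([root, target]) != root:
        raise ValueError("path escapes upload root")
    return target


if __name__ == "__main__":
    good_id = "8f9d1b22-3c4e-4a5b-9c6d-7e8f9a0b1c2d"  # constructed
    print(hardened_target_path(UPLOAD_ROOT, good_id, "cat.png"))
    for bad_id, name in [("../../tmp", "cat.png"), (good_id, "../../etc/passwd"), (good_id, "shell.php")]:
        try:
            hardened_target_path(UPLOAD_ROOT, bad_id, name)
        except ValueError as err:
            print(f"rejected {bad_id!r}/{name!r}: {err}")
```

The containment check in step 3 is the one that matters even if steps 1 and 2 are later loosened: whatever the identifier looks like, a write is only allowed once the resolved path is shown to remain beneath the upload root.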

11. Metasploit — Required Bludit Exploit Parameters

Running the exploit with the above parameters gets us a meterpreter session! However, this shell is very limited, so I decided to throw a more stable netcat reverse shell back to my machine, using the one-liner found on PenTestMonkey.

12. Increasing Shell Stability.

3. User (Hugo)

There were two users on the box, Shaun and Hugo. After obtaining a shell as www-data, I always enumerate the /www/ directory in case there are any databases or configuration files that may contain credentials.

Sure enough, this was the case here. The box actually contained another (updated) version of BluditCMS which seemingly hadn’t been rolled out yet, and after inspecting some of its .php files we find Hugo’s hashed password!

13. Finding Hugo’s Password

I used crackstation.net to crack the hash, which was successful. This left us with the following credentials, which can be used to move laterally and log in as Hugo:

Username: Hugo | Password: Password120

14. User Shell and User.txt

4. Root

Running the standard Linux enumeration techniques quickly found the escalation path to root, identifying Hugo’s sudo permissions on /bin/bash. If you’re after a great blog post that explains the techniques I’m referring to, I recommend this blog post by Sophia of SecQueens.

15. Sudo Permissions for Hugo.

The sudo permissions above essentially mean Hugo can run /bin/bash as any user except the root user, which sounds fair, right? Unfortunately not: CVE-2019-14287 describes how sudo’s function to convert a given ‘userID’ into its corresponding ‘Username’ incorrectly handles certain values, such as ‘-1’ or its unsigned equivalent ‘4294967295’.

This vulnerability is present in all sudo versions < 1.8.28, and is only exploitable in non-default configurations of sudo, such as the ‘any user except root’ rule above.
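Because the bug needs both an old sudo and a rule of the ‘run as anyone except root’ shape, an audit only has to look for those two conditions together. The script below is an added example written for this write-up (not part of the original post and not a sudo tool); it parses the first line of ‘sudo --version’ output, compares it against 1.8.28, and scans sudoers text for Runas lists that grant ALL while excluding root (written as ‘!root’ or as uid ‘!#0’). The sudoers lines and version strings are constructed samples; the parser handles plain one-line user specifications only, not aliases or continuation lines.

```python
import re

FIXED_VERSION = (1, 8, 28)  # first sudo release that rejects uid -1 / 4294967295

# Constructed sample of 'sudo --version' output (first line is what we parse).
SAMPLE_VERSION_OUTPUT = "Sudo version 1.8.25p1\nSudoers policy plugin version 1.8.25p1\n"

# Constructed sudoers excerpt: one rule of the vulnerable shape per user in the
# write-up's scenario, plus rules that are fine.
SAMPLE_SUDOERS = """\
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
hugo    ALL=(ALL, !root) /bin/bash
alice   ALL=(ALL, !#0) /usr/bin/vim
bob     ALL=(ALL) NOPASSWD: /usr/bin/apt
"""

VERSION_RE = re.compile(r"Sudo version (\d+)\.(\d+)\.(\d+)")
# who  host = (runas) commands   (aliases and '\' continuations are not handled)
RULE_RE = re.compile(r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*\((?P<runas>[^)]*)\)\s*(?P<cmds>.+)$")
ROOT_EXCLUSIONS = {"!root", "!#0"}


def parse_sudo_version(version_output):
    """Return (major, minor, patch) from 'sudo --version' text, ignoring the 'p' suffix."""
    m = VERSION_RE.search(version_output)
    if not m:
        raise ValueError("no sudo version line found")
    return tuple(int(x) for x in m.groups())


def version_affected(version):
    """True for any release before the fix."""
    return tuple(version) < FIXED_VERSION


def risky_runas_rules(sudoers_text):
    """Rules whose Runas user list says ALL but excludes root: the shape CVE-2019-14287 needs."""
    risky = []
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip() if not raw.lstrip().startswith("#") else ""
        # '#' also introduces uids such as '#0', so only strip a comment that
        # starts the line; keep the rest intact.
        line = raw.strip() if raw.strip() and not raw.lstrip().startswith("#") else ""
        m = RULE_RE.match(line)
        if not m:
            continue
        runas_users = m.group("runas").split(":", 1)[0]      # drop the group list
        entries = {e.strip() for e in runas_users.split(",")}
        if "ALL" in entries and entries & ROOT_EXCLUSIONS:
            risky.append((m.group("who"), m.group("runas").strip(), m.group("cmds").strip()))
    return risky


def audit(version_output, sudoers_text):
    """Combine both conditions into one verdict plus the evidence behind it."""
    version = parse_sudo_version(version_output)
    rules = risky_runas_rules(sudoers_text)
    return {
        "version": version,
        "version_affected": version_affected(version),
        "risky_rules": rules,
        "needs_attention": version_affected(version) and bool(rules),
    }


if __name__ == "__main__":
    result = audit(SAMPLE_VERSION_OUTPUT, SAMPLE_SUDOERS)
    print("sudo", ".".join(map(str, result["version"])),
          "affected" if result["version_affected"] else "patched")
    for who, runas, cmds in result["risky_rules"]:
        print(f"  {who}: ({runas}) {cmds}")
    print("needs attention:", result["needs_attention"])
```

Either condition alone is a finding worth fixing on its own: upgrading sudo closes the bug, and rewriting the rule to name the specific non-root users it is meant to allow removes the configuration the bug relies on.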

We can abuse this to run /bin/bash as root and escalate to a root shell.

16. Root Shell

And finally, the root flag!

17. Root.txt

Conclusion

Thanks for reading and keep an eye out for future writeups! Feedback is always welcome, and my HackTheBox profile is linked below :)

Jack Roberts

MSc Cyber Security Student at Lancaster University. Mostly posting CTF writeups from HackTheBox, TryHackMe and VulnHub.