HackTheBox — Blunder

Summary

Another Linux machine has been retired, with IP 10.10.10.191

Let's get started!

Enumeration

Only one port is open, 80, so nothing interesting there!

I fuzzed the directories with dirb and found the admin/login page.

Exploit

When I looked at the page source, I found Bludit version 3.9.2.
So I searched for CVEs for this version and found CVE-2019-16113 and CVE-2019-17240, plus a Python script to start the brute-force attack (Bruteforce).

The exploit for the first CVE is available in Metasploit.

Get user Access

Didn't find the user flag, but I found user credentials in users.php.

Now we have the password hash, so it needs to be cracked. I used hashcat with the rockyou.txt word list and got the password: Password120

Now I tried to get hugo's access with these credentials.

Got the user flag!

Privilege Escalation

After some searching about (ALL, !root) /bin/bash, I found this link: https://n0w4n.nl/sudo-security-bypass/

So I tried to get root with the command: sudo -u#-1 /bin/bash

Got the root flag!
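The root step works because the sudoers rule above relies on a "!root" exclusion, which an unpatched sudo does not enforce for the -u#-1 case. As an added example (not part of this write-up), the script below audits sudoers text or `sudo -l` output for such exclusion-based runas rules and shows the explicit allow-list form an admin should use instead; the sudoers lines are constructed for the demo.

```shell
#!/bin/sh
# Added example: find runas specs of the form "(ALL, !user)" in sudoers
# text or in "sudo -l" output. Such rules try to allow "everyone except
# root", which is only as strong as the sudo binary's handling of odd
# uids; the safe form names the permitted runas user explicitly.

# Constructed sudoers content for the demo (not the real /etc/sudoers).
SAMPLE_SUDOERS='Defaults        env_reset
root    ALL=(ALL:ALL) ALL
hugo    ALL=(ALL, !root) /bin/bash
alice   ALL=(www-data) /usr/bin/php
# old rule, commented out: bob ALL=(ALL, !root) /bin/sh'

# Print every uncommented line whose parenthesised runas list contains a
# "!" exclusion. Exit status 0 if at least one was found, 1 otherwise.
# Works on both sudoers syntax ("user HOST=(...) cmd") and "sudo -l"
# output ("    (ALL, !root) /bin/bash") because neither "=" nor a user
# field is required by the pattern.
find_negated_runas() {
    printf '%s\n' "$1" | grep -E '^[^#]*\([^)]*![^)]*\)'
}

# Number of such rules, as a bare integer (0 when none).
count_negated_runas() {
    find_negated_runas "$1" | wc -l | tr -d ' '
}

# Build the replacement rule: instead of "ALL, !root", grant the command
# only as the one runas account that is actually needed.
# Usage: harden_rule <user> <runas_user> <command>
harden_rule() {
    printf '%s    ALL=(%s) %s\n' "$1" "$2" "$3"
}

# Demo run: report offending rules and the suggested rewrite for hugo.
echo "Exclusion-based runas rules found: $(count_negated_runas "$SAMPLE_SUDOERS")"
find_negated_runas "$SAMPLE_SUDOERS"
echo "Suggested replacement:"
harden_rule hugo www-data /bin/bash
```

Pair the audit with keeping sudo itself patched: an allow-list rule is the real fix, and the exclusion form should be treated as a finding even on a patched host.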

If you learned anything useful from this write-up, respect me on HackTheBox.