HTB — Blunder Walkthrough

Exploitation using Metasploit.


Information Gathering and Enumeration:

#NMAP Scan:
sudo nmap -A -T4 10.10.10.191 -oN nmap_blunder
-A = Enable OS detection, version detection, script scanning, and traceroute.
-T4 = Set timing template (higher is faster).
-oN = Output to a file in normal format.
nmap_blunder = output file.

Only one port is open: TCP port 80.

Browse the web page for more information. One hint is that one of the words on the page is the password for the website.
Information from Wappalyzer.

Bludit is an interesting finding: Bludit is a CMS (Content Management System).
No useful information here!

This page confirms that the site is indeed a CMS, that FTP is turned off (consistent with the nmap scan, which showed no FTP port), that old users have been removed, and that there is a username "fergus".
Install FoxyProxy or enable the proxy manually in your browser.

Once traffic is intercepted by the proxy, right-click and choose "Send to Repeater".

The website uses a CSRF token, so a hydra http-post brute force is unlikely to work: each login attempt must carry a fresh token fetched from the login form. Luckily, a Python script is available that handles this.

Exploitation:

#Python script for brute forcing the login with CSRF token handling:

So far we have set the username to "fergus", but we still need a wordlist for the password.
There are 142 words of at least 7 letters gathered from the web page. This is done instead of using a typical wordlist, since one of the hints says that one of the words on the web page is the actual password.
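As an added example (not from the original walkthrough), here is the same word-harvesting idea applied from the defender's side: extract every word of at least seven letters from a page's visible text, then check a proposed password against that list. This is what a site-aware password check would do before accepting an admin password that appears in the site's own public content. The HTML below is a constructed sample, not the Blunder site, and the function names are my own.

```python
import re
from html.parser import HTMLParser

# Constructed sample page (not the real site); script/style text must be ignored.
SAMPLE_HTML = """
<html><head><title>Blunder Sample</title>
<style>body{color:#333}</style></head>
<body>
<h1>Welcome to the blog</h1>
<p>This is a sample page about photography and travelling.
Remember: the best camera is the one you have with you.</p>
<script>var analytics = "tracking";</script>
<p>Stephen King wrote about quarantine and illumination.</p>
</body></html>
"""


class _TextExtractor(HTMLParser):
    """Collect visible text, skipping the contents of <script> and <style>."""

    def __init__(self):
        super().__init__()
        self._skip = 0
        self.chunks = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.chunks.append(data)


def site_words(html, min_len=7):
    """Distinct words of at least min_len letters in the page's visible text."""
    parser = _TextExtractor()
    parser.feed(html)
    text = " ".join(parser.chunks)
    words = re.findall(r"[A-Za-z]+", text)
    return sorted({w for w in words if len(w) >= min_len})


def password_in_site_words(password, words):
    """True if the candidate password is one of the page's words (case-insensitive)."""
    lowered = {w.lower() for w in words}
    return password.lower() in lowered


if __name__ == "__main__":
    harvested = site_words(SAMPLE_HTML)
    print(len(harvested), "candidate words:", harvested)
    for candidate in ("Quarantine", "camera"):
        print(candidate, "->", "rejected" if password_in_site_words(candidate, harvested) else "ok")
```

Run against a real site's pages the list grows quickly; the point of the check is that anything on the public site is effectively already in an attacker's wordlist, so it should be rejected as a password regardless of length.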
Start the Python brute-forcing script.

Successfully brute-forced the login.
Successfully logged in using the credentials gathered.
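Added example, not from the original post: what the brute force above looks like to a defender reading the web server's access log. A token-aware script has to fetch the login page before each POST, so the log shows tight GET/POST pairs to the login path from one address. The log lines below are constructed in the Apache combined format with TEST-NET placeholder addresses; the detector counts POSTs to the login path per client in a sliding time window and flags clients that exceed a threshold. Function names and thresholds are my own choices.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache combined log format: client, identd, user, [timestamp], "request", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "method": m.group("method"),
            "path": m.group("path"), "status": int(m.group("status"))}


def login_bruteforce_alerts(lines, login_path="/admin/login", threshold=10, window_s=60):
    """Return {ip: peak} for clients that POST to login_path at least
    `threshold` times inside any `window_s`-second sliding window."""
    attempts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == login_path:
            attempts[rec["ip"]].append(rec["ts"])
    alerts = {}
    for ip, times in attempts.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            # advance the window start until the oldest kept attempt is within window_s
            while t - times[start] > timedelta(seconds=window_s):
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[ip] = peak
    return alerts


# --- constructed sample log (placeholder addresses, not captured traffic) ---
def _line(ip, ts, method, path, status, ua):
    stamp = ts.strftime("%d/%b/%Y:%H:%M:%S +0000")
    return f'{ip} - - [{stamp}] "{method} {path} HTTP/1.1" {status} 512 "-" "{ua}"'


_base = datetime(2020, 7, 18, 10, 0, 0, tzinfo=timezone.utc)
SAMPLE_LOG = []
for i in range(15):  # scripted client: GET (fetch token) then POST, once per second
    t = _base + timedelta(seconds=i)
    SAMPLE_LOG.append(_line("192.0.2.10", t, "GET", "/admin/login", 200, "python-requests/2.24.0"))
    SAMPLE_LOG.append(_line("192.0.2.10", t, "POST", "/admin/login", 200, "python-requests/2.24.0"))
# ordinary client: one page view, then two logins six minutes apart
SAMPLE_LOG.append(_line("192.0.2.20", _base + timedelta(seconds=30), "GET", "/", 200, "Mozilla/5.0"))
SAMPLE_LOG.append(_line("192.0.2.20", _base + timedelta(seconds=40), "POST", "/admin/login", 302, "Mozilla/5.0"))
SAMPLE_LOG.append(_line("192.0.2.20", _base + timedelta(seconds=400), "POST", "/admin/login", 302, "Mozilla/5.0"))

if __name__ == "__main__":
    for ip, n in login_bruteforce_alerts(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {n} login POSTs within 60s")
```

Because a CMS login usually answers a failed attempt with a 200 (the form is re-rendered), the detector deliberately counts POSTs regardless of status rather than looking for 401s; the rate alone is the signal. The same counter is what a lockout or rate-limit rule on the login route would enforce.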
There is an existing Metasploit exploit module.
The required fields will have to be filled in.

Post exploitation and privilege escalation:

#Go to a shell and upgrade it using Python:
shell
python -c 'import pty; pty.spawn("/bin/bash")'

Unable to read user.txt, so privileges must be escalated.
Unable to read the .ssh file.
We got the password, but it is hashed.
The plaintext is Password120.
Privilege escalation is still needed to get root.
Successfully gained access as root.

Written by

Experienced Network Security Engineer with a demonstrated history of working in the field of IT security industry.
