038#:HTB - Blunder

     Today I am going to take a stab at Blunder on Hack the Box. I have been getting humbled by the Active machines the past couple weeks and need a win to get me back on track. As usual, let’s get an nmap scan going.

      Started fuzzing site directories and pulled up the page in my browser.

     Nothing in the source code for the page and not much to click around on. I began checking out the directories we discovered with gobuster. On the /admin page we can see they are using Bludit CMS (I just googled BLUDIT since it seemed odd). In the source code for that page we may have a version of Bludit too, 3.9.2.

Blunder - Site 2

     Over at /todo.txt we get a username and a note that the CMS needs updating, probably because it is vulnerable.

     We have some promising options here, let’s give it a go.

Blunder - Exploit 1

     I had to edit the file to fix an error (see where I specified encoding='latin1'). I also realized I wasn’t targeting the login page. I was able to get it to run, but after a while I didn’t have a hit so I canceled it for now.

Blunder - Exploit 2
Blunder - Exploit 3

     There was mention of a metasploit module for this, so let’s give that a try next. When I loaded msfconsole though they had one exploit that needs credentials to work. We might come back to that, but for now I decided to look at the logon interaction in Burpsuite.

Blunder - Burpsuite 1

     We can see we have a bludit cookie and I also found that the login path is actually /admin/login. I decided to run the brute force script again while I continue to poke around.

     After a while I needed some help. I decided to skim the reviews for this room; it doesn’t have a great rating, so I thought we might get an idea of a common pain point. I noticed people upset about brute forcing and mentioning cewl. I am still waiting on this admin login brute force and I’m not familiar with cewl, so I spent some time researching that.

Blunder - Cewl 1

     This is actually really cool. I just modified the “cewl usage example” from Kali’s documentation and easily made a wordlist to use. I hadn’t known about this, so I made sure to update my notes for future use.

Blunder - Exploit 4
Blunder - Exploit 5

     Nice! Let’s log in with our new account.

Blunder - Site 4

     I tried to get some other user info but we don’t have the rights. Let’s revisit that metasploit module now that we have a valid login though.

Blunder - MSF 2

     There we have our initial access. This meterpreter session was a bit annoying though so I switched it out for a bash reverse shell and stabilized it after. Poking around, I found that the Bludit admin’s username is Hugo and what looks like a password hash.

     I dropped the password value in dCode’s cipher identifier which pegged it as SHA-1. Their decoder actually gave me the cracked value too.

Blunder - Dcode 1

     I can’t log into the Bludit portal with that password as admin or hugo though. Trying to switch users to hugo proves successful though!

      Here we get our first flag and we also note the shaun user from their home folder.

Blunder - Flag 1

     I briefly checked our sudo rights before jumping over to the /tmp folder and transferring a copy of linpeas.sh. I didn’t spend enough time here trying to understand what the sudo rights meant beyond the fact that I couldn’t run bash as root. I would later realize my mistake here.

Blunder - Linpeas 1

     Pretty early in the results we see a very high probability for a PE vector.

Blunder - Linpeas 2

     I noticed that the PE vector flagged is actually newer than the room, so we are going to skip that out of respect for the craft. I found another one I wanted to explore though, CVE-2019-7304. This was a bad hit though and didn’t apply here. I moved on to explore various folders and found some interesting stuff in /ftp.

Blunder - Hugo 2

     It’s been a few days since I’ve worked on this room. Once I had a shell as hugo again I double checked the sudo rights out of habit and realized I didn’t fully understand what it was saying. So I looked it up to find that I am allowed to run /bin/bash as any user except root. I think we may be able to get a shell as shaun using this permission.

Blunder - Shaun 1

     Nice! Completely missed that the first time through, a good reminder that stepping back from a challenge can be good at times. I began poking around shaun’s home folder for anything interesting.

     I found some png files in their /Pictures directory, but I had a hard time getting them to my machine. I tried running a python http server from the victim but that stalled out. I ended up using netcat to transfer the file which was new for me and a good one to keep in mind. I added this method to my notes for the future.

Blunder - NC 1
Blunder - NC 2

     So what are the images?

Blunder - PNG 1

     Well that is the root flag. I was surprised to find the root flag without ever getting root. I double checked to see if I was the only person in this room just in case it was another user’s work, but this looks like it.

     After manually typing out the flag in the photo though, it appears this flag is not current. That makes more sense. Let’s see if that PoC used is still in /usr/local/sbin.

Blunder - Shaun 2

     Hmm, their exploit isn’t there but visudo is in its place. I checked the version and looked for exploits. When I googled “visudo 1.8 exploits”, I found CVE-2019-14287. That article walks through how it works. Google’s AI summary was actually very useful here as well.

Blunder - Site 5
Blunder - Google 1

     I had to switch back to hugo first since we don’t have shaun’s password to run a sudo command. But as we can see this worked to get us root and our final flag!
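     A small audit script I added for this write-up (not part of the original post or of any tool used on the box) that shows what a defender would look for after this chapter: a sudoers rule of the "(ALL, !root)" shape combined with a sudo build older than 1.8.28, the first release that fixed CVE-2019-14287. The sudoers text and version string below are constructed samples, not the machine’s real files.

```python
import re

# Sudo 1.8.28 is the first release containing the fix for CVE-2019-14287.
FIXED_VERSION = (1, 8, 28)

# Matches a sudoers user specification such as
#   hugo ALL=(ALL, !root) /bin/bash
# capturing user, host, the runas list and the command list.
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*\((?P<runas>[^)]*)\)\s*(?P<cmds>.+)$"
)

def parse_version(text):
    """Turn output like 'Sudo version 1.8.25p1' into a comparable tuple."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no sudo version found in: %r" % text)
    return tuple(int(x) for x in m.groups())

def find_negated_runas(sudoers_text):
    """Return (user, runas, cmds) for rules whose runas list excludes root."""
    hits = []
    for raw in sudoers_text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()  # drop comments, keep '!#0'
        m = RULE_RE.match(line)
        if not m:
            continue
        runas = [r.strip() for r in m.group("runas").split(",")]
        # "any user except root" is the shape the pre-1.8.28 runas uid check got wrong.
        if "!root" in runas or "!#0" in runas:
            hits.append((m.group("user"), m.group("runas"), m.group("cmds").strip()))
    return hits

def assess(sudoers_text, version_text):
    """Exposed only when the version is pre-fix AND a negated-root rule exists."""
    version = parse_version(version_text)
    hits = find_negated_runas(sudoers_text)
    return {
        "version": version,
        "patched": version >= FIXED_VERSION,
        "negated_rules": hits,
        "exploitable": version < FIXED_VERSION and bool(hits),
    }

# Constructed sample input, not the box's real sudoers file.
SAMPLE_SUDOERS = """\
root    ALL=(ALL:ALL) ALL          # constructed example
hugo    ALL=(ALL, !root) /bin/bash
shaun   ALL=(ALL) NOPASSWD: /usr/bin/systemctl status
"""

if __name__ == "__main__":
    print(assess(SAMPLE_SUDOERS, "Sudo version 1.8.25p1"))
```

     Feeding it the real /etc/sudoers (plus /etc/sudoers.d/*) and the output of `sudo -V` turns the mistake I made earlier, glossing over the sudo rights, into a one-line check.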

Blunder - Flag 2

     This room was actually really cool and I don’t think it deserves the lower star reviews it had. I learned about cewl, using nc to transfer files, and I think the privilege escalation path was engaging.

     Plus the only help I ended up needing was reading some of the reviews. I try to approach these in a way where I hold off using hints as long as possible, and if I do I would prefer as little of a hint as possible. Overall a good time.

[CATZ....HACKS]