This room on HackTheBox is categorized as Easy, but as a beginner I still found it a bit tricky, as there were many things I had not experienced before, such as a completely new (to me) way of enumerating credentials.

So, let’s begin!

Enumeration

Blunder sits at IP address 10.10.10.191. The first thing we can do is run an nmap scan against that address to see which ports are open.

Only one port is open: port 80, running an Apache web server, which means we can access the content hosted on it through a web browser.

It looks like this is someone's personal blog where they upload their articles. We can start a directory brute-force scan in the background and meanwhile go through the source code of all the pages on the website.

We don't find any useful information in the source code of any of the pages, so the only lead left is the result of the directory brute-force.

From the dirbuster results, there are two files worth visiting, robots.txt and todo.txt, along with the directory admin.

robots.txt gives us nothing, but todo.txt contains a note.

So now we have a suspected username, fergus. We can move on and check the admin directory.

We find a login page at /admin, where we can try some basic SQLi payloads along with default login credentials, but none of them work. We can also try some common passwords with the username fergus, but those don't work either. The next step is to check the page's source code for any information disclosure.

We don't find any useful hint there, but we can see that this login page uses a CSRF token, which the author notes is used as a method to avoid login brute-force attacks. With every new request a new token is generated, and it has to be submitted along with the login credentials for a login to be processed. So if we plan to brute-force the credentials, we need a way to send the correct CSRF token with every attempt alongside the changing password; otherwise we will never find the right credentials, even if they are in our wordlist.

Initial Foothold

From the login page we get one hint: the term BLUDIT. We can search for it on Google to see whether it is a known product and whether it has any associated vulnerabilities.

The first Google result is the Bludit Directory Traversal exploit on ExploitDB. We can download the code, make the necessary changes and try it. Before that, though, we can see that to run the script properly we need a username and password along with the target URL.

We do have one suspected username, fergus, but no associated password. The articles don't reveal any likely password either, and there are no other hidden pages. We can, however, build a wordlist from the blog's own text using cewl and try those words as passwords. We can run cewl as:

This creates a list of words harvested from the web pages, written to the file words. Now we can use this list with the username fergus to brute-force the login. The obstacle is the CSRF token: to get around it we need a Python script that reads the token from each fresh login page and passes it in the subsequent request along with the next password value.

You can find this script at: https://github.com/0xNirvana/Writeups/edit/master/HackTheBox/Easy/blunder/bludit_bruteforce_csrf_login.py

The script is working as:

  1. Open the wordlist named words and read its contents.
  2. Loop over every word in the wordlist.
  3. Inside the loop, do the following:
  • Request the login page to obtain a fresh CSRF token.
  • Build the set of form fields in the variable data that are to be sent to the login page.
  • Send data to the login page in a POST request with redirects disabled.
  • Check the POST response for the keyword 'incorrect'. This lets us stop the loop as soon as the correct credentials are found, because a successful login does not contain the string 'username or password incorrect' in the response.
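The same login flow seen from the server side, as an added example that is not the post's script: it scans Apache access-log lines for the signal the script above relies on, a burst of POSTs to the login form answered with 200 (form re-rendered) followed by a 302 (redirect on success), and reports the client responsible. The login path, the client addresses and the log lines are assumptions I constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" access-log format; only the fields we need are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
LOGIN_PATH = "/admin/login"   # assumed target of the Bludit login form

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "method": m["method"], "path": m["path"], "status": int(m["status"])}

def find_login_bruteforce(lines, window_s=60, threshold=10):
    """Return {ip: {"failures": n, "succeeded": bool}} for every client that sent
    at least `threshold` failed login POSTs inside any `window_s`-second window.
    Failure = 200 (form re-rendered), success = 302, as the post's script observes."""
    events = defaultdict(list)
    for line in lines:
        e = parse_line(line)
        if e and e["method"] == "POST" and e["path"] == LOGIN_PATH:
            events[e["ip"]].append((e["ts"], e["status"]))
    hits = {}
    for ip, evs in events.items():
        evs.sort()
        fails = [t for t, s in evs if s == 200]
        start, peak = 0, 0
        for end in range(len(fails)):          # sliding window over failure times
            while (fails[end] - fails[start]).total_seconds() > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            hits[ip] = {"failures": len(fails),
                        "succeeded": any(s == 302 for _, s in evs)}
    return hits

def constructed_log():
    """Constructed sample, not real traffic: 12 failures in 12 s then a redirect
    from one client, and one ordinary user who mistypes once and then logs in."""
    fmt = '{ip} - - [15/Jul/2020:10:{mm:02d}:{ss:02d} +0000] "POST {p} HTTP/1.1" {st} 1543'
    lines = [fmt.format(ip="10.10.14.5", mm=1, ss=i, p=LOGIN_PATH, st=200) for i in range(12)]
    lines.append(fmt.format(ip="10.10.14.5", mm=1, ss=12, p=LOGIN_PATH, st=302))
    lines.append(fmt.format(ip="10.10.14.9", mm=5, ss=0, p=LOGIN_PATH, st=200))
    lines.append(fmt.format(ip="10.10.14.9", mm=5, ss=30, p=LOGIN_PATH, st=302))
    return lines
```

A per-request CSRF token only binds each attempt to a fresh page load; it does not cap the number of attempts, so the defence has to come from rate limiting or lockout on the login endpoint plus this kind of log review.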

P.S. I used Burp Suite to check all the parameters that were being sent to the login page with every request, and on the basis of that created the values in data.

With this we get the correct password as well, which we can verify by logging in.

Now that we have the correct username and password, we can use the directory traversal exploit that we had downloaded earlier by making the correct changes to it.

On reading the script further, we can see that we need to create two more files, evil.png and .htaccess. Luckily the commands to create those files are also given in the script, so we can use them to create the required payloads.

Now, we can again try to run the script.

The script states that the uploaded payload can be reached at url + /bl-content/tmp/temp/evil.png. Before visiting that page, we need to start a listener on port 4242 (the script uses port 53, but I changed it to 4242).

Running whoami shows that we have a shell as www-data. Exploring the file system, we find two users on the machine, hugo and shaun. hugo's home directory contains the user.txt file, but it is not readable by us. sudo -l gives us no output either. The next thing to check is /etc/crontab.

But even here we don't find anything useful. We can try to list the files we have access to using the find command:

The command returns a lot of files and directories, but the most interesting one appears to be /var/www/bludit-3.10.0a. So we can start enumerating the files in this directory and see if we can find something useful.

After going through multiple files in that directory, we find credentials for the user hugo in the file /var/www/bludit-3.10.0a/bl-content/databases/users.php.

We can use this password hash and head over to CrackStation to get the password.

Even though we now have the credentials for the user 'hugo', we can't switch user because we don't have a stable shell. To convert this unstable shell into a stable one we can try commands like:

But none of these work. We can try to create a custom payload using msfvenom, send it to the target machine and execute it as:

We can transfer this payload to the target machine by starting python3 -m http.server on our attacking machine and using wget on the target. Once the file is downloaded, we can make it executable and run it. But even this does not work.

Finally, I had some help from Gray-0men, who suggested that I start a Python reverse shell from the unstable shell using the payload:

We can now start another listener on port 443 using the command nc -nvlp 443 and run the above command, with our attacking machine's IP address filled in, on the target machine:

On target machine’s previously obtained shell:

On attacking machine:

We can now switch the user to ‘Hugo’ as:

And there we get the user flag.

We can now run sudo -l to check which commands 'hugo' can run with sudo privileges:

The entry (ALL, !root) /bin/bash is a direct hint towards the vulnerability the author refers to as CVE-2019-4287, which can be simply exploited as:

By exploiting this simple vulnerability we get root access and can read the flag as well!
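The rule shape that made this escalation possible, as a defender would check for it: an added audit script (mine, not the post's or Blunder's) that parses sudoers-style lines, reports runas lists that allow ALL but only deny root by name, and marks them bypassable when the installed sudo predates 1.8.28, the release that fixed the bypass. The sample sudoers text, including the backup user, is constructed for the example.

```python
import re

SKIP_RE = re.compile(r'^(Defaults|User_Alias|Runas_Alias|Host_Alias|Cmnd_Alias)\b')
# user  host=(runas_user[:runas_group]) [TAG:] commands
RULE_RE = re.compile(r'^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*'
                     r'(?:\((?P<runas>[^)]*)\))?\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$')
FIXED_IN = (1, 8, 28)   # first sudo release that rejects the runas-negation bypass

def version_tuple(v):
    """'1.8.31p2' -> (1, 8, 31); only the numeric components are compared."""
    return tuple(int(x) for x in re.findall(r'\d+', v)[:3])

def audit_sudoers(text, sudo_version=None):
    """Flag user specs whose runas list allows ALL but only denies root by name.
    Such a rule is a deny-list: 'not root' holds only if sudo itself refuses
    bogus user ids, so on a pre-fix sudo the finding is marked bypassable."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments (simplification)
        if not line or SKIP_RE.match(line):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        # runas defaults to root; keep the user part, ignore ':group'
        runas_users = [u.strip() for u in (m["runas"] or "root").split(":")[0].split(",")]
        allowed = {u for u in runas_users if not u.startswith("!")}
        denied = {u[1:] for u in runas_users if u.startswith("!")}
        if "ALL" in allowed and "root" in denied:
            old = sudo_version is not None and version_tuple(sudo_version) < FIXED_IN
            findings.append({
                "user": m["user"], "commands": m["cmds"].strip(), "bypassable": old,
                "advice": f"replace '(ALL, !root)' for {m['user']} with an explicit "
                          f"allow-list of target users",
            })
    return findings

# Constructed sample modelled on the entry shown in the post; not the box's real file.
SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
hugo    ALL=(ALL, !root) /bin/bash
backup  ALL=(www-data) NOPASSWD: /usr/bin/tar   # explicit target user, fine
"""
```

Even on a patched sudo the rule remains a deny-list, so the advice is the same either way: name the users hugo may run as rather than excluding root from ALL.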

With this, we pwned the Blunder machine!

Some Key Points to Take Away

  1. When you have access to articles or other site text, try using cewl to build a wordlist from them and use it to brute-force the login.
  2. If you cannot make an unstable shell stable, try spawning a fresh reverse shell from inside the unstable one.

Links Referred

  1. HackTheBox-Blunder: https://www.hackthebox.eu/home/machines/profile/254
  2. Bludit Directory Traversal Attack: https://www.exploit-db.com/exploits/48701
  3. CrackStation: https://crackstation.net/
  4. Gray-0men: https://github.com/Gray-0men
  5. CVE-2019-4287: https://www.exploit-db.com/exploits/47502

Do find my other work and walkthroughs at: https://github.com/0xNirvana

Just another CyberSec Guy
