Blunder | HackTheBox Writeup


Blunder is an easy Linux-based machine on HackTheBox.

User Part

Starting with an nmap scan, I found only one open port.

Port 21 (FTP) is closed and port 80 (HTTP) is open, so let's check the website. There is not much on the web page.

Let's check robots.txt; nothing useful there.

So I ran gobuster to brute-force directories and files, and I found one interesting file, 'todo.txt'.

Reading the paragraph in it, you can see that 'fergus' is a username.


Then I went to the 'admin' directory and found that the site runs the Bludit CMS; while checking the page source, I also found the version number.

Then I used searchsploit to look for exploits and found an authentication brute-force vulnerability.

I downloaded the exploit, converted it with 'dos2unix' and installed the requirements it needs.
I converted the file with dos2unix because scripts pulled from exploitdb sometimes come with Windows (CRLF) line endings, which cause errors when you run them.

Then I tried some common passwords, but none of them worked, so I used 'cewl' to build a custom password wordlist from the words on the website.

Trying the custom wordlist got me the password, and now I can access the dashboard.
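To show what cewl is doing under the hood, here is an added example (my own code, not from the original post or from the cewl project): a minimal cewl-style harvester that pulls the visible text out of an HTML page and turns it into a candidate password list. The sample page and the minimum word length are constructed for the example; the real target's HTML and the passwords are not reproduced here.

```python
# Added example (not the original post's code): a minimal cewl-style word
# harvester. It extracts visible text from an HTML page and builds a list
# of unique words, which is what the post used cewl for.
import re
from html.parser import HTMLParser


class _TextExtractor(HTMLParser):
    """Collect text nodes, skipping the contents of <script> and <style>."""

    def __init__(self):
        super().__init__()
        self._skip = 0
        self.chunks = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.chunks.append(data)


def build_wordlist(html, min_length=5, max_length=None):
    """Return the unique words in the page's visible text, in order of first
    appearance, keeping only words of at least min_length characters
    (the equivalent of cewl's -m option)."""
    parser = _TextExtractor()
    parser.feed(html)
    text = " ".join(parser.chunks)
    words, seen = [], set()
    for word in re.findall(r"[A-Za-z0-9]+", text):
        if len(word) < min_length:
            continue
        if max_length is not None and len(word) > max_length:
            continue
        if word not in seen:
            seen.add(word)
            words.append(word)
    return words


# Constructed sample page standing in for the target site's HTML.
SAMPLE_HTML = """
<html><head><title>Reading Fan Page</title>
<style>body { color: black; }</style></head>
<body>
<h1>Welcome to my site</h1>
<p>Favourite books: Carrie, Christine and Misery. First posted in 2019.</p>
<script>var secretToken = "notVisibleText";</script>
<a href="/todo.txt">todo</a>
</body></html>
"""

if __name__ == "__main__":
    # Write the list in the one-word-per-line form the brute-force script expects.
    for word in build_wordlist(SAMPLE_HTML):
        print(word)
```

Script and style contents are skipped on purpose: they are not what a site owner reads when picking a password, and they would pad the list with JavaScript identifiers that only slow the brute-force down.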

While looking through the Bludit issues on GitHub, I found an RCE in version 3.9.2.

Then I searched for an exploit and found one.

The exploit is an authenticated RCE; I gave it the credentials and got a reverse shell.

I tried to read user.txt, but permission was denied, so I looked around the file system and found something interesting in the Bludit install.
In that folder there are two Bludit version directories.
We exploited version '3.9.2', so I looked into the version 3.10 directory.

There I found users.php, which contains the users' password hashes.

I cracked the password with the help of

Then I tried the password with the username hugo, and it was correct.
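As an added example of the cracking step (my own code, not the post's and not Bludit's), here is an offline dictionary attack against the hashes in a users.php file. It assumes the Bludit scheme as I know it from the Bludit source, sha1(password + salt) stored as hex next to a per-user "salt" field, and a users.php layout of a one-line PHP guard followed by a JSON object; both are assumptions, not facts taken from the post. The sample users.php, its salts, its passwords and the wordlist are all constructed here so the example runs offline; none of them are the box's real data.

```python
# Added example (not from the original post): offline dictionary attack on
# the password hashes found in a Bludit users.php.
# Assumptions: Bludit stores sha1(password + salt) as hex with a per-user
# "salt" field, and users.php is a PHP guard line followed by JSON.
import hashlib
import json


def parse_users_php(text):
    """Strip the leading '<?php ... ?>' guard and return the JSON user map."""
    end = text.find("?>")
    body = text[end + 2:] if end != -1 else text
    return json.loads(body)


def bludit_hash(password, salt):
    # Assumed Bludit scheme: SHA-1 over the password concatenated with the salt.
    return hashlib.sha1((password + salt).encode()).hexdigest()


def crack_users(users, wordlist):
    """Try every candidate against every user; return {username: password}."""
    found = {}
    for name, record in users.items():
        target = record.get("password", "").lower()
        salt = record.get("salt", "")
        for candidate in wordlist:
            if bludit_hash(candidate, salt) == target:
                found[name] = candidate
                break
    return found


def crack_users_php(text, wordlist):
    """Convenience wrapper: parse a users.php file and crack what it holds."""
    return crack_users(parse_users_php(text), wordlist)


# Constructed sample users.php. The hashes are generated here from made-up
# passwords so the example is self-contained; nothing below is real data.
_SALT_ADMIN = "5fd1e2a7b9c03"
_SALT_EDITOR = "a1b2c3d4e5f60"
SAMPLE_USERS_PHP = "<?php defined('BLUDIT') or die('Bludit CMS.'); ?>\n" + json.dumps({
    "admin": {"nickname": "Admin", "role": "admin",
              "password": bludit_hash("correct horse", _SALT_ADMIN),
              "salt": _SALT_ADMIN},
    "editor": {"nickname": "Editor", "role": "editor",
               "password": bludit_hash("Password123", _SALT_EDITOR),
               "salt": _SALT_EDITOR},
}, indent=4)

# Constructed wordlist, e.g. the cewl output plus a few common passwords.
SAMPLE_WORDLIST = ["letmein", "Password123", "summer2020", "admin"]

if __name__ == "__main__":
    # Only the editor's password is in the wordlist, so only that one cracks.
    print(crack_users_php(SAMPLE_USERS_PHP, SAMPLE_WORDLIST))
```

Because the salt is stored in clear next to the hash, it adds nothing against an attacker who already has the file; it only stops a precomputed table from being reused across users. Unsalted or fast-hash schemes like this are exactly why a short, site-derived wordlist is often enough.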

Root Part


I found that the installed version of sudo is old and exploitable.

The full exploit is on exploitdb.

I got a root shell using the command and read 'root.txt'.
