
HTB BLUNDER WALK-THROUGH


HackTheBox is an excellent platform for various pen-testers to increase their testing skills and knowledge.
Machine Level -Easy
Machine Name -Blunder
Machine OS -Linux
Machine IP -10.10.10.191
Tools:
Nmap -Nmap is a fantastic tool for scanning open ports and services and for OS detection. You can use tools other than nmap (whichever you are more comfortable with), like masscan or SPARTA, to scan for open ports.
Method:
Scanning the machine is the first step (i.e. enumeration).
Use the command sudo nmap -sSVS 10.10.10.191; this scans for open ports and services on the host.
The scan shows ports 21 and 80.
Since port 21 seems to be closed, we have only port 80 to enumerate.
It's running an Apache server. Let's enumerate it.
A lot of text here. Maybe something interesting is in here, like a username or a password, but that only helps if we can log in somewhere.
Let's do directory busting and see if we find something interesting.
Command is dirb http://10.10.10.191/
There's an admin page and a text file (robots.txt).
Let's visit the admin page.
We need a username and password.
Let's do more enumeration before we try to login.
The robots.txt file does not have anything interesting.
Let's use the wfuzz tool and see if we find more hidden directories.
Command is
wfuzz -c -z file,/usr/share/wfuzz/wordlist/general/common.txt --hc 404 http://10.10.10.191/FUZZ.txt
(we are looking for text files).
There's a todo.txt file.
Let's see it.
"fergus", that's interesting, maybe it's a username. But we did not find any passwords.
Should we use the words present on the default page (port 80) and try a brute force?
No, we should not. First let's enumerate the Bludit admin page.
I found rastating's GitHub page for the Bludit Brute Force Mitigation Bypass.
The problem is that if you try a normal brute force, the server blocks your IP address after 10 attempts for a certain time span. However, this script spoofs the IP address, so you won't be locked out.
The script rastating wrote performs the brute force without getting blocked.
The modified script can be found here.
Let's first grab all the words from the web page.
We will use a tool named cewl to grab all the words and save them in a file.
Command is
cewl -d 10 -m 1 http://10.10.10.191 > test.txt
Let's modify the script to our need.
Set the host, username and path of the password file we just generated.
All set, let's do the brute force attack.
It will take a minute, trying various passwords.
Password found!
Username is fergus
Password is RolandDeschain
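The lockout the post describes stops working the moment it keys on an address the client can choose. As an added example (not part of the post, not Bludit's code, and not rastating's script), the Python below replays a constructed set of login attempts through a small sliding-window lockout, once keyed on the address the request claims and once keyed on the TCP peer address, and adds a detection signal for the defender: one peer that presents many different claimed addresses while failing logins. The threshold of 10 comes from the post; the 300-second window, the sample addresses and the field names are assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

# The post mentions a block after 10 attempts; the window length is an assumption.
LOCKOUT_THRESHOLD = 10
LOCKOUT_WINDOW_S = 300


@dataclass(frozen=True)
class LoginAttempt:
    ts: float        # time of the attempt, epoch seconds
    peer_ip: str     # address of the TCP connection (set by the kernel, not the client)
    claimed_ip: str  # address the request itself claims (untrusted, client-controlled)
    user: str
    success: bool


class LockoutTracker:
    """Sliding-window failed-login counter with a temporary lockout."""

    def __init__(self, key_field="peer_ip", threshold=LOCKOUT_THRESHOLD, window=LOCKOUT_WINDOW_S):
        self.key_field = key_field
        self.threshold = threshold
        self.window = window
        self.failures = defaultdict(deque)  # key -> timestamps of recent failures
        self.locked_until = {}              # key -> epoch seconds when the lock expires

    def observe(self, a):
        """Record one attempt; return 'locked', 'fail' or 'ok'."""
        key = getattr(a, self.key_field)
        if key in self.locked_until:
            if a.ts < self.locked_until[key]:
                return "locked"          # inside the lockout: credentials are not even checked
            del self.locked_until[key]
        if a.success:
            self.failures.pop(key, None)
            return "ok"
        q = self.failures[key]
        q.append(a.ts)
        while q and a.ts - q[0] > self.window:   # forget failures older than the window
            q.popleft()
        if len(q) >= self.threshold:
            self.locked_until[key] = a.ts + self.window
            return "locked"
        return "fail"


def replay(attempts, key_field):
    """Run every attempt through a fresh tracker keyed on the given field."""
    tracker = LockoutTracker(key_field=key_field)
    return [tracker.observe(a) for a in attempts]


def claimed_ip_spread(attempts):
    """Detection signal: per peer, how many distinct addresses it claimed while failing."""
    seen = defaultdict(set)
    for a in attempts:
        if not a.success:
            seen[a.peer_ip].add(a.claimed_ip)
    return {peer: len(ips) for peer, ips in seen.items()}


# Constructed sample (documentation address ranges): one peer fails 12 times,
# each time with a different claimed address, then presents the right password.
SAMPLE = [
    LoginAttempt(ts=100 + i, peer_ip="198.51.100.7", claimed_ip=f"203.0.113.{i}",
                 user="fergus", success=False)
    for i in range(12)
] + [LoginAttempt(ts=113, peer_ip="198.51.100.7", claimed_ip="203.0.113.99",
                  user="fergus", success=True)]

if __name__ == "__main__":
    print("keyed on claimed address:", replay(SAMPLE, "claimed_ip"))
    print("keyed on peer address:   ", replay(SAMPLE, "peer_ip"))
    print("distinct claimed addresses per peer:", claimed_ip_spread(SAMPLE))
```

Keyed on the claimed address every attempt looks like a fresh client, so the counter never reaches 10 and the final attempt succeeds; keyed on the peer address the tenth failure locks the peer and the later correct password is refused until the window expires. The spread count is what a detection rule would alert on: a single peer claiming a dozen addresses in as many seconds is not normal traffic.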
Let's log in to the admin page.
Login success.
Search for a Bludit exploit on Google and you should find this exploit.
Scroll down to see the module options.
Copy the module's exploit.
Open Metasploit using the command msfconsole.
We need the Bludit password, username and RHOSTS.
We know all of these.
Let's provide these details.
All set, run the exploit.
Meterpreter shell opened.
Let's see what privileges we have.
Let's see if we can grab the user flag.
Failed. Most likely we do not have permission to access it.
Let's create an interactive shell and upgrade to a proper TTY.
Command is python -c 'import pty; pty.spawn("/bin/bash")'
Let's try privilege escalation.
Use command su hugo
Seems like we need a password for hugo.
Let's do some enumeration and see if we find the password.
I found the password here, but it seems to be encoded.
Copy the hash and use online tools to crack it.
So the password is Password120
Let's try it.
Success! Let's grab the user flag.
Moving on for the root flag.
Let's run sudo -l and see if we can escalate privileges.
We can run this command and gain root privileges.
First let's search for this on Google.
I found the exact command that we need to run (Exploit Database, Exploit No. 47502).
Let's run the command
sudo -u#-1 /bin/bash
Success. We are root now. Grab the root flag.
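The sudo -u#-1 trick relies on a known sudo flaw: releases before 1.8.28 accepted a user id of -1 and ran the command as root even when the sudoers entry excluded root, for example a runas list such as (ALL, !root). The post does not show the box's sudoers entry, so the fragment below is constructed. As an added example (not from the post and not part of sudo), this Python audit script flags entries that grant ALL but rely on a ! negation, so an administrator can replace them with an explicit allow-list of run-as users, and checks whether a sudo version string is at or past the fixed release. The parser handles only the plain user-spec form shown and is an assumption, not sudo's full grammar.

```python
import re

# Constructed sudoers fragment; not copied from any real host.
SAMPLE_SUDOERS = """\
# constructed example
Defaults    env_reset
root    ALL=(ALL:ALL) ALL
hugo    ALL=(ALL, !root) /bin/bash
alice   ALL=(www-data) /usr/bin/less /var/log/apache2/access.log
%admin  ALL=(ALL) ALL
"""

# Plain user-spec form only:  who  host=(runas) commands
ENTRY_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*\((?P<runas>[^)]*)\)\s*(?P<cmds>.+)$"
)


def parse_sudoers(text):
    """Return the user-spec entries as dicts; comments and Defaults lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def weak_negation_entries(entries):
    """Entries whose run-as user list grants ALL and then relies on a '!' exclusion.

    Such an entry depends on sudo enforcing the exclusion for every way of naming
    the excluded user, which is exactly what the -u#-1 flaw broke."""
    weak = []
    for e in entries:
        users = e["runas"].split(":", 1)[0]          # user part; group part after ':' ignored
        tokens = [t.strip() for t in users.split(",")]
        if "ALL" in tokens and any(t.startswith("!") for t in tokens):
            weak.append(e)
    return weak


def sudo_is_fixed(version):
    """True if a sudo version string (e.g. '1.8.21p2') is at or after 1.8.28."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    return parts >= (1, 8, 28)


if __name__ == "__main__":
    entries = parse_sudoers(SAMPLE_SUDOERS)
    for e in weak_negation_entries(entries):
        print(f"review: {e['who']} may run {e['cmds']} as ({e['runas']}); "
              f"prefer an explicit run-as list such as (www-data)")
    for v in ("1.8.21p2", "1.8.28", "1.9.5p2"):
        print(v, "fixed" if sudo_is_fixed(v) else "vulnerable to -u#-1")
```

Both checks matter: patching sudo removes the bug, and rewriting the entry as an explicit list removes the dependency on negation semantics altogether, which is the least-privilege shape the entry should have had in the first place.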
Thanks for reading.
