Hack the Box (HTB) machines walkthrough series — Blunder

December 8, 2020 by Security Ninja

Today we continue our exploration of Hack the Box (HTB) machines, as seen in previous articles. This walkthrough covers the HTB machine named Blunder.

HTB is an excellent platform that hosts machines running multiple operating systems, and it offers other challenges as well. Individuals have to solve a puzzle (simple enumeration plus a small pentest) in order to register on the platform and download the VPN pack used to connect to the machines hosted there.

Note: Only write-ups of retired HTB machines are allowed. The machine in this article, named Blunder, is retired.

The walkthrough

Let’s start with this machine.

  1. Download the VPN pack for the individual user and use the guidelines to log into the HTB VPN.
  2. The Blunder machine IP is 10.10.10.191.
  3. We will adopt our usual methodology of performing penetration testing. Let’s start with enumeration in order to gain as much information as possible.
  4. As usual, let’s start with an Nmap scan to gather more information about the services running on this machine.

    nmap -sC -sV -oA Blunder 10.10.10.191

  5. With the open ports identified, I looked at the website’s landing page but could not find anything useful.
  6. Let’s perform directory brute-forcing using Gobuster, as shown below. We immediately got hits on a few directories.
  7. Among the identified directories, admin looks promising. Browsing to it shows a login page for “BLUDIT”.
  8. Searching for available exploits for BLUDIT turns up some hits, but all of them require a username and password.
  9. Going back to enumeration, let’s fuzz the website for files. For the .txt extension, we got hits on robots.txt and todo.txt.
  10. Opening todo.txt shows the TODO items below. It seems that “fergus” is a user on the system.
  11. Let’s use cewl to build a custom wordlist from the website, as shown below.
  12. Now we can brute-force the BLUDIT login page with this wordlist, but BLUDIT has a blocking feature that blocks an IP address once its username and password attempts exceed a certain limit.
  13. Looking at this link, it seems the problem is already solved. We just need to modify the script with our target details and make it read passwords from a file.
  14. Once we do that, we can run the script and find the password for the user shown below, after which we can log into the website.
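The lockout in step 12 is BLUDIT’s own per-IP throttle. Whether or not it holds, a defender also wants these attempts to be visible in the web server logs. Below is an added example (not part of this write-up and not BLUDIT’s code) in Python: it parses Apache combined-format access log lines and flags any source address whose POSTs to the login path exceed a threshold inside a sliding time window. The log lines, the login path `/admin/`, the window length and the threshold are all constructed assumptions for the demo, not data from the machine.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache "combined" log format: client, ident, user, [timestamp], "request", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def _line(ip, second, method="POST", path="/admin/", status=200):
    # Build one constructed log line (sample data, not a real capture).
    return (f'{ip} - - [08/Dec/2020:10:00:{second:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 2450 "-" "Mozilla/5.0"')


# Constructed sample log: one page load, then 12 POSTs to the login page from
# one address within 12 seconds, plus two unrelated POSTs from another address.
SAMPLE_LOG = "\n".join(
    [_line("10.10.14.5", 0, method="GET")]
    + [_line("10.10.14.5", s) for s in range(1, 13)]
    + [_line("10.10.14.9", 5), _line("10.10.14.9", 50)]
)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def detect_login_bursts(log_text, login_path="/admin/", window_seconds=60, threshold=10):
    """Return {ip: peak_attempts} for every source whose POSTs to login_path
    reached `threshold` or more inside any `window_seconds` sliding window."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    entries.sort(key=lambda e: e["ts"])          # logs are usually ordered; be safe
    recent = defaultdict(deque)                  # ip -> timestamps still inside the window
    peak = defaultdict(int)                      # ip -> largest window count seen
    for e in entries:
        if e["method"] != "POST" or e["path"] != login_path:
            continue
        q = recent[e["ip"]]
        q.append(e["ts"])
        while (e["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()                          # drop attempts older than the window
        peak[e["ip"]] = max(peak[e["ip"]], len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}


if __name__ == "__main__":
    for ip, n in detect_login_bursts(SAMPLE_LOG).items():
        print(f"ALERT: {ip} made {n} login POSTs within 60 s")
```

The detector keys on the real client address from the log rather than anything the client sends in the request body or headers, which is also the property a server-side lockout needs in order to be meaningful. Lowering `threshold` or the window makes it noisier; raising them trades detection speed for fewer false positives on busy sites.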

  15. Looking at the available exploits, I can see that there is a ready-made Metasploit (MSF) module. Let’s use that, as shown below.
  16. Set the target and the other parameters. Running the exploit works like a charm and we get a shell!
  17. But the shell we got is a limited one, so let’s upgrade it to a fully interactive shell using Python.
  18. The user.txt flag belongs to another user. I looked into the databases directory of the current BLUDIT installation and found the hashes below. I tried cracking the admin hash with online tools and with Hashcat/John, but was unsuccessful.
  19. Moving back a few directories, I noticed that another version of BLUDIT is installed there as well.
  20. Checking the database content under this installation, we got a hash for the user “hugo”. Interesting. And guess what? This hash was also cracked.

  21. Switch to user “hugo” and grab the user.txt flag.
  22. Checking the sudo permissions of user hugo, we found something interesting.
  23. This looks like CVE-2019-14287. Exploiting it with the command shown below gives us a root shell.
  24. Enumerate to grab the root.txt flag.
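CVE-2019-14287 concerns sudo versions before 1.8.28 combined with sudoers entries that grant `ALL` as the run-as user list while excluding some users with `!`. As an added example (not from this write-up; the `sudo --version` banner and `sudo -l` listing below are constructed samples, not the machine’s actual output), here is a Python check a defender can run over collected sudo output to flag hosts that pair an unpatched version with that rule shape.

```python
import re

# Constructed sample inputs (not the machine's real output): a sudo version
# banner and a "sudo -l" listing containing the rule shape the CVE concerns.
SAMPLE_VERSION = "Sudo version 1.8.25p1\nSudoers policy plugin version 1.8.25p1"
SAMPLE_SUDO_L = """\
Matching Defaults entries for hugo on blunder:
    env_reset, mail_badpass

User hugo may run the following commands on blunder:
    (ALL, !root) /bin/bash
"""

FIXED_VERSION = (1, 8, 28)  # CVE-2019-14287 was fixed in sudo 1.8.28
VERSION_RE = re.compile(r"Sudo version (\d+)\.(\d+)\.(\d+)")
# A sudoers rule line as printed by "sudo -l": "(runas users[: groups]) command"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s+(?P<cmd>\S.*)$")


def parse_sudo_version(banner):
    """Return (major, minor, patch) from a 'sudo --version' banner, ignoring
    the 'pN' patch-level suffix; None if no version is found."""
    m = VERSION_RE.search(banner)
    return tuple(int(x) for x in m.groups()) if m else None


def excluded_runas_rules(sudo_l_output):
    """Return (runas_spec, command) for every rule whose run-as user list
    contains ALL together with at least one '!' exclusion."""
    hits = []
    for line in sudo_l_output.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        runas = m.group("runas")
        # "(users : groups)" -- only the user part is relevant to this CVE
        users = [u.strip() for u in runas.split(":")[0].split(",")]
        if "ALL" in users and any(u.startswith("!") for u in users):
            hits.append((runas, m.group("cmd")))
    return hits


def assess(version_banner, sudo_l_output):
    """Combine the version check with the rule check into one verdict."""
    ver = parse_sudo_version(version_banner)
    vulnerable_version = ver is not None and ver < FIXED_VERSION
    rules = excluded_runas_rules(sudo_l_output)
    return {
        "version": ver,
        "vulnerable_version": vulnerable_version,
        "risky_rules": rules,
        # Only the combination of an old sudo and an ALL-minus-'!' run-as list
        # is what CVE-2019-14287 affects.
        "at_risk": vulnerable_version and bool(rules),
    }


if __name__ == "__main__":
    verdict = assess(SAMPLE_VERSION, SAMPLE_SUDO_L)
    print(f"sudo {verdict['version']} at risk: {verdict['at_risk']}")
    for runas, cmd in verdict["risky_rules"]:
        print(f"  rule ({runas}) {cmd}")
```

The fix is to upgrade sudo to 1.8.28 or later; independently of the CVE, the sudoers manual warns that subtracting entries from `ALL` with `!` is not a reliable way to restrict access, so listing the intended run-as users explicitly is the safer rule shape.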

And we’ve got it!

So, this was an easy box from HTB that requires a bit more enumeration than usual to gain the initial foothold. Privilege escalation was very easy and straightforward.

We will continue this series with more examples of interesting HTB machines.