Edit: Because of a move to a new server, the image files for this article are missing.
Initial Foothold:
Hello everyone. Today we are going to work on Blunder.
As always, the first step is recon! Time to see which ports are open on the box. In the picture below you can see the nmap command I used.

Well, we have only one open port, and that is port 80. The scan also shows us the server version and some headers. Usually, when I am on a box with port 80 open, I like to visit the page and see what it contains.

OK… that is what we have: a page with articles. By clicking on the links we just get more detailed text on the topic. In some ways this looks like a WordPress site or something like that.
The next thing I always do is let dirb or some other directory-busting program show me pages and places I can't see. In the meantime, let's take a more detailed look at the source code of the page.

By examining the source code we can see version=3.9.2. But the version of what? Let's check the dirb result.

Nice. I found a page with the word admin in it. That is really good. Checking out this page, we are presented with a login form but, most importantly, a name! So now I have the name of the service, "BLUDIT", and the version from the previous enumeration.

That is really good. After some googling I found how to bypass that and, even more, how to get a reverse shell. The process is described in an article that I wrote; check it by clicking HERE. But before you go and read that, we need to talk about more enumeration. We need at least a username to test passwords against. After some reading in the HTB forum I decided to fuzz, because obviously dirb had missed something. Below you can see the command and which wordlist I used. Many lists were tried, so to say, but this one gave a result.


Let's go to this todo and see what we have there.

Well, well… we have some info that we can use here. The last line is the most curious one: the name Fergus is spelled with a lowercase letter, so I took that as the username. For the password list I tried many, and then decided to take a look at the front page with all the text. My idea was to scrape the page and make a wordlist from it. After doing so using cewl and applying the method from the article I mentioned above, I got a working username and password.
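From the defender's side, the password guessing described above leaves a very recognisable trace in the web server's access log: a burst of POST requests to the admin login from one address, followed by the first request that is answered with a redirect instead of the login page again. The script below is an added example written for this write-up, not code from the post or from Bludit. It assumes "combined" log format, that the login endpoint is /admin/login and that a failed login is answered with a 200 while a successful one redirects (3xx); adjust those two assumptions to your application. The log lines are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed sample log lines (Apache/Nginx "combined" format); not from the machine in the write-up.
SAMPLE_LOG = """\
10.10.14.5 - - [27/May/2020:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.10.14.5 - - [27/May/2020:10:00:04 +0000] "POST /admin/login HTTP/1.1" 200 2048 "-" "python-requests/2.23"
10.10.14.5 - - [27/May/2020:10:00:05 +0000] "POST /admin/login HTTP/1.1" 200 2048 "-" "python-requests/2.23"
10.10.14.5 - - [27/May/2020:10:00:05 +0000] "POST /admin/login HTTP/1.1" 200 2048 "-" "python-requests/2.23"
10.10.14.5 - - [27/May/2020:10:00:06 +0000] "POST /admin/login HTTP/1.1" 200 2048 "-" "python-requests/2.23"
10.10.14.5 - - [27/May/2020:10:00:07 +0000] "POST /admin/login HTTP/1.1" 200 2048 "-" "python-requests/2.23"
10.10.14.5 - - [27/May/2020:10:00:08 +0000] "POST /admin/login HTTP/1.1" 302 0 "-" "python-requests/2.23"
192.168.1.20 - - [27/May/2020:10:00:09 +0000] "POST /admin/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.168.1.20 - - [27/May/2020:10:30:00 +0000] "POST /admin/login HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOGIN_PATH = "/admin/login"  # assumed login endpoint for this example

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line into ip, timestamp, method, path and status."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "method": m.group("method"),
            "path": m.group("path"), "status": int(m.group("status"))}


def is_login_post(rec: dict) -> bool:
    return rec["method"] == "POST" and rec["path"] == LOGIN_PATH


def is_success(rec: dict) -> bool:
    # Assumption: a successful login redirects (3xx); a failure re-renders the form (200).
    return 300 <= rec["status"] < 400


def detect_bruteforce(log_text: str, threshold: int = 5, window_seconds: int = 60) -> Dict[str, int]:
    """Return {ip: max_failures_in_window} for IPs with >= threshold failed logins inside any window."""
    per_ip: Dict[str, List[datetime]] = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_login_post(rec) and not is_success(rec):
            per_ip[rec["ip"]].append(rec["ts"])
    window = timedelta(seconds=window_seconds)
    alerts: Dict[str, int] = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        start, best = 0, 0
        for end in range(len(stamps)):          # sliding window over sorted timestamps
            while stamps[end] - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts[ip] = best
    return alerts


def successes_after_burst(log_text: str, threshold: int = 5, window_seconds: int = 60) -> List[Tuple[str, str]]:
    """Successful logins that directly follow a burst of failures from the same IP: a guess that landed."""
    window = timedelta(seconds=window_seconds)
    recent_failures: Dict[str, List[datetime]] = defaultdict(list)
    hits: List[Tuple[str, str]] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or not is_login_post(rec):
            continue
        ip, ts = rec["ip"], rec["ts"]
        fails = [t for t in recent_failures[ip] if ts - t <= window]
        if is_success(rec):
            if len(fails) >= threshold:
                hits.append((ip, ts.isoformat()))
            recent_failures[ip] = []            # a success resets the counter for that IP
        else:
            fails.append(ts)
            recent_failures[ip] = fails
    return hits


if __name__ == "__main__":
    print("burst sources:", detect_bruteforce(SAMPLE_LOG))
    print("successes after a burst:", successes_after_burst(SAMPLE_LOG))
```

The detector keys on the address the server recorded for the connection, and the second function is the one worth alerting on: a redirect right after a failure burst is the moment a guessed credential worked, which is exactly what the write-up achieves with the cewl list.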

So now we have a username and password. We can log in and take a look around. How to get the reverse shell, though? I first tried uploading a PHP reverse shell, but instead I did some more Google-fu and found a Metasploit module that solves the problem.


After setting the proper variables I got a Meterpreter shell!
User:
So now let's find the user flag. This part is based on a lot of enumeration: check every file that you can. After some enumeration I found something interesting in /var/www/bludit-3.10.0a/bl-content/databases.

Well, we have a hashed password. Copy it and use one of the online tools to first check what type of hash it is and then crack it. The result is that the password is Password120. So let's switch to the user hugo by using "su hugo". Now go to /home/hugo and the flag is there! Well done; let's go for root.txt.
If you get stuck, join our Discord. Even if you are not stuck, join and chat with like-minded people.
Root:
The root flag was easy after some enumeration. First, run uname -a to see what we have to work with. We get:
Linux blunder 5.3.0-53-generic #47-Ubuntu SMP Thu May 7 12:18:16 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
sudo -u#-1 /bin/bash – this will make us root! Go to /root and find the flag! We are done.
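Why that one command is enough: sudo takes "#-1" as a numeric user id, -1 wraps to 4294967295 in an unsigned uid_t, and the kernel treats (uid_t)-1 in setresuid() as "leave this id unchanged", so the command keeps sudo's own uid of 0. It only works when the user's sudoers entry allows running as any user except root, written as a Runas list like (ALL, !root), and when sudo is older than 1.8.28, where this was fixed. The script below is an added example for this write-up, not code from the post or from sudo: it models the uid conversion and scans sudoers text for that blacklist-style Runas pattern so an administrator can find and replace it with an explicit allow-list. The sudoers lines are constructed for the example.

```python
import re
from typing import Dict, List

UID_T_MAX = 2**32 - 1  # uid_t is an unsigned 32-bit integer on Linux


def uid_from_sudo_arg(arg: str) -> int:
    """Model how a numeric '-u#N' argument ends up in a uid_t.

    '#-1' parses as -1 and wraps to 4294967295, which is (uid_t)-1: the value
    setresuid() reads as 'do not change this id'. Because sudo itself runs with
    uid 0, an unchanged uid means the target command runs as root.
    """
    if not arg.startswith("#"):
        raise ValueError("only the numeric '#N' form is modelled here")
    return int(arg[1:]) & UID_T_MAX


# Constructed sudoers text for the example; this is not the file from the machine.
SAMPLE_SUDOERS = """\
# Constructed example
root    ALL=(ALL:ALL) ALL
hugo    ALL=(ALL, !root) /bin/bash
alice   ALL=(ALL:ALL) ALL
bob     ALL=(www-data) /usr/bin/systemctl status apache2
"""

# user  host=(runas_users[:runas_groups]) commands
RULE_RE = re.compile(r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*\((?P<runas>[^)]*)\)\s*(?P<cmds>.*)$")


def parse_rules(sudoers: str) -> List[Dict[str, str]]:
    """Extract user-specification lines; Defaults, aliases and '#include' lines are ignored."""
    rules: List[Dict[str, str]] = []
    for raw in sudoers.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments (also drops '#include', fine here)
        if not line:
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append(m.groupdict())
    return rules


def runas_users(runas: str) -> List[str]:
    """Users named in a Runas list such as 'ALL, !root' or 'ALL:ALL' (groups after ':' are ignored)."""
    users = runas.split(":", 1)[0]
    return [u.strip() for u in users.split(",") if u.strip()]


def risky_runas_rules(sudoers: str) -> List[Dict[str, str]]:
    """Rules whose Runas list grants ALL users but carves out root with '!root'.

    That exclusion is what an unpatched sudo let '-u#-1' slip past; even on a
    patched sudo it is a blacklist where an explicit list of target users belongs.
    """
    return [r for r in parse_rules(sudoers)
            if "ALL" in runas_users(r["runas"]) and "!root" in runas_users(r["runas"])]


if __name__ == "__main__":
    print("uid for '#-1':", uid_from_sudo_arg("#-1"))
    for rule in risky_runas_rules(SAMPLE_SUDOERS):
        print(f"review: {rule['user']} may run {rule['cmds']} as ({rule['runas']})")
```

The remediation is the same on every version: upgrade sudo and rewrite such entries to name the exact users the command may run as, e.g. (www-data), instead of excluding root from ALL.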
I hope you liked the write-up. You can leave a comment and let me know what I can improve for my next one.

