Hack the Box: Blunder
Hi, this is 079 and this is my first hacking walkthrough.
Introduction
You don’t see hackers in your everyday life, but you might have seen hackers in movies (probably wearing a hoodie). With their laptops, they’re able to infiltrate the largest companies and spy on anyone they want.
You might have thought, ‘I want to be like that one day’, but never had the chance to learn it or even try. Today, I’m going to give you a quick overview on how a realistic hacking process functions.
Phases of hacking
Reconnaissance is gathering as much information as possible about the target, such as the network, the hosts, and the people involved who might hold credentials.
Two major segments of reconnaissance:
- Passive: browsing the target’s website, social media, and anything else that does not interact with the target directly.
- Active: directly interacting with the target, for example with scanning tools.
Scanning is exactly what it sounds like: scanning the target.
- Port scanning: scanning tools like Nmap reveal live systems, open ports, and the services running on those ports.
- Network mapping: you’ll use this when dealing with a bigger network, where finding routers and firewalls is the goal.
Gaining Access is the phase where the attacker breaks into the system and gains user privileges, and maybe even administrative privileges. There are many ways to penetrate a system depending on its services and vulnerabilities; I will demonstrate one later on.
Maintaining Access: there are many things you can do once you’re in the system. Depending on your goal, you might want to reconnect to the system tomorrow without going through the process above; this can be achieved using Trojans, rootkits, or backdoors.
Clearing Tracks is where the attacker erases all of their tracks after the attack (if they don’t want to get caught). Deleting logs and registry values and uninstalling the applications used are examples.
Still, it is hard to grasp how these work with just words. Before we get into it, though, let’s define some terms. You don’t have to read this section if you already know them.
CVE: Common Vulnerabilities and Exposures are basically the publicly known vulnerabilities associated with a certain program or version that we can exploit.
Vulnerability: basically a security hole in the target system that we are trying to exploit.
VPN: you have probably heard of it and maybe used one before; a virtual private network allows you to securely connect to another private network through the public internet.
sudo: sudo is a tool in Linux that allows you to run commands as another user.
rainbow table: contains already-calculated hashes and their passwords that we can look up.
shell: ever seen a black window with white text on it? A CMD? This program allows you to interact directly with your computer!
root: also known as superuser or administrator, this account has overall control over the system; as a hacker, getting a root shell is your ultimate goal most of the time.
Now let’s get right into it.
Our target is 10.10.10.191 on hackthebox.eu, a.k.a. “Blunder”. You won’t be able to access it right now because you need a hackthebox.eu VPN to reach it.
sudo openvpn 079.ovpn
Establishing a connection with the VPN (my username is 079 on hackthebox.eu).
We can confirm the connection was established by typing ifconfig tun0. My IP is 10.10.15.71 within the network.
Remember Reconnaissance? Let’s access the website at 10.10.10.191.
It looks similar to my own website: boring, and nothing interesting yet.
Scanning
I scanned the target using Nmap.
It reveals that port 21 for FTP and port 80 for HTTP are open; the FTP server is closed though.
I’m going to brute force the subdirectories of the website using wFuzz.
There are other tools to brute force subdirectories, such as gobuster and dirb, but wFuzz has got to be my favorite.
After some fuzzing, wFuzz gave me some interesting pages: install.php, robots.txt, todo.txt, about, admin, etc.
Let’s access todo.txt.
Ah, that’s why the FTP server was down. Wait, but who’s fergus? He might be a potential user (target).
Let’s access /admin.
Going to /admin gives us BLUDIT with a login interface. This is a CMS; content management systems are there to help webmasters (admins) manage their own websites. Username ‘admin’ and password ‘admin’ unfortunately didn’t work.
After looking up BLUDIT CMS and its CVEs, I came across this analysis. It uses CVE-2019-17240 to brute-force passwords using wordlists by rotating fake IPs in the X-Forwarded-For header.
But which wordlist are we going to use? Well, this fella seems to REALLY like Stephen King, and writes a lot about computers as well. We could use CeWL to generate a custom wordlist by extracting words from the website.
The wordlist is now saved to wordlist.txt.
With our custom wordlist and the exploit from GitHub, we can abuse this CVE.
Launching the script brute-forces the password.
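A defender’s view of the same trick, as an added example that is not from the original post or from BLUDIT: the script below (hypothetical, with a constructed log sample) scans web-server log lines for login POSTs that arrive from one TCP peer under many different X-Forwarded-For values, which is exactly what a lockout keyed on that header cannot see. The log layout and the login path are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: combined log format with the X-Forwarded-For value appended
# as a final quoted field (a common custom LogFormat). 203.0.113.50 sends six login
# POSTs, each under a different forged X-Forwarded-For; 198.51.100.9 logs in once.
SAMPLE_LOG = """\
203.0.113.50 - - [01/Jul/2020:10:00:01 +0000] "POST /admin/login HTTP/1.1" 200 1034 "192.0.2.1"
203.0.113.50 - - [01/Jul/2020:10:00:01 +0000] "POST /admin/login HTTP/1.1" 200 1034 "192.0.2.2"
203.0.113.50 - - [01/Jul/2020:10:00:02 +0000] "POST /admin/login HTTP/1.1" 200 1034 "192.0.2.3"
203.0.113.50 - - [01/Jul/2020:10:00:02 +0000] "POST /admin/login HTTP/1.1" 200 1034 "192.0.2.4"
203.0.113.50 - - [01/Jul/2020:10:00:03 +0000] "POST /admin/login HTTP/1.1" 200 1034 "192.0.2.5"
203.0.113.50 - - [01/Jul/2020:10:00:03 +0000] "POST /admin/login HTTP/1.1" 200 1034 "192.0.2.6"
198.51.100.9 - - [01/Jul/2020:10:00:04 +0000] "POST /admin/login HTTP/1.1" 302 0 "-"
198.51.100.9 - - [01/Jul/2020:10:00:09 +0000] "GET /admin/dashboard HTTP/1.1" 200 5120 "-"
"""

LOG_RE = re.compile(
    r'^(?P<peer>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<xff>[^"]*)"$'
)


def detect_xff_rotation(log_text, login_path="/admin/login", min_attempts=5, min_xff=3):
    """Return {peer_ip: (login_posts, distinct_xff)} for peers whose login POSTs
    carry many different X-Forwarded-For values. A lockout keyed on the header
    sees a fresh client every time; one keyed on the TCP peer does not.
    The login path is an assumption; set it to your application's."""
    attempts = defaultdict(int)
    xff_seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or m["path"] != login_path:
            continue
        attempts[m["peer"]] += 1
        xff_seen[m["peer"]].add(m["xff"])
    return {
        peer: (n, len(xff_seen[peer]))
        for peer, n in attempts.items()
        if n >= min_attempts and len(xff_seen[peer]) >= min_xff
    }


if __name__ == "__main__":
    for peer, (n, k) in detect_xff_rotation(SAMPLE_LOG).items():
        print(f"ALERT {peer}: {n} login POSTs under {k} distinct X-Forwarded-For values")
```

Because the check keys on the TCP peer address, it only works on a server that is not itself behind a proxy; behind one, run it on the proxy’s own logs instead.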
Voila! The password is RolandDeschain.
I could successfully log into BLUDIT using fergus:RolandDeschain.
searchsploit might give us vulnerabilities associated with BLUDIT that can give us a foothold on the system.
To use it, we launch Metasploit.
I’ve set the LHOST (listening host, me) as 10.10.15.71, RHOST (remote host, target) as 10.10.10.191, and set the credentials as fergus and RolandDeschain.
Ready, set, go.
Spawned a bash shell using python pty.
Now we have gained access, although it is just a www-data foothold, not a proper user.
After some file enumeration, we find user.php, which contains hashes.
Looking the SHA1 hash up in a rainbow table gives us its plaintext: Password120.
I could have used John the Ripper or Hashcat, but for time’s sake I recommend consulting rainbow tables first, then moving on to password cracking tools.
Got the user access as well as the user flag.
sudo -l lists the user’s sudo privileges.
It says that the user can run /bin/bash as any user except root.
Using CVE-2019-14287, we can get a root shell.
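As an added example (not from the original post), a small audit for the two conditions behind CVE-2019-14287: a sudo version older than 1.8.28, where the fix landed, and a sudoers Runas list that grants ALL but carves users out with ‘!’. The sudoers excerpt, the user name and the version string are constructed.

```python
import re

# Constructed sudoers excerpt with a placeholder user name (not the box's real file).
# The third rule is what sudo -l reported above: run /bin/bash as anyone but root.
SAMPLE_SUDOERS = """\
# User privilege specification
root     ALL=(ALL:ALL) ALL
someuser ALL=(ALL, !root) /bin/bash
deploy   ALL=(www-data) /usr/bin/systemctl restart nginx
"""

# The same intent as an explicit allow list, which needs no negation at all.
FIXED_SUDOERS = "someuser ALL=(www-data, nobody) /bin/bash\n"

RULE_RE = re.compile(r"^(?P<user>\S+)\s+\S+\s*=\s*\((?P<runas>[^)]*)\)\s*.*$")


def version_tuple(version):
    """'1.8.25p1' -> (1, 8, 25); the patch-level suffix does not matter here."""
    return tuple(int(x) for x in re.match(r"(\d+)\.(\d+)\.(\d+)", version).groups())


def sudo_version_affected(version):
    """CVE-2019-14287 was fixed in sudo 1.8.28; anything older is affected."""
    return version_tuple(version) < (1, 8, 28)


def risky_runas_rules(sudoers_text):
    """Return (user, runas_spec) for rules whose Runas user list grants ALL and
    carves users out with '!'. An affected sudo failed to enforce that exclusion,
    and sudoers(5) warns negation in Runas lists is unreliable even when patched."""
    findings = []
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blank lines
        m = RULE_RE.match(line)
        if not m:
            continue
        runas_users = m["runas"].split(":", 1)[0]   # ignore the Runas group part
        entries = [e.strip() for e in runas_users.split(",")]
        if "ALL" in entries and any(e.startswith("!") for e in entries):
            findings.append((m["user"], m["runas"]))
    return findings


if __name__ == "__main__":
    print("affected sudo 1.8.25p1:", sudo_version_affected("1.8.25p1"))
    print("risky rules:", risky_runas_rules(SAMPLE_SUDOERS))
    print("after fix:", risky_runas_rules(FIXED_SUDOERS))
```

Feed it the output of `sudo -V` and the contents of /etc/sudoers and /etc/sudoers.d/* on your own hosts; a finding plus an affected version means patching, and a finding alone still means rewriting the rule as an allow list.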
Voila! Nothing fancy here. Was this anything like what you imagined? Although this was an easy box, I’m sure it gave a good overview of how basic hacking works.
Thank you,