Official Blunder Discussion

@waido said:

Hi,

I need some help (in DM) for privilege escalation.
I’m stuck on www-data user.
I used LinEnum and LinPeas to look for some clues but I didn’t find anything.
I searched for zip and backup file … nothing.
I searched for (valid) passwords in text files … nothing.
I searched on Google for “Ubuntu 19.10 privilege escalation”, I found something about sudo but it’s not applicable.

In very general terms, manual enumeration is much better than scripts.

Thanks in advance

[EDIT]

Uhm … I haven’t tried the bruteforce of the u*****.php file yet … my next step

As a rule of thumb for HTB, if it doesn’t crack quickly it might not be the right thing. For attacks like this, try to have an idea of what account you are looking for and a reason to think it should be active on the machine.

@in3vitab13 said:

I’m doing it with hashcat (s**1 algorithm) … still it terminates as soon as I start it!
And the websites you mentioned couldn’t guess it!
Anything else I should try?!
You sure it’s in rockyou?

I don’t think it is in the default rockyou, but I could be wrong. If you have the right thing, there is an online tool which solves this for you in seconds.

If you have the wrong thing, you could spend months on this. If you are in any doubt, check you have a good reason to think the thing you have will work.

@BIGGYBBQ said:

Hi,

I’m struggling with the initial foothold :frowning: I guess I have the username (which is really common for the management page). I tried to bruteforce the password with no result…

Maybe my username is not the right one?

Thx

Almost certain that you have the wrong username.

@andrhtb said:

How did you guess the password here?

I don’t think people guess - more likely they use a brute force approach with a custom wordlist.

@Redh00d03 said:

@in3vitab13 did you try “--force”? Also, can anyone help me with the username? I’m lost. I think I have tried all the ones I can think of with a cool list of words. Any help would be appreciated.

Okay, I’ll try --force!
Are you talking about the username for b****, or anything else?

@Redh00d03 said:
@in3vitab13 did you try “--force”?

still getting exhausted, just like before!

@s0b3k said:

My current issue is that I get this message in msf and it doesn’t create a session:
[*] Started reverse TCP handler on CENSORED
[+] Logged in as: f***** (I censored this as well)
[*] Retrieving UUID…
[*] Uploading xCwhiPoQRB.png…
[*] Uploading .htaccess…
[*] Executing xCwhiPoQRB.png…
[!] This exploit may require manual cleanup of ‘.htaccess’ on the target
[*] Exploit completed, but no session was created.
Am I using the wrong payload, or is it an issue I haven’t thought of yet?

Had the same problem!
Then I switched to a python exploit, and it worked easily at once without an issue!
I suggest you do the same.

For those struggling with cracking the hash:

  1. make sure you have the right hash
  2. also check the directory in which you found the file
  3. if it’s the right hash you won’t need to worry about salt!

For root:
Google has always been your buddy.

“This exploit may require manual cleanup of ‘.********’ on the target”

Stuck here… is this part of the challenge, or is it my problem only?

@in3vitab13 said:

For root:
Google has always been your buddy.

Congrats buddy.
Always try to read older comments, as they most probably have enough hints. :wink:

Pretty fun box, but I really didn’t have the attention span for the second step of the first foothold.

root@blunder:~# id
uid=0(root) gid=0(root) groups=0(root)

@Jok3 said:

“This exploit may require manual cleanup of ‘.********’ on the target”

Stuck here… is this part of the challenge, or is it my problem only?

Had the same problem!
Found a python exploit instead of m**!
You could do the same!

I’m just stuck on getting root.
I found user S*n is in group ld.
After googling, I found that I can make use of it.
But the machine is missing l*c…
So, am I on the wrong track?

@6uta said:

I’m just stuck on getting root.
I found user S**n is in group ld.
After googling, I found that I can make use of it.
But the machine is missing l*c…
So, am I on the wrong track?

The root was pretty easy. Just sit back and think about what you see.

Open to PMs on this box. Initial foothold is killing me.

@JohnGuy said:

Open to PMs on this box. Initial foothold is killing me.

Make sure you’ve found the username and built your own wordlist. Then google how to bypass the protection.

Finally rooted.
Initial foothold: be cewl about the word list and make sure you have the right username.
User: start enumerating from where you landed.
Root: just google your privilege.

PM if you need help

Rooted
root@blunder:/root# id && date
id && date
uid=0(root) gid=1001(hugo) groups=1001(hugo)
Mon 6 Jul 11:16:09 BST 2020
root@blunder:/root#

Foothold: Read the “index.html” and create your own wordlist (can’t say more).
User: Look at the directories you’ve first found when you accessed the machine and start enumerating from there.
Root: Find your privileges…
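Several posts above (the "be cewl about the word list" hint and the advice to build a custom wordlist from index.html, then the hash-cracking trouble with hashcat) describe the same workflow: harvest candidate words from the site's own page and try them against a hash. The block below is an added example, not code from any poster in this thread and not the box's real data: the HTML, the target hash, the minimum word length and the salt-prefix hash layout (`sha1(salt + candidate)`) are all constructed assumptions for illustration.

```python
import hashlib
import re
from html.parser import HTMLParser

# Constructed sample page standing in for a site's index.html (not the real box).
SAMPLE_HTML = """<html><head><title>Blunder Blog</title></head>
<body><h1>Welcome to my blog</h1>
<p>I write about Fictional Characters, Probably a lot about Stephen King novels,
and the occasional thing about Roald Dahl.</p>
<script>var hidden = "ScriptWords";</script>
</body></html>"""


class TextExtractor(HTMLParser):
    """Collect visible text only, skipping <script>/<style> bodies the way cewl does."""

    def __init__(self):
        super().__init__()
        self.chunks = []
        self._skip = 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.chunks.append(data)


def build_wordlist(html, min_len=4):
    """cewl-style list: unique words of at least min_len letters, plus lower/upper/
    capitalised variants, in first-seen order (min_len=4 is an arbitrary choice)."""
    parser = TextExtractor()
    parser.feed(html)
    text = " ".join(parser.chunks)
    words = re.findall(r"[A-Za-z]{%d,}" % min_len, text)
    out, seen = [], set()
    for w in words:
        for variant in (w, w.lower(), w.upper(), w.capitalize()):
            if variant not in seen:
                seen.add(variant)
                out.append(variant)
    return out


def sha1_hex(s):
    """Hex SHA-1 of a string (helper so tests need no extra imports)."""
    return hashlib.sha1(s.encode()).hexdigest()


def crack_sha1(target_hex, wordlist, salt=""):
    """Try each candidate as sha1(salt + candidate); return the match or None.
    The salt-prefix layout is an assumption for this demo, not a claim about any
    particular application; with the wrong hash or layout this never matches,
    which is the 'make sure you have the right hash' point from the thread."""
    target_hex = target_hex.lower()
    for cand in wordlist:
        if sha1_hex(salt + cand) == target_hex:
            return cand
    return None


if __name__ == "__main__":
    wl = build_wordlist(SAMPLE_HTML)
    # Constructed target: unsalted sha1("fictional"), so it must be recovered.
    target = sha1_hex("fictional")
    print(len(wl), "candidates; match:", crack_sha1(target, wl))
```

In practice you would write `build_wordlist()` output to a file and hand it to hashcat or john rather than loop in Python, but the pure-Python check makes the point visible: a list harvested from the site's own text is small, so if the hash and its format are right it falls in seconds, and if nothing matches the first suspect is the hash, not the wordlist.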

@Karthik0x00 said:

@6uta said:

I’m just stuck on getting root.
I found user S**n is in group ld.
After googling, I found that I can make use of it.
But the machine is missing l*c…
So, am I on the wrong track?

The root was pretty easy. Just sit back and think about what you see.

So, I should let go of “l * d”?