Official Blunder Discussion

@TazWake said:

@mokrunka said:

I was getting along pretty well, got the foothold, wrote a little python in the process. Could I get a hint getting user/root (not sure if I have ‘user’ or foothold right now, but I do have something). Tried a couple of different routes to RCE, but can’t seem to figure that out. Any help for someone new to this?

If you have a shell on the box, you are probably in a “foothold” - enumerate. Look into the technology and find where it is likely to store loot. Look around and find exactly where the real loot exists.

Find the loot, use it.

Then enumerate some more. Find a vuln published at the end of last year and privesc

Thanks @TazWake. I have tried both the ‘manual’ way of uploading .h******* and a p** shell, and was able to access the file at the url, but was not able to get a reverse shell when listening on nc. I then tried the ‘easy’ way using m*********, which basically does the same thing I was doing manually from looking at the .rb code, but I get an error: This exploit may require manual cleanup of ‘.*******’ on the target.

@mokrunka said:

Thanks @TazWake. I have tried both the ‘manual’ way of uploading .h******* and a p** shell, and was able to access the file at the url, but was not able to get a reverse shell when listening on nc. I then tried the ‘easy’ way using m*********, which basically does the same thing I was doing manually from looking at the .rb code, but I get an error: This exploit may require manual cleanup of ‘.********’ on the target.

You should be able to get MSF to work - possibly double check the options.

@TazWake said:

@mokrunka said:

Thanks @TazWake. I have tried both the ‘manual’ way of uploading .h******* and a p** shell, and was able to access the file at the url, but was not able to get a reverse shell when listening on nc. I then tried the ‘easy’ way using m*********, which basically does the same thing I was doing manually from looking at the .rb code, but I get an error: This exploit may require manual cleanup of ‘.********’ on the target.

You should be able to get MSF to work - possibly double check the options.

Yeah, beating my head against a wall here. I’ve tried several times, and I really think I’m putting in the right options and target/host info. Using a r******.t** shell, I’m still getting an error of 'This exploit may require manual cleanup of ‘.********’ on the target. Maybe that file has been inadvertently modified somehow.

@Karthik0x00 said:

I have seen that many people here are using MSF module to exploit the vulnerability. You can choose that as your wish.
But many are not configuring LHOST properly. Check options before exploit.

I still had to adjust the firewall to allow access to port 4444.

@mokrunka said:

Yeah, beating my head against a wall here.

Understandable. It is important to remember exploits are never guaranteed at the best of times.

It is not unusual to have to try an MSF exploit several times before it works. But it shouldn’t be hundreds if it is ever going to work.

I’ve tried several times, and I really think I’m putting in the right options and target/host info.

Ok, but really there are only a few possible scenarios here:

  1. You are using the wrong exploit
  2. You have used the wrong options
  3. Something on the box is broken
  4. Your system is preventing the reverse connection (Firewall or other security tool/privs)

If you are confident it is number 3, reset the box. If a reset doesn’t fix the problem it is one of the others.

Using a r******.t** shell,

I hope you are using a payload with a different name to that. Something along the lines of
//r_* for example.

I’m still getting an error of 'This exploit may require manual cleanup of ‘.********’ on the target. Maybe that file has been inadvertently modified somehow.

So, the easiest thing here is to read through the MSF Ruby file for the exploit to see what it does and what that message means. It may be irrelevant to the problem if it is generated under normal circumstances and if you haven’t got the exploit to work, you don’t know what “normal” looks like here.

If you read through the source code you can get an idea for what it is trying to do. It looks like the problem might be that it can’t write the file it wants to write, which is why it can’t automatically delete it.

That implies the options aren’t correct.

tl;dr - reset the box, if that doesn’t work your options are wrong.

@TazWake said:

@mokrunka said:

Yeah, beating my head against a wall here.

Understandable. It is important to remember exploits are never guaranteed at the best of times.

It is not unusual to have to try an MSF exploit several times before it works. But it shouldn’t be hundreds if it is ever going to work.

I’ve tried several times, and I really think I’m putting in the right options and target/host info.

Ok, but really there are only a few possible scenarios here:

  1. You are using the wrong exploit
  2. You have used the wrong options
  3. Something on the box is broken
  4. Your system is preventing the reverse connection (Firewall or other security tool/privs)

If you are confident it is number 3, reset the box. If a reset doesn’t fix the problem it is one of the others.

Using a r******.t** shell,

I hope you are using a payload with a different name to that. Something along the lines of
//r_* for example.

That was my typo - yes, the payload I’ve been using is I think the one you’re referring to there (//r_*). I’ll give it a shot again today and see how I get on. Thanks again.

Anybody else having problems with the US VPN? I’ve gotten a shell, but I keep losing connection before I can really get anything else done. This has been happening from three different internet connections.

Hi!
Rooted this machine.
I would rename this machine from blunder to massive-overthink.
Really easy boys, enumeration is the trick, foothold is the “hardest” part, it can be very tiring if you are new to some tools.
Once you get in, search in files. I lost a lot of time in rabbit holes, don’t stress yourself.
Root took 2 commands. Check your permissions.

Root was surprisingly easier than I thought, literally a one-liner. People aren’t joking or exaggerating. Googled 2 things in sequence, and got the answer.

User was extremely easy, enumeration like everyone has been saying.

Initial Foothold is a bit confusing as to what you should do. But you have to go back to your caveman mentality and just force the door you might find.
:smile:

ROOTED!

There’s quite a bit of info in the comments. So my only hints are:

Foothold - read the comments
User - continue reading the comments
Root - read the comments some more

:slight_smile:

Got both flags but when I submit them I get the error “incorrect hash for blunder”. I tried to reset the machine but the limit is reached for today. It’s my first box… Am I doing something wrong?

@slashviper said:

Got both flags but when I submit them I get the error “incorrect hash for blunder”. I tried to reset the machine but the limit is reached for today. It’s my first box… Am I doing something wrong?

If you read through a few of the threads here you will see that this is an occasional problem.

HTB uses dynamic hashes which means they change every time the box reboots or is on a different VPN.

However, it also means that sometimes the hashes don’t load properly and it creates issues.

The main suggestions seem to be:

  1. reboot, repeat the pwnage, get the new flags, try them
  2. report it to HTB via a JIRA ticket and see if they can fix the issue

Rooted. PM for nudges.

Just rooted the machine without even touching one of the users. Does he have a purpose?

Dire need of help on root. I thought the user was pretty easy…everybody saying root is the easy part but I can’t for the life of me find it. I’ve got a shell with f***** user. Linpeas doesn’t finish the scan, so looking through what it gives me, I don’t see anything in particular. I’ve found a couple of CVEs but there are people saying you should only have to type two commands and if you’re uploading stuff, you’re on the wrong track.
[+] Searching specific hashes inside files - less false positives (limit 70)
That’s as far as Linpeas gets me. I’m probably missing something above that, but I’m definitely not able to get anything past that. Please help, point me to the correct John Hammond Video, or any kind of nudge would be greatly helpful.

ps - I’m also on the EU vpn. I worked on it all last weekend using the US vpn but was disconnected nearly every three minutes. Thanks to anybody that will help.

Finally got shell
strange password mechanism XD

Thanks to @Karthik0x00 for the nudge.

I’m not sure if privesc is needed for the user flag part or not,
because the file is permission denied!

Could anyone give me an explanation on the fuzzing and enumeration required for the login credentials? Still pretty beginner.

Rooted. Thanks to:
@ElleuchX1 and @JonnyGill

user: all the tips have already been prescribed here, but I can remember again, enumeration, enumeration and enumeration, pay close attention to all the details of the initial page, the rest is a consequence.

root: I certainly improved the enumeration that is key to solve this box. root is super easy.

@■■■■2000 said:

Could anyone give me an explanation on the fuzzing and enumeration required for the login credentials? Still pretty beginner.

Read the hints from users, it’s obvious!

Initial foothold: enum, enum and enum (for special files) and look with clear eyes at content of site :slight_smile:

@SpaceMoehre said:

Just rooted the machine without even touching one of the users. Does he have a purpose?

Depends which user you didn’t touch.