Official Blunder Discussion


Comments

  • I was looking at this box again after rooting when it came out. Was anyone able to get RCE on this box without using MSF? I have been looking at the .py code and have got RCE with certain commands but not others that would provide a stable shell.

    limelight

  • *Spoiler Removed*
  • A quick tip for root : don't waste time with second user (s...n), first user is enough to elevate privileges.

  • Anyone able to DM me? I am trying the hard mode and can get 1 thing in the right place, but the second thing for access is denied, and I can't see why. I have tcpdumped the easy way to user and seen what is going on, but I can't repeat it manually.

  • Rooted! Still didn't get my ht file in place for a manual foothold, will have to wait for the retirement.

  • edited August 2020

    Rooted this box a few days ago! Thought it was quite a fun one. I thought that some parts were a bit CTF-y, but if you have some experience with HTB boxes, nothing should be too surprising.

    The thread already contains many good hints, I can basically only reiterate what was already said:

    Foothold

    • Be sure to thoroughly enumerate the box and keep track of all info you find
    • The usual password lists won't get you far. Make your own one. There's a cool tool that can do that for you.
    • Look up publicly known exploits - don't use M...sp...t, from what I gather, the manual way is actually easier and it's quite well documented

    User

    • Once you're on the box, enumerate again
    • Look up what other services are installed on the box
    • Again, usual password lists won't get you far, but there's a station online that can help you crack what you find in seconds

    Root

    • Don't think too far/too complicated. Don't fall into rabbit holes.
    • Check out what you are allowed to do. That should be one of your standard steps anyway.
    • You might notice something strange... search for that online and you're basically there.

    If anybody needs some help, feel free to drop me a PM. Happy to help, but I'm not online a lot here at the moment :)

  • Thank you for this box, taught me a lot of patience (especially initial foothold - definitely took me the longest and imo was the hardest part of this box).
    This topic contains all the tips needed to complete the box; here are a couple of thoughts from me:
    initial: some fuzzing, CVE, a custom wordlist, you got creds. I almost guessed the password but had the wrong username at first.
    user: check all versions
    root: super basic enum, as stated earlier - google what looks suspicious

  • Rooted. Nice box, everything from beginning to end is fairly easy just overthinking it might make it take longer. PM for nudges.

  • Rooted. Fun and easy box. Feel free to hit me up for nudges.

  • I was getting along pretty well, got the foothold, wrote a little python in the process. Could I get a hint getting user/root (not sure if I have 'user' or foothold right now, but I do have something). Tried a couple of different routes to RCE, but can't seem to figure that out. Any help for someone new to this?

    mokrunka

  • @mokrunka said:

    I was getting along pretty well, got the foothold, wrote a little python in the process. Could I get a hint getting user/root (not sure if I have 'user' or foothold right now, but I do have something). Tried a couple of different routes to RCE, but can't seem to figure that out. Any help for someone new to this?

    If you have a shell on the box, you are probably in a "foothold" - enumerate. Look into the technology and find where it is likely to store loot. Look around and find exactly where the real loot exists.

    Find the loot, use it.

    Then enumerate some more. Find a vuln published at the end of last year and privesc

    Note: I am not going to be available much in September.

    TazWake

    Note: https://www.nohello.com/

    Happy to help people but PLEASE explain your problem in as much detail as possible! If you say vague things like "It's not working", I can't help. This isn't Twitter so my DMs are always open.

  • edited August 2020

    @TazWake said:

    @mokrunka said:

    I was getting along pretty well, got the foothold, wrote a little python in the process. Could I get a hint getting user/root (not sure if I have 'user' or foothold right now, but I do have something). Tried a couple of different routes to RCE, but can't seem to figure that out. Any help for someone new to this?

    If you have a shell on the box, you are probably in a "foothold" - enumerate. Look into the technology and find where it is likely to store loot. Look around and exactly where the real loot exists.

    Find the loot, use it.

    Then enumerate some more. Find a vuln published at the end of last year and privesc

    Thanks @TazWake. I have tried both the 'manual' way of uploading .h******* and a p** shell, and was able to access the file at the url, but was not able to get a reverse shell when listening on nc. I then tried the 'easy' way using m*********, which basically does the same thing I was doing manually from looking at the .rb code, but I get an error: This exploit may require manual cleanup of '.*******' on the target.

    mokrunka

  • @mokrunka said:

    Thanks @TazWake. I have tried both the 'manual' way of uploading .h******* and a p** shell, and was able to access the file at the url, but was not able to get a reverse shell when listening on nc. I then tried the 'easy' way using m*********, which basically does the same thing I was doing manually from looking at the .rb code, but I get an error: This exploit may require manual cleanup of '.********' on the target.

    You should be able to get MSF to work - possibly double check the options.

    Note: I am not going to be available much in September.

    TazWake

    Note: https://www.nohello.com/

    Happy to help people but PLEASE explain your problem in as much detail as possible! If you say vague things like "It's not working", I can't help. This isn't Twitter so my DMs are always open.

  • edited August 2020

    @TazWake said:

    @mokrunka said:

    Thanks @TazWake. I have tried both the 'manual' way of uploading .h******* and a p** shell, and was able to access the file at the url, but was not able to get a reverse shell when listening on nc. I then tried the 'easy' way using m*********, which basically does the same thing I was doing manually from looking at the .rb code, but I get an error: This exploit may require manual cleanup of '.********' on the target.

    You should be able to get MSF to work - possibly double check the options.

    Yeah, beating my head against a wall here. I've tried several times, and I really think I'm putting in the right options and target/host info. Using a r******.t** shell, I'm still getting an error of 'This exploit may require manual cleanup of '.********' on the target. Maybe that file has been inadvertently modified somehow.

    mokrunka

  • @Karthik0x00 said:

    I have seen that many people here are using MSF module to exploit the vulnerability. You can choose that as your wish.
    But many are not configuring LHOST properly. Check options before exploit.

    I still had to adjust the firewall to allow access to port 4444.

  • @mokrunka said:

    Yeah, beating my head against a wall here.

    Understandable. It is important to remember exploits are never guaranteed at the best of times.

    It is not unusual to have to try an MSF exploit several times before it works. But it shouldn't be hundreds if it is ever going to work.

    I've tried several times, and I really think I'm putting in the right options and target/host info.

    Ok, but really there are only a few possible scenarios here:

    1) You are using the wrong exploit
    2) You have used the wrong options
    3) Something on the box is broken
    4) Your system is preventing the reverse connection (Firewall or other security tool/privs)

    If you are confident it is number 3, reset the box. If a reset doesn't fix the problem it is one of the others.

    Using a r******.t** shell,

    I hope you are using a payload with a different name to that. Something along the lines of
    /***********/r******_ for example.

    I'm still getting an error of 'This exploit may require manual cleanup of '.********' on the target. Maybe that file has been inadvertently modified somehow.

    So, the easiest thing here is to read through the MSF Ruby file for the exploit to see what it does and what that message means. It may be irrelevant to the problem if it is generated under normal circumstances and if you haven't got the exploit to work, you don't know what "normal" looks like here.

    If you read through the source code you can get an idea for what it is trying to do. It looks like the problem might be that it can't write the file it wants to write, which is why it can't automatically delete it.

    That implies the options aren't correct.

    tl;dr - reset the box, if that doesn't work your options are wrong.

    Note: I am not going to be available much in September.

    TazWake

    Note: https://www.nohello.com/

    Happy to help people but PLEASE explain your problem in as much detail as possible! If you say vague things like "It's not working", I can't help. This isn't Twitter so my DMs are always open.

  • @TazWake said:

    @mokrunka said:

    Yeah, beating my head against a wall here.

    Understandable. It is important to remember exploits are never guaranteed at the best of times.

    It is not unusual to have to try an MSF exploit several times before it works. But it shouldn't be hundreds if it is ever going to work.

    I've tried several times, and I really think I'm putting in the right options and target/host info.

    Ok, but really there are only a few possible scenarios here:

    1) You are using the wrong exploit
    2) You have used the wrong options
    3) Something on the box is broken
    4) Your system is preventing the reverse connection (Firewall or other security tool/privs)

    If you are confident it is number 3, reset the box. If a reset doesn't fix the problem it is one of the others.

    Using a r******.t** shell,

    I hope you are using a payload with a different name to that. Something along the lines of
    /***********/r******_ for example.

    That was my typo - yes, the payload I've been using is I think the one you're referring to there (/***********/r******_). I'll give it a shot again today and see how I get on. Thanks again.

    mokrunka

  • Anybody else having problems with the US VPN? I've gotten a shell, but I keep losing connection before I can really get anything else done. This has been happening from three different internet connections.

  • Hi!
    Rooted this machine.
    I would rename this machine from blunder to massive-overthink.
    Really easy boys, enumeration is the trick, foothold is the "hardest" part, it can be very tiring if you are new to some tools.
    Once you get in, search in files. I lost a lot of time in rabbit holes, don't stress yourself.
    Root took 2 commands. Check your permissions.

  • Root was surprisingly easier than I thought, literally a one liner. People aren't joking or exaggerating. Googled 2 things in sequence, and got the answer.

    User was extremely easy, enumeration like everyone has been saying.

    Initial Foothold is a bit confusing as to what you should do. But you have to go back to your caveman mentality and just force the door you might find.
    :smile:

  • ROOTED!

    There's quite a bit of info in the comments. So my only hints are:

    Foothold - read the comments
    User - continue reading the comments
    Root - read the comments some more

    :)

    c0nsid3rate

  • Got both flags but when I submit them I get the error "incorrect hash for blunder". I tried to reset the machine but the limit is reached for today. It's my first box... Am I doing something wrong?

  • @slashviper said:

    Got both flags but when I submit them I get the error "incorrect hash for blunder". I tried to reset the machine but the limit is reached for today. It's my first box... Am I doing something wrong?

    If you read through a few of the threads here you will see that this is an occasional problem.

    HTB uses dynamic hashes which means they change every time the box reboots or is on a different VPN.

    However, it also means that sometimes the hashes don't load properly and it creates issues.

    The main suggestions seem to be:

    1) reboot, repeat the pwnage, get the new flags, try them
    2) report it to HTB via a JIRA ticket and see if they can fix the issue

    Note: I am not going to be available much in September.

    TazWake

    Note: https://www.nohello.com/

    Happy to help people but PLEASE explain your problem in as much detail as possible! If you say vague things like "It's not working", I can't help. This isn't Twitter so my DMs are always open.

  • Rooted. PM for nudges.

  • just rooted the machine without even touching one of the users. does he have a purpose?

  • Dire need of help on root. I thought the user was pretty easy... everybody is saying root is the easy part but I can't for the life of me find it. I've got a shell with the f***** user. Linpeas doesn't finish the scan, so looking through what it gives me, I don't see anything in particular. I've found a couple of CVEs but there are people saying you should only have to type two commands and if you're uploading stuff, you're on the wrong track.
    [+] Searching specific hashes inside files - less false positives (limit 70)
    That's as far as Linpeas gets me. I'm probably missing something above that, but I'm definitely not able to get anything past that. Please help, point me to the correct John Hammond Video, or any kind of nudge would be greatly helpful.

    ps - I'm also on the EU vpn. I worked on it all last weekend using the US vpn but was disconnected nearly every three minutes. Thanks to anybody that will help.

  • Finally got shell
    strange password mechanism XD

    thanks for @Karthik0x00 for the nudge

    I'm not sure if privesc is needed for user flag part or not
    because the file is permission denied !

  • Could anyone give me an explanation on the fuzzing and enumeration required for the login credentials? Still pretty beginner.

  • rooted. thanks for:
    @ElleuchX1 and @JonnyGill

    user: all the tips have already been prescribed here, but I can remember again, enumeration, enumeration and enumeration, pay close attention to all the details of the initial page, the rest is a consequence.

    root: I certainly improved the enumeration that is key to solve this box. root is super easy.

    Hack The Box

  • @lmao2000 said:

    Could anyone give me an explanation on the fuzzing and enumeration required for the login credentials? Still pretty beginner.

    Read the hints from users, it's obvious!

    Initial foothold: enum, enum and enum (for special files) and look with clear eyes at content of site :)
