The foothold for this box was just kinda stupid. Maybe it's just me and my general distaste for CTFy machines, but after I got the initial foothold I was pretty disappointed. The "first part" is fine. However, the way to get the "second part" for the initial exploit seemed more of a way to slow down the progress of rooting the box rather than trying to give an example of or teach anyone a concept. Maybe I'm being too harsh about it, but it just seemed kinda uninspired on the creator's part.
That all being said, I actually did like this box after the foothold. User gave you a potential dead end and made you look somewhere else, which I personally like to see. Root took me 2 minutes, but it's an easy box so I have no complaints. If it were not for the foothold.
This box would be great for someone who was just learning, because of the general enum concepts.
tl;dr
foothold bad, rest of box good
There are plenty of hints on the forum, but if you need additional help, send me a PM with what you tried so far and I will do my best to help.
I think the initial foothold was quite good. There is a section of the OSCP that teaches you those exact steps and I enjoyed that it was finally in a HTB machine to do the same.
The next user part took me the longest to find, but once I found it the rest was easy.
Knowing this, it makes a ton more sense why this was the way in, and I was definitely wrong when I said the foothold was uninspired. I still don't like the foothold by any means, but I now understand why it's there.
Is anyone having issues with the decrypted hash for the user? It does seem to be working when trying to s**o as that user. The hash is the same and it decrypts to the same thing every time, however it's coming back with sorry try again. I have tried with user in lower case letters as well as capital first letter but nothing is working. This is strange cus earlier tonight I was able to use the same user and password to snag the user flag of the box. Did someone change something around? Please message me if you know what I'm experiencing!!
So, just to check, you are in a user account for **** ?
If so, can you confirm what you mean by s**o as that user - does that mean just run s**o or add a switch to the username you are trying to use?
Guys, I completed the box but only with Metasploit. In my first attempt I got a shell with nc, but I don't know why when I use python3 -c 'import pty; pty.spawn("/bin/bash")' (python --version gives me python 3.7.5) it won't give me a proper shell, but on Metasploit it works. Why I am asking that is because when I use a command like su … it doesn't ask me for a password so I can't log in with another user (on nc). But no problem on Metasploit, I just want to be able to do it without using Metasploit.
Is anyone able to get a working shell? When I use the shell command in meterpreter it drops me in, but after that no commands give me a response, which is strange because a week ago it was working fine.
ok so I rooted it but would like to discuss the exploit for root if someone could pm and explain why this works in the manner it does. I would greatly appreciate it.
Hi THERE! I am totally new here. I have passwd and username for blunder. I am trying the exploit but it returns me with .htaccess must be cleaned up. So I even tried resetting the machine but the response is the same. Even tried other payloads.
I am sorry if I broke any rules !!! FIRSTDAY !!! Thank you.
ok so I rooted it but would like to discuss the exploit for root if someone could pm and explain why this works in the manner it does. I would greatly appreciate it.
Not sure I can explain it but I can point you to the blog posts and articles which were published around the time it was made public. That might help you.
[!] This exploit may require manual cleanup of ‘.htaccess’ on the target
[*] Exploit completed, but no session was created.
Am I using the wrong payload or is it an issue I haven't thought of yet?
Exactly the same problem. I tried all payloads, but nothing helped.
SOLUTION FOR .htaccess error in Blunder!
Hello there! This is my first box so I might be able to explain things well, so just bear with me. I was having the same issue and after a millennia I found the solution to it. It's quite simple: all you need to do is set the interface of Metasploit as tun0, as we are using the HTB VPN, and also use the IP of tun0 as the LHOST IP for the exploit to run correctly.
To change the interface of Metasploit:
setg interfaceName
Hope I was able to help and didn't break any rules! It's still my DAY 2 here.
ok so I rooted it but would like to discuss the exploit for root if someone could pm and explain why this works in the manner it does. I would greatly appreciate it.
Not sure I can explain it but I can point you to the blog posts and articles which were published around the time it was made public. That might help you.
■■■■ yeah that would help. I came across a detailed one but wouldn't you know it. It's in Chinese.