masscan -p 1-65535 10.10.10.30 -e tun0 --rate=1000
Only port 80 is open. That is the default HTTP port, so I know Apache is running
dirb http://10.10.10.191/ -X .txt
Running dirb with the default list, and with -X .php and -X .html, gave nothing, but -X .txt found a todo file which revealed a username: fergus
Found admin page which gave a login prompt
The login page says "Powered by BLUDIT", so I looked at how to exploit that
Found a blog listed below
https://rastating.github.io/bludit-brute-force-mitigation-bypass/
Bludit apparently has an anti-brute-force mechanism that can be bypassed by adding a header that changes the apparent client IP on every attempt
It seemed needlessly tiresome to blindly brute-force the login; although that was working, it would theoretically take forever
Common username and password combos didn't work
Using cewl to build a custom wordlist from the site; this can be used to brute-force with the username we found
Running the wordlist against the username fergus found the password RolandDeschain
The code I used is at
https://github.com/gauravsachdev/Ctf_Or_LearningLabs/blob/master/HacktheBox/Blunder/bruteforcepass.py
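The defender's side of the bypass described above, as an added example that is not part of this writeup or of Bludit: a small detector that keys failed logins on the TCP peer address (which the client cannot forge) and alerts when a burst of failures arrives with a different X-Forwarded-For value each time, plus the mitigation of only honouring that header from a known proxy. The log format and all addresses are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth-log lines in a hypothetical format (not real Bludit logs):
# <timestamp> <remote_addr> <x_forwarded_for or -> <username> <FAIL|OK>
# The first five mimic the bypass: one peer address, a fresh X-Forwarded-For per attempt.
SAMPLE_LOG = """\
2020-06-01T10:00:01 198.51.100.7 203.0.113.1 fergus FAIL
2020-06-01T10:00:02 198.51.100.7 203.0.113.2 fergus FAIL
2020-06-01T10:00:03 198.51.100.7 203.0.113.3 fergus FAIL
2020-06-01T10:00:04 198.51.100.7 203.0.113.4 fergus FAIL
2020-06-01T10:00:05 198.51.100.7 203.0.113.5 fergus FAIL
2020-06-01T10:01:00 198.51.100.9 - alice FAIL
2020-06-01T10:01:05 198.51.100.9 - alice OK
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (FAIL|OK)$")


def parse(log_text):
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # skip malformed lines instead of aborting the whole scan
            ts, remote, xff, user, result = m.groups()
            events.append((datetime.fromisoformat(ts), remote, xff, user, result))
    return events


def detect_rotating_xff(events, window_s=60, min_failures=5):
    """Alert per peer address when many failures inside one window each carry
    a distinct X-Forwarded-For value (the signature of the header-rotation bypass)."""
    fails = defaultdict(list)
    for ts, remote, xff, _user, result in events:
        if result == "FAIL":
            fails[remote].append((ts, xff))
    alerts = {}
    for remote, items in fails.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            xffs = [x for t, x in items[i:] if (t - start).total_seconds() <= window_s]
            if len(xffs) >= min_failures and len(set(xffs)) >= min_failures:
                alerts[remote] = {"failures": len(xffs), "distinct_xff": len(set(xffs))}
                break
    return alerts


def client_ip(remote_addr, headers, trusted_proxies):
    """Mitigation: honour X-Forwarded-For only when the peer is a known proxy."""
    xff = headers.get("X-Forwarded-For")
    if remote_addr in trusted_proxies and xff:
        return xff.split(",")[-1].strip()  # rightmost entry is the one the trusted proxy appended
    return remote_addr
```

Rate limiting keyed on client_ip() rather than on the raw header removes the bypass, because every attempt then counts against the same peer address.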
I know from a Google search that there is also a path traversal exploit in Bludit, so I will try that via an image upload
There is a Metasploit module for this Bludit exploit, so I used that one
users.txt (the flag) was not accessible. I found the users.php file in the Bludit directory, but an online search showed that a salt is appended to the password before hashing
5dde2887e7aca bfcc887f62e36ea019e3295aafb8a3885966e265
I still wasn't able to decode it
More enumeration revealed a newer version of Bludit with a users.php that had no salt
This revealed a SHA hash that was crackable
That gave the user flag
Now to escalate privileges
sudo -l
revealed the user had sudo privileges for bash
sudo -u#-1 /bin/bash
gave root access