HackTheBox | Blurry

In this walkthrough, I demonstrate how I obtained complete ownership of Blurry on HackTheBox
HackTheBox | Blurry

Foothold Hint

  • Blurry has two ports open tcp/22 and tcp/80. You likely know that SSH is almost never the first way in, so you'll need to lean on your web enumeration skills here
  • The first web server you discover has an open login design, waltz right in and take a look around, did you find the software version and the CVE?
  • If you've found the CVE but your exploit doesn't work, hunt around for more information
    • Web server technology allows a single IP address to listen for other names
      • What is is this technology and how can you find the other server names?
    • Be sure to explore the new server name thoroughly for some helpful information from the admin
      • What do you need to add to the exploit to have it processed by the server?

Privilege Escalation Hint

  • I found two privilege escalation paths — one intentional, and one which I believe is unintentional
  • Have a solid post-exploit enumeration strategy. Look at processes, services, files, permissions
    • You should find an interesting program you can run (with some constraints)
      • What kind of files does this program take as input? Analyze these files to figure out how you can plant malicious data.
    • For an easy win, and alternate path, do you notice anything special about the directory where this program is stored?

Nmap Results

# Nmap 7.94SVN scan initiated Wed Jun 12 16:48:20 2024 as: nmap -Pn -p- --min-rate 2000 -sC -sV -oN nmap-scan.txt 10.129.232.198
Nmap scan report for 10.129.232.198
Host is up (0.017s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey: 
|   3072 3e:21:d5:dc:2e:61:eb:8f:a6:3b:24:2a:b7:1c:05:d3 (RSA)
|   256 39:11:42:3f:0c:25:00:08:d7:2f:1b:51:e0:43:9d:85 (ECDSA)
|_  256 b0:6f:a0:0a:9e:df:b1:7a:49:78:86:b2:35:40:ec:95 (ED25519)
80/tcp open  http    nginx 1.18.0
|_http-title: Did not follow redirect to http://app.blurry.htb/
|_http-server-header: nginx/1.18.0
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Jun 12 16:48:46 2024 -- 1 IP address (1 host up) scanned in 26.15 seconds

There is a redirect to app.blurry.htb in the tcp/80 output, so let's go ahead and get that added to our /etc/hosts file. Let's also add blurry.htb for good measure.

echo -e '10.129.232.198\tblurry.htb app.blurry.htb' | sudo tee -a /etc/hosts

This box is still active on HackTheBox. Once retired, this article will be published for public access as per HackTheBox's policy on publishing content from their platform.

Read the full story

Sign up now to read the full story and get access to all posts for Pending Publication tier only.

Subscribe
Already have an account? Sign in
0xBEN
Great! You’ve successfully signed up.
Welcome back! You've successfully signed in.
You've successfully subscribed to 0xBEN.
Your link has expired.
Success! Check your email for magic link to sign-in.
Success! Your billing info has been updated.
Your billing was not updated.