Blunder is a retired vulnerable machine running Linux. We are expected to obtain the user and root flags by exploiting its vulnerabilities.
We perform a network scan with nmap to identify the services on the target machine.

Classic Scan

Full Port Scan

The scan shows 21/tcp closed (ftp) and 80/tcp open (http, Apache httpd 2.4.41 (Ubuntu)). Since the FTP port rejects connections, we continue enumeration on port 80.
On port 80 we continue enumeration through the browser.

We enumerated the website and looked at its page source, but found no useful information.
We then performed directory and file scanning with Gobuster.

The following directories and files were detected: /0, /about, /admin, /cgi-bin/, /LICENSE, /robots.txt, /todo.txt.




The todo.txt file tells us that the CMS has not been updated, which may be a hint. It also reveals that there is a user named fergus. Let's check the CMS version right away.
We look at the page source of /admin.

We see that the site runs Bludit CMS version 3.9.2.

We tried default passwords here but could not log in.
We searched for known vulnerabilities in this version.

We learned that this version's brute-force protection can be bypassed, allowing password guessing against a chosen user.
Now let's brute force the login.
I will first prepare a wordlist with CeWL before brute forcing.

With our wordlist created, let's use the Python script available at https://rastating.github.io/bludit-brute-force-mitigation-bypass/ to exploit the vulnerability.

The password of user fergus was found: RolandDeschain.
Let's try to log in.

We were able to log in.
Next we get a shell using msfconsole.

After setting the module options we got a shell as the www-data user. We could not read the user flag because of insufficient privileges.

Here we found the password hash of user hugo; let's try to crack it with CrackStation.

The password of user hugo was found: Password120.

Let's switch to that user.

We were able to get our user flag.
Next, let's attempt privilege escalation.

This way we got our root flag.