Blunder is a retired, vulnerable Linux machine. We are expected to obtain the user and root flags by exploiting its vulnerabilities.
We perform a network scan with nmap to identify the target machine.
Classic Scan
Full Port Scan
Two ports were detected: 21/tcp closed ftp and 80/tcp open http Apache httpd 2.4.41 (Ubuntu). Since the ftp port rejects connections, we continue with port 80.
We continue the enumeration of port 80 through the browser.
We performed enumeration on the website, looked at the source code and did not find any information.
We performed directory and file scanning with Gobuster.
The following directories and files were detected: /0, /about, /admin, /cgi-bin/, /LICENSE, /robots.txt, /todo.txt.
/admin
/LICENSE
/robots.txt
/todo.txt
The todo.txt file tells us that the CMS has not been updated, which may be a hint. It also tells us that there is a user named fergus. Let’s check the CMS version immediately.
We look at the source code of /admin.
We saw that the Bludit CMS version is 3.9.2.
We tried default passwords here but could not log in successfully.
We searched for vulnerabilities.
We found that this version is vulnerable to brute-force attacks against user logins.
Now let’s perform a brute-force attack on this web application.
I will first prepare a wordlist with CeWL before performing the brute force.
We have created our wordlist; let’s use the Python code available at https://rastating.github.io/bludit-brute-force-mitigation-bypass/ to exploit it.
The password RolandDeschain was found for the user fergus.
Let’s try to log in.
We were able to log in.
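From the defender's side, the brute force above shows up in the web server's access log as a burst of login POSTs from one peer address. The following is an added example (not part of the original write-up) that flags such bursts in Apache combined-format logs. The /admin login prefix, the 60-second window, the threshold of 5, the meaning given to a 3xx response and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache "combined" format: peer address, timestamp, request line, status.
LINE_RE = re.compile(
    r'^(?P<peer>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
LOGIN_PREFIX = "/admin"          # assumption: login POSTs go under /admin
WINDOW = timedelta(seconds=60)   # assumption: tune to your own traffic
THRESHOLD = 5                    # login POSTs per peer per window

def find_bruteforce(lines):
    """Return {peer: {"attempts": n, "redirected": bool}} for noisy peers."""
    recent = defaultdict(deque)  # peer -> timestamps still inside the window
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or not m["path"].startswith(LOGIN_PREFIX):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[m["peer"]]
        q.append(ts)
        while q and ts - q[0] > WINDOW:   # drop attempts older than the window
            q.popleft()
        if len(q) >= THRESHOLD:
            hit = flagged.setdefault(m["peer"], {"attempts": 0, "redirected": False})
            hit["attempts"] = max(hit["attempts"], len(q))
        # Assumption: a 3xx answer to a login POST means the login succeeded.
        if m["peer"] in flagged and m["status"].startswith("3"):
            flagged[m["peer"]]["redirected"] = True
    return flagged

# Constructed sample log (documentation addresses, not from the original page).
SAMPLE = [
    f'203.0.113.7 - - [01/Jun/2020:10:00:{s:02d} +0000] "POST /admin/login HTTP/1.1" 200 2385 "-" "python-requests/2.23.0"'
    for s in range(0, 12, 2)
] + [
    '203.0.113.7 - - [01/Jun/2020:10:00:13 +0000] "POST /admin/login HTTP/1.1" 301 0 "-" "python-requests/2.23.0"',
    '198.51.100.4 - - [01/Jun/2020:10:00:20 +0000] "POST /admin/login HTTP/1.1" 200 2385 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [01/Jun/2020:10:05:00 +0000] "GET /about HTTP/1.1" 200 3100 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for peer, info in find_bruteforce(SAMPLE).items():
        print(peer, info)
```

A flagged peer whose burst ends in a redirect is the case to triage first, since under the stated assumption it marks a guessed password rather than a failed attempt.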
Here we will continue by getting a shell using msfconsole.
We entered the required values and got a shell on the machine as the www-data user, but we could not access the user flag because of insufficient privileges.
Here we have obtained the password hash of the user hugo; let’s try to crack it with CrackStation.
The password Password120 was found for the user hugo.
Let’s try to switch user.
We were able to get our user flag.
Then let’s try to do privilege escalation.
This way we got our root flag.
OSCP PREPARATIONS – HTB Blunder