User part :
-> Run nmap scan
-> Port 21 is closed and 80 is open, So let's check te website, nothing much in the webpage
-> let's check robots.txt , nothing here
-> So i run gobuster to bruteforce the directories and files and i got 1 intresting file 'todo.txt'
-> While reading the paragraph , you can understand 'fergus' is the username
-> Then i went to 'admin' directory and found bludit CMS is using, while checking source code i found the version number also
-> Then i used searchsploit to search exploit and i found Authontication Bruteforce vulnerability
-> Then i downloaded the exploit , then i converted the code using 'dos2unix'.and i need to install some requirements.
I converted the file with dos2unix is ,beacouse sometimes iam getting errors
-> Then i tried some coomon passwords,but they are wrong. so i used 'cewl' command to download custom wordlist of
passwords from the website
-> I tried with custom wordlist and got the password and now i can access the dashboard
-> while iam searching the issues of bludit in github, i found a RCE in version 3.9.2
-> Then i search for exploit and got 1 exploit
-> The exploit is Authenticated RCE i gave the credentials and i got reverse shell
-> I tried to get user.txt but permission is denied, so i look into the directories , i found an intresting part of bludit.
In the folder i found 2 bludit versions directories ,
i know we exploitd with version '3.9.2' .So i looked into version 3.10
-> I got some intresting part in users.php which contains hash of password
-> I cracked the password with the help of crackstation.net
-> Then i tried the password with username hugo and the password is correct
Root Part :
-> I searched for what this user can do with root privileges and i got /bin/bash can execute with root privilege
-> I found the version of sudo is older and exploitable
-> This is the full exploit in exploitdb
-> I got root shell using the command and got 'root.txt'