->Blunder




User part:



-> Run nmap scan





-> Port 21 is closed and 80 is open, so let's check the website. Nothing much on the webpage.





-> Let's check robots.txt; nothing here.





-> So I ran gobuster to brute-force the directories and files and I got one interesting file, 'todo.txt'.





-> While reading the paragraph, you can understand that 'fergus' is the username.





-> Then I went to the 'admin' directory and found that Bludit CMS is in use. While checking the source code I also found the version number.





-> Then I used searchsploit to search for an exploit and I found an Authentication Bruteforce vulnerability.





-> Then I downloaded the exploit, then I converted the code using 'dos2unix', and I needed to install some requirements.
I converted the file with dos2unix because sometimes I get errors.





-> Then I tried some common passwords, but they were wrong, so I used the 'cewl' command to download a custom wordlist of
passwords from the website.





-> I tried the custom wordlist and got the password, and now I can access the dashboard.





-> While I was searching the Bludit issues on GitHub, I found an RCE in version 3.9.2.





-> Then I searched for an exploit and got one exploit.





-> The exploit is an authenticated RCE. I gave the credentials and I got a reverse shell.





-> I tried to get user.txt but permission was denied, so I looked into the directories and found an interesting part of Bludit.
In the folder I found two Bludit version directories.
I know we exploited version '3.9.2', so I looked into version 3.10.





-> I found an interesting part in users.php, which contains the hash of the password.





-> I cracked the password with the help of crackstation.net.





-> Then I tried the password with the username hugo and the password is correct.





Root part:



-> I searched for what this user can do with root privileges and found that /bin/bash can be executed with root privilege.





-> I found that the version of sudo is older and exploitable.





-> This is the full exploit in Exploit-DB.





-> I got a root shell using the command and got 'root.txt'.