Once satisfied with the dirbuster configurations lets run it we instantly get hits , lets try the admin.php Admin.php is a login page. Somehow we need to find the login credentials. These won’t have default credentials because this is someone personal blog Lets load up this nibble on msfconsole Now we really need the password and username for this module We will use hydra plus seclists to try a bruteforce on the admin username. We were able to generate credentials through hydra hydra -l admin -P /usr/share/seclists/Passwords/Leaked-Databases/rockyou-15.txt -vV -f -t 2 10.10.10.75 http-post-form “/nibbleblog/admin.php:username=^USER^&password=^PASS^:login_error” Now that I have the credentials I wanted to see if I can get the meterpreter shell but I don’t remember how to see if the payload is compatible Okay so I changed the payload back to what it was and chanfed the targeturi to just /nibbleblog and then ran the exploit to get a shell Attempted to do a suggester for post exploitation but no success here. user flag inside the user nibbler Because we can run the sudo -l command this lets us know that we can create files we simply created the directories leading up to monitor.sh now lets create the file Bash -i means bash interactive with the sudo command we can execute and it will give us an interactiuver shell as root because we sudo the command We see that the script is now executable Execute the command and it will timeout for a couple seconds but then type whoami or id to confirm you are root and locate the root.txt shell in this box we learned how to find hidden directories with dirbuster, used searchsploit to find the vulnerability in nibble, also learned some linux privilege escalation and when its usable with sudo -l