Make sure we are connected to the host with a ping scan, then begin the nmap scan.
We see port 80 is open so we go to the 10.10.10.75 website.
We get a hello world empty page. So from here you can check the source code and/or do dirbuster to find hidden directories
By looking at the source code we see a new directory /nibbleblog/ so lets go there.
This brings us to a new blog type web-page. Lets use dirbuster to further enumerate this website.
Once satisfied with the dirbuster configurations lets run it
we instantly get hits , lets try the admin.php
Admin.php is a login page. Somehow we need to find the login credentials. These won’t have default credentials because this is someone personal blog
Lets load up this nibble on msfconsole
Now we really need the password and username for this module
We will use hydra plus seclists to try a bruteforce on the admin username. We were able to generate credentials through hydra hydra -l admin -P /usr/share/seclists/Passwords/Leaked-Databases/rockyou-15.txt -vV -f -t 2 10.10.10.75 http-post-form “/nibbleblog/admin.php:username=^USER^&password=^PASS^:login_error”
Now that I have the credentials I wanted to see if I can get the meterpreter shell but I don’t remember how to see if the payload is compatible
Okay so I changed the payload back to what it was and chanfed the targeturi to just /nibbleblog and then ran the exploit to get a shell
Attempted to do a suggester for post exploitation but no success here.
user flag inside the user nibbler
Because we can run the sudo -l command this lets us know that we can create files
we simply created the directories leading up to monitor.sh now lets create the file
Bash -i means bash interactive with the sudo command we can execute and it will give us an interactiuver shell as root because we sudo the command
We see that the script is now executable
Execute the command and it will timeout for a couple seconds but then type whoami or id to confirm you are root and locate the root.txt shell
in this box we learned how to find hidden directories with dirbuster, used searchsploit to find the vulnerability in nibble, also learned some linux privilege escalation and when its usable with sudo -l
eJPT | Sec+ | Cyber Security Enthusiast. I plan on obtaining the ecpptv2 and OSCP in 2021. Just documenting my experience of becoming a pentester along the way.
