Nibbles
Port Scanning and General Enumeration (Nmap, Gobuster)
Initial scan shows ports 22 (SSH) and 80 (HTTP).
The website just says hello world, but the source has something interesting: "Powered by Nibbleblog".
Let's see if we can uncover anything with gobuster.
Bunch of interesting stuff: the README has the version, admin.php is the login page, and there's a /content/ directory with a users.xml file.
Things we know:
- It’s running Nibbleblog
- The version is 4.0.3
- There’s an admin user
- There’s a login page
Access (Burpsuite, php-reverse-shell, CVE-2015-6967, cewl)
Let’s start by targeting the admin user. As far as I could tell, Nibbleblog doesn’t have default credentials so we can try to bruteforce it.
First, I like to create a wordlist based on the website. For this, we'll use cewl:
cewl -url http://10.10.10.75 --lowercase -w wordlist
Capture the login request in Burpsuite and send it to Intruder.
Load our newly created wordlist and fire it off.
We have the password and can now access the dashboard.
Googling Nibbleblog 4.0.3 exploits led me to CVE-2015-6967.
We can upload a php-reverse-shell using the My Image plugin and access it using this endpoint:
/nibbleblog/content/private/plugins/my_image/image.php
Let's do that. Upload your image, start your listener (nc -lvnp 4444), and access the endpoint.
Privesc (linpeas)
My favorite linux enumeration script is linpeas by far.
After getting it on the box using wget and running it, we get an interesting finding: we can run monitor.sh as root without a password. Since the script is ours to edit, let's overwrite monitor.sh:
echo '#!/bin/bash' > monitor.sh
echo '/bin/bash' >> monitor.sh
sudo ./monitor.sh