Port Scanning and General Enumeration (Nmap, Gobuster)
The initial scan shows ports 22 (SSH) and 80 (HTTP) open.
The website just says hello world, but the page source has something interesting:
Powered by Nibbleblog
Let’s see if we can uncover anything with gobuster.
Lots of interesting results.
README has the version
admin.php is the login page
And there’s a
/content/ directory with a
Things we know:
- It’s running Nibbleblog
- The version is 4.0.3
- There’s an admin user
- There’s a login page
Access (Burpsuite, php-reverse-shell, CVE-2015-6967, cewl)
Let’s start by targeting the admin user. As far as I could tell, Nibbleblog doesn’t have default credentials, so we can try to brute-force the login.
First, I like to create a wordlist based on the website. For this, we’ll use cewl:
cewl -url http://10.10.10.75 --lowercase -w wordlist
Capture the login request in Burp Suite and send it to Intruder.
Load our newly created wordlist and fire it off.
We have the password and we can now access the dashboard.
Searching for Nibbleblog 4.0.3 exploits led me to CVE-2015-6967.
We can upload a php-reverse-shell using the My Image plugin, and access it using this endpoint:
Let’s do that. Upload your image, start your listener (nc -lvnp 4444) and access the endpoint.
My favorite Linux enumeration script is linpeas by far.
After getting it on the box with wget and running it, we get an interesting finding.
We can run monitor.sh as root without a password. Let’s overwrite it:
echo '#!/bin/bash' > monitor.sh
echo '/bin/bash' >> monitor.sh
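As an added defender's check that is not part of this writeup: the privilege escalation above works only because a NOPASSWD sudo rule points at a script the user can edit. The bash audit below parses a sudoers file for NOPASSWD rules and flags any whose command file is writable by a non-root user; it assumes GNU stat on Linux, and the sudoers content and script paths built by make_demo_fixture are constructed for the demo.

```bash
#!/usr/bin/env bash
# Added defensive audit (not from the original writeup): flag sudo NOPASSWD rules
# whose target script can be modified by a non-root user, the monitor.sh condition
# above. Assumes GNU coreutils stat (Linux); the sudoers content and paths in
# make_demo_fixture are constructed for the demo.

# True (0) if <path> exists and its mode grants write to group/other, or to an
# owner who is not root. Conservative: group-writable with group root still flags.
is_writable_by_non_root() {
  local path="$1" mode owner
  [ -e "$path" ] || return 1
  mode=$(stat -c '%a' "$path") && owner=$(stat -c '%U' "$path") || return 1
  local u=$(( (8#$mode >> 6) & 2 )) g=$(( (8#$mode >> 3) & 2 )) o=$(( 8#$mode & 2 ))
  [ "$owner" != root ] && [ "$u" -ne 0 ] && return 0
  [ "$g" -ne 0 ] || [ "$o" -ne 0 ]
}

# Prints "RISK <user> <command>" for each NOPASSWD command that a non-root user
# could rewrite; returns 1 if anything was flagged, 0 if the file is clean.
audit_sudoers_file() {
  local sudoers="$1" found=0 line user cmds cmd
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in ''|\#*) continue ;; esac             # blanks and comments
    case "$line" in *NOPASSWD:*) ;; *) continue ;; esac   # only passwordless rules
    user="${line%%[[:space:]]*}"                          # first field: user or %group
    cmds="${line##*NOPASSWD:}"                            # comma-separated command list
    while [ -n "$cmds" ]; do
      cmd="${cmds%%,*}"
      [ "$cmd" = "$cmds" ] && cmds="" || cmds="${cmds#*,}"
      cmd="${cmd#"${cmd%%[![:space:]]*}"}"                # trim leading whitespace
      cmd="${cmd%% *}"                                    # drop arguments, keep the path
      if is_writable_by_non_root "$cmd"; then
        echo "RISK $user $cmd"; found=1
      fi
    done
  done < "$sudoers"
  return "$found"
}

# Constructed fixture under <dir>: one writable script, one read-only script,
# and a sudoers file with a NOPASSWD rule covering both.
make_demo_fixture() {
  local dir="$1"
  printf '#!/bin/bash\nuptime\n' > "$dir/monitor.sh"; chmod 777 "$dir/monitor.sh"
  printf '#!/bin/bash\ndf -h\n' > "$dir/backup.sh";   chmod 555 "$dir/backup.sh"
  printf '# constructed sudoers for the demo\nnibbler ALL=(root) NOPASSWD: %s/monitor.sh, %s/backup.sh\n' \
    "$dir" "$dir" > "$dir/sudoers"
}

dir=$(mktemp -d) && make_demo_fixture "$dir"
audit_sudoers_file "$dir/sudoers" || echo "-> sudoers needs attention"
```

Only monitor.sh is reported, because backup.sh carries no write bits for anyone; the same check run against a real /etc/sudoers and /etc/sudoers.d/* files catches the configuration this box is built around.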