- using nmap scan found two open ports 80,22
- found an instance of Nibbleblog [/nibbleblog]
- using gobuster discovered multiple directories with directory listing enabled
- found README file which included the version of Nibbleblog, which has a shell upload vulnerability
- went through the directory listing and found ‘admin’ username
- found out that IP blacklisting is enabled against bruteforcing login attempts
- uncovered ‘admin’ password is ‘nibbles’ through clues in directory listing
- created a php reverse shell and uploaded as an image in the admin page which is vulnerable
- started a netcat listener in my terminal, and used cURL to execute the reverse shell found in ‘/content’ listing directory
- found user.txt and personal.zip in home directory of ‘nibbler’ user
- user.txt content: 79c03865431abf47b90ef24b9695e148
- downloaded LinEnum.sh on my local machine and started a Python HTTP server to download the file on target machine using wget
- once the script is pulled over I used chmod +x LinEnum.sh to make the target executable
- running the script we see a misconfiguration vulnerability that allows us to run a .sh script as root without a password, which is owned by our user ‘nibbler’ and is writable
- by writing to monitor.sh with the following command, echo -e '#!/bin/bash\nbash' | tee -a monitor.sh, and running the script using sudo /home/nibbler/personal/stuff/monitor.sh, we gain access to the root user
- from here, I can get to the root.txt flag
- root.txt content: de5e5d6619862a8aa5b9b212314e0cdd
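As an added defender's check that is not part of the original writeup: a POSIX shell audit that flags the kind of sudo rule abused above, a NOPASSWD target that is not owned by root or is group/world-writable. The sudoers fragment and the monitor.sh file it creates are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original writeup): audit a sudoers-style file
# for NOPASSWD rules whose command could be modified by a non-root user,
# which is the misconfiguration the writeup abuses via monitor.sh.

# Print every NOPASSWD command path that is not root-owned or is
# group/world-writable; "ALL" rules are reported as unrestricted.
# Usage: audit_nopasswd /etc/sudoers   (also works on /etc/sudoers.d/* files)
audit_nopasswd() {
    # drop comment lines, keep NOPASSWD rules, keep only the text after "NOPASSWD:"
    grep -v '^[[:space:]]*#' "$1" \
      | sed -n 's/.*NOPASSWD:[[:space:]]*//p' \
      | tr ',' '\n' \
      | while IFS= read -r spec; do
            # first word of each command spec is the path, the rest are arguments
            set -- $spec
            path=$1
            [ -n "$path" ] || continue
            if [ "$path" = "ALL" ]; then
                echo "ALL (unrestricted)"
                continue
            fi
            # report if not owned by root, or writable by group (020) or other (002)
            find "$path" -prune \( ! -user root -o -perm -020 -o -perm -002 \) -print 2>/dev/null
        done
    return 0
}

# Demo on a constructed sudoers fragment mirroring the writeup's rule.
demo() {
    tmp=$(mktemp -d)
    printf '#!/bin/bash\nbash\n' > "$tmp/monitor.sh"
    chmod 777 "$tmp/monitor.sh"        # writable by everyone: this should be flagged
    cat > "$tmp/sudoers" <<EOF
# constructed sample, not a real sudoers file
nibbler ALL=(root) NOPASSWD: $tmp/monitor.sh
nibbler ALL=(root) /usr/bin/true
EOF
    audit_nopasswd "$tmp/sudoers"
    rm -rf "$tmp"
}

demo
```

Fixing a flagged entry means making the script root-owned and not writable by others, or dropping the NOPASSWD rule entirely.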