- We use nmap to scan using
nmap -p- -A -T4 -Pn 10.10.10.75
- We found an Apache server running:
- Using dirbuster found this:
indicates poor hygiene - Upon inspect element found we found a hidden comment:
- Leads to a nibbleblog website where we find the following using dirbuster:
- Just attempting username:admin password:nibbles gets us logged in
- We find that the version used is 4.0.3:
Which can be exploited to get remote code execution. - using metasploit we can use the exploit
exploit(multi/http/nibbleblog_file_upload)to get access to the machine:
- Note: The
historycommand lets us view the previous commands executed by the user. sudo -llets us know the allowed commands for a user:
We notice that monitor.sh can be run as sudo so we create a monitor.sh as following:
This creates a bash interactive shell with root privileges like so:
- We have successfully pwned the machine!
