HTB : Nibbles


https://app.hackthebox.com/machines/Nibbles


Review

  • Directory enumeration reveals hidden information
  • Login page credentials are simple
  • RCE can be done from plugins
  • Privilege escalation can be achieved by editing a monitor script

Enumeration

Run an nmap scan to find open ports.

Port 80

View source gives a clue.

Run a gobuster scan to find hidden directories.

The main site does not turn up many directories, so I tried it against the nibbleblog subdirectory.

/contents/

/content/private/users.xml

Readme indicates the version of the interface.

After some time spent brute-forcing the login page, I tried the name of the box and gained access.


Foothold

Found an exploit that does not require Metasploit.

Head to the My image plugin page and upload a PHP reverse shell.

Start an nc listener and trigger the reverse shell script.

User access gained.
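The foothold above works because the image plugin accepts a PHP file as an "image". Added example, not from this writeup or from Nibbleblog: a small POSIX shell audit that walks an upload directory and flags files that either carry a PHP extension or start with a PHP open tag despite an image extension, so a defender can spot this kind of upload after the fact. The directory name and the sample files in the test are constructed.

```shell
#!/bin/sh
# Constructed audit helper (added example, not part of the HTB writeup).
# scan_uploads DIR prints one line per suspicious file in DIR:
#   "EXT <file>"  -> file name ends in a PHP-family extension
#   "TAG <file>"  -> file content starts with "<?php" regardless of extension
# Returns 1 if anything suspicious was found, 0 otherwise.
scan_uploads() {
  dir="$1"
  found=0
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    # Extension check: an image upload directory should never hold these.
    case "$f" in
      *.php|*.phtml|*.phar|*.php[3-7])
        echo "EXT $f"
        found=1
        continue
        ;;
    esac
    # Content check: the first five bytes of a real image are never "<?php".
    head=$(head -c 5 "$f" 2>/dev/null)
    if [ "$head" = "<?php" ]; then
      echo "TAG $f"
      found=1
    fi
  done
  return $found
}

# Usage (path is an assumption): scan_uploads /var/www/html/nibbleblog/content
```

The content check matters more than the extension check: a renamed `shell.png` still runs if the web server is later persuaded to execute it, and the open tag is the cheapest reliable signal.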

User flag found.

Privilege escalation

Check for sudo permissions.

Looks like some kind of server health monitoring script.

Echo a shell into monitor.sh and root access is gained.

Root flag is found.
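The root step works only because the script that sudo allows to run is writable by the low-privilege user. Added example, not part of this writeup: a POSIX shell audit that takes "user:path" lines describing sudo-permitted scripts and reports whether each script is writable by group, by others, or is owned by a non-root user, which is the condition an administrator should be checking for. The user name and paths in the test are constructed.

```shell
#!/bin/sh
# Constructed audit helper (added example, not part of the HTB writeup).
# check_script PATH prints exactly one verdict:
#   MISSING, WRITABLE(other), WRITABLE(group), WRITABLE(owner=NAME) or OK
# A script run via sudo must be root-owned and not writable by anyone else;
# otherwise the sudo rule hands out whatever the writer puts in the file.
check_script() {
  path="$1"
  [ -e "$path" ] || { echo "MISSING"; return 0; }
  perms=$(ls -ld "$path" | cut -c1-10)        # e.g. -rwxrwxrwx
  owner=$(ls -ld "$path" | awk '{print $3}')
  # Character 9 is the "other" write bit, character 6 the group write bit.
  case "$(printf '%s' "$perms" | cut -c9)" in
    w) echo "WRITABLE(other)"; return 0 ;;
  esac
  case "$(printf '%s' "$perms" | cut -c6)" in
    w) echo "WRITABLE(group)"; return 0 ;;
  esac
  [ "$owner" = "root" ] || { echo "WRITABLE(owner=$owner)"; return 0; }
  echo "OK"
}

# audit_sudo_list reads "user:path" lines on stdin (one per sudo rule),
# prints "user path verdict" for each and returns 1 if any script is writable.
audit_sudo_list() {
  rc=0
  while IFS=: read -r user path; do
    [ -n "$path" ] || continue
    verdict=$(check_script "$path")
    echo "$user $path $verdict"
    case "$verdict" in WRITABLE*) rc=1 ;; esac
  done
  return $rc
}

# Usage (user and path are assumptions, taken from a sudoers review):
#   printf 'webuser:/home/webuser/personal/stuff/monitor.sh\n' | audit_sudo_list
```

Feed it the script paths from each NOPASSWD rule rather than trusting `sudo -l` output alone; the same check should also be run on the script's parent directory, since a writable directory lets the file be replaced outright.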
