- Directory enumeration reveals hidden information
- Login page credentials are simple
- RCE can be done from plugins
- Privilege escalation can be achieved by editing a monitor script
Run an nmap scan to find open ports.
Viewing the page source gives a clue.
Run a gobuster scan to find hidden directories.
The main site does not return many directories, so I tried it with the nibbleblog subdirectory.
The README indicates the version of the interface.
After some time brute-forcing the login page, I tried the name of the box and access was gained.
Found an exploit that does not require Metasploit.
Head to the plugins My image page and upload a PHP reverse shell.
Start a nc listener and activate the reverse shell script.
User access gained.
User flag found.
Check for sudo permissions.
Let’s echo a shell into monitor.sh, and root access is gained.
Root flag is found.
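
The root step works because a script that sudo runs as root could be edited by the low-privileged user. The audit below is an added example, not part of the original write-up: it reads sudoers-style rules and flags command paths that a non-root account could modify, create or replace. The user `svc`, the script names and the temp tree are constructed, and the check covers only each file and its containing directory.

```shell
#!/bin/sh
# Added example: flag sudoers command paths that a non-root account could modify.
TRUSTED_UID=${TRUSTED_UID:-0}   # owner considered safe; 0 (root) on a real host

# Print the absolute command paths named in sudoers-style rules read from stdin.
sudo_targets() {
    sed -n '/^Defaults/d; s/^[^#=]*=//p' |      # keep the command list after "host="
        sed 's/([^)]*)//g; s/[A-Z_]*://g' |     # drop (runas) specs and NOPASSWD:-style tags
        tr ',' '\n' | awk '$1 ~ /^\// { print $1 }'
}

# True when $1 is not owned by TRUSTED_UID or is group/world-writable.
is_tamperable() {
    [ -n "$(find "$1" -prune \( ! -user "$TRUSTED_UID" -o -perm -0020 -o -perm -0002 \) 2>/dev/null)" ]
}

# Audit rule file $1; print one finding per risky command path.
audit_sudo_rules() {
    sudo_targets < "$1" | sort -u | while IFS= read -r cmd; do
        dir=$(dirname "$cmd")
        if [ ! -e "$cmd" ]; then
            # Rule names a file that does not exist: can an untrusted user create it?
            if is_tamperable "$dir"; then echo "CREATABLE $cmd"; else echo "MISSING $cmd"; fi
        elif is_tamperable "$cmd"; then
            echo "WRITABLE $cmd"        # file contents can be edited directly
        elif is_tamperable "$dir"; then
            echo "REPLACEABLE $cmd"     # file is fine, but it can be swapped out
        fi
    done
}

# Constructed demo: a temp tree stands in for the host; the current user plays "trusted".
demo() {
    t=$(mktemp -d) && mkdir "$t/safe" "$t/open"
    printf '#!/bin/sh\n' | tee "$t/safe/backup.sh" > "$t/open/monitor.sh"
    chmod 755 "$t/safe" "$t/safe/backup.sh"
    chmod 777 "$t/open" && chmod 666 "$t/open/monitor.sh"
    cat > "$t/rules" <<EOF
# constructed sudoers-style rules (hypothetical user and paths)
Defaults env_reset
svc ALL=(root) NOPASSWD: $t/safe/backup.sh, $t/open/monitor.sh
svc ALL=(root) NOPASSWD: $t/open/cleanup.sh --all
EOF
    ( TRUSTED_UID=$(id -u); audit_sudo_rules "$t/rules" )
    rm -rf "$t"
}
```

On a real host, run `audit_sudo_rules` as root against `/etc/sudoers` and each file in `/etc/sudoers.d/`, leaving `TRUSTED_UID` at its default of 0.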