https://app.hackthebox.com/machines/Nibbles
Review
- Directory enumeration reveals hidden information
- Login page credentials are simple
- RCE can be done from plugins
- Privilege escalation can be achieved by editing a monitor script
Enumeration
Run an nmap scan to find open ports.

Port 80

Viewing the page source gives a clue.


Run a gobuster scan to find hidden directories.
The main site does not turn up many directories, so I tried it against the nibbleblog subdirectory.

/contents/

/content/private/users.xml

The README indicates the version of the interface.

After some time brute-forcing the login page, I tried the name of the box and access was gained.


Foothold
Found an exploit that does not require Metasploit.

Head to the plugins' My image page and upload a PHP reverse shell.

Start an nc listener and activate the reverse shell script.

User access gained.

User flag found.

Privilege escalation
Check for sudo permissions.


Let’s echo a shell into monitor.sh, and root access is gained.

Root flag is found
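
The escalation above works because a sudo rule points at a script the low-privileged user can edit. As an added example (not part of the original write-up), here is a defender-side audit that reads `sudo -l` output and flags any target a non-root account could modify, replace or create. The function names, the `TRUSTED_OWNER` variable, the user `alice` and the sample rule are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: flag sudo rules whose target a non-root user could edit,
# replace or create. Reads `sudo -l` output on stdin.
TRUSTED_OWNER="${TRUSTED_OWNER:-root}"  # assumption: sudo targets belong to root

# Extract absolute command paths from "(runas) [TAG:] /path args" rule lines.
sudo_targets() {
    sed -n 's/^[[:space:]]*([^)]*)[[:space:]]*//p' |
    tr ',' '\n' |
    sed 's/^[[:space:]]*//; s/^\([A-Z_]*:[[:space:]]*\)*//' |
    awk '$1 ~ /^\// { print $1 }'
}

# Print $1 if it is group/world-writable or not owned by TRUSTED_OWNER.
loose() {
    find -L "$1" -prune \( ! -user "$TRUSTED_OWNER" -o -perm -0020 \
        -o -perm -0002 \) -print 2>/dev/null
}

# One "RISK <path>: <reason>" line per problem; no output means no finding.
audit_sudo_targets() {
    sudo_targets | while IFS= read -r cmd; do
        if [ -e "$cmd" ] && [ -n "$(loose "$cmd")" ]; then
            echo "RISK $cmd: file is writable or owned by an untrusted account"
        fi
        dir=$(dirname "$cmd")
        while [ ! -d "$dir" ]; do dir=$(dirname "$dir"); done  # nearest existing dir
        if [ -n "$(loose "$dir")" ]; then
            echo "RISK $cmd: $dir lets an untrusted account create or replace it"
        fi
    done
}

# Constructed demo: a sudo-allowed monitor.sh left world-writable.
demo() {
    d=$(mktemp -d) && chmod 755 "$d"
    printf '#!/bin/sh\nuptime\n' > "$d/monitor.sh" && chmod 777 "$d/monitor.sh"
    printf 'User alice may run the following commands on host:\n    (root) NOPASSWD: %s\n' \
        "$d/monitor.sh" | TRUSTED_OWNER=$(id -u) audit_sudo_targets
    rm -rf "$d"
}
demo
```

On a real host, run it from a root session with `sudo -l -U <user> | audit_sudo_targets`, leaving `TRUSTED_OWNER` at its default.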
