Nibbles

Nibbles is a nice step up in complexity from the boxes that I have previously done. It teaches some cool exploitation and enumeration techniques. As usual, start with an nmap scan.

Okay, looks like a web server. Let's run gobuster and nikto scans while we visit the site and poke around.
Notice the directory: this is the second scan, run after figuring out the REAL site.
Looks like a pretty basic site. Let's check the page source.
Well, that looks interesting. Let's check out this directory.
Let's poke around and see if we can find anything interesting.
Okay, we have some good info on a database, a version and a version name.
NICE! A login page, this can be useful.
Not too sure if we can do anything here, but I found it interesting.
Tried to modify things here, but nothing stuck.

Let's do some Googling and see if we can find something… The “hard” part is guessing the password. I made a pretty simple list with crunch by using the first page and the username admin.

https://www.rapid7.com/db/modules/exploit/multi/http/nibbleblog_file_upload/

Looking at the options we have everything we need
Ran into this issue and was not able to get around it. The only way I was able to fix it was by restarting the box and adding a line of code that I found from Googling the issue 😉
Awesome! With that fixed, it looks like we have a Meterpreter shell.
Flag #1
Okay, let's log into the site as an admin and see what we can do.
Hmmm, looks like we may get a reverse shell? The problem I had was not being able to execute it.
Let's see what we can execute as this user without a password.

Here I went out and looked for some files that I could use to enumerate. I then just copied the scripts and renamed them to monitor.sh.

First, create the directories and give the file execute permissions.
Let's run this sweet Linux enumeration script.
With that scan complete, let's do some bash magic and see if we can get a root shell.
NICE! Looks like we got root
Flag 2
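The root shell above comes from a sudo rule that points at a script the low-privileged user is free to create, because the directories it lives in are theirs. The following audit script is an added example (not part of this write-up and not a tool from the box): given a NOPASSWD rule line, it walks the command path back to `/` and flags the first component that the named user owns or that is writable by group or others, since that is what lets the target be created or overwritten. The rule text, the user name `lowpriv` and the `/home/lowpriv/personal/stuff` path are constructed for illustration; only the file name `monitor.sh` comes from the write-up. It runs on a temporary directory so it can be tried safely anywhere.

```shell
#!/bin/sh
# Added example, not part of the original write-up: audit a NOPASSWD sudo rule
# for the weakness this box relies on, a target script that the low-privileged
# user can create or overwrite. The rule line, user name and path below are
# constructed for illustration (only the file name monitor.sh is from the box).

SAMPLE_RULE='lowpriv ALL=(root) NOPASSWD: /home/lowpriv/personal/stuff/monitor.sh'

# Extract the command path from a sudoers rule line (text after "NOPASSWD:").
rule_command() {
    printf '%s\n' "$1" | sed -n 's/.*NOPASSWD:[[:space:]]*//p' | cut -d' ' -f1
}

# Permission string of a path as ls prints it (e.g. drwxr-xr-x), or "missing".
mode_of() {
    if [ -e "$1" ] || [ -L "$1" ]; then
        ls -ld "$1" | cut -c1-10
    else
        echo missing
    fi
}

# Owner of a path (third column of ls -ld).
owner_of() {
    ls -ld "$1" | awk '{print $3}'
}

# 0 if the mode string grants write to group or others. A sticky directory
# such as /tmp is excluded: others can add entries there but cannot replace
# entries they do not own.
loosely_writable() {
    case "$1" in
        *[tT]) return 1 ;;
        ?????w????|????????w?) return 0 ;;
    esac
    return 1
}

# Walk from the rule's command path up to / and report the first existing
# component the named user could control. Missing components are skipped:
# the user can only create them if an existing ancestor is already theirs.
# Prints "OK" or "UNSAFE <path> <reason>"; always returns 0 so it composes
# cleanly under set -e.
audit_rule() {
    user="$1"
    p="$2"
    while [ -n "$p" ] && [ "$p" != / ]; do
        m=$(mode_of "$p")
        if [ "$m" != missing ]; then
            if [ "$(owner_of "$p")" = "$user" ]; then
                echo "UNSAFE $p owner=$user"
                return 0
            fi
            if loosely_writable "$m"; then
                echo "UNSAFE $p mode=$m"
                return 0
            fi
        fi
        p=$(dirname "$p")
    done
    echo OK
    return 0
}

# Demonstration on a constructed layout under a temporary directory: the
# target does not exist yet, but the home-like directory it would live in is
# owned by the user running the audit, which is the condition the box had.
demo() {
    home=$(mktemp -d)                   # stands in for the user's home directory
    me=$(id -un)
    printf 'rule target: %s\n' "$(rule_command "$SAMPLE_RULE")"
    printf 'audit as %s: %s\n' "$me" "$(audit_rule "$me" "$home/personal/stuff/monitor.sh")"
    rm -rf "$home"
}
demo
```

A clean rule should come back `OK`: the script and every directory above it are root-owned and not group- or world-writable. Anything else means the rule hands out whatever the user chooses to put at that path.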