# Nibbles HTB

* We scan the target with nmap using `nmap -p- -A -T4 -Pn 10.10.10.75`: ![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-0d376c384af7d5a7269886a170e71e8857af84b5%2F1c482b2e9c037c752482fee99822ed7b.png?alt=media)
* We find an Apache server running: ![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-5794f5b53374c1f8455fefeedf4ca8bdef776965%2F3d9d8e8357fdca6d5714acf5b6c84126.png?alt=media)
* Using dirbuster we found the following, which indicates poor hygiene: ![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-a193178ecb37197be0910b76219a89686cff7793%2F23e297613a7f5f5cb7684ff06e09bac1.png?alt=media)
* Inspecting the page source (Inspect Element), we found a hidden comment: ![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-4dd9b35ee09c46fa8f5dc4a9b9c6a1425d6e64a7%2Fb0f43be05c67844a7114c0123844007e.png?alt=media)
* This leads to a Nibbleblog site, where dirbuster finds the following: ![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-0530727634c5db0db6136003826904d1986fac13%2Fe1b068c7df278378ff2efe21e2a57dbb.png?alt=media)
* Simply trying *username*: admin, *password*: nibbles logs us in.
* We find that the version in use is 4.0.3: ![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-616dfb8090c648c7add1470f8cda99758b690f8b%2Fefa8b1eb248900bfc00ba70366f540e2.png?alt=media) This version can be exploited to get remote code execution.
* Using Metasploit, the `exploit(multi/http/nibbleblog_file_upload)` module gives us access to the machine: ![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-ef68804dbc1e1b82b0871ee836bb0622e52f4367%2Ff637571f11ca72e8f3238c5ede425c1d.png?alt=media)
* **Note**: The `history` command shows the commands previously executed by the user.
* `sudo -l` lists the commands the user is allowed to run with sudo: ![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-d3ecca8ca1fc2ef33820b16615633348525974df%2F6669e776df2c1381e552acbc39a15ad9.png?alt=media) We notice that monitor.sh can be run with sudo, so we create a monitor.sh as follows: ![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-22a3bec8552319f03aeba17c4d5290e14c1e0b6b%2Fa399d5a858f70ef26dc062d5afcc2772.png?alt=media) This gives us an interactive bash shell with root privileges, like so: ![](https://2519178678-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FuE2sPgM0QY6KfiTIG8Vs%2Fuploads%2Fgit-blob-adfe35173d4d4d6cd755526f54b615c6fce25bbd%2F4d89443847bae20f29f8ca0433169729.png?alt=media)
* We have successfully pwned the machine!
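The root step above works only because a script that sudo allows to run as root lives somewhere the low-privilege user can write, so the file can simply be created (or replaced) with whatever content the user wants. The following POSIX shell script is an added example, not part of the original writeup or of the Nibbles machine: it reads `sudo -l` style lines from a file, and for every absolute path in them checks whether the target is missing from a writable directory, is itself writable by a non-root user, or sits in a directory a non-root user can modify. The monitor.sh path is the one from the writeup; every other path, the `safe.sh` script and the rules file are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original writeup: audit sudo rules for the
# misconfiguration seen above, where a script runnable via sudo can be
# created or modified by a non-root user.
# Input is a file holding `sudo -l` style lines, e.g.
#   (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
# All paths below other than that one are constructed for the demo.

# Owner whose files count as trusted. Keep "root" on a real host; the demo
# overrides it so that files it creates in a temp dir are judged by mode only.
TRUSTED_OWNER=${TRUSTED_OWNER:-root}

# file_info FILE -> "MODE OWNER" taken from ls -ld (same layout on GNU and BSD ls)
file_info() {
    ls -ld "$1" | awk '{print $1, $3}'
}

# writable_by_non_root FILE -> 0 if the owner is not TRUSTED_OWNER, or the
# group/other write bits are set; 1 otherwise
writable_by_non_root() {
    set -- $(file_info "$1")
    mode=$1
    owner=$2
    [ "$owner" != "$TRUSTED_OWNER" ] && return 0
    case "$mode" in
        ?????w*|????????w*) return 0 ;;   # group (char 6) or other (char 9) write bit
    esac
    return 1
}

# audit_sudo_target PATH -> prints a verdict; returns 0 if safe, 1 if risky
audit_sudo_target() {
    target=$1
    dir=$(dirname "$target")
    if [ ! -e "$target" ]; then
        if writable_by_non_root "$dir"; then
            echo "RISKY $target: missing, and $dir is writable by a non-root user"
            return 1
        fi
        echo "WARN  $target: missing (dead rule)"
        return 0
    fi
    if writable_by_non_root "$target"; then
        echo "RISKY $target: writable by a non-root user"
        return 1
    fi
    if writable_by_non_root "$dir"; then
        echo "RISKY $target: parent $dir is writable, so the file can be replaced"
        return 1
    fi
    echo "OK    $target"
    return 0
}

# audit_sudo_rules FILE -> audits every absolute path in the file; the exit
# status is the number of risky rules (0 means none)
audit_sudo_rules() {
    risky=0
    for p in $(awk '{for (i = 1; i <= NF; i++) if ($i ~ /^\//) { sub(/,$/, "", $i); print $i }}' "$1"); do
        audit_sudo_target "$p" || risky=$((risky + 1))
    done
    return $risky
}

# --- demo on a constructed layout: one safe rule, one monitor.sh-style rule ---
demo() {
    TRUSTED_OWNER=$(id -un)            # constructed files are ours, so judge by mode bits
    t=$(mktemp -d)
    mkdir -p "$t/stuff" "$t/bin"
    chmod 755 "$t/bin"
    printf '#!/bin/sh\necho ok\n' > "$t/bin/safe.sh"
    chmod 755 "$t/bin/safe.sh"         # not writable by group/other: fine
    chmod 777 "$t/stuff"               # world-writable dir with no monitor.sh in it
    printf '(root) NOPASSWD: %s/stuff/monitor.sh\n(root) NOPASSWD: %s/bin/safe.sh\n' "$t" "$t" > "$t/sudo-l.txt"
    audit_sudo_rules "$t/sudo-l.txt" || echo "$? risky rule(s) found"
    rm -rf "$t"
}
demo
```

On a real host, run it as root against the saved output of `sudo -l -U <user>` for each account (or the relevant `sudoers` fragment) and leave `TRUSTED_OWNER` at its default; any `RISKY` line is a rule where the allowed command should be moved to a root-owned, non-writable location or removed from sudoers.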
