NIBBLES

Burak Dirlik

The Nibbles box is related to WordPress vulns. We have the IP address 10.129.96.84. Let's start.

nmap -sV -sC --open -oA nibbles_nmap 10.129.96.84

Let's go to port 80. We see just "Hello world", but the source code mentions a /nibbleblog/ directory.

10.129.96.84/nibbleblog/ is a basic website, so let's get more information.

Fuzzing

dirsearch -u 10.129.96.84/nibbleblog/ --wordlist /usr/share/dirb/wordlists/common.txt -t 10

In /nibbleblog/admin we have directory listing, and /nibbleblog/admin.php is a login page.

I tried common credentials; after that, admin:nibbles worked.

Note: Since my connection was disconnected here, I reconnected and my IP address changed. In meterpreter there is a backdoor related to Nibbleblog; let's try it.

Upgrading meterpreter shell.

shell
python -c 'import pty; pty.spawn("/bin/bash")'

When we browse the home directory, we see that the user.txt file is here. There is also another file called personal.zip. When we unzip this file, we get another file called monitor.sh in the stuff subdirectory. This file allows us to become root when we run it, but it is missing a few lines at the beginning.

We will add the missing lines at the beginning of the monitor.sh file:

#!/bin/sh
bash
sed -i '1i #!/bin/sh\nbash' monitor.sh

This sed command adds the line #!/bin/sh to the beginning of the file, followed by bash on a new line. I run it and become root.
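
Added example, not part of the original write-up: a defender-side audit for the condition this step relies on, a script that ends up running as root while an unprivileged account can edit it or a directory above it. The write-up does not say how monitor.sh comes to run as root, so the path and the trusted uids are inputs; the function names, the temporary directory layout and the uids in demo() are assumptions constructed for illustration.

```python
import os
import stat
import tempfile


def audit_privileged_script(path, trusted_uids=(0,), stop_at="/"):
    """List reasons an untrusted account could change what `path` runs.

    Checks the script and every directory above it up to `stop_at`:
    each must be owned by a trusted uid and not group/world-writable.
    """
    findings = []
    current = os.path.realpath(path)
    stop = os.path.realpath(stop_at)
    while True:
        st = os.stat(current)
        if st.st_uid not in trusted_uids:
            findings.append(f"{current}: owner uid {st.st_uid} is not trusted")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(f"{current}: group/world-writable ({stat.filemode(st.st_mode)})")
        parent = os.path.dirname(current)
        if current == stop or parent == current:
            return findings
        current = parent


def demo():
    """Constructed layout mirroring personal/stuff/monitor.sh from the write-up."""
    me = os.getuid()
    base = tempfile.mkdtemp()
    stuff = os.path.join(base, "personal", "stuff")
    os.makedirs(stuff)
    script = os.path.join(stuff, "monitor.sh")
    with open(script, "w") as fh:
        fh.write("#!/bin/sh\necho monitoring\n")
    for p in (base, os.path.join(base, "personal"), stuff, script):
        os.chmod(p, 0o755)

    # Case 1: everything on the path belongs to an account outside the trusted set.
    user_owned = audit_privileged_script(script, trusted_uids=(me + 1,), stop_at=base)
    # Case 2: owner is trusted and nothing is group/world-writable.
    clean = audit_privileged_script(script, trusted_uids=(me,), stop_at=base)
    # Case 3: owner is trusted, but the script itself is world-writable.
    os.chmod(script, 0o777)
    loose = audit_privileged_script(script, trusted_uids=(me,), stop_at=base)
    return user_owned, clean, loose


if __name__ == "__main__":
    for name, result in zip(("user-owned", "clean", "world-writable"), demo()):
        print(name, "->", result or "no findings")
```

Any finding for a script that is executed with root privileges means the script should be moved to a root-owned, non-writable location before it is allowed to run that way.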

Shell upgrade explanation:

https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/
