We’ve got SSH and Apache ports open. Our chances with Apache are much better than with SSH, so let’s go down that route.
We start by searching for exploits for Apache 2.4. (Never search too specifically, for example for 2.4.18: some search results are listed with a version range, so an exact version number that falls inside that range will not match and the result won’t show up!)
Nothing too much interesting in here! Let’s stroll around the web and see what that returns.
Apparently, there is a directory to bust!
Let’s search for nibble exploits
File upload exploit with remote code execution! Could not be better! Let’s start Metasploit
Searching for nibble in msfconsole returns a matching module. Let’s get more info.
Even authenticated remote code execution!
Time to find a place to upload a file. The frontend under nibbleblog does not have any juicy place to start the exploit with, therefore we run DirBuster with a medium wordlist to uncover underlying directories.
admin directory seems interesting
It should be behind this login
We can start by googling for default credentials for the CMS portal or by running our brute-force tools, but always try the former first, because many portals limit the number of failed login attempts!
In this case, the user was admin and the password was simply the blog name: nibbleblog
Let’s get back to our msfconsole
We set our payload parameters according to the options. (Do not forget to set your local host (LHOST) IP correctly: it should be the IP address of the OpenVPN interface on your Kali Linux machine.)
Now run the exploit
The reverse shell is returned
Open a shell
The user is nibbler, not root
Run sudo -l to list the allowed (and forbidden) commands for the invoking user. Executing shell files is one of them for the user nibbler here.
Therefore we create a shell file and put bash -i in it. Then we have to make it executable and run it.
Check out the root directory for the flag
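The escalation above works because sudo lets nibbler run, as root, a shell file that nibbler can create himself. As an added example (not part of the original walkthrough), this Python audit takes the NOPASSWD targets from `sudo -l` output and reports every reason an untrusted user could create or replace them; the sample output, user name and paths are constructed placeholders.

```python
import os
import re
import stat

# Constructed sample of `sudo -l` output; the user name and paths are placeholders.
SAMPLE_SUDO_L = """\
User appuser may run the following commands on host:
    (root) NOPASSWD: /home/appuser/scripts/monitor.sh
    (root) /usr/bin/systemctl restart apache2
"""


def nopasswd_commands(sudo_l_output):
    """Return the command paths that `sudo -l` lists under NOPASSWD."""
    commands = []
    for line in sudo_l_output.splitlines():
        match = re.match(r"\s*\([^)]*\)\s+NOPASSWD:\s*(.+)", line)
        if match:
            for entry in match.group(1).split(","):
                parts = entry.split()
                if parts:
                    commands.append(parts[0])
    return commands


def audit_target(path, trusted_uids=(0,), stop_at="/"):
    """Return reasons why an untrusted user could create or replace `path`.

    Walks from the file up to `stop_at`, since write access to any parent
    directory is enough to swap the script that sudo will run as root.
    Group write is flagged conservatively, whatever the group is.
    """
    findings = []
    current = os.path.abspath(path)
    stop_at = os.path.abspath(stop_at)
    if not os.path.lexists(current):
        findings.append(f"{current}: does not exist, a parent's writer can create it")
    while True:
        if os.path.lexists(current):
            st = os.lstat(current)
            if st.st_uid not in trusted_uids:
                findings.append(f"{current}: owned by untrusted uid {st.st_uid}")
            if not stat.S_ISLNK(st.st_mode) and st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append(f"{current}: group- or world-writable")
        parent = os.path.dirname(current)
        if current == stop_at or parent == current:
            break
        current = parent
    return findings
```

An empty result from `audit_target` means the script and every directory above it are owned by a trusted uid and not writable by group or others; any finding means the sudo rule should point at a root-owned path instead.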