HTB Walkthrough
Nibbles Machine 10.10.10.75

Enumeration

We’ve got SSH and Apache ports open. Our chances with Apache are much better than with SSH, so let’s go down that route.
We start by searching for exploits for Apache 2.4 (never search for a version that is too specific, like 2.4.18: some results list a version range, so the specific number falls inside that range and the result won’t show up!).

Nothing too interesting here! Let’s stroll around the web application and see what it returns.

Apparently, there is a directory to bust!

Let’s search for nibble exploits.

File upload exploit with remote code execution! Could not be better! Let’s start Metasploit.


Exploit

Searching for nibble in msfconsole returns an exploit module. Let’s get more info.

Even authenticated remote code execution!
Time to find a place to upload a file. The frontend under nibbleblog has no obvious place from which to start the exploit, so we run DirBuster with a medium wordlist to uncover the underlying directories.

DirBuster settings

The admin directory seems interesting.

It should be behind this login.
We could start by googling default credentials for the CMS portal or run our brute-force tools, but always go with the former first, because many portals limit the number of wrong attempts!
In this case, the user was admin and the password was simply the blog name: nibbleblog.

Let’s get back to msfconsole.

We set our payload parameters according to the options (do not forget to set your local host (LHOST) correctly: it should be the IP address of your OpenVPN interface on your Kali Linux box).

Now run the exploit

The reverse shell is returned

Open a shell

The user is nibbler, not root

Privilege Escalation

Run sudo -l to list the commands the invoking user is allowed (and forbidden) to run. For the user nibbler, executing a particular shell script is one of them.
Therefore we create that shell file and put bash -i in it. Then we have to make it executable and run it.
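The root cause here is a sudo rule whose command target lives somewhere the low-privileged user can write, so the user decides what actually runs as root. As an added example (not part of the original walkthrough), the POSIX sh function below parses sudo -l output and reports every rule target that the current user can modify, or that is missing but sits in a directory the user can write to; the function names and the sample sudo -l text are constructed for this example.

```sh
#!/bin/sh
# Added example: audit "sudo -l" output for command targets the current user
# could tamper with. A rule such as
#   (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
# is dangerous precisely because the user owns the script it points at.

# ltrim "  text" -> "text" (strip leading whitespace)
ltrim() { printf '%s' "${1#"${1%%[![:space:]]*}"}"; }

# writable_sudo_targets "<sudo -l output>"
# Prints one line per rule target that exists and is writable by the current
# user, or that is missing while its parent directory is writable.
writable_sudo_targets() {
    printf '%s\n' "$1" | {
        set -f                                   # no globbing while splitting on commas
        while IFS= read -r line; do
            line=$(ltrim "$line")
            case $line in
                "("*")"*) ;;                     # rule lines start with "(runas)"
                *) continue ;;
            esac
            cmds=$(ltrim "${line#*\)}")          # drop the "(runas)" part
            case $cmds in
                *": "*) cmds=${cmds##*: } ;;     # drop tags such as NOPASSWD:
            esac
            old_ifs=$IFS; IFS=,
            for entry in $cmds; do
                IFS=$old_ifs
                entry=$(ltrim "$entry")
                path=${entry%% *}                # keep the path, ignore arguments
                if [ -e "$path" ] && [ -w "$path" ]; then
                    printf '%s\n' "$path"
                elif [ ! -e "$path" ] && [ -w "$(dirname "$path")" ]; then
                    printf '%s (missing, parent directory writable)\n' "$path"
                fi
            done
            IFS=$old_ifs
        done
    }
}

# On a live host: audit_current_user (needs sudo to answer "sudo -n -l" non-interactively)
audit_current_user() {
    writable_sudo_targets "$(sudo -n -l 2>/dev/null)"
}
```

Any path the function prints is a rule that should be rewritten to point at a root-owned, non-writable script (or removed), since a user-writable target turns the sudo rule into root.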

root

Check the root directory for the flag.

Machine owned
