Initial scan:
Initial page source code:
It is a Nibbleblog.
Gobuster for directory enumeration:
The login page is under /admin.php.
Brute forcing the login page gave me strange output.
…, because I got blacklisted
That is a reason why I shouldn't brute force the login form first.
I did further enumeration of the previous directories.
I found the version of this site. There is an exploit available.
Even though, I still need the username and password for the admin account:
Further enumeration:
users.xml gave us info about the username of the admin account. It is: admin
user = admin
I need the password to the admin account to use the exploit. Brute force is not an option, because after 5 bad logins you get blacklisted. I enumerated all sites and all subdirectories again and unfortunately didn't find a thing.
After some time I was unbanned and tried many different passwords, and one worked: "nibbles". It was tricky…
I had to rename php-reverse-shell to image.php and then I could upload a shell. I decided not to use msf.
I just sent GET to …/image.php and obtained reverse shell.
I ran linpeas and exfiltrated the data to my machine.
Meanwhile, I lost the shell. I had to upload shell.php again to get a reverse shell.
Linpeas showed that this machine is vulnerable to CVE-2021-4034.
I used this exploit:
https://github.com/berdav/CVE-2021-4034
There were some issues regarding the clock when compiling, so I used these commands in the CVE-2021-4034 directory:
find . -type f | xargs -n 5 touch
make clean
make
./cve-2021-4034
#Rooted
This way was probably not intended, because this box is older than this CVE (that is why we need to stay up-to-date).
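A defender-side check for the same CVE, added here as an example and not part of the original write-up: it tests whether pkexec still carries the setuid bit that CVE-2021-4034 relies on and prints the standard mitigation. The function names and the default path are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the original write-up): audit a host for the
# setuid pkexec binary that CVE-2021-4034 (PwnKit) abuses.

# Returns 0 if the given path exists and has the setuid bit set, 1 otherwise.
is_setuid() {
    [ -u "$1" ]
}

# Check one pkexec path (default /usr/bin/pkexec) and print the remediation.
# Exit codes: 0 = setuid bit not set, 1 = not installed, 2 = setuid bit present.
check_pkexec() {
    path="${1:-/usr/bin/pkexec}"
    if [ ! -e "$path" ]; then
        echo "$path: not installed"
        return 1
    fi
    if is_setuid "$path"; then
        echo "$path: setuid bit is set (CVE-2021-4034 exposure if polkit is unpatched)"
        echo "mitigation: update polkit, or until then remove the bit: chmod 0755 $path"
        return 2
    fi
    echo "$path: setuid bit not set"
    return 0
}
```

Run `check_pkexec` with no argument on the audited host; a non-zero exit code of 2 means the binary still needs patching or the interim chmod.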
Intended way:
We can execute monitor.sh as root, and this script gives us a shell with the privileges of the executor: