Lame (Check)
Last updated
Last updated
Type: Linux
Difficuility: Easy
Link: https://app.hackthebox.com/machines/Lame
IP Address: 10.10.10.3
Enumeration
Run nmap: sudo nmap -sC -sV -p- -Pn -oA Nibbles 10.10.10.75
22/tcp is SSH and is secure by default (not many CVEs) so skip it
80/tcp is HTTP, start running gobuster and enumerate the site manually
In the page source we found a directory (\/nibbleblog) (Started fuzzing this directory)
On the README page, we found multiple valuable information like the version of the system.
I searched for a CVE for this version and found one but it needs credentials (2015-6967).
Check the admin page and try default credentials (I tried many different combinations admin/admin, root/root, etc.. but nothing worked, so I checked other writeups to make sure I was not down a rabbit hole and turned out it's just admin/nibbles)
I used the reverse shell from pentest monkey (https://pentestmonkey.net/tools/web-shells/php-reverse-shell) and did the exploit manually by going to plugins and uploading it to My Image
It shows errors after uploading but it's meaningless (It says changes saved successfully)
I checked what commands we can run as sudo by using the command sudo -l
There is a monitor.sh shell file that we can run as root without a password.
When I tried to access the directory that contains the monitor.sh file I got the message that there is no such directory.
The directory is in the personal.zip, so I unzipped the file (unzip personal.zip) and then typed my code into the shell (echo "/bin/sh/" > monitor.sh) This is just a lazy way to spawn a shell as root instead of getting a reverse shell.
Flags:
