22/tcp is SSH, which is reasonably secure by default (few exploitable CVEs), so skip it.
80/tcp is HTTP: start gobuster against it and, meanwhile, enumerate the site manually.
[Screenshot: Website]
View the page source
In the page source we found a directory (/nibbleblog), so we started fuzzing it.
[Screenshot: Gobuster results]
On the README page we found several valuable pieces of information, such as the version in use.
[Screenshot: README page]
Exploitation
I searched for a CVE for this version and found one, but it needs credentials (CVE-2015-6967).
Check the admin page and try default credentials. (I tried many different combinations, admin/admin, root/root, etc., but nothing worked, so I checked other writeups to make sure I was not going down a rabbit hole; it turned out to be just admin/nibbles.)
I used the reverse shell from Pentest Monkey (https://pentestmonkey.net/tools/web-shells/php-reverse-shell) and did the exploit manually by going to Plugins and uploading it to My Image.
[Screenshot: Plugins page]
It shows errors after uploading, but they are meaningless (it also says the changes were saved successfully).
[Screenshot: Uploading the shell]
Privilege Escalation
I checked which commands we can run with sudo by using the command sudo -l.
[Screenshot: sudo -l command output]
There is a shell script, monitor.sh, that we can run as root without a password.
When I tried to access the directory that contains monitor.sh, I got a message that there is no such directory.
[Screenshot: personal.zip file]
The directory is inside personal.zip, so I unzipped the file (unzip personal.zip) and then wrote my code into the script (echo "/bin/sh" > monitor.sh). This is just a lazy way to spawn a shell as root instead of getting a reverse shell.