Nibbles

NibbleBlog 4.0.3 my_image Plugin Vulnerability - Replacing bash script PrivEsc

Scanning

Port 80 Enumeration

Let's search for some public exploits - nibbleblog and meanwhile run the gobuster

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u 10.10.10.75/nibbleblog

Initial Foothold

• The vulnerability is in the “My image” plugin that allows the upload of PHP files. So it would allow us to upload a PHP reverse shell

• It’s an authenticated vulnerability which means that we need admin credentials before we exploit this vulnerability

http://10.10.10.75/nibbleblog/admin.php

Trying out common credentials such as

• admin/admin

• administrator/password

Din't work !

• admin/nibbles - worked !

Next, we need to navigate to the My Image plugin. Click on Plugins > My image > Configure

Upload the PHP reverse shell, and start a listener

Now trigger it by browsing this URL

http://10.10.10.75/nibbleblog/content/private/plugins/my_image/image.php

Privilege Escalation

sudo -l

• Edit the monitor.sh file to get a reverse shell and run it as sudo