Nibbles

NibbleBlog 4.0.3 my_image Plugin Vulnerability - Replacing bash script PrivEsc

Scanning

Port 80 Enumeration

Let's search for public exploits for nibbleblog and, in the meantime, run gobuster:

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u 10.10.10.75/nibbleblog

Initial Foothold

  • The vulnerability is in the “My image” plugin, which allows the upload of PHP files, so it would allow us to upload a PHP reverse shell.

  • It’s an authenticated vulnerability, which means we need admin credentials before we can exploit it.

http://10.10.10.75/nibbleblog/admin.php

Trying out common credentials such as:

  • admin/admin

  • administrator/password

Didn't work!

  • admin/nibbles - worked!

Next, we need to navigate to the My Image plugin. Click on Plugins > My image > Configure

Upload the PHP reverse shell, and start a listener

Now trigger it by browsing this URL

http://10.10.10.75/nibbleblog/content/private/plugins/my_image/image.php

Privilege Escalation

sudo -l
  • Edit the monitor.sh file to get a reverse shell and run it as sudo
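
The sudo rule is an escalation path because the script it names can be edited by the low-privileged user. As an added example (not part of the original writeup), this Python audit parses `sudo -l` output and flags any allowed command whose file or parent directories can be modified by an untrusted user; the function names, the `trusted_uids` and `base` parameters and the sample path are assumptions.

```python
import os
import re
import stat

# One command line of `sudo -l` output, e.g. "    (root) NOPASSWD: /opt/x/job.sh"
RULE = re.compile(r"^\s*\([^)]*\)\s*(?:[A-Z_]+:\s*)*(?P<cmd>/\S+)")

def writable_reason(path, trusted_uids):
    """Return why an untrusted user can modify `path`, or None if they cannot."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return None  # missing file: its parent directories decide who can create it
    if st.st_uid not in trusted_uids:
        return f"owned by uid {st.st_uid}"
    if st.st_mode & stat.S_IWOTH:
        return "world-writable"
    if st.st_mode & stat.S_IWGRP and st.st_gid != 0:
        return f"writable by gid {st.st_gid}"
    return None

def audit_sudo_rules(sudo_l_output, trusted_uids=frozenset({0}), base="/"):
    """Flag sudo-allowed commands whose file, or any directory between the
    file and `base`, can be changed by a user outside `trusted_uids`.
    Returns a list of (command, offending_path, reason) tuples."""
    findings = []
    stop = os.path.realpath(base)
    for line in sudo_l_output.splitlines():
        m = RULE.match(line)
        if not m:
            continue  # headers and bare "ALL" rules carry no path to check
        node = os.path.realpath(m.group("cmd"))
        while True:
            reason = writable_reason(node, trusted_uids)
            if reason:
                findings.append((m.group("cmd"), node, reason))
                break
            parent = os.path.dirname(node)
            if node == stop or parent == node:
                break
            node = parent
    return findings

if __name__ == "__main__":
    # Constructed sample line (hypothetical path); paste real `sudo -l` output instead.
    sample = "User demo may run the following commands:\n    (root) NOPASSWD: /tmp/demo/monitor.sh\n"
    for cmd, path, why in audit_sudo_rules(sample):
        print(f"{cmd}: {path} is {why}")
```

Any finding means the rule should point at a root-owned script in a root-owned directory, or be removed.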
