Nibbles
NibbleBlog 4.0.3 my_image Plugin Vulnerability - Replacing bash script PrivEsc
Scanning
Port 80 Enumeration
Let's search for public exploits for nibbleblog and, meanwhile, run gobuster.
Initial Foothold
The vulnerability is in the “My image” plugin, which allows the upload of PHP files, so it would allow us to upload a PHP reverse shell.
It’s an authenticated vulnerability, which means that we need admin credentials before we can exploit it.
Trying out common credentials such as
admin/admin
administrator/password
didn't work!
admin/nibbles - worked!
Next, we need to navigate to the My Image plugin. Click on Plugins > My image > Configure
Upload the PHP reverse shell, and start a listener
Now trigger it by browsing this URL
Privilege Escalation
Edit the monitor.sh file to get a reverse shell and run it as sudo.
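A defender-side check for the misconfiguration this step relies on: a sudo rule pointing at a script that a non-root account can modify. This is an added example, not part of the original write-up; the sudoers rule, user name and directory are constructed placeholders, and only the monitor.sh file name comes from the page.

```python
import os
import re
import stat
import sys

# Constructed sudoers rule; the user name and directory are placeholders.
SAMPLE_SUDOERS = "webuser ALL=(root) NOPASSWD: /home/webuser/scripts/monitor.sh\n"


def sudo_commands(sudoers_text):
    """Yield absolute command paths named in sudoers-style rule lines."""
    for line in sudoers_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "Defaults")) or "=" not in line:
            continue
        spec = re.sub(r"\([^)]*\)", "", line.split("=", 1)[1])  # drop (runas)
        spec = re.sub(r"\b[A-Z_]+:", "", spec)  # drop tags such as NOPASSWD:
        for cmd in spec.split(","):
            parts = cmd.split()
            if parts and parts[0].startswith("/"):
                yield parts[0]


def weakest_component(path, stat_fn=os.stat):
    """Return the first path component a non-root account can modify, or None.

    Conservative: a non-root owner, or group/other write permission, on the
    file or on any directory above it counts as modifiable.
    """
    current = os.path.abspath(path)
    while True:
        try:
            st = stat_fn(current)
            if st.st_uid != 0 or st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                return current
        except OSError:
            pass  # missing component: keep checking the directories above it
        parent = os.path.dirname(current)
        if parent == current:
            return None
        current = parent


def audit(sudoers_text, stat_fn=os.stat):
    """Map each sudo-allowed command to the component that makes it unsafe."""
    found = ((c, weakest_component(c, stat_fn)) for c in sudo_commands(sudoers_text))
    return {cmd: weak for cmd, weak in found if weak}


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SUDOERS
    for cmd, weak in audit(text).items():
        print(f"{cmd}: modifiable by a non-root account via {weak}")
```

A script that sudo runs as root should be owned by root, not writable by group or others, and live under directories with the same properties.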