Nibbles

Personal Rating: Very Easy

Enumeration

The first nmap scan reveals a webserver.

sudo nmap -sC <IP>

Checking it out, I found a login page at http://<TARGETIP>/nibbleblog/admin.php

Working credentials were admin:nibbles.Next - Boxes: EasyRedPanda On that page I could directly upload a PHP reverse shell and activate it easily.

SUID Script

On the machine, I found the file /home/nibbles/personal/stuff/monitor.sh, which can be executed with root as SUID file. I replaced the script inside with /bin/bash and had a root shell.

The root ssh key:

-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAzmvtgBBecElygmbaEBIHHNExy/QW3mlDqO9A+0qd4826yr3a
<SNIP>
0sbUZQfEoOtT47Oa0Lme3XusEP/wIpEuU5UTxYsNILpsPX+kDu8S
-----END RSA PRIVATE KEY-----

PreviousNetmon NextOptimum

Last updated 1 year ago