Again, we start with nmap -sC -sV -oA ./nibbles 10.10.10.75
Let's start with the HTTP side of life. The starting page is just a "Hello World" plaintext, but the source code shows us that there is something at /nibbleblog.
Nibble blog is exactly that. A blog, in this case with no posts. Let's gobuster it and see what's there.
We found a few directories to look through. If we gobuster the /content folder we also find a /content/private. Inside of that folder we find a users.xml. Now we have a username of admin! We also see that a login blacklist is in effect. So, we can't just hammer away at the login page (/nibbleblog/admin.php). To be honest, getting in was a guess. We are dealing with a Nibble Blog and the title is Nibbles. So, try admin:nibbles.
From the README file, we can find the version of Nibbleblog that is running (v4.0.3). A quick searchsploit finds an arbitrary file upload.
Again, I dislike metasploit (it makes us lazy. Plus, you can't use it on OSCP), so let's see if there's another way to get the same results. We find that "other way" here. When we navigate to the Plugins page, we find that the "My image" plugin is already installed. We just need to configure it.
So, we'll use pentestmonkey's php-reverse-shell.
Now, we start a netcat listener (nc -lvnp 1234) and navigate to http://10.10.10.75/nibbleblog/content/private/plugins/my_image/. We don't see a shell.php, but we do see an image.php. When we hit that one, we get a shell as nibbler.
Next, mainly as good practice, we copy LinEnum.sh over to the target box and run it with the -t flag. As always, the results are in the attached CTB file above. LinEnum usage is good practice for discovering possible privesc avenues. In this situation, for example, we find something interesting in the SUDO section (lines 138 - 143).
We can run monitor.sh as root with no password. Except, checking /home/nibbler shows that personal doesn't exist, let alone personal/stuff. Because the path sits inside nibbler's own home directory, we can simply create it: mkdir personal and mkdir personal/stuff. Then it's just a matter of creating our own monitor.sh and running it with sudo. Bash does exist on the system, so a simple "bash -i" should work. After running it with sudo, we're finished.
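The sudo finding above is a textbook case of a NOPASSWD entry pointing at a path the unprivileged user controls. As an added defensive check that is not part of the original writeup, this Python script walks NOPASSWD entries and reports any command whose file, or whose nearest existing ancestor directory, the named user could write to. The regex is a deliberate simplification of the sudoers grammar (one entry per line, no aliases) and the sample line in the comment is constructed to match this box; the script does not consult ACLs.

```python
import os
import pwd
import grp
import re
import stat

# Matches one simple sudoers line such as the constructed entry for this box:
#   nibbler ALL=(root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
SUDOERS_RE = re.compile(
    r"^(?P<user>\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)

def ids_for_user(name):
    """Resolve a login name to (uid, set of gids) from the local passwd/group databases."""
    pw = pwd.getpwnam(name)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if name in g.gr_mem}
    return pw.pw_uid, gids

def writable_by(path, uid, gids):
    """True if uid/gids could modify 'path' according to its owner/group/other mode bits."""
    st = os.stat(path)
    if st.st_uid == uid and st.st_mode & stat.S_IWUSR:
        return True
    if st.st_gid in gids and st.st_mode & stat.S_IWGRP:
        return True
    return bool(st.st_mode & stat.S_IWOTH)

def controlling_path(path, uid, gids):
    """From the deepest existing component of 'path' walk up to '/' and return the first
    one the user could write to, or None. A missing file is controlled by whoever owns
    its nearest existing ancestor, which is why a nonexistent monitor.sh is a problem."""
    p = path
    while not os.path.exists(p):
        p = os.path.dirname(p)
    while True:
        if writable_by(p, uid, gids):
            return p
        parent = os.path.dirname(p)
        if parent == p:
            return None
        p = parent

def audit_nopasswd(sudoers_text, resolve=ids_for_user):
    """Return [(user, command, controlling_path)] for NOPASSWD commands the user controls."""
    findings = []
    for line in sudoers_text.splitlines():
        line = line.strip()
        m = SUDOERS_RE.match(line) if line and not line.startswith("#") else None
        if not m or "NOPASSWD:" not in m.group("tags"):
            continue
        uid, gids = resolve(m.group("user"))
        for cmd in m.group("cmds").split(","):
            exe = cmd.strip().split()[0]
            if exe.startswith("/"):
                cp = controlling_path(exe, uid, gids)
                if cp is not None:
                    findings.append((m.group("user"), exe, cp))
    return findings
```

Run as root against /etc/sudoers and /etc/sudoers.d/*, any finding whose controlling path is a home directory is the same bug as this box.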
Grab your flags!