Web
Nmap discovered a web server running on the target port 80
Webroot
It’s just a “Hello world!”
Not so much in the source code though.
The comment points to a directory
/nibbleblog/
/nibbleblog/
Webroot of /nibbleblog/
It’s a Nibbleblog
Nibbleblog is a CMS written in PHP, designed for making and managing a blog. It’s known to have some vulnerabilities.
Wappalyzer identified that it’s written in PHP
Fuzzing
┌──(kali㉿kali)-[~/archive/htb/labs/nibbles]
└─$ ffuf -c -w /usr/share/wordlists/seclists/discovery/web-content/raft-large-files-lowercase.txt -u http://$IP/nibbleblog/FUZZ -ic
________________________________________________
:: Method : GET
:: URL : http://10.10.10.75/nibbleblog/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/raft-large-files-lowercase.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________
index.php [status: 500, Size: 0, Words: 1, Lines: 1, Duration: 81ms]
update.php [status: 200, Size: 1622, Words: 103, Lines: 88, Duration: 81ms]
feed.php [status: 200, Size: 300, Words: 8, Lines: 8, Duration: 47ms]
sitemap.php [status: 200, Size: 401, Words: 33, Lines: 11, Duration: 41ms]
install.php [status: 200, Size: 78, Words: 11, Lines: 1, Duration: 1340ms]
admin.php [status: 200, Size: 1401, Words: 79, Lines: 27, Duration: 1351ms]
:: Progress: [35325/35325] :: Job [1/1] :: 920 req/sec :: Duration: [0:00:34] :: Errors: 1 ::
┌──(kali㉿kali)-[~/archive/htb/labs/nibbles]
└─$ ffuf -c -w /usr/share/wordlists/seclists/discovery/web-content/directory-list-2.3-big.txt -u http://$IP/nibbleblog/FUZZ/ -ic
________________________________________________
:: Method : GET
:: URL : http://10.10.10.75/nibbleblog/FUZZ/
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-big.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________
[status: 200, Size: 2986, Words: 116, Lines: 61, Duration: 91ms]
content [status: 200, Size: 1353, Words: 88, Lines: 19, Duration: 32ms]
themes [status: 200, Size: 1741, Words: 112, Lines: 21, Duration: 34ms]
admin [status: 200, Size: 2127, Words: 136, Lines: 23, Duration: 34ms]
plugins [status: 200, Size: 3777, Words: 232, Lines: 31, Duration: 36ms]
languages [status: 200, Size: 3167, Words: 208, Lines: 28, Duration: 34ms]
[status: 200, Size: 2986, Words: 116, Lines: 61, Duration: 48ms]
[WARN] Caught keyboard interrupt (Ctrl-C)
Fuzzing /nibbleblog/ reveals a few interesting files and directories
This is the structure mapped so far by Burp Crawler
I will check them out
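As an added example (not part of the original writeup, and not ffuf's own code), the following Python parses the result lines ffuf printed above and sorts them into the findings a defender would want to triage: files whose mere reachability is a problem on a production install, and bare directories answering 200, which usually means directory indexing is on. The sample input is the output quoted above, embedded as a string; the classification table is my own assumption about which Nibbleblog endpoints matter, and the duplicate root hit is collapsed.

```python
import re
from dataclasses import dataclass

# Constructed sample: the result rows from the two ffuf runs quoted above.
FFUF_FILES = """\
index.php [status: 500, Size: 0, Words: 1, Lines: 1, Duration: 81ms]
update.php [status: 200, Size: 1622, Words: 103, Lines: 88, Duration: 81ms]
feed.php [status: 200, Size: 300, Words: 8, Lines: 8, Duration: 47ms]
sitemap.php [status: 200, Size: 401, Words: 33, Lines: 11, Duration: 41ms]
install.php [status: 200, Size: 78, Words: 11, Lines: 1, Duration: 1340ms]
admin.php [status: 200, Size: 1401, Words: 79, Lines: 27, Duration: 1351ms]
"""
FFUF_DIRS = """\
[status: 200, Size: 2986, Words: 116, Lines: 61, Duration: 91ms]
content [status: 200, Size: 1353, Words: 88, Lines: 19, Duration: 32ms]
themes [status: 200, Size: 1741, Words: 112, Lines: 21, Duration: 34ms]
admin [status: 200, Size: 2127, Words: 136, Lines: 23, Duration: 34ms]
plugins [status: 200, Size: 3777, Words: 232, Lines: 31, Duration: 36ms]
languages [status: 200, Size: 3167, Words: 208, Lines: 28, Duration: 34ms]
[status: 200, Size: 2986, Words: 116, Lines: 61, Duration: 48ms]
"""

# One ffuf result row. The path may be empty (the bare directory itself), so the
# path group must not swallow the opening bracket of "[status: ...]".
LINE_RE = re.compile(
    r"^(?P<path>[^\s\[]*)\s*\[status:\s*(?P<status>\d+),\s*Size:\s*(?P<size>\d+),"
    r"\s*Words:\s*(?P<words>\d+),\s*Lines:\s*(?P<lines>\d+),\s*Duration:\s*(?P<ms>\d+)ms\]$"
)


@dataclass(frozen=True)
class Hit:
    path: str
    status: int
    size: int


def parse_ffuf(text: str) -> list[Hit]:
    """Parse ffuf result rows, dropping rows that repeat an earlier (path, status, size)."""
    hits: list[Hit] = []
    seen: set[tuple[str, int, int]] = set()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # banner, progress and [WARN] lines are not results
        hit = Hit(m["path"], int(m["status"]), int(m["size"]))
        key = (hit.path, hit.status, hit.size)
        if key in seen:
            continue
        seen.add(key)
        hits.append(hit)
    return hits


# Assumed triage table (mine, not the writeup's): endpoints whose reachability
# on a deployed Nibbleblog is itself a finding.
SENSITIVE_FILES = {
    "install.php": "installer still deployed after setup",
    "update.php": "update script reachable; typically discloses the installed version",
    "admin.php": "administrative login reachable from the scanning host",
}
# Directories under the webroot that should never answer a plain 200 with a
# listing; a 200 on the bare path is the cue to check for directory indexing.
LISTABLE_DIRS = {"content", "admin", "plugins", "themes", "languages"}


def triage(hits: list[Hit]) -> list[tuple[str, str]]:
    """Return (path, reason) pairs for the hits worth a closer look."""
    findings: list[tuple[str, str]] = []
    for h in hits:
        if h.status != 200:
            continue  # e.g. index.php answered 500 with an empty body: an error, not exposure
        if h.path in SENSITIVE_FILES:
            findings.append((h.path, SENSITIVE_FILES[h.path]))
        elif h.path in LISTABLE_DIRS:
            findings.append((h.path + "/", "200 on bare directory: verify directory indexing is off"))
    return findings


if __name__ == "__main__":
    for path, reason in triage(parse_ffuf(FFUF_FILES)) + triage(parse_ffuf(FFUF_DIRS)):
        print(f"{path:12} {reason}")
```

The same parser can be pointed at a saved ffuf run against your own staging host to confirm that install.php has been removed and that the content directories no longer answer 200 with a listing.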
/nibbleblog/admin/
Directory Indexing is present
I don’t see anything too exciting
/nibbleblog/content/
Here looks much more interesting
I found a username in /nibbleblog/content/private/config.xml: admin@nibbles.com
/nibbleblog/content/private/users.xml confirms the admin username again. This also appears to be a blacklist.
/nibbleblog/update.php
The /nibbleblog/update.php revealed the version info: Nibbleblog 4.0.3
/nibbleblog/admin.php
There is a login page at /nibbleblog/admin.php. It must lead to the administrative panel.
Admin Panel
Attempting some default and weak passwords
Wow. I got logged in.
The password was nibbles
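The admin password here is simply the site's own name, a pattern a password policy can reject at the moment the password is set. The following Python is an added example of such a check, not code from the writeup or from Nibbleblog: it derives forbidden terms from the hostname, the product name and the account name, normalises candidate passwords (case, common digit-for-letter substitutions, punctuation), and rejects anything that contains, is contained in, or shares a long common prefix with one of those terms. The sample hostname, product and account values are taken from the findings above; the prefix length and the substitution table are my own choices.

```python
import re

# Common digit/symbol-for-letter substitutions to undo before comparing
# ("N1bbl3s" should be treated as "nibbles").
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})
MIN_TERM = 4      # ignore labels shorter than this ("com")
STEM_LEN = 6      # shared prefix treated as "same word" (nibbles vs nibbleblog)


def _variants(s: str) -> set[str]:
    """Lower-cased, punctuation-stripped forms of s, with and without leet decoding."""
    plain = re.sub(r"[^a-z0-9]", "", s.lower())
    decoded = re.sub(r"[^a-z0-9]", "", s.lower().translate(LEET))
    return {plain, decoded}


def context_terms(hostname: str, product: str, username: str) -> set[str]:
    """Words a password must not be derived from: each label of the hostname,
    the product name and the account name (local part and domain labels)."""
    terms: set[str] = set()
    for raw in (hostname, product, username):
        for label in re.split(r"[.@\-_\s]+", raw.lower()):
            for v in _variants(label):
                if len(v) >= MIN_TERM:
                    terms.add(v)
    return terms


def is_context_derived(password: str, terms: set[str]) -> bool:
    """True when the password is a trivial variation of one of the context terms."""
    for p in _variants(password):
        if len(p) < MIN_TERM:
            continue
        for t in terms:
            if t in p or p in t:
                return True
            if len(p) >= STEM_LEN and len(t) >= STEM_LEN and p[:STEM_LEN] == t[:STEM_LEN]:
                return True
    return False


def check_password(password: str, hostname: str, product: str, username: str) -> tuple[bool, str]:
    """Accept/reject with a reason; length policy first, then context-derivation."""
    if len(password) < 12:
        return False, "shorter than 12 characters"
    if is_context_derived(password, context_terms(hostname, product, username)):
        return False, "derived from site, product or account name"
    return True, "ok"


if __name__ == "__main__":
    # Constructed candidates against the values seen on this target.
    for cand in ("nibbles", "N1bbl3s!", "nibbleblog2018", "admin2018", "Tq7#vL9pXz-Wr4q"):
        print(cand, check_password(cand, "nibbles.com", "Nibbleblog", "admin@nibbles.com"))
```

The check is deliberately conservative (a few false positives on words that happen to share a six-letter stem with the hostname are acceptable); the point is that "nibbles" on a host called nibbles running Nibbleblog never becomes an admin password in the first place.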
┌──(kali㉿kali)-[~/archive/htb/labs/nibbles]
└─$ searchsploit nibbleblog
------------------------------------------------------ ---------------------------------
Exploit Title | Path
------------------------------------------------------ ---------------------------------
Nibbleblog 3 - Multiple SQL Injections | php/webapps/35865.txt
Nibbleblog 4.0.3 - Arbitrary File Upload (Metasploit) | php/remote/38489.rb
------------------------------------------------------ ---------------------------------
Shellcodes: No Results
Papers: No Results
Searchsploit reveals that the web app has a file upload vulnerability. I will search online for an exploit since I don’t want to use Metasploit.