Nibbles

Writeup for Nibbles from OffSec Proving Grounds

Information Gathering

sudo ./nmapAutomator.sh 192.168.163.47 all

Service Enumeration

HTTP (Port 80)

Looks like a blank website used for testing.

Doesn't look like there's anything else here that could be useful.

PostgreSQL (Port 5437)

Since we know the default username is postgres, we can try the default password, postgres, as well, and we manage to log in.

Since this version of PostgreSQL is higher than 9.3 and we are a superuser, we can run the following exploit.
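As a hardening check for the finding above (the postgres superuser accepting a network login on port 5437), this added example, which is not part of the original writeup, audits a pg_hba.conf for rules that let the superuser role authenticate from non-loopback addresses. The sample configuration is constructed for illustration; the role name postgres is the one given on the page.

```python
import ipaddress

# Constructed sample pg_hba.conf (not taken from the target in this writeup).
SAMPLE_HBA = """\
# TYPE  DATABASE  USER      ADDRESS        METHOD
local   all       postgres                 peer
host    all       all       127.0.0.1/32   scram-sha-256
host    all       all       0.0.0.0/0      md5
host    appdb     app_rw    10.0.0.0/8     scram-sha-256
host    all       postgres  192.168.0.0 255.255.0.0 password
"""

SUPERUSER = "postgres"  # superuser role name as given on the page

def is_remote(address):
    """True if the ADDRESS field admits clients other than the local host."""
    if address in ("all", "samenet"):
        return True
    if address == "samehost":
        return False
    try:
        net = ipaddress.ip_network(address, strict=False)
    except ValueError:
        return True  # hostname or domain suffix: assume it can be remote
    return not net.is_loopback

def audit_hba(text, superuser=SUPERUSER):
    """Return (line_no, line) for rules that let the superuser log in remotely."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 5 or not fields[0].startswith("host"):
            continue  # comments, blanks and Unix-socket ("local") rules
        # "all" matches every role; +group and @file entries need manual review
        users = fields[2].split(",")
        hit = any(u in ("all", superuser) or u.startswith(("+", "@")) for u in users)
        method = fields[4]
        try:
            ipaddress.ip_address(method)  # separate IP-mask form: method follows it
            method = fields[5] if len(fields) > 5 else ""
        except ValueError:
            pass
        if hit and is_remote(fields[3]) and method != "reject":
            findings.append((no, raw.strip()))
    return findings

if __name__ == "__main__":
    for no, line in audit_hba(SAMPLE_HBA):
        print(f"line {no}: superuser reachable over the network: {line}")
```

pg_hba.conf is evaluated first-match, so review flagged lines in file order; an earlier reject rule for the same client range would take precedence over a later flagged one.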

Exploit

Let's use Metasploit for this exploit to make life easier.

And we got an interactive shell!

Privesc

Running LinEnum on the target machine, we find an interesting SUID file.

Searching GTFOBins gives us the exact command needed.
