Nibbles
Writeup for Nibbles from OffSec Proving Grounds
Information Gathering
sudo ./nmapAutomator.sh 192.168.163.47 all
Service Enumeration
HTTP (Port 80)
Looks like a blank website used for testing.
Doesn't look like there's anything else here that could be useful.
PostgreSQL (Port 5437)
Since we know the default username is postgres, we can try the default password as well, postgres, and we managed to log in.
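On the defending side, a remote login as postgres is only possible when a pg_hba.conf rule lets that role authenticate from a non-loopback address. The audit below is an added example, not part of the original writeup: it parses a constructed pg_hba.conf and flags such rules; the sample rules and the function names are assumptions made for illustration.

```python
import ipaddress

# Constructed sample pg_hba.conf; not taken from the target in this writeup.
SAMPLE_HBA = """\
# TYPE  DATABASE  USER      ADDRESS        METHOD
local   all       postgres                 peer
host    all       all       127.0.0.1/32   scram-sha-256
host    all       all       0.0.0.0/0      md5
host    appdb     app_rw    10.0.0.0/8     scram-sha-256
hostssl all       postgres  192.168.0.0 255.255.0.0 password
host    all       all       ::1/128        trust
"""

# Methods where a known or guessed password (or nothing, for trust) is enough.
PASSWORD_OR_TRUST = {"trust", "password", "md5", "scram-sha-256"}
SUPERUSER = "postgres"  # assumption: the bootstrap superuser kept its default name


def is_remote(address):
    """True when the ADDRESS field matches clients beyond the local host."""
    if address == "samehost":
        return False
    if address in ("all", "samenet"):
        return True
    try:
        return not ipaddress.ip_network(address, strict=False).is_loopback
    except ValueError:
        return True  # hostname or unparsable value: assume remote


def risky_rules(hba_text):
    """Return (line_no, address, method) for rules exposing the superuser remotely."""
    findings = []
    for line_no, raw in enumerate(hba_text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 5 or not fields[0].startswith("host"):
            continue  # comments, blank lines and local (unix-socket) rules
        users, address, method = fields[2].split(","), fields[3], fields[4]
        try:  # older form: ADDRESS and IP-MASK in separate columns
            ipaddress.ip_address(method)
            address, method = f"{address}/{method}", fields[5]
        except (ValueError, IndexError):
            pass
        if ({"all", SUPERUSER} & set(users)) and is_remote(address) \
                and method in PASSWORD_OR_TRUST:
            findings.append((line_no, address, method))
    return findings
```

Group (`+role`) and file (`@file`) entries in the USER column are not resolved here, so rules using them need a manual look.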
Since this version of PostgreSQL is higher than 9.3 and we are superuser, we can run the following exploit.
Exploit
Let's use Metasploit for this exploit to make life easier.
And we got an interactive shell!
Privesc
Running LinEnum on the target machine, we find an interesting SUID file.
Searching GTFOBins, we got the exact command needed.