The nmap scan shows two services: SSH and HTTP.

This is the web page.

Looking at the page source, there is an interesting comment.

This is the directory, and I ran gobuster against it.

This is the README; it shows that the site is running version 4.0.3.

This is the admin page. I tried some basic credentials such as admin/nibbles and admin/password, and admin/nibbles works.

Now we are able to log in as admin.

There is a plugin page. After a file is uploaded, it is stored as 10.10.10.75/nibbleblog/content/private/plugins/my_image/image.php.

So we upload a PHP reverse shell. By accessing it, we get a shell as user nibbler and get user.txt. sudo -l shows that we can run /home/nibbler/personal/stuff/monitor.sh as root.

This is a piece of code from monitor.sh.

I modify monitor.sh so that it copies bash to the local directory with the SUID bit set. Running ./bash -p then gives us bash as root.
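
The root cause is a sudoers rule pointing at a script inside a directory the unprivileged user controls. The following audit check for that condition is an added example, not part of the original write-up; the function names are hypothetical and it assumes GNU stat on Linux.

```shell
#!/bin/sh
# Added example, not from the original write-up. Assumes GNU stat (Linux).
# Audits a command path named in a sudoers rule: the file and every parent
# directory must be owned by the trusted UID (root by default) and must not
# be group- or world-writable. Otherwise an unprivileged user can replace
# what sudo runs, as with /home/nibbler/personal/stuff/monitor.sh above.

# is_loose PATH TRUSTED_UID: succeeds (0) when PATH can be changed by someone
# other than the trusted owner. Symlinks are followed (stat -L).
is_loose() {
    owner=$(stat -L -c '%u' "$1" 2>/dev/null) || return 0
    mode=$(stat -L -c '%a' "$1" 2>/dev/null) || return 0
    [ "$owner" = "$2" ] || return 0
    case $mode in
        *[2367] | *[2367]?) return 0 ;;   # other- or group-write bit set
    esac
    return 1
}

# audit_sudo_target PATH [TRUSTED_UID] [STOP_DIR]
# Prints one line per finding; returns 0 if clean, 1 on findings, 2 on misuse.
# STOP_DIR (default /) is where the upward walk ends.
audit_sudo_target() {
    path=$1; trusted=${2:-0}; stop=${3:-/}; rc=0
    case $path in
        /*) ;;
        *) echo "ERROR    path must be absolute: $path"; return 2 ;;
    esac
    # A missing target can be created by whoever controls its directory.
    while [ ! -e "$path" ]; do
        echo "MISSING  $path"
        rc=1
        path=$(dirname "$path")
    done
    while :; do
        if is_loose "$path" "$trusted"; then
            echo "LOOSE    $path (uid $(stat -L -c '%u' "$path"), mode $(stat -L -c '%a' "$path"))"
            rc=1
        fi
        if [ "$path" = "$stop" ] || [ "$path" = "/" ]; then
            break
        fi
        path=$(dirname "$path")
    done
    return $rc
}

# Usage: sh audit.sh /home/nibbler/personal/stuff/monitor.sh
if [ "$#" -gt 0 ]; then
    audit_sudo_target "$@"
fi
```

Run against the path from this box, it would report every component from /home/nibbler down as LOOSE, because none of them are owned by root.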