Nibbles
Reconnaissance:
NMAP:
We get back the following result showing that two ports are open:
Port 80: running Apache httpd 2.4.18
Port 22: running OpenSSH 7.2p2
Enumeration: Website - Port 80
Visit the site in the browser. http://10.10.10.75/
Nothing useful there, so right-click and select View Page Source (or press CTRL + U). We find a comment that gives us a new directory.
This leads us to the following page. At the bottom you can see that it is powered by Nibbleblog, which indicates off-the-shelf software as opposed to a custom application.
http://10.10.10.75/nibbleblog/ http://10.10.10.134/nibbleblog/feed.php
To confirm that, let's google Nibbleblog: "Powered by Nibbleblog", https://www.bludit.com/
Gobuster:
Identifying a username
Digging deeper, there’s a page at /nibbleblog/content/private/users.xml which reveals a user, admin, as well as the IPs that have tried to log in as it:
http://10.10.10.75/nibbleblog/update.php
DB updated: ./content/private/config.xml
DB updated: ./content/private/comments.xml
http://10.10.10.75/nibbleblog/README
Version: v4.0.3
===== About the author =====
Name: Diego Najar
E-mail: dignajar@gmail.com
Linkedin: http://www.linkedin.com/in/dignajar
http://10.10.10.75/nibbleblog/content/private/config.xml
<notification_email_to type="string">admin@nibbles.com</notification_email_to>
<notification_email_from type="string">noreply@10.10.10.134</notification_email_from>
http://10.10.10.75/nibbleblog/content/
http://10.10.10.75/nibbleblog/admin/controllers/
Logging into admin panel
I wasn’t able to locate a password elsewhere on the blog, and nibbleblog doesn’t have a default password. Luckily, the guess of nibbles worked, and we are in:
http://10.10.10.75/nibbleblog/admin.php admin nibbles
Remote Code Execution (via file upload):
From the gobuster results, there’s a README file, and that gives us a version:
http://10.10.10.75/nibbleblog/README Version: v4.0.3
This version of Nibbleblog is vulnerable to CVE-2015-6967, an authenticated arbitrary file upload that can lead to code execution. There is a Metasploit module for it, and it is also straightforward to do manually.
CVE-2015-6967:
Now we need admin credentials. When I'm presented with a login page, the first thing I try is common credentials (admin/admin, admin/nibbles, nibbles/nibbles, nibbles/admin). If that doesn't work, I look online for default credentials specific to the technology. Last, if all else fails, I use a password cracker.
http://10.10.10.75/nibbleblog/admin.php admin nibbles
Next, navigate to the My Image plugin: Plugins > My image > Configure.
http://10.10.10.75/nibbleblog/admin.php?controller=plugins&action=config&plugin=my_image
Get the code for a PHP reverse shell, change the IP address and port to those of your attack machine, save it in a file called image.php and upload it through the plugin.
Start a listener on the chosen port.
In the browser, navigate to the image we just uploaded to run the reverse shell script.
http://10.10.10.75/nibbleblog/content/private/plugins/my_image/image.php
Let's first upgrade to a better shell. The python binary is not installed, but python3 is.
Metasploit –> Meterpreter
We’ll use multi/http/nibbleblog_file_upload to get a shell on the box.
user.txt:
From there, we’ll upgrade our shell, and then get user.txt:
Privilege Escalation
Find out what privileges you have. Either by running LinEnum.sh or just by checking sudo -l, we'll see the following:
But if we try to access it, we find that the personal directory does not exist! That's not the end, though: we can still create it and use it:
Now that the directories are ready, let's create our script. nano does not exist, so we will need to use the vi text editor:
When vi is open, press i and Enter, then paste this shell:
Then press ESC on your keyboard, type :wq to save and exit, and press Enter:
Our script is ready; the last thing to do is give it execute permissions:
then:
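The rule that makes this escalation possible trusts a script under the user's own home directory, and the directory did not even exist yet, so the user simply creates it. The following audit script is added here and is not part of the original writeup: it flags sudoers rules of that shape (path the user can write to, path that does not exist, or an unrestricted ALL). The rule text and paths are constructed for illustration, and the filesystem check is injectable so it can be run against sample data.

```python
"""Audit sudoers command rules for paths the rule's own user controls."""
import os
import re
from dataclasses import dataclass, field

# user host=(runas) [TAG:] command[, command...]; host excludes '=' so it stops cleanly
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<cmds>.+)$"
)


@dataclass
class Finding:
    user: str
    command: str
    issues: list = field(default_factory=list)


def parse_rule(line):
    """Return (user, runas, [command paths]) for one sudoers rule, or None."""
    line = line.split("#", 1)[0].strip()  # drop comments and blank lines
    m = RULE_RE.match(line)
    if not m:
        return None
    cmds = []
    for spec in m.group("cmds").split(","):
        spec = re.sub(r"^(?:[A-Z]+:\s*)+", "", spec.strip())  # strip NOPASSWD:, SETENV: ...
        if spec:
            cmds.append(spec.split()[0])  # keep the binary path, drop its arguments
    return m.group("user"), m.group("runas") or "root", cmds


def audit_rule(line, exists=os.path.exists):
    """Flag commands a sudo rule trusts although the named user controls their path."""
    parsed = parse_rule(line)
    if parsed is None:
        return []
    user, _runas, cmds = parsed
    findings = []
    for cmd in cmds:
        issues = []
        if cmd == "ALL":
            issues.append("unrestricted ALL")
        else:
            if cmd.startswith(f"/home/{user}/") or cmd.startswith("/tmp/"):
                issues.append("path is under a directory the user can write to")
            if not exists(cmd):  # missing target (or missing parent dir) can be created by the user
                issues.append("target does not exist; user can create it")
        if issues:
            findings.append(Finding(user, cmd, issues))
    return findings


if __name__ == "__main__":
    # Constructed sample rule mirroring the pattern seen on this box
    for f in audit_rule("nibbler ALL=(root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh"):
        print(f.user, f.command, "; ".join(f.issues))
```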