search

Nibbles

hashtag
Reconnaissance:

NMAP: 

┌──(kali💀kali)-[~]
└─$ sudo nmap -sC -sV -O 10.10.10.75  

22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
|   256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_  256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)

80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.18 (Ubuntu)
┌──(kali💀kali)-[~]
└─$ sudo nmap -sU -O 10.10.10.75  

Not shown: 1000 closed udp ports (port-unreach)
┌──(kali💀kali)-[~]
└─$ sudo nmap -sC -sV -p- 10.10.10.75

We get back the following result showing that two ports are open:

  • Port 80: running Apache httpd 2.4.18

  • Port 22: running OpenSSH 7.2p2

hashtag
Enumeration: Website - Port 80

Visit the site in the browser. http://10.10.10.75/arrow-up-right

Nothing useful there, so right click and select View Page Source. We find a comment that gives us a new directory. CTRL + U

This leads us to the following page. You can see at the bottom that it is powered by Nibbleblog. This is an indication that it an off the shelf software as apposed to custom software.

http://10.10.10.75/nibbleblog/ http://10.10.10.134/nibbleblog/feed.phparrow-up-right

To confirm that, let’s google Nibbleblog. · Powered by Nibbleblog https://www.bludit.com/arrow-up-right

Gobuster:

Identifying a username

Digging deeper, there’s a page at /nibbleblog/content/private/users.xml which reveals a user, admin, as well as the IPs that have tried to log in as it:

http://10.10.10.75/nibbleblog/update.php DB updated: ./content/private/config.xml DB updated: ./content/private/comments.xml

http://10.10.10.75/nibbleblog/README Version: v4.0.3 ===== About the author ===== Name: Diego Najar E-mail: dignajar@gmail.com Linkedin: http://www.linkedin.com/in/dignajar

http://10.10.10.75/nibbleblog/content/private/config.xml <notification_email_to type="string">admin@nibbles.com</notification_email_to> <notification_email_fromtype="string">noreply@10.10.10.134</notification_email_from>

http://10.10.10.75/nibbleblog/content/ http://10.10.10.75/nibbleblog/admin/controllers/arrow-up-right

Logging into admin panel

I wasn’t able to locate a password elsewhere on the blog, and nibbleblog doesn’t have a default password. Luckily, the guess of nibbles worked, and we are in:

http://10.10.10.75/nibbleblog/admin.php admin nibblesarrow-up-right

hashtag
Remote Code Execution (via file upload):

From the gobuster results, there’s a README file, and that gives us a version:

http://10.10.10.75/nibbleblog/README Version: v4.0.3

This version of nibbleblog is vulnerable to CVE-2015-6967, which is an authenticated arbitrary file upload, which can lead to code execution. There’s both a metasploit modules, and it’s pretty straightforwards to do manually.

CVE-2015-6967:

LogoGitHub - dix0nym/CVE-2015-6967: Nibbleblog 4.0.3 - Arbitrary File Upload (CVE-2015-6967)GitHubchevron-right

Now we need admin credentials. When I’m presented with an enter credentials page, the first thing I try is common credentials (admin/admin, admin/nibbles, nibbles/nibbles, nibbles/admin). If that doesn’t work out, I look for default credentials online that are specific to the technology. Last, I use a password cracker if all else fails.

http://10.10.10.75/nibbleblog/admin.php admin nibblesarrow-up-right

Next, we need to navigate to the My Image plugin. Click on Plugins > My image > Configure.

http://10.10.10.75/nibbleblog/admin.php?controller=plugins&action=config&plugin=my_imagearrow-up-right

Get the code for a PHP reverse shell. Change the IP address and port used by your attack machine. Then save it in a file called image.php and upload it on the site.

php-reverse-shellpentestmonkeychevron-right

Start a listener on the above chosen port.

In the browser, navigate to the image we just uploaded to run the reverse shell script.

http://10.10.10.75/nibbleblog/content/private/plugins/my_image/image.phparrow-up-right

Let’s first upgrade to a better shell. Python is not installed but python 3 is.

hashtag
Metasploit –> Meterpreter

We’ll use multi/http/nibbleblog_file_upload to get a shell on the box.

user.txt:

From there, we’ll upgrade our shell, and then get user.txt:

hashtag
Privilege Escalation

Find out what privileges you have. Either through running LinEnum.sh or just by checking sudo -l, we’ll see the following:

But if we go and try to access it we will find that the personal directory does not exist! But that's not the end we can still create it and use it:

okay now we have the directories ready, lets create our script, nano does not exist, we will need to use vi text editor:

when the vi is open, press i and enter, then paste this shell:

then press ESC from your keyboard, and type :wq to save and exit then press enter:

Okay our script is ready, the last thing to do is giving it execution permissions:

then:

PreviousBashed WriteupNextTabby

Last updated