Nibbles

Overview
Initial Foothold : File upload vulnerability in nibbleblog
Privilege Escalation : Misconfigured file permissions on a script that sudo allows to run as root
Enumeration
Start with port scanning
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
| 256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_ 256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.12 (95%), Linux 3.13 (95%), Linux 3.16 (95%), Linux 3.18 (95%), Linux 3.2 - 4.9 (95%), Linux 3.8 - 3.11 (95%), Linux 4.4 (95%), Linux 4.2 (95%), Linux 4.8 (95%), ASUS RT-N56U WAP (Linux 3.4) (95%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Only a few ports were open and the SSH version doesn't seem interesting.
Let's start with web enumeration.
Web Enumeration
Visit the webpage.

Looks like a simple HTML site is running.
Let's look at the source code.

Hmm, got an interesting directory called nibbleblog.
Let's see what's there.

There was an admin.php page where we can log in.

But we don't have creds.
This took me a long time to figure out: the username and password cannot be brute-forced, as we get blocked if we try.
This was simple. The username was, as usual, admin and the password was nibbles.
Let's try these creds and we get an admin session ( admin : nibbles ).

Let's search for nibbleblog on Google.

Got a file upload exploit, but it was using Metasploit.
Let's exploit it manually.
Exploitation
Got a Metasploit module for exploiting this file upload vulnerability, but we will exploit it manually.
After reading the Metasploit module, it was clear that the vulnerability was in the My Image plugin, where we can upload any file with any extension.
There was no check on the type of the file being uploaded.

Let's configure this plugin by uploading our PHP reverse shell code.
Use pentestmonkey's php-reverse-shell.php for this task.
Change the lhost and lport in this payload, upload it via the My Image plugin, and also set up a netcat listener.
Now, to execute the payload, visit the page where the plugin stores its files.

Got the above path from the Metasploit module; you can also find it using dirbuster.
Now open the image.php file and we get a reverse shell as the nibbler user.
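The root cause above is that the plugin trusted whatever file the admin uploaded. As an added example (not nibbleblog code, and not from this write-up), here is the kind of server-side validation an image upload handler should do instead: an extension allowlist, a check that the bytes actually start with the declared image format's magic number, rejection of double extensions and embedded script tags, and a server-generated filename. The function and constant names and the sample uploads are constructed for the demo.

```python
"""Image upload validation, as an added example of the check the My Image
plugin lacked. Not nibbleblog code; all names and sample data are constructed."""
import os
import re
import secrets

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
JPEG_MAGIC = b"\xff\xd8\xff"
GIF_MAGIC = b"GIF8"

# Allowed extensions mapped to the magic bytes a file of that type must begin with.
ALLOWED = {".png": PNG_MAGIC, ".jpg": JPEG_MAGIC, ".jpeg": JPEG_MAGIC, ".gif": GIF_MAGIC}
MAX_BYTES = 2 * 1024 * 1024  # assumed upload limit for the demo


class UploadRejected(ValueError):
    """Raised with a reason when an upload fails any check."""


def validate_image_upload(filename: str, data: bytes) -> str:
    """Return a safe, server-chosen filename if the upload is an acceptable image,
    otherwise raise UploadRejected. The checks are independent, so renaming
    shell.php to shell.png (which defeats the extension check) is still caught
    by the magic-byte and content checks."""
    if len(data) > MAX_BYTES:
        raise UploadRejected("file too large")
    if "\x00" in filename:
        raise UploadRejected("null byte in filename")
    base = os.path.basename(filename.replace("\\", "/"))  # drop any path component
    root, ext = os.path.splitext(base)
    ext = ext.lower()
    if ext not in ALLOWED:
        raise UploadRejected(f"extension {ext!r} not allowed")
    if "." in root:  # shell.php.png and similar double extensions
        raise UploadRejected("multiple extensions not allowed")
    if not data.startswith(ALLOWED[ext]):
        raise UploadRejected("content does not match declared image type")
    # Heuristic defence in depth: a real image has no reason to carry PHP tags.
    if re.search(rb"<\?php|<\?=|<script", data, re.IGNORECASE):
        raise UploadRejected("embedded script content")
    # Never reuse the client-supplied name; the stored name must be unpredictable.
    return f"{secrets.token_hex(16)}{ext}"


def check_upload(filename: str, data: bytes):
    """Convenience wrapper returning (accepted, stored_name_or_reason)."""
    try:
        return True, validate_image_upload(filename, data)
    except UploadRejected as exc:
        return False, str(exc)


def run_demo():
    """Run the validator over constructed uploads, including a PHP file with the
    .php extension as uploaded in the write-up and some disguised variants."""
    samples = {
        "cat.png": PNG_MAGIC + b"\x00" * 32,
        "image.php": b"<?php system($_GET['c']); ?>",
        "shell.php.png": PNG_MAGIC + b"<?php phpinfo(); ?>",
        "shell.png": b"<?php phpinfo(); ?>",
        "polyglot.png": PNG_MAGIC + b"<?php phpinfo(); ?>",
    }
    return {name: check_upload(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, (ok, detail) in run_demo().items():
        print(f"{name:15} -> {'stored as ' + detail if ok else 'rejected: ' + detail}")
```

Storing accepted files outside the web root (or in a directory where the web server has script execution disabled) is the other half of the fix; validation alone should not be the only barrier between an upload and code execution.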

Privilege Escalation
Let's run the sudo -l command.

From the above result it is clear that the user nibbler can run the monitor.sh script as root without a password.
Let's visit the file.
The monitor.sh file isn't there, but there is a personal.zip file.
Unzip that archive.

Here you can see it extracted the archive and the monitor.sh file is in the stuff folder under personal.
Now check the permissions of the monitor.sh file.
This file was writable by everyone.
So we can edit this file, add our code to it, and execute it as root.
Simply echo /bin/bash into the file:
echo /bin/bash >> monitor.sh
and execute the script with its full path as sudo.
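The escalation works only because sudo points at a script that an unprivileged user can modify. As an added example (not from this write-up), here is a small audit that parses sudo -l output, extracts each command a user may run, and reports the conditions that let a non-root user change what runs as root: a world- or group-writable file, a non-root owner, a replaceable parent directory, or a target that does not exist yet (as monitor.sh did not, until the zip was extracted). The sudo -l text, the hostname and the paths in run_demo are constructed; the function names are this example's own.

```python
"""Audit sudo -l targets for the misconfiguration used above: a script runnable as
root that the calling user can edit. Added example, not part of the write-up;
sample sudo -l output and file paths are constructed."""
import os
import re
import stat
import tempfile

# One sudo -l command line, e.g. "(root) NOPASSWD: /path/monitor.sh, /bin/y arg"
ENTRY_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")


def parse_sudo_l(text):
    """Return [(runas, nopasswd, command_path), ...] from `sudo -l` output."""
    entries = []
    in_cmds = False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_cmds = True
            continue
        if not in_cmds:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        nopasswd = "NOPASSWD:" in m.group("tags")
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            if cmd:
                entries.append((m.group("runas").strip(), nopasswd, cmd.split()[0]))
    return entries


def check_script(path):
    """Return the issues that would let a non-root user control what root executes."""
    if path == "ALL":
        return ["unrestricted: any command as the target user"]
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        # Missing target: whoever can create it decides what root runs.
        return ["target does not exist; whoever creates it controls it"]
    issues = []
    if stat.S_ISLNK(st.st_mode):
        issues.append("target is a symlink")
    if st.st_mode & stat.S_IWOTH:
        issues.append("world-writable file")
    elif st.st_mode & stat.S_IWGRP:
        issues.append("group-writable file")
    if st.st_uid != 0:
        issues.append(f"owned by uid {st.st_uid}, not root (owner can chmod or rewrite it)")
    parent = os.path.dirname(path) or "."
    pst = os.stat(parent)
    if pst.st_mode & stat.S_IWOTH and not pst.st_mode & stat.S_ISVTX:
        issues.append("parent directory world-writable (file can be replaced)")
    return issues


def audit(sudo_l_text):
    """Map each sudo target that has at least one issue to its list of issues."""
    findings = {}
    for _runas, _nopasswd, cmd in parse_sudo_l(sudo_l_text):
        issues = check_script(cmd)
        if issues:
            findings[cmd] = issues
    return findings


def run_demo():
    """Create a throwaway directory with a world-writable script (the misconfiguration)
    and a correctly permissioned one, then audit constructed sudo -l output naming both."""
    d = tempfile.mkdtemp()
    bad = os.path.join(d, "monitor.sh")
    good = os.path.join(d, "backup.sh")
    for p in (bad, good):
        with open(p, "w") as f:
            f.write("#!/bin/bash\necho ok\n")
    os.chmod(bad, 0o777)  # anyone can append to it, as in the write-up
    os.chmod(good, 0o755)
    sample = (
        "Matching Defaults entries for nibbler on Nibbles:\n"
        "    env_reset, mail_badpass\n\n"
        "User nibbler may run the following commands on Nibbles:\n"
        f"    (root) NOPASSWD: {bad}, {good}\n"
    )
    return audit(sample)


if __name__ == "__main__":
    for path, issues in run_demo().items():
        print(path)
        for issue in issues:
            print("   -", issue)
```

The fix on the defending side is the mirror image of the exploit: make the target root-owned and not writable by anyone else (for example mode 0755 in a root-owned directory), or remove the sudo rule, and treat any NOPASSWD target the user can write to as equivalent to granting them a root shell.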

And we got the root shell.

That's all for this box
Good Bye :)