Nibbles

Last updated 4 years ago

Overview

Initial Foothold: file upload vulnerability in Nibbleblog

Privilege Escalation: world-writable script that sudo lets the user run as root

Enumeration

Start with a port scan (nmap output):

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
|   256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_  256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.12 (95%), Linux 3.13 (95%), Linux 3.16 (95%), Linux 3.18 (95%), Linux 3.2 - 4.9 (95%), Linux 3.8 - 3.11 (95%), Linux 4.4 (95%), Linux 4.2 (95%), Linux 4.8 (95%), ASUS RT-N56U WAP (Linux 3.4) (95%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Only a few ports are open, and the SSH version doesn't look interesting.

Let's start with web enumeration.

Web Enumeration

Visit the webpage.

It looks like a simple HTML site is running.

Let's look at the source code.

The source reveals an interesting directory called nibbleblog.

Let's see what's there.

There is an admin.php page where we can log in.

But we don't have credentials.

This took me a long time to figure out; the username and password cannot be brute-forced, as we get blocked if we try.

This was simple: the username was the usual admin and the password was nibbles.

Trying these credentials gives us an admin session (admin : nibbles).

Let's search for nibbleblog on Google.

We find a file upload exploit, but it uses Metasploit.

Let's exploit it manually.

Exploitation

There is a Metasploit module for exploiting this file upload vulnerability, but we will exploit it manually.

Reading the Metasploit module shows that the vulnerability is in the My Image plugin, which lets us upload a file with any extension.

There is no check on the type of the uploaded file.

Let's configure this plugin by uploading our PHP reverse shell.

Use pentestmonkey's php-reverse-shell.php for this task.

Change the lhost and lport in this payload, upload it through the My Image plugin, and set up a netcat listener.

To execute the payload, visit the directory where the plugin stores its uploads.

The path comes from the Metasploit module; you can also find it with DirBuster.

Open the image.php file and we get a reverse shell as the nibbler user.

Privilege Escalation

Let's run the sudo -l command.

The result shows that user nibbler can run the monitor.sh script as root without a password.

Let's visit the file's location.

The monitor.sh file isn't there, but there is a personal.zip file.

Unzip that archive.

The extraction produces the monitor.sh file in the stuff folder under personal.

Now check the permissions of the monitor.sh file.

This file is world-writable.

So we can edit this file, add our own commands to it, and have them executed as root.

Simply append /bin/bash to the file:

echo /bin/bash >> monitor.sh

Then execute the script with its full path via sudo.

And we get a root shell.
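As an added defender-side check (not part of this writeup), the following Python script audits the misconfiguration used above: it parses the NOPASSWD entries of sudo -l and flags any target that is world- or group-writable or not owned by root. The temp directory, the file name monitor.sh and the single sudo -l line are constructed for the demo; the fix shown is chmod 755 on the script.

```python
import os
import stat
import tempfile

def parse_nopasswd_commands(sudo_l_output):
    """Pull absolute command paths out of the NOPASSWD lines of 'sudo -l'."""
    commands = []
    for line in sudo_l_output.splitlines():
        if "NOPASSWD:" not in line:
            continue
        for entry in line.split("NOPASSWD:", 1)[1].split(","):
            words = entry.split()
            if words and words[0].startswith("/"):
                commands.append(words[0])
    return commands

def insecure_reasons(path):
    """Why letting root run `path` is unsafe; an empty list means it looks fine."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["target does not exist"]  # a non-root user could create it
    reasons = []
    if st.st_mode & stat.S_IWOTH:
        reasons.append("world-writable")
    if st.st_mode & stat.S_IWGRP:
        reasons.append("group-writable")
    if st.st_uid != 0:
        reasons.append("not owned by root")
    return reasons

def audit(sudo_l_output):
    """Map each NOPASSWD target that has problems to its list of reasons."""
    findings = {}
    for path in parse_nopasswd_commands(sudo_l_output):
        reasons = insecure_reasons(path)
        if reasons:
            findings[path] = reasons
    return findings

def demo():
    """Recreate the monitor.sh state in a temp dir, audit it, fix the mode, re-audit."""
    script = os.path.join(tempfile.mkdtemp(), "monitor.sh")  # constructed path
    with open(script, "w") as fh:
        fh.write("#!/bin/bash\necho monitoring\n")
    os.chmod(script, 0o777)                       # world-writable, as found on the box
    sudo_l = f"    (root) NOPASSWD: {script}\n"  # constructed 'sudo -l' line
    before = audit(sudo_l)
    os.chmod(script, 0o755)                       # hardened mode; chown root needs privileges
    return before, audit(sudo_l), script
```

Run audit() against the real sudo -l output on a host you administer; any path it returns is one that an unprivileged user could turn into a root shell exactly as done on this box.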

That's all for this box

Good Bye :)

References

Nibbleblog 4.0.3 - Arbitrary File Upload (Metasploit) (Exploit Database)

GitHub - pentestmonkey/php-reverse-shell (GitHub)