HTB: Nibbles Walkthrough
Overview
Difficulty: Easy
- Operating System: Linux
- Objective: Understand potential breaking points in nibble machine.
- Tools Used:nmap,nc,whatweb,searchsploit,metasploit,gobuster,SecsList,linpeas
Prepared by Araiz Naqvi
Starting Enumeration with Nmap
The very first step is to get an idea of the open ports and services running.
To do this we will start with nmap scans:
Here, two ports are open, SSH and HTTP which also show that the target is running Linux Ubuntu 2.2 version and an Apache httpd 2.4.18 server.
But, before we go deeper into these open ports, let’s run an all ports TCP scan and leave it in the background cause usually it takes forever to happen.
I actually did some banner grabbing in the meanwhile, but for consistency sake, I also immediately did a few other nmap scans to try and get as much information as possible.
Also, since I know that ports 22 and 80 are open, I first ran this scan using default nmap scripts using -sc flag as:
Second, I also tried to use a scan script that would probe nmap to find frequently named web page directories or files that contain important and sensitive information using the -script=http-enum:
As seen there was not much luck here. No useful information was retrieved.
Banner Grabbing
Just before I was about to start banner grabbing, I also got back the results for the all port scans I did, and least to say they were quite disappointing but np :_ ).
No serious information found.
Let’s start banner grabbing!
I first used the good old nc to get basic banner information:
This validates that the target hosts an Apache Web Server and an OpenSSH server at ports 80 and 22 respectively.
Web Footprinting
After having pretty hard luck in the scanning.
Let’s figure out the various technologies used and see whether we can find vulnerabilities in them.
Let’s start with whatweb to get a basic idea of the technologies used:
We already know all this. No useful information here again.
Let’s have a look at the website:
Shows a simple website saying “Hello World!”. Let’s also take a look at the source code using `ctrl+u`:
Aha! There’s a weird looking directory mentioned!
Let’s check it out:
Does not look interesting at first.
But, let’s check out technologies used using `whatweb`:
This website is using HTML, PHP and JQuery.
Also, upon further google searches, nibbleblog turns out to be an actual thing.
It’s a blog making platform using PHP and instead of using a traditional database it saves data as files.
Now, if we search up for nibbleblog exploit this is one of them that strikes and is a critical finding!
There’s a Nibbleblog File Upload Vulnerability which allows an authenticated user to remotely execute arbitrary PHP codes. It was tested for version 4.0.3.
It also mentions a metasploit module to use:
Noted!
We just yet don’t know whether the version of nibbleblog being used is 4.0.3 or not. So, let’s try to figure that out.
Seeing what options are required:
We clearly need:
- Username (Don’t have)
- Password (Don’t have)
- TargetURI (We have)
- RPORT (We have)
- RHOSTS (We have)
So, let go figure out the version and a set of username and password.
Enumerating Hidden Directories and Files
Let’s use gobuster along with seclists wordlists to find all hidden directories and paths.
And, we do have quite a bunch of links! Let’s go through each one at a time!
Starting with http://10.129.163.128/nibbleblog//admin/:
There’s nothing too exciting here. I’ll save you the time.
The next interesting space is http://10.129.163.128/nibbleblog/README and oh boy! Here, we figure the first part of the puzzle and find that nibbleblog version 4.0.3 is in use!:
Also, the next important page would’ve been http://10.129.163.128/nibbleblog/admin.php but I bruteforced a few too many times and got blacklisted but this was the login portal for admins.
I used combinations like admin:admin, root:root and admin:password123 and tadaaa I was locked out :_ )
Nevertheless, moving on after a little scanning and digging I find within this directory http://10.129.163.128/nibbleblog//content/private/users.xml a users.xml which contained some real gold:
As seen I had the username correct, there is a user with username admin just left to figure the password out. So, one last key left to find.
So far, we know:
- A Nibbleblog install potentially vulnerable to an authenticated file upload vulnerability
- An admin portal at `nibbleblog/admin.php`
- Directory listing which confirmed that `admin` is a valid username
- Login brute-forcing protection blacklists our IP address after too many invalid login attempts. This takes login brute-forcing with a tool such as Hydra is off the table
Also, after looking at some more pages like http://10.129.163.128/nibbleblog//content/private/config.xml, there’s a brief chance that since so many times here and there they’ve written the word nibbles there’s a slight chance this can be the password too.
It’s safe to say that we may have a password and have cracked all the keys!
So far, we know:
- We started with a simple nmap scan showing two open ports
- Discovered an instance of Nibbleblog
- Analyzed the technologies in use using whatweb
- Found the admin login portal page at admin.php
- Discovered that directory listing is enabled and browsed several directories
- Confirmed that admin was the valid username
- Found out the hard way that IP blacklisting is enabled to prevent brute-force login attempts
- Uncovered clues that led us to a valid credentials admin:nibbles
In fact after logging in using admin:nibbles, we do get in.
On scrolling around, oh boy! What i’m about to type is one of the craziest things i’ve ever done!
So, looking around, I saw plugins and there is this images tab.
Let’s try to inject and try RCE using php since we remember that nibblesblog is in php.
Let’s create a phpInject.php:
Now, upload this php into the browse option and hit `save`.
Clearly, it’s executing it! This also means we can execute a reverse shell to us!
Let’s just find where this is going.
If you go back to http://10.129.184.244//nibbleblog//content/private/plugins/my_image/ that we found using gobuster, remember?
This is it! You can either open this or use curl and it will execute.
On opening, it returns:
Clearly, RCE is working!!
Now, let’s create a reverse shell:
First, listen using nc on a port of your choice, I chose 4444:
Next, create a php file with the reverse shell command:
(Also if you noticed an IP change in the middle somewhere it was cause I forgot to renew the HTB timer)
How do I know my IP? Use ifconfig:
When we upload this php to the images and do as we did all over to execute it, we now have a successful reverse shell!
So as you see python was not installed but usually its python3 that’s installed. So a rough guess came correct.
Also, I have not forgotten that we are also able to exploit the metasploit but this was another excellent finding.
Now, the last thing that remains is to escalate privs.
So, let’s first check what privs we have using:
and we get to see that we have full sudo privs over /home/nibbler/personal/stuff/monitor.sh and this is gold.
We can run using sudo access to another reverse shell say at port 8444 and get complete root access.
So, in the personal.zip, first unzip it:
Let’s move into the directory and edit the monitor.sh since this is the file who’s sudo privs will give us root access:
Now, I appended it to the last line since when this executable runs it will execute everything in it, but don’t run it just yet. Let’s first power on nc at port 8444 (8444 is just from the reference i was taking, but you can take any):
Let’s now execute the .sh but with sudo: (remember to use sudo, I was stuck at this point for about 34 minutes to be precise)
Gives a bunch of bs, but looking at whether picked up or not:
Bingo!!!! We’ve connected, also if you notice the # means we’re logged on as root!
Let’s go get the last flag:
With this we’ve successfully hacked the box.
Flag
The user.txt flag is 79c03865431abf47b90ef24b9695e148.
The root.txt flag is de5e5d6619862a8aa5b9b212314e0cdd.
Comments
Post a Comment