Nibbles
Last updated
IP: 10.129.1.135 Completed on: February 20, 2021 Time Took: 1.4 hrs
Ran the nmap_scan.sh script, which runs a port scan (0-65565), a version and default-script scan (-sV -sC), and then a vulnerability script scan (--script vuln):
Routed to the site (http://nibbles.htb/) and identified that plain HTML was being served (tried bypassing virtual hosting by adding nibbles.htb to /etc/hosts, but nothing changed):
Looking at the source code, we find the comment below, which gives us the directory path /nibbleblog/:
Routing to the /nibbleblog directory we find a Nibbleblog (https://nibbleblog.com/) site, which is a PHP CMS:
Let’s find any hidden paths using gobuster with the php, html and txt extensions, keeping only the 200 and 301 status codes (I’m excluding the others as there were a lot of false-positive findings with 403 status):
sudo gobuster dir -u http://nibbles.htb/nibbleblog/ -w ~/SecLists/Discovery/Web-Content/raft-medium-words.txt -x html,php,txt -s 200,301 -t 40
Enumerating Nibbleblog’s content I found that a valid username was admin, per http://nibbles.htb/nibbleblog/content/private/users.xml :
With this information, I attempted default passwords against the admin.php page (password, admin, etc). The password ended up being the name of the box, nibbles:
Having gained access to admin credentials, we can verify that the version of NibbleBlog is 4.0.3; there are many known exploits for this version. We will use one that relies on the default settings of the my_image plugin.
Routing to http://nibbles.htb/nibbleblog/admin.php?controller=plugins&action=config&plugin=my_image we can use this page to upload a PHP reverse shell, which will be stored under /content/private/plugins/my_image/image.php:
Article followed: https://packetstormsecurity.com/files/133425/NibbleBlog-4.0.3-Shell-Upload.html
I will use PentestMonkey’s PHP reverse shell and change the IP and port.
Upload the PHP file:
Routing to the PHP file we get a reverse shell as the nibbler user (make sure to set up a nc listener first):
Enumerating the box, we find that it is running Ubuntu with kernel 4.4.0-104:
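The chain above (reading content/private/users.xml, guessing the admin password, uploading through the my_image plugin, then requesting image.php) leaves a recognisable trace in the web server’s access log. As an added example (not part of this write-up or of Nibbleblog), the script below parses Apache combined-format log lines and flags a client that either executes the uploaded image.php or repeatedly POSTs to admin.php. The log lines and IPs are constructed for the example; the paths are the ones used in this write-up.

```python
import re
from collections import defaultdict

# Constructed Apache combined-format log lines (sample data, not logs from the box).
SAMPLE_LOG = """\
10.10.14.5 - - [20/Feb/2021:10:15:32 +0000] "GET /nibbleblog/ HTTP/1.1" 200 2981 "-" "Mozilla/5.0"
10.10.14.5 - - [20/Feb/2021:10:15:40 +0000] "GET /nibbleblog/content/private/users.xml HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.10.14.5 - - [20/Feb/2021:10:16:01 +0000] "POST /nibbleblog/admin.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
10.10.14.5 - - [20/Feb/2021:10:16:03 +0000] "POST /nibbleblog/admin.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
10.10.14.5 - - [20/Feb/2021:10:16:05 +0000] "POST /nibbleblog/admin.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.10.14.5 - - [20/Feb/2021:10:18:20 +0000] "POST /nibbleblog/admin.php?controller=plugins&action=config&plugin=my_image HTTP/1.1" 200 3400 "-" "Mozilla/5.0"
10.10.14.5 - - [20/Feb/2021:10:18:45 +0000] "GET /nibbleblog/content/private/plugins/my_image/image.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.10.14.9 - - [20/Feb/2021:11:02:10 +0000] "GET /nibbleblog/index.php HTTP/1.1" 200 2981 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Stages of the chain, as (method, substring that must appear in the request path).
STAGES = {
    "users_xml_read": ("GET", "/content/private/users.xml"),
    "my_image_upload": ("POST", "plugin=my_image"),
    "webshell_hit": ("GET", "/content/private/plugins/my_image/image.php"),
}

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def analyze(log_text, login_threshold=3):
    """Per client IP: stages observed (in order), plain admin.php POST count, and an alert flag."""
    per_ip = defaultdict(lambda: {"stages": [], "admin_posts": 0, "alert": False})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        entry = per_ip[rec["ip"]]
        for name, (method, needle) in STAGES.items():
            if rec["method"] == method and needle in rec["path"] and name not in entry["stages"]:
                entry["stages"].append(name)
        # Repeated POSTs to admin.php with no query string look like password guessing.
        if rec["method"] == "POST" and rec["path"].endswith("/admin.php"):
            entry["admin_posts"] += 1
    for entry in per_ip.values():
        entry["alert"] = "webshell_hit" in entry["stages"] or entry["admin_posts"] >= login_threshold
    return dict(per_ip)

if __name__ == "__main__":
    for ip, info in analyze(SAMPLE_LOG).items():
        print(ip, info)
```

A request for image.php under content/private/plugins/my_image is worth alerting on by itself, since a legitimate image upload would not be a .php file; the login-guess threshold is a tunable assumption.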
$uname -a && id && groups
Linux Nibbles 4.4.0-104-generic #127-Ubuntu SMP Mon Dec 11 12:16:42 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
uid=1001(nibbler) gid=1001(nibbler) groups=1001(nibbler)
nibbler
This kernel version is vulnerable to CVE-2017-16995. Following https://packetstormsecurity.com/files/148517/Linux-Kernel-Local-Privilege-Escalation.html .
I copied exploit.c onto the box, then ran gcc to compile the C code, ran the exploit and got root:
$gcc exploit.c -o exploit
$./exploit