Wednesday, March 13, 2019

Nibbles


NIBBLES

- Layout for this exercise:





1 - INTRODUCTION

-  The goal of this exercise is to develop a hacking process for the vulnerable machine Nibbles, what is a retired machine from the Hack the Box pentesting platform:

https://www.hackthebox.eu


2 - ENUMERATION

- Nibbles machines's IP is 10.10.10.75:





- Scanning with Nmap, there are just two open ports 22 and 80:




- Scanning deeper:





- Browsing the web page:




- Viewing the source it seems that there is a folder called /nibbleblog:





- Same result with curl:





- Connecting to /nibbleblog it results to be a blogging platform:





- Dirbusting /nibbleblog:







- Dirbusting for files with extensions .php:





- So we have found directories like /admin, /content, /languages and files like admin.php, feed.php, install.php, sitemap.php, update.php

- Let's examine some of the files and directories found with dirb.

- admin.php provides a login form:





- feed.php:





- install.php:




- update.php show that the version used is Nibbleblog 4.0.3 "Coffee":




- sitemap.php:




- /content:




- Going to /nibbleblog/content/private/users.xml we find the username admin:




- /languages:




3 - EXPLOITATION

- CVE-2015-6967 informs about the vulnerability found at Nibbleblog for versions before 4.0.5 (as seen before Nibbles uses versions 4.0.3):





- Metasploit provides a module to exploit this vulnerability:






- Using this module we get a Meterpreter session, passing the parameters username admin (discovered at  users.xml) and password nibbles (just guessed):










- Getting a shell:








4 - CAPTURING THE 1st FLAG

- Reading user.txt:





5 - PRIVILEGE ESCALATION

- As expected, access to /root is denied:





- User nibbler has got sudoer privileges over the file monitor.sh:





- There is a file personal.zip at nibblers home folder:





- Unzipping personal.zip we locate monitor.sh (run with root privileges) inside directory /personal/stuff:





- Reading monitor.sh, it seems a script for managing different aspects of nibbles:





- So the privilege escalation plan will be to re-write monitor.sh with some type of backdoor, for instance this one created with Msfvenom:





- Echoing the backdoor to monitor.sh:








- Setting a Netcat listening session at Kali's port 1234:




- Running monitor.sh at nibbles:




- The consequence is a reverse root shell at Kali:





6 - CAPTURING THE 2nd FLAG

- Reading root.txt: