HTB Nibbles

I recently got back on the bandwagon of CTFs and worked on Nibbles from Hack The Box today. As always I started with an nmap scan: nmap -p- -T5 -A 10.10.10.75 -oN nibbles_nmap.txt. I hit all 65535 ports with -p-; with this being on HTB I’m not worried about being detected by blue teamers, so I went with -T5 for the quickest scan and -A to enable OS detection, version detection, script scanning, and traceroute all at once and reduce the number of scans run. I also like to save the results to a file so that I can come back later without having to scroll back up to find them or rely on having screenshotted everything.

(Screenshot: nmap results for Nibbles)

The first thing I saw is that Nibbles has SSH running on 22 and Apache httpd 2.4.18 on 80. Navigating to the HTTP site in Firefox gave a basic page with only “Hello world!” on it.

I went ahead and hit it with gobuster using the dirb common.txt wordlist and didn’t get any meaningful results back.


I tried a couple of other wordlists before I checked the page source and saw another directory in a comment.


I navigated to that directory in Firefox and got what looked like an empty blog.

I kicked off a nikto scan with nikto -h http://10.10.10.75/nibbleblog >> nibbles_nikto.txt; the first things I noticed were an admin.php page and a README file.

Checking the README told me it is running Nibbleblog v4.0.3.

Another gobuster scan on http://10.10.10.75/nibbleblog/ with the dirbuster wordlist directory-list-2.3-medium.txt netted me a couple of other directories on the site.

Searching Google for Nibbleblog 4.0.3 exploits led to the packetstormsecurity Nibble 4.0.3 Shell Upload and a Metasploit module by Rapid7.

The only problem with these exploits is that they depend on being authenticated to the web app. I went to admin.php and entered test credentials to capture the request in Burp so I could try to brute force it with Intruder.

From Proxy in Burp I caught the request and right-clicked it to send it to Intruder. In Intruder I changed the attack type to Cluster bomb, manually cleared the default payload positions, and selected the username and password fields.

For payload 1 I used top-usernames-shortlist.txt and for payload 2 10-million-password-list-top-10000.txt, both from Daniel Miessler’s SecLists.

I started the attack and monitored the results. Almost immediately I noticed that the response length returned by the server changed and saw that my IP had been blacklisted.

I did some snooping around the directories and found the user list at nibbleblog/content/private/users.xml; this file also contains the blacklist. There is a single user listed, admin, and my HTB VPN IP was in the blacklist.

Further investigation led me to nibbleblog/admin/boot/rules/3-variables.bit, which is where all the variables are defined, including the blacklist criteria of 5 failed login attempts and a blacklist time of 5 minutes.
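The lockout behaviour that stopped the Intruder run is worth seeing from the defender's side. The block below is an added example, not Nibbleblog's code (its real logic lives in the PHP rule files mentioned above): a constructed Python model of a per-IP failed-login blacklist with the two parameters the text describes, 5 failures and a 5-minute block. The credential store and IP addresses in it are placeholders, and the clock is injectable so the expiry can be exercised offline.

```python
"""Model of a per-IP failed-login blacklist (added example, not Nibbleblog's code).

Behaviour modelled from the text: after 5 failed logins from one source IP
that IP is blacklisted for 5 minutes, and requests from it get a different
(blocked) response until the block expires.
"""
import hmac
import time
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Callable, Deque, Dict

# Constructed credential store with a placeholder password; not from the box.
USERS = {"admin": "placeholder-password"}


class FakeClock:
    """Deterministic clock so the 5-minute expiry can be tested offline."""

    def __init__(self, start: float = 1000.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


@dataclass
class LoginThrottle:
    """Track failed logins per source IP and blacklist an IP after too many."""

    max_failures: int = 5            # blacklist after this many failures (from the text)
    block_seconds: float = 300.0     # blacklist time: 5 minutes (from the text)
    clock: Callable[[], float] = time.monotonic
    _failures: Dict[str, Deque[float]] = field(default_factory=lambda: defaultdict(deque))
    _blocked_until: Dict[str, float] = field(default_factory=dict)

    def is_blocked(self, ip: str) -> bool:
        until = self._blocked_until.get(ip)
        if until is None:
            return False
        if self.clock() >= until:
            # Block expired: forget it and start counting afresh.
            del self._blocked_until[ip]
            self._failures.pop(ip, None)
            return False
        return True

    def record_failure(self, ip: str) -> bool:
        """Record one failed attempt; return True if the IP is now blocked."""
        if self.is_blocked(ip):
            return True
        now = self.clock()
        window = self._failures[ip]
        window.append(now)
        # Only failures inside the block window count towards the threshold.
        while window and now - window[0] > self.block_seconds:
            window.popleft()
        if len(window) >= self.max_failures:
            self._blocked_until[ip] = now + self.block_seconds
            return True
        return False

    def record_success(self, ip: str) -> None:
        self._failures.pop(ip, None)


def attempt_login(throttle: LoginThrottle, ip: str, username: str, password: str) -> str:
    """Return "ok", "invalid" or "blocked" for one login attempt from ip."""
    if throttle.is_blocked(ip):
        return "blocked"
    expected = USERS.get(username, "")
    # Constant-time comparison; a missing user compares against "" and fails.
    if expected and hmac.compare_digest(expected, password):
        throttle.record_success(ip)
        return "ok"
    return "blocked" if throttle.record_failure(ip) else "invalid"


if __name__ == "__main__":
    clock = FakeClock()
    throttle = LoginThrottle(clock=clock)
    for _ in range(6):                      # a short constructed guessing run
        print(attempt_login(throttle, "198.51.100.7", "admin", "wrong"))
    clock.advance(300)                      # wait out the 5-minute block
    print(attempt_login(throttle, "198.51.100.7", "admin", "placeholder-password"))
```

Two points the model makes concrete: once the threshold is hit even the correct password is refused until the block lapses, which is why a differing response length is the tell for a blocked brute force, and the counter is per IP, so a five-minute block only slows a guessing run rather than stopping it.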

Once my IP was no longer blocked, I went back to the admin page and tried admin and nibbles, since admins are lazy and nibbles is the name of the box. That was the correct password and I got to the admin dashboard; on the right you can see my brute force attempts.

Step 1 of the file upload was complete: I was authenticated. Even though Metasploit has an exploit for this, I decided to do it manually. I copied the basic PHP reverse shell from /usr/share/webshells/php/php_reverse_shell.php and modified it to use my IP and chosen port.

I named the shell shell.php and uploaded it to the server through the My Image plugin. I navigated to nibbleblog/content/private/plugins/my_image/ and saw that my shell had been uploaded and renamed to image.php.
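The renaming to image.php shows the plugin picked the name but never checked the content, which is the defect that turns an image upload into code execution. As an added example that is not Nibbleblog's code, the validator below shows the server-side check that would have refused shell.php: an extension allowlist, a magic-byte check that the bytes really are the claimed image type, and a server-generated filename whose extension comes from the detected type rather than from the client. The sample uploads at the bottom are constructed.

```python
"""Image-upload validation (added example, not Nibbleblog's code)."""
import os
import secrets
from typing import Optional, Tuple

# Leading-byte signatures for the image types we are willing to store.
IMAGE_SIGNATURES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif"}


def detect_image_type(data: bytes) -> Optional[str]:
    """Return the image type implied by the file's leading bytes, or None."""
    for kind, signature in IMAGE_SIGNATURES.items():
        if data.startswith(signature):
            return kind
    return None


def validate_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason) or (accepted, safe_server_side_name)."""
    base = os.path.basename(filename)
    if not base or "\x00" in base or base != filename:
        return False, "rejected: invalid filename"          # path or NUL tricks
    parts = base.lower().rsplit(".", 1)
    if len(parts) != 2 or parts[1] not in ALLOWED_EXTENSIONS:
        return False, "rejected: extension not allowed"     # catches .php outright
    claimed = "jpg" if parts[1] == "jpeg" else parts[1]
    detected = detect_image_type(data)
    if detected is None:
        return False, "rejected: content is not a recognised image"
    if detected != claimed:
        return False, f"rejected: extension .{parts[1]} does not match content ({detected})"
    # Never reuse the client's name; the stored extension comes from detection,
    # so nothing the uploader controls decides how the web server treats the file.
    return True, f"{secrets.token_hex(8)}.{detected}"


if __name__ == "__main__":
    # Constructed samples: a minimal PNG header and a harmless PHP snippet.
    png_bytes = IMAGE_SIGNATURES["png"] + b"\x00" * 16
    php_bytes = b"<?php echo 'hello'; ?>"
    for name, data in [("shell.php", php_bytes), ("pic.png", php_bytes),
                       ("pic.jpg", png_bytes), ("pic.png", png_bytes)]:
        print(name, "->", validate_upload(name, data))
```

Checking magic bytes alone is not enough (a valid image can carry PHP in a comment chunk), which is why the stored name and extension are chosen by the server and the directory should also be served without script execution.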

I set up my local netcat listener, navigated to image.php, and waited for my reverse shell to spawn.

As soon as my shell spawned I saw that the web server was running as nibbler. My first step was to upgrade my shell to something that provides better control. I started with

    $ python3 -c 'import pty;pty.spawn("/bin/bash")'
    nibbler@Nibbles:/$ export TERM=xterm

I then sent the shell to the background with Ctrl-Z and, in bash on my local box, ran

    stty raw -echo; fg

This gives me a bash shell with tab completion and history, and I can control processes with Ctrl-C or Ctrl-Z. If the terminal acts funny, typing reset and pressing Enter should fix it. Now on to finishing the box: I immediately cat user.txt.

Also in nibbler's home directory there is a zip archive named personal.zip. I unzipped it and it only had monitor.sh in it, which is based on a script from tecmint that lists information about the box.

The script tells me that this box is running Ubuntu 16.04.3 with kernel 4.4.0-104. Searching for exploits for the kernel leads to CVE-2017-16995, with two exploits on exploit-db.com: 44298 and 45010. I went with 45010 since it seemed to need no modifications. I copied it from its location in /usr/share/exploitdb to my working directory, compiled it to get-rekt, spun up a Python web server to transfer it to Nibbles, grabbed it on Nibbles with wget, and finally chmod'd it to make it executable.

Ran it and got root.
