CTF Walkthroughs, Hack The Box

Hack The Box – Nibbles Walkthrough

March 2, 2021 | by Stefano Lanaro | Leave a comment

Introduction

This was a fairly easy Linux box that involved exploiting an arbitrary file upload vulnerability in the My Image plugin of the Nibbleblog web application in order to upload a reverse shell, and a script with sudo permissions allowed to escalate privileges to root.

Enumeration

The first thing to do is to run a TCP Nmap scan against the 1000 most common ports, and using the following flags:

  • -sC to run default scripts
  • -sV to enumerate applications versions
  • -Pn to skip the host discovery phase, as some hosts will not respond to ping requests

Enumerating HTTP

When navigating to the web server with Firefox, the following page is displayed:

Upon further inspection of the page’s source code, an interesting comment is identified:

This seems to refer to a directory on the web server.

When navigating to the /nibbleblog directory, this takes to a “Nibbles” blog:

The next step is to run a scan to find hidden files or directories using Gobuster, with the following flags:

  • dir to specify the scan should be done against directories and files
  • -u to specify the target url
  • -w to specify the word list to use

An “admin.php” entry was found by Gobuster which seems interesting. Upon navigating to the admin page, a login prompt is displayed, asking for a username and a password:

After trying a few common usernames and passwords, the admin/nibbles combination has worked:

This has allowed to authenticate to a “nibbleblog” web application. Judging by the README file found earlier by Gobuster, it seems to be version 4.0.3

Exploiting Nibblelog

Using the SearchSploit to identify possible vulnerabilities in this version of Nibbleblog

This has identified a Metasploit module that can be used to exploit an arbitrary file upload vulnerability, which would allow an attacker to upload and execute a PHP reverse shell.

Starting MSFconsole, searching for the exploit and selecting it. Viewing the available options:

Setting the following options in MSFconsole:

  • USERNAME to specify the username to be used for Nibbleblog
  • PASSWORD to specify the password to be used for Nibbleblog
  • RHOST to specify the target host IP address
  • TARGETURI to specify the directory used to access Nibbleblog
  • LHOST to specify the local host IP address to connect to
  • LPORT to specify the local port to connect to

In this case the list of available payloads is restricted, therefore using the PHP reverse TCP Meterpreter payload:

Running the exploit:

This has granted a Meterpreter shell connecting to the victim host.

Manual Exploitation

After some online research, a manual exploit for this vulnerability can be found: NibbleBlog 4.0.3: Code Execution

This requires to activate the “My Image” Nibbleblog plugin, which allows to upload arbitrary files. When navigating to the plugins page it seems to be enabled already:

Copying the Laudanum PHP reverse shell to the working directory and updating the IP address and port:

Uploading it through the attachment field in the My Image plugin:

The next step is to set up a Netcat listener, which will catch our reverse shell when it is executed by the victim host, using the following flags:

  • -l to listen for incoming connections
  • -v for verbose output
  • -n to skip the DNS lookup
  • -p to specify the port to listen on

Visiting the /nibbleblog/content/private/plugins/my_image/image.php page, therefore triggering the reverse shell:

A call back was received, therefore granting a reverse shell to the target:

The following steps can be done to obtain an interactive shell:

  • Running “python -c ‘import pty; pty.spawn(“/bin/sh”)’” on the victim host
  • Hitting CTRL+Z to background the process and go back to our host
  • Running “stty raw -echo” on our host
  • Hitting “fg + ENTER” to go back to our reverse shell

Privilege Escalation

When enumerating common files, a personal.zip file can be found in the nibbler user’s home directory:

Using the zip command-line tool to extract the files in the personal.zip archive:

Running sudo -l to check if the current user is allowed to run any command or script using sudo:

It looks like the nibbler user is allowed to run the monitor.sh bash script that was in the personal.zip archive.

Navigating to the folder where the script is stored, adding an extra line to execute the “id” command and save the output of it to a /tmp/test file in order to confirm the script is being executed as root.

It appears the script was executed as root.

Adding a new line to the script to create a SUID version of the /bin/bash binary:

After executing the new SUID bash binary with the -p flag, which allows to execute binaries as the owner of it, this grants root access to the host:

Conclusion

This was quite an interesting box, and just another example of how seemingly innocuous plugins used by web applications can often pose a great threat to the application itself as well as the web server, potentially allowing attackers to gain complete access to the remote server and its network.