Machine - Nibbles - Easy - Linux

  • tags:
PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack ttl 63
80/tcp open  http    syn-ack ttl 63
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
|   256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_  256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.18 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
  • in the http service:
    • there is a subfolder named nibbleblog
    • metasploit says there are multiple SQL injections:
    http://www.example.com/index.php?page=[SQLi]
    http://www.example.com/post.php?idpost=[SQLi]
    
    • nothing in there…
    • I tested the admin folder and I could see all the code
    • there is a path http://10.10.10.75/nibbleblog/README where you can see the version is 4.0.3
    • and in searchsploit there is a specific arbitrary file upload exploit
  • let’s try to upload a shell using the vulnerability
    • we cannot, because we need a user first
  • this is the password-change code we can see in the exposed source:
    // =====================================================================
    //  POST
    // =====================================================================
    if( $_SERVER['REQUEST_METHOD'] == 'POST' )
    {
        // A fresh random salt and the hash of the submitted password
        $new_salt = Text::random_text(11);
        $new_hash = Crypt::get_hash($_POST['pw_new'],$new_salt);
        // The whole admin record (uid, username, hash, salt, email) is rewritten as a PHP file
        $text = '<?php $_USER[0]["uid"] = "0"; $_USER[0]["username"] = "'.$_USER[0]['username'].'"; $_USER[0]["password"] = "'.$new_hash.'"; $_USER[0]["salt"] = "'.$new_salt.'"; $_USER[0]["email"] = "'.$_USER[0]['email'].'"; ?>';
        $file = fopen(FILE_SHADOW, 'w');
        fputs($file, $text);
        fclose($file);
        Session::set_alert($_LANG['PASSWORD_HAS_BEEN_CHANGED_SUCCESSFULLY']);
        // Redirect to Dashboard
        Redirect::controller('admin','dashboard','view');
    }
    
    • download the whole code with wget --spider --recursive $URL
    • in the end the password was admin:nibbles
  • now, with metasploit and the vulnerability we know exists (it only needed a user), we can continue the exploitation :)
    • we got the shell
  • in nibbler's home directory we found a personal.zip that contains a php script
  • if we do a sudo -l
  • we see we can execute the decompressed file as root…
  • I just changed its content to chmod u+s /bin/bash
  • sudo
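From the defender's side, the recon steps above (the README that leaks the version, the browsable admin folder, the recursive wget mirror) all leave a recognisable trail in the Apache access log. The following is an added example, not part of the original notes: a small Python detector run over constructed combined-format log lines (client IPs, timestamps and the extra crawled paths are made up for the sample).

```python
import re
from collections import Counter, defaultdict

# Constructed Apache combined-format log lines; not taken from the write-up.
SAMPLE_LOG = """\
10.10.14.5 - - [10/Jan/2018:10:00:05 +0000] "GET /nibbleblog/README HTTP/1.1" 200 4628 "-" "Mozilla/5.0"
10.10.14.5 - - [10/Jan/2018:10:00:09 +0000] "GET /nibbleblog/admin/ HTTP/1.1" 200 2345 "-" "Mozilla/5.0"
10.10.14.5 - - [10/Jan/2018:10:00:12 +0000] "GET /nibbleblog/admin/a/ HTTP/1.1" 200 800 "-" "Wget/1.19.4 (linux-gnu)"
10.10.14.5 - - [10/Jan/2018:10:00:13 +0000] "GET /nibbleblog/admin/b/ HTTP/1.1" 200 800 "-" "Wget/1.19.4 (linux-gnu)"
10.10.14.5 - - [10/Jan/2018:10:00:13 +0000] "GET /nibbleblog/admin/c/ HTTP/1.1" 200 800 "-" "Wget/1.19.4 (linux-gnu)"
192.168.1.20 - - [10/Jan/2018:10:01:00 +0000] "GET /nibbleblog/index.php HTTP/1.1" 200 1500 "-" "Mozilla/5.0"
192.168.1.20 - - [10/Jan/2018:10:01:02 +0000] "GET /nibbleblog/README HTTP/1.1" 403 210 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Paths the write-up shows being served to an unauthenticated visitor.
VERSION_FILES = {"/nibbleblog/README"}
LISTABLE_DIRS = {"/nibbleblog/admin/"}
CRAWLER_UA_PREFIXES = ("Wget/",)


def parse_line(line):
    """Return the fields of one combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyze(log_text, crawl_threshold=3):
    """Map each client IP to the sorted recon indicators it triggered (2xx only)."""
    findings = defaultdict(set)
    crawler_hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        # A 403 on README means nothing was disclosed, so skip non-2xx responses
        if rec is None or not rec["status"].startswith("2"):
            continue
        ip, path, ua = rec["ip"], rec["path"], rec["ua"]
        if rec["method"] == "GET" and path in VERSION_FILES:
            findings[ip].add("version-disclosure")   # README reveals 4.0.3
        if rec["method"] == "GET" and path in LISTABLE_DIRS:
            findings[ip].add("admin-dir-listing")    # source tree is browsable
        if ua.startswith(CRAWLER_UA_PREFIXES):
            crawler_hits[ip] += 1
            if crawler_hits[ip] >= crawl_threshold:
                findings[ip].add("recursive-crawl")  # wget --recursive style mirror
    return {ip: sorted(tags) for ip, tags in findings.items()}
```

The hardening that makes these alerts moot is to deny listing of the admin directory and to stop serving README alongside the application.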