Nibbles (Easy)
Difficulty -> Easy
OS -> Linux
State -> Retired
Tags -> Vulnerability Assessment / Web Application / Security Tools / Software & OS Exploitation / Remote Code Execution / Default Credentials
Then I did an exhaustive scan to learn about the services running on the open ports
I found the HTTP protocol running on port 80, so I opened it in the browser to see what was being served. All I saw was a page with a message, so I reviewed the source code to look for more information
There I found a comment revealing another page under the /nibbleblog route, so I navigated there and found a blog-style site I could explore
I found some interesting routes, the most relevant being /admin.php, so I navigated there and found a simple login page. I tried common credentials to log in, but none of them worked
I needed a username and a password I could log in with, so I went back to the other routes I had found and checked them for this information. I noticed there was a /content route, so I went there to explore it
There I found some exposed folders, so I explored the files contained in them. After examining them I found an interesting file at /content/private/users.xml and, on accessing it, noticed this XML document was leaking some information
That let me know there was an existing user named admin, but it gave me no information about the related password, so I kept searching through the files. Then I checked the config.xml file and noticed the word nibbles was used many times
Even the domain of an email address used this word, which suggested it was the organization's name and made it a candidate for a weak password. I tried to log in at /admin.php using admin as the username and nibbles as the password, and it let me into a new dashboard
So I kept looking for an option that would let me upload a file to the system and abuse the vulnerability. After a while I found a Plugins section, which looked interesting because plugins can sometimes be added from external sources, so I accessed it
There I found some already installed plugins and, after exploring them, the My Image plugin caught my attention because it had an option to upload a picture file, a point that I could abuse
I saw a couple of warnings, but the page told me the file had been uploaded successfully. Then I had to find the location where uploaded files were stored in order to execute it. I went back to searching and after a while found a folder named plugins under /content/private. There I found another folder related to the My Image plugin, so I went there to check its content
I observed that the page kept loading, and checking the listener I noticed I had successfully caught the shell from the web. Then I sanitized the terminal and checked which user I was with the whoami command, which showed I was the nibbler user
Then I navigated to the /home folder, where I found a folder for this user and inside it a user.txt file from which I got the user flag
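From the defender's side, every step of the chain above leaves a trace in the web server's access log: the private CMS files (users.xml, config.xml) being served, repeated login POSTs to /admin.php, and finally a PHP file being requested from the My Image plugin's storage directory. The following detection script is an added example written for this page, not code from the original writeup or from the Nibbleblog project; the log lines are constructed, the /nibbleblog install path and plugin directory are assumed from the writeup, and the login-guess threshold is an assumption to tune.

```python
import re
from collections import defaultdict

# Apache/nginx "combined"-style access log; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

CMS_ROOT = "/nibbleblog"                      # assumed install path, as on this box
PRIVATE_DIR = CMS_ROOT + "/content/private/"  # users.xml and config.xml live here
PLUGIN_UPLOAD_DIR = PRIVATE_DIR + "plugins/my_image/"
ADMIN_PAGE = CMS_ROOT + "/admin.php"
LOGIN_GUESS_THRESHOLD = 5                     # assumed; tune to the site's real traffic

# Constructed sample log, not taken from any real server.
SAMPLE_LOG = """\
10.10.14.2 - - [01/Jan/2024:10:00:01 +0000] "GET /nibbleblog/ HTTP/1.1" 200 2048
10.10.14.2 - - [01/Jan/2024:10:00:05 +0000] "GET /nibbleblog/content/private/users.xml HTTP/1.1" 200 512
10.10.14.2 - - [01/Jan/2024:10:00:07 +0000] "GET /nibbleblog/content/private/config.xml HTTP/1.1" 200 1400
10.10.14.2 - - [01/Jan/2024:10:00:09 +0000] "GET /nibbleblog/admin.php HTTP/1.1" 200 2900
10.10.14.2 - - [01/Jan/2024:10:00:10 +0000] "POST /nibbleblog/admin.php HTTP/1.1" 200 3000
10.10.14.2 - - [01/Jan/2024:10:00:12 +0000] "POST /nibbleblog/admin.php HTTP/1.1" 200 3000
10.10.14.2 - - [01/Jan/2024:10:00:14 +0000] "POST /nibbleblog/admin.php HTTP/1.1" 200 3000
10.10.14.2 - - [01/Jan/2024:10:00:16 +0000] "POST /nibbleblog/admin.php HTTP/1.1" 200 3000
10.10.14.2 - - [01/Jan/2024:10:00:18 +0000] "POST /nibbleblog/admin.php HTTP/1.1" 200 3000
10.10.14.2 - - [01/Jan/2024:10:01:40 +0000] "GET /nibbleblog/content/private/plugins/my_image/image.php HTTP/1.1" 200 0
10.10.14.3 - - [01/Jan/2024:10:02:00 +0000] "GET /nibbleblog/content/public/upload/photo.jpg HTTP/1.1" 200 9000
"""


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"], _, rec["query"] = rec["path"].partition("?")
    return rec


def analyze(lines):
    """Return (source_ip, finding_code, path) tuples for suspicious requests."""
    findings = []
    admin_posts = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path = rec["ip"], rec["path"]
        # 1. A PHP file requested from the image plugin's storage directory:
        #    an uploaded "image" that the web server is executing as code.
        if path.startswith(PLUGIN_UPLOAD_DIR) and path.endswith(".php"):
            findings.append((ip, "php_under_upload_dir", path))
        # 2. CMS-internal XML served successfully to a client: the private
        #    directory should not be reachable over HTTP at all.
        elif path.startswith(PRIVATE_DIR) and path.endswith(".xml") and rec["status"] == 200:
            findings.append((ip, "private_xml_served", path))
        # 3. Repeated POSTs to the admin page from one source: credential guessing.
        #    POSTs without a query string are assumed to be the login form.
        if rec["method"] == "POST" and path == ADMIN_PAGE and not rec["query"]:
            admin_posts[ip] += 1
            if admin_posts[ip] == LOGIN_GUESS_THRESHOLD:
                findings.append((ip, "admin_login_guessing", path))
    return findings


if __name__ == "__main__":
    for ip, code, path in analyze(SAMPLE_LOG.splitlines()):
        print(f"{ip}  {code:24s} {path}")
```

The mitigation each rule points at is the same whether or not the alert fires: deny HTTP access to content/private entirely, rate-limit or lock out repeated admin logins, and configure the server so nothing under an upload directory is ever handed to the PHP interpreter.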
With that, I got the user flag
Answer: 0ac28aeb5d1e8d1808cdd083961381ad
After that, I had to search for a way to escalate privileges. I checked the sudo execution permissions the user had and saw it was allowed to execute a monitor.sh file. But after searching the filesystem, I didn't find the file
Looking again at the contents of the /home/nibbler folder, I noticed a suspicious Zip file, so I decompressed it and checked its contents, which gave me the monitor.sh file I was looking for
Knowing this, I tried modifying the script's content to spawn a shell. I replaced it and checked it had been saved correctly, which the system let me do without issues. Then I ran the script using sudo and gained a shell as the root user
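The root cause here is a sudo rule whose target script does not exist, or lives somewhere the user can write, so the user controls what runs as root. The audit below is an added example written for this page (not part of the original writeup): it parses a sudoers-style rule, resolves the command path, and reports whether the target is missing, writable, or sits in a writable directory. The sudoers line and the home directory used in demo() are constructed; the real rule on the box is not quoted in the writeup.

```python
import os
import shutil
import stat
import tempfile


def parse_sudoers_line(line):
    """Return the command paths granted by one sudoers rule.

    Simplified grammar assumed: "user host=(runas) [TAG:] /cmd1 [args], /cmd2 ..."
    """
    _, _, spec = line.partition("=")
    spec = spec.strip()
    if spec.startswith("("):                      # drop the "(runas)" part
        spec = spec[spec.index(")") + 1:]
    commands = []
    for item in spec.split(","):
        item = item.strip()
        # strip tags such as NOPASSWD: or SETENV: that precede the command
        while ":" in item and not item.startswith("/"):
            item = item.split(":", 1)[1].strip()
        if item:
            commands.append(item.split()[0])      # path only; arguments are ignored
    return commands


def mode_allows_write(st_mode, st_uid, st_gid, uid, gids):
    """Classic owner/group/other check for an unprivileged user (root is not modelled)."""
    if st_uid == uid:
        return bool(st_mode & stat.S_IWUSR)
    if st_gid in gids:
        return bool(st_mode & stat.S_IWGRP)
    return bool(st_mode & stat.S_IWOTH)


def nearest_existing_dir(path):
    """Walk up from path's parent until a directory that exists is found."""
    d = os.path.dirname(path) or "."
    while not os.path.isdir(d):
        d = os.path.dirname(d) or "."
    return d


def audit_sudo_command(path, uid, gids):
    """Return finding codes explaining how the user (uid, gids) could control `path`.

    The sticky bit on directories is not modelled, so parent_writable is a
    conservative signal on directories like /tmp.
    """
    def writable(p):
        st = os.stat(p)
        return mode_allows_write(st.st_mode, st.st_uid, st.st_gid, uid, gids)

    findings = []
    if not os.path.exists(path):
        findings.append("missing")                 # sudo grants a command that isn't there
        if writable(nearest_existing_dir(path)):
            findings.append("ancestor_writable")   # the user can simply create it
    else:
        if writable(path):
            findings.append("target_writable")     # contents can be replaced
        if writable(os.path.dirname(path) or "."):
            findings.append("parent_writable")     # file can be renamed/replaced
    return findings


def demo():
    """Constructed scenario: a rule pointing into the user's own home directory."""
    home = tempfile.mkdtemp(prefix="home_")        # stands in for /home/nibbler
    rule = f"nibbler ALL=(root) NOPASSWD: {home}/personal/stuff/monitor.sh"
    uid, gids = os.getuid(), os.getgroups()
    results = {}
    try:
        for cmd in parse_sudoers_line(rule):
            results["before"] = audit_sudo_command(cmd, uid, gids)
            # the user "restores" the script (as from a zip) under their home
            os.makedirs(os.path.dirname(cmd))
            with open(cmd, "w") as f:
                f.write("#!/bin/bash\necho monitoring\n")
            os.chmod(cmd, 0o755)
            results["after"] = audit_sudo_command(cmd, uid, gids)
    finally:
        shutil.rmtree(home)
    return results


if __name__ == "__main__":
    for phase, codes in demo().items():
        print(phase, codes)
```

A rule passes this audit only when the target and every directory above it are owned by root and not group- or world-writable; anything else means the rule effectively grants the user root.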
Finally, I navigated to the /root folder where I found a root.txt file, and reading its content I got the root flag
With that, I got the root flag and pwned the machine
Answer: 817daf6a75543a65762c919ecc5bcb94
Instead of searching the web, I could check for known vulnerabilities using Metasploit. First I started it and searched for modules related to nibbleblog
I found that an exploit for a File Upload vulnerability existed, so I entered the context of this exploit and found out which parameters I needed to set to execute it
I provided the requested parameters and ran the exploit
After a while, I observed that a meterpreter session had spawned, giving me a shell as the user nibbler. With this, I could continue with the rest of the process
I started by making an initial port scan using
To learn more about the HTTP protocol you can go
After exploring the page, I didn't find anything relevant; the only hint the site gave me was that it was powered by the nibbleblog CMS. So, in an attempt to find possible hidden directories or routes, I fuzzed the route with the help of and a dictionary from
After that, I explored the sections of the page searching for any possible vulnerability. As I didn't find anything at first sight, I searched for possible CVEs for this CMS. After a little research, I found a with an exploit for CVE-2015-6967 related to the CMS. That would let me abuse a File Upload vulnerability to gain a reverse shell, but first I needed to find a point for uploading a file
To learn more about File Upload exploitation you can go
To do so, I could create a script to get a Reverse Shell and upload it in this section. I also confirmed that the page was based on PHP with the help of , so I created a basic script in this language with the payload and uploaded it
To learn more about how to create a script for a Reverse Shell you can go
Unfortunately, I found a PHP file named image.php, but it wasn't the one I had uploaded. Maybe the name had been changed automatically by the web service, so I assumed this only file was the one containing my reverse shell payload. To confirm this, I created a listener on my machine on the same port specified in the script and then accessed the file
To learn about the sanitization process you can go