Whitelist

Wednesday, March 13, 2019

Nibbles

NIBBLES

- Layout for this exercise:

1 - INTRODUCTION

- The goal of this exercise is to develop a hacking process for the vulnerable machine Nibbles, what is a retired machine from the Hack the Box pentesting platform:

https://www.hackthebox.eu

2 - ENUMERATION

- Nibbles machines's IP is 10.10.10.75:

- Scanning with Nmap, there are just two open ports 22 and 80:

- Scanning deeper:

- Browsing the web page:

- Viewing the source it seems that there is a folder called /nibbleblog:

- Same result with curl:

- Connecting to /nibbleblog it results to be a blogging platform:

- Dirbusting /nibbleblog:

- Dirbusting for files with extensions .php:

- So we have found directories like /admin, /content, /languages and files like admin.php, feed.php, install.php, sitemap.php, update.php

- Let's examine some of the files and directories found with dirb.

- admin.php provides a login form:

- feed.php:

- install.php:

- update.php show that the version used is Nibbleblog 4.0.3 "Coffee":

- sitemap.php:

- /content:

- Going to /nibbleblog/content/private/users.xml we find the username admin:

- /languages:

3 - EXPLOITATION

- CVE-2015-6967 informs about the vulnerability found at Nibbleblog for versions before 4.0.5 (as seen before Nibbles uses versions 4.0.3):

- Metasploit provides a module to exploit this vulnerability:

- Using this module we get a Meterpreter session, passing the parameters username admin (discovered at users.xml) and password nibbles (just guessed):

- Getting a shell:

4 - CAPTURING THE 1st FLAG

- Reading user.txt:

5 - PRIVILEGE ESCALATION

- As expected, access to /root is denied:

- User nibbler has got sudoer privileges over the file monitor.sh:

- There is a file personal.zip at nibblers home folder:

- Unzipping personal.zip we locate monitor.sh (run with root privileges) inside directory /personal/stuff:

- Reading monitor.sh, it seems a script for managing different aspects of nibbles:

- So the privilege escalation plan will be to re-write monitor.sh with some type of backdoor, for instance this one created with Msfvenom:

- Echoing the backdoor to monitor.sh:

- Setting a Netcat listening session at Kali's port 1234:

- Running monitor.sh at nibbles:

- The consequence is a reverse root shell at Kali:

6 - CAPTURING THE 2nd FLAG

- Reading root.txt:

Tuesday, February 5, 2019

Shocker

SHOCKER

- Layout for this exercise:

1 - INTRODUCTION

- The goal of this exercise is to develop a hacking process for the vulnerable machine Shocker, what is a retired machine from the Hack The Box pentesting platform:

https://www.hackthebox.eu

2 - ENUMERATION

- Shocker's IP is 10.10.10.56:

- Scanning with Nmap:

- Scanning deeper ports 80 and 2222:

- Connecting with the browser:

- Dirbusting the web server we find a /cgi-bin folder:

- Dirbusting specifically /cgi-bi for extensions .php, .txt and .sh:

- Downloading user.sh:

3 - EXPLOITATION

- The vulnerability CVE-2014-6271 explains how to exploit the mod_cgi and mod_cgid modules in the Apache HTTP Server:

- We will follow to ways to exploit the vulnerable machine Shocker:

3.1 - Python exploit

- This Python exploit provides a remote shell, just setting up some parameters as explained at the instructions:

https://www.exploit-db.com/exploits/34900