#2 — OSCP prep: HTB — Nibbles

Christian Manalaysay
4 min read · Aug 24, 2021

My walkthrough of a Hack The Box retired machine.

Machine: Nibbles
IP: 10.129.202.148
OS: Linux
Difficulty: Easy

Reconnaissance

Let’s start with an Nmap scan of the target machine to find out which ports are open and which services are running on them.

SYNTAX:
sudo nmap -T4 -v -p- 10.129.202.148
sudo nmap -T4 -sC -sV -p22,80 -oN nmap_nibbles.txt 10.129.202.148

Figure 1.0 — Nmap port scan results

From the nmap scan, we find that port 80 is open. Let’s head over to the website and see what kind of information we can find.

There is nothing but “Hello world!” text on the index page of the website. However, checking the source code reveals a hidden directory.

Figure 1.1 — Index page source code

Upon navigation to this poorly hidden nibbleblog/ directory, we are presented with a blog.

Figure 1.2 — Blog page found

There’s nothing useful for us on this blog, so let’s look for other directories and files using Gobuster.

SYNTAX:
gobuster dir -u <target URL> -w <wordlist> -x <extensions>

Figure 1.3 — Gobuster scan results

The page at nibbleblog/update.php exposes the Nibbleblog version in use, which is Nibbleblog 4.0.3.

Figure 1.4 — Information disclosure

An admin login page was also found at nibbleblog/admin.php.

Figure 1.5 — Admin login page

I was able to successfully blind log in by using the credentials “admin:nibbles”. The username admin is very common, so I tried a couple of passwords such as admin, nibbleblog, nibble, and got lucky with nibbles. Upon successful login, I was greeted with a management dashboard for Nibbleblog.

Figure 1.6 — Nibbleblog dashboard

Using the previous information found about the current Nibbleblog version, I was able to find CVE-2015-6967, which allows unrestricted file uploads and remote code execution.

Figure 1.7 — CVE-2015-6967

Initial Access Into The System

I used the My Image plugin to upload a PHP reverse shell called shell.php, and according to the CVE-2015-6967 description, this file should be accessible at content/private/plugins/my_image.

Figure 1.8 — Image upload page

I navigated to the directory of our uploaded PHP reverse shell file and started up a netcat listener. All we need to do now is access the file, and we should get a shell! We’ve now gained our initial access into the system.

Figure 1.9 — Getting a shell
Figure 2.0 — User flag

Privilege Escalation

Now that we’ve gained user access into the system, let’s try to escalate our privileges and gain root access.

However, before moving on, let’s improve our shell.

Figure 2.1 — Improving our shell

When I first get a shell on a system, I always check to see if I can run commands with sudo. It seems that we can use a specific path to run a monitor.sh shell script file with sudo and no password as root.

Figure 2.2 — Checking sudo privileges

Let’s modify the shell script file to simply call /bin/bash -p.

Figure 2.3 — Modifying the shell script file

Let’s now run sudo /home/nibbler/personal/stuff/monitor.sh and see what happens.

Figure 2.4 — Becoming root

We successfully gained root access to the system!

Figure 2.5 — Root flag
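
Why this escalation worked, as an added example (not part of the original walkthrough): sudo was allowed to run a script that sits under directories the nibbler user controls, so the user could replace its contents. The audit sketch below extracts NOPASSWD command paths from `sudo -l` output and flags every path component a non-root user owns or can write; the sample `sudo -l` line, uid 1001 and the `FAKE_FS` table are constructed so it runs offline.

```python
import os
import re
import stat
from types import SimpleNamespace

NOPASSWD_RE = re.compile(r"NOPASSWD:[ \t]*(.+)$", re.M)  # command list of an entry

def nopasswd_commands(sudo_l_output):
    """Return the absolute command paths of NOPASSWD entries in `sudo -l` text."""
    paths = []
    for entry in NOPASSWD_RE.findall(sudo_l_output):
        for cmd in entry.split(","):
            if cmd.strip().startswith("/"):
                paths.append(cmd.split()[0])  # drop any fixed arguments
    return paths

def untrusted_writers(path, stat_fn=os.stat, trusted_uids=(0,)):
    """List (component, reason) pairs that let a non-root user replace `path`."""
    findings, current = [], os.path.normpath(path)
    while True:
        try:
            st = stat_fn(current)
        except FileNotFoundError:
            findings.append((current, "does not exist"))  # dangling sudoers target
        else:
            if st.st_uid not in trusted_uids:
                findings.append((current, f"owned by uid {st.st_uid}"))
            # A sticky directory (like /tmp) does not let others replace entries.
            sticky_dir = stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_ISVTX
            if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH) and not sticky_dir:
                findings.append((current, "group/world writable"))
        parent = os.path.dirname(current)
        if parent == current:  # reached "/"
            return findings
        current = parent

# Constructed sample data (not copied from the page); uid 1001 is an assumption.
TARGET = "/home/nibbler/personal/stuff/monitor.sh"
SAMPLE_SUDO_L = f"    (root) NOPASSWD: {TARGET}\n"
FAKE_FS = {"/": (0, 0o040755), "/home": (0, 0o040755), TARGET: (1001, 0o100777)}
FAKE_FS.update({d: (1001, 0o040755) for d in (
    "/home/nibbler", "/home/nibbler/personal", "/home/nibbler/personal/stuff")})

def fake_stat(path):
    if path not in FAKE_FS:
        raise FileNotFoundError(path)
    return SimpleNamespace(st_uid=FAKE_FS[path][0], st_mode=FAKE_FS[path][1])

if __name__ == "__main__":
    for cmd in nopasswd_commands(SAMPLE_SUDO_L):
        print(cmd, untrusted_writers(cmd, stat_fn=fake_stat))
```

On a real host, omit `stat_fn=fake_stat` so the default `os.stat` is used; any non-empty result means the sudoers entry hands root to whoever controls that component.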

See you on the other side coop.
