#2 — OSCP prep: HTB — Nibbles
My walkthrough of a Hack The Box retired machine.
Machine: Nibbles
IP: 10.129.202.148
OS: Linux
Difficulty: Easy
Reconnaissance
Let’s start with an Nmap scan of the target machine to find out which ports are open and what services are running on them.
SYNTAX:
sudo nmap -T4 -v -p- 10.129.202.148
sudo nmap -T4 -sC -sV -p22,80 -oN nmap_nibbles.txt 10.129.202.148
The scan shows ports 22 and 80 open. Let’s head over to the website on port 80 and see what kind of information we can find.
There is nothing but “Hello world!” text on the index page of the website. However, checking the source code reveals a hidden directory.
Navigating to this poorly hidden nibbleblog/ directory, we are presented with a blog.
There’s nothing useful for us on this blog, so let’s look for other directories and files using Gobuster.
SYNTAX:
gobuster dir -u <target URL> -w <wordlist> -x <extensions>
The page at nibbleblog/update.php exposes the Nibbleblog version in use, which is Nibbleblog 4.0.3.
An admin login page was also found at nibbleblog/admin.php.
I was able to log in blind using the credentials “admin:nibbles”. The username admin is very common, so I tried a couple of passwords such as admin, nibbleblog, nibble, and got lucky with nibbles. Upon successful login, I was greeted with a management dashboard for Nibbleblog.
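From the defender's side, both the Gobuster enumeration and the password guessing against admin.php described above leave a distinctive trace in the web server's access log. The script below is an added example (it is not part of this walkthrough or of Nibbleblog): it parses Apache common-format log lines and flags any client that produces a burst of 404 responses, or repeated POSTs to the login page, within a single minute. The log lines, client addresses, login path and thresholds are constructed for the demo.

```python
# Added example, not part of the original walkthrough: spot directory
# brute-forcing and login guessing against the blog's admin page in
# Apache common-format access logs.
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log: the client addresses, timestamps and paths are made up.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET / HTTP/1.1" 200 93
192.0.2.10 - - [01/Jan/2024:10:00:05 +0000] "GET /nibbleblog/ HTTP/1.1" 200 4122
10.10.14.5 - - [01/Jan/2024:10:01:00 +0000] "GET /nibbleblog/backup/ HTTP/1.1" 404 274
10.10.14.5 - - [01/Jan/2024:10:01:00 +0000] "GET /nibbleblog/test.php HTTP/1.1" 404 274
10.10.14.5 - - [01/Jan/2024:10:01:01 +0000] "GET /nibbleblog/old.txt HTTP/1.1" 404 274
10.10.14.5 - - [01/Jan/2024:10:01:01 +0000] "GET /nibbleblog/dev/ HTTP/1.1" 404 274
10.10.14.5 - - [01/Jan/2024:10:01:01 +0000] "GET /nibbleblog/tmp/ HTTP/1.1" 404 274
10.10.14.5 - - [01/Jan/2024:10:01:02 +0000] "GET /nibbleblog/update.php HTTP/1.1" 200 1536
10.10.14.5 - - [01/Jan/2024:10:02:10 +0000] "POST /nibbleblog/admin.php HTTP/1.1" 200 2200
10.10.14.5 - - [01/Jan/2024:10:02:12 +0000] "POST /nibbleblog/admin.php HTTP/1.1" 200 2200
10.10.14.5 - - [01/Jan/2024:10:02:14 +0000] "POST /nibbleblog/admin.php HTTP/1.1" 200 2200
10.10.14.5 - - [01/Jan/2024:10:02:16 +0000] "POST /nibbleblog/admin.php HTTP/1.1" 302 0
"""


def parse_log(text):
    """Return one dict (ip, ts, method, path, status) per well-formed log line."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def _minute(ts):
    # "01/Jan/2024:10:01:00 +0000" -> "01/Jan/2024:10:01" (one-minute bucket)
    return ts[:17]


def _bursts(entries, matches, threshold):
    """Map ip -> largest number of matching requests seen in any one minute,
    keeping only clients that reached the threshold."""
    buckets = defaultdict(int)
    for e in entries:
        if matches(e):
            buckets[(e["ip"], _minute(e["ts"]))] += 1
    worst = {}
    for (ip, _), n in buckets.items():
        if n >= threshold:
            worst[ip] = max(worst.get(ip, 0), n)
    return worst


def find_enumeration(entries, min_404=5):
    """Clients producing at least min_404 'not found' responses within one
    minute: the trace a wordlist scanner such as Gobuster leaves behind."""
    return _bursts(entries, lambda e: e["status"] == "404", min_404)


def find_login_guessing(entries, login_path="/nibbleblog/admin.php", min_posts=3):
    """Clients posting to the login page at least min_posts times in one minute."""
    return _bursts(
        entries,
        lambda e: e["method"] == "POST" and e["path"].split("?", 1)[0] == login_path,
        min_posts,
    )


def analyze(text):
    entries = parse_log(text)
    return {
        "enumeration": find_enumeration(entries),
        "login_guessing": find_login_guessing(entries),
    }


if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_LOG).items():
        for ip, n in hits.items():
            print(f"{kind}: {ip} ({n} matching requests within one minute)")
```

On the sample above only 10.10.14.5 is reported, once for the five 404s in the 10:01 minute and once for the four POSTs to admin.php in the 10:02 minute; the legitimate visitor at 192.0.2.10 never reaches either threshold. The one-minute bucketing is deliberately crude; a sliding window or a rate limiter in front of admin.php would be the production equivalent.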
Using the previous information found about the current Nibbleblog version, I was able to find CVE-2015-6967, which allows unrestricted file uploads and remote code execution.
Initial Access Into The System
I used the My Image plugin to upload a PHP reverse shell called shell.php, and according to the CVE-2015-6967 description, this file should be accessible at content/private/plugins/my_image.
I navigated to the directory of our uploaded PHP reverse shell file and started up a netcat listener. All we need to do now is access the file, and we should get a shell! We’ve now gained our initial access into the system.
Privilege Escalation
Now that we’ve gained user access into the system, let’s try to escalate our privileges and gain root access.
However, before moving on, let’s improve our shell.
When I first get a shell on a system, I always check to see if I can run commands with sudo. It seems that we can run a specific monitor.sh shell script with sudo as root and without a password.
Let’s modify the shell script file to simply call /bin/bash -p.
Let’s now run sudo /home/nibbler/personal/stuff/monitor.sh and see what happens.
We successfully gained root access to the system!
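The root cause here is a sudo rule that lets a user run, without a password, a script that the same user can edit. The script below is an added example (not from this walkthrough, from Hack The Box, or from any system tool) of how an administrator could audit /etc/sudoers for that pattern: it parses user specification lines, takes each command's path, and reports targets whose file, or whose parent directory, is writable by the rule's user. The demo builds the scenario in a temporary directory with constructed paths, and it maps the user name in the rule to the current process's own uid and groups; a real audit would resolve the name with pwd.getpwnam instead.

```python
# Added example, not from the walkthrough or any HTB material: audit sudoers
# rules for NOPASSWD commands that the rule's own user could modify.
import os
import re
import stat
import tempfile

# Matches a user specification such as:
#   nibbler ALL=(root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)


def parse_sudoers(text):
    """Return one dict per command in every user specification line."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = {t for t in m.group("tags").replace(" ", "").split(":") if t}
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            if not cmd:
                continue
            rules.append({
                "user": m.group("user"),
                "runas": (m.group("runas") or "root").strip(),
                "nopasswd": "NOPASSWD" in tags,
                "path": cmd.split()[0],               # command path without arguments
            })
    return rules


def writable_by(st, uid, gids):
    """Mode-bit check: could a process with this uid/gids write the inode?"""
    mode = st.st_mode
    if st.st_uid == uid and mode & stat.S_IWUSR:
        return True
    if st.st_gid in gids and mode & stat.S_IWGRP:
        return True
    return bool(mode & stat.S_IWOTH)


def audit_sudoers(text, uid_of, stat_fn=os.stat):
    """uid_of(username) -> (uid, set_of_gids). Returns (path, reason) findings."""
    findings = []
    for rule in parse_sudoers(text):
        path = rule["path"]
        if path == "ALL" or not path.startswith("/"):
            continue                                  # wildcards are out of scope here
        uid, gids = uid_of(rule["user"])
        try:
            file_st = stat_fn(path)
            dir_st = stat_fn(os.path.dirname(path))
        except FileNotFoundError:
            findings.append((path, "target does not exist"))
            continue
        if writable_by(file_st, uid, gids):
            findings.append((path, "target file is writable by the rule's user"))
        elif writable_by(dir_st, uid, gids):
            findings.append((path, "parent directory is writable; file can be replaced"))
    return findings


def demo():
    """Constructed scenario mirroring the box: a NOPASSWD rule on a script that
    lives in the user's own home directory, beside a correctly locked-down one."""
    with tempfile.TemporaryDirectory() as home:
        stuff = os.path.join(home, "personal", "stuff")
        os.makedirs(stuff)
        risky = os.path.join(stuff, "monitor.sh")
        with open(risky, "w") as f:
            f.write("#!/bin/bash\necho monitoring\n")
        os.chmod(risky, 0o755)                        # owner (the user) can write it
        safe_dir = os.path.join(home, "opt")
        os.makedirs(safe_dir)
        safe = os.path.join(safe_dir, "backup.sh")
        with open(safe, "w") as f:
            f.write("#!/bin/bash\necho backup\n")
        os.chmod(safe, 0o555)
        os.chmod(safe_dir, 0o555)                     # neither file nor directory writable
        sudoers = f"""
Defaults env_reset
root    ALL=(ALL:ALL) ALL
nibbler ALL=(root) NOPASSWD: {risky}
nibbler ALL=(root) NOPASSWD: {safe}
"""
        me = (os.getuid(), set(os.getgroups()))       # stands in for pwd.getpwnam("nibbler")
        try:
            return audit_sudoers(sudoers, lambda user: me)
        finally:
            os.chmod(safe_dir, 0o755)                 # let TemporaryDirectory clean up


if __name__ == "__main__":
    for path, reason in demo():
        print(f"RISK {path}: {reason}")
```

Only the monitor.sh rule is reported; backup.sh passes because both the file and its directory are read-only for the user. The fix on a real host is the same in either direction: have sudo targets owned by root and not writable by anyone else, or drop the NOPASSWD rule.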