Nibbles | HTB | Write-up without Metasploit

Nehal Zaman
4 min read, Dec 16, 2020

Nibbles is a retired box on HackTheBox. It appears in TJ_Null's list of OSCP-like VMs. So, let us get started.

SCANNING:

nmap <IP>

A quick nmap scan reveals that ports 22 and 80 are open.

nmap -sV <IP>

The service version scan reveals OpenSSH 7.2p2 running on port 22 and Apache httpd 2.14.18 on port 80.

ENUMERATION:

Since HTTP exposes the largest attack surface, let us begin with that.

If I open the IP in my browser, the page below shows up.

It just says "Hello world!". Nothing interesting. Well, let us check the source of this page.

The source certainly is interesting. If I move over to the /nibbleblog/ directory, the page below shows up.

It seems the Nibbleblog CMS is running on the server.

EXPLOITATION:

After a Google search, I found that Nibbleblog 4.0.3 suffers from a code execution vulnerability via its image upload functionality. The catch is that exploiting it requires the admin credentials, which I do not have. You can learn more about the vulnerability here.

The admin login page is at /nibbleblog/admin.php.

Since I do not see any other way past the admin authentication, I guess the credentials must be very simple (like default credentials).

I tried the following combinations:

admin:admin
admin:password
root:root
root:password
nibbles:nibbles
nibbles:password
admin:nibbles
root:nibbles

Lucky for us, admin:nibbles worked and I got into the admin panel.

Now I just need to configure the My image plugin to upload a PHP reverse shell. I am using Pentest Monkey's php-reverse-shell. You can find it here. Remember to change the IP and port to the ones you will listen on.

Move to /nibbleblog/admin.php?controller=plugins&action=config&plugin=my_image and upload the PHP reverse shell you configured.

Ignore the warnings for now.

Now set up a netcat listener on the port you provided and, in the browser, visit /nibbleblog/content/private/plugins/my_image/image.php. You should get a shell.

I got a shell as the nibbler user.

PRIVILEGE ESCALATION:

Let us check what sudo rights the nibbler user has (if any).

sudo -l

nibbler can run /monitor/stuff/monitor.sh as root without a password.

But if I look at the files in the home directory, there is only a zip file. Let us unzip it and see what is inside.

Now there is the monitor.sh bash script. Since I can run it as root and also write to it, I do not care what is in there: I will overwrite it with my own bash command.

echo '#!/bin/bash
/bin/bash' > personal/stuff/monitor.sh

Fingers crossed. Now just run the script with sudo.

We are root!!
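As an added defender-side check (not part of the original write-up), this POSIX shell script audits a sudoers file for NOPASSWD targets that are missing, group-writable, world-writable or not owned by root, which is the weak setting that made monitor.sh a path to root here. The sample sudoers rule and script files it builds are constructed, and the paths and the nibbler rule are hypothetical.

```shell
#!/bin/sh
# Audit NOPASSWD sudo rules for targets the rule's user could rewrite before sudo runs them.

# Print one command path per line from every NOPASSWD rule in sudoers file $1.
nopasswd_targets() {
  grep 'NOPASSWD:' "$1" | sed 's/.*NOPASSWD:[[:space:]]*//' | tr ',' '\n' |
    awk 'NF { print $1 }'
}

# Classify a sudo target path. Prints one of:
#   missing | world-writable | group-writable | not-root-owned | ok
# Mode bits are read from ls, so the verdict does not depend on who runs the audit.
sudo_target_status() {
  f=$1
  [ -e "$f" ] || { echo missing; return; }
  mode=$(ls -ld "$f" | cut -c1-10)
  owner=$(ls -ld "$f" | awk '{ print $3 }')
  case "$mode" in
    ????????w?) echo world-writable; return ;;
    ?????w????) echo group-writable; return ;;
  esac
  [ "$owner" = root ] || { echo not-root-owned; return; }
  echo ok
}

# Print "path status" for every NOPASSWD target in sudoers file $1.
audit_sudoers() {
  nopasswd_targets "$1" | while read -r path; do
    case "$path" in
      ALL) echo "ALL unrestricted" ;;
      *)   echo "$path $(sudo_target_status "$path")" ;;
    esac
  done
}

# Build a constructed sample (hypothetical paths, not the box's real files):
# one rule granting two scripts, one world-writable and one not. Prints the directory.
make_sample() {
  d=$(mktemp -d)
  mkdir -p "$d/stuff"
  printf '#!/bin/sh\necho monitoring\n' > "$d/stuff/monitor.sh"
  chmod 777 "$d/stuff/monitor.sh"   # the weak setting: anyone can rewrite it
  printf '#!/bin/sh\necho backup\n' > "$d/stuff/backup.sh"
  chmod 755 "$d/stuff/backup.sh"    # no group or world write bit
  printf 'nibbler ALL=(root) NOPASSWD: %s/stuff/monitor.sh, %s/stuff/backup.sh\n' \
    "$d" "$d" > "$d/sudoers"
  echo "$d"
}

# Usage: audit_sudoers /etc/sudoers   (pass "demo" to run it on the constructed sample)
if [ "${1:-}" = demo ]; then audit_sudoers "$(make_sample)/sudoers"; fi
```

On a real host, run it as root against /etc/sudoers and each file under /etc/sudoers.d, and treat anything other than "ok" as a finding to fix (chown root, chmod 755, or drop the rule).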

So, that was the Nibbles box from HackTheBox. Hope you liked it :)

Thank You for reading this writeup. See you again in the next one. Peace.
