Nibbles
This is my write-up for the machine Nibbles on Hack The Box located at: https://app.hackthebox.com/machines/Nibbles.
nmap: nmap 10.10.10.75
We see that two ports are open: SSH and HTTP. Going to port 80, we see the following:
In the source code, I saw something interesting:
Meanwhile, I had run a deeper nmap scan (nmap -T4 -A -v 10.10.10.75 -oN nibbles.nmap) to see whether it turned up anything different. It did not:
Going to the directory from above, we see the following:
I then ran feroxbuster against the target (feroxbuster -u http://10.10.10.75/nibbleblog/ -w directory-list-lowercase-2.3-medium.txt) to see what other directories were there. It found a lot:
Looking through the website I found the following:
I then looked up the author's name, and this turns out to be a CMS application:
I then ran git clone https://github.com/dignajar/nibbleblog.git to download the source, but I also checked Metasploit to see if there was an existing exploit module. Turns out there was:
I then found this video write-up, which made me realize my search had overlooked a crucial page: the admin login page. I looked at what software the person in the video was using, and they were using dirsearch. I did the same and was able to find the page:
I now had to brute-force the username and password. I followed this website to see what parameters I needed for my Hydra command. I then ran hydra -l admin -P rockyou.txt 10.10.10.75 http-post-form "/nibbleblog/admin.php:username=admin&password=^PASS^:Incorrect username or password." and got the following:
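From the defender's side, a hydra run like the one above shows up in the web server's access log as a burst of POSTs to /nibbleblog/admin.php from a single address. Here is an added Python example (my own, not part of the original write-up or of the Nibbleblog project) that flags that pattern in Apache combined-format logs; the log lines, IP addresses and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache "combined" log line: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def detect_login_bruteforce(log_lines, path="/nibbleblog/admin.php",
                            threshold=10, window_seconds=60):
    """Return {ip: peak_count} for every client that POSTed to `path`
    at least `threshold` times inside any `window_seconds` sliding window."""
    recent = defaultdict(deque)   # ip -> timestamps of its recent POSTs
    flagged = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or m["path"] != path:
            continue
        ts = datetime.strptime(m["ts"], TS_FMT)
        q = recent[m["ip"]]
        q.append(ts)
        # Drop attempts that fell out of the window (log lines are assumed chronological per client).
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            flagged[m["ip"]] = max(flagged.get(m["ip"], 0), len(q))
    return flagged

# Constructed sample: twelve rapid login POSTs from one client,
# plus ordinary browsing and a single login from another.
SAMPLE_LOG = [
    f'10.10.14.5 - - [01/Mar/2024:10:00:{i:02d} +0000] '
    f'"POST /nibbleblog/admin.php HTTP/1.1" 200 1503 "-" "Mozilla/4.0 (Hydra)"'
    for i in range(12)
] + [
    '10.10.14.9 - - [01/Mar/2024:10:00:03 +0000] "GET /nibbleblog/ HTTP/1.1" 200 4211 "-" "Mozilla/5.0"',
    '10.10.14.9 - - [01/Mar/2024:10:00:20 +0000] "POST /nibbleblog/admin.php HTTP/1.1" 200 1503 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, n in detect_login_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {n} POSTs to admin.php within 60s")
```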
I tried all of those passwords and came back empty. I looked at the official Hack The Box write-up and saw this:
I then had to guess the password on my own. Watching IppSec's attempt, we can see he simply guesses the password to be nibbles and gets in. I then used the admin/nibbles credentials to log in:
Back to the Metasploit exploit mentioned earlier: I set the password to nibbles and was able to get a meterpreter shell on the system:
I uploaded the php-reverse-shell from pentestmonkey by running upload php-reverse-shell.php. I then started netcat in another terminal and accessed the page in a new tab:
I was logged in as nibbler. I was able to get a TTY shell by running bash:
There were two files:
I got the user flag:
As nibbler, I set up a Python HTTP server in nibbler's home directory and downloaded the personal.zip file:
When I pressed Ctrl-C to stop the HTTP server, I dropped out of the shell. I then had to get back in using the same php-reverse-shell as before:
Inside personal.zip there was a bash script. My assumption was that I would have to run that script on the machine. I found that I was unable to unzip the file on the machine:
To transfer the file from my machine instead, I served it with the python3 http.server module:
I then ran the bash script:
I ran sudo -l to see what I could run with sudo:
My guess was that I would have to edit the bash script to become root. Once I had a TTY shell via Python, I was able to unzip the archive:
I overthought the privilege escalation to root. The solution was very simple, as the official write-up made me realize: