Nibbles

This is my write-up for the machine Nibbles on Hack The Box located at: https://app.hackthebox.com/machines/Nibbles.

nmap: nmap 10.10.10.75

We see that 2 ports are open: SSH and HTTP. Going to port 80, we see the following:

In the source code, I saw something interesting:

At this time, I had run a deeper nmap scan to see if anything was different on that scan. Fortunately, nothing was different in the deeper scan (nmap -T4 -A -v 10.10.10.75 -oN nibbles.nmap):

Going to the directory from above, we see the following:

I then ran feroxbuster on the system (feroxbuster -u http://10.10.10.75/nibbleblog/ -w directory-list-lowercase-2.3-medium.txt) to see what other directories were there. I found a lot:

Looking through the website I found the following:

I then looked up the name of the author, and this seems to be a CMS application:

I then ran git clone https://github.com/dignajar/nibbleblog.git to download the file, but I also looked on Metasploit to see if there was an exploit. Turns out there was:

I then found this video write-up that made me realize my search had overlooked a crucial website: the admin login page. I looked at what software the person in the video was using, and they were using dirsearch. I did the same and was able to find the page:

I now have to brute-force the username and password. I followed this website to see what parameters I needed for my Hydra command. I then ran the hydra -l admin -P rockyou.txt 10.10.10.75 http-post-form "/nibbleblog/admin.php:username=admin&password=^PASS^:Incorrect username or password." command, and got the following:

I tried all of those passwords and came back empty. I looked at the official Hack The Box write-up and saw this:

I then had to find a way to find the password on my own by guessing. Even viewing Ippsec's attempt, we can see he randomly guesses the password to be nibbles and gets in. I then used the admin/nibbles credentials to log in:
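From the defender's side, the Hydra run against /nibbleblog/admin.php above appears in the web server access log as a burst of POSTs from one address. The following is an added example, not part of the original write-up: a sliding-window detector run over constructed log lines in combined log format. The 60-second window, the threshold of 5, the helper names and the sample IP addresses are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOGIN_PATH = "/nibbleblog/admin.php"   # login endpoint named in the write-up
WINDOW = timedelta(seconds=60)          # assumption: sliding window length
THRESHOLD = 5                           # assumption: login POSTs per window before alerting

# Apache/nginx "combined" access log line (format assumed for this example)
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" \d{3} '
)

def detect_login_bruteforce(lines, window=WINDOW, threshold=THRESHOLD):
    """Return {ip: peak login POST count inside one window} for IPs at or above threshold."""
    recent = defaultdict(deque)   # ip -> timestamps of login POSTs still inside the window
    peaks = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if m["path"].split("?", 1)[0] != LOGIN_PATH:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:      # drop attempts that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            peaks[m["ip"]] = max(peaks.get(m["ip"], 0), len(q))
    return peaks

def _line(ip, hms, method, path, status):
    """Build one constructed log line for the sample below."""
    return f'{ip} - - [01/Jan/2024:{hms} +0000] "{method} {path} HTTP/1.1" {status} 1024 "-" "-"'

# Constructed sample log: one address hammering the login form, one ordinary user
SAMPLE_LOG = (
    [_line("198.51.100.7", f"10:00:{s:02d}", "POST", LOGIN_PATH, 200) for s in range(0, 40, 2)]
    + [_line("203.0.113.20", "10:00:05", "GET", "/nibbleblog/", 200),
       _line("203.0.113.20", "10:00:09", "POST", LOGIN_PATH, 200),
       _line("203.0.113.20", "10:05:30", "POST", LOGIN_PATH, 302)]
)

if __name__ == "__main__":
    for ip, peak in detect_login_bruteforce(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {peak} login POSTs within {WINDOW.total_seconds():.0f}s")
```
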

Back to the Metasploit exploit previously mentioned, I entered the password to be nibbles and was able to get a meterpreter shell on the system:

I uploaded the php-reverse-shell from pentestmonkey online by running upload php-reverse-shell.php. I then ran netcat on another terminal and then accessed the page on a new tab:

I was logged in as nibbler. I was able to get a TTY shell by typing in bash:

There were two files:

I got the user flag:

In the nibbler account, I set up a Python HTTP server in the home directory of nibbler. I then downloaded the personal.zip file:

When I pressed Ctrl-C to stop the HTTP server, I had gotten out of the shell. I then had to get back in using the same php-reverse-shell as before:

In the personal.zip folder, there was a bash script. My assumption was that I was going to run the bash script on the machine. I found out I was unable to unzip the file on the machine:

In order to upload the file from my machine, I used the python3 http module to upload it:

I then ran the bash script:

I ran sudo -l to see what I have access to as the sudo user:

My guess is that I will have to edit the bash script to get to be root. After I had the TTY python shell, I was then able to unzip:

I thought about the privilege escalation to root a bit too much, enough to overthink it. The solution was super simple, which the official write-up had made me realize:
