NIBBLE WRITEUP-HTB
This write-up is for the HackTheBox Nibbles machine. The box can be solved either by a manual procedure or by using Metasploit; I followed the manual procedure.
The IP address of the machine is 10.10.10.75.
Step1: RECON
Used the following nmap scan: nmap -sV -sC -T4 -p- -oA nmap 10.10.10.75
where -sV is version detection, -sC runs the default scripts, -p- scans all ports, -oA saves the output in all three formats under the given basename, and -T4 increases the scan speed.
See the nmap documentation for details of the other options.
Recon Results Analysis
The Nmap scan found Apache 2.4.18 running on HTTP port 80, and SSH open on port 22.
Enumeration
Let's start by inspecting what's running on port 80. It shows the following page.
Always check the page source when nothing looks suspicious; here I found a directory path.
- Open the web page.
- Whenever a web page shows nothing of interest, check its source code.
- The source reveals a directory: /nibbleblog.
- Check the source code of that page as well.
- A new directory, /admin, but nothing beyond the admin page.
- Nothing looked vulnerable, so I did a Google search for nibbleblog.
- Found all the details, but nothing special.
When nothing is found, run DirBuster or gobuster for directory enumeration.
gobuster -u http://10.10.10.56:80/ -w /usr/share/seclists/Discovery/Web-Content/common.txt
Nothing was found with this wordlist. I paused this step, since it takes a long time, and will try another wordlist if the manual approach finds nothing. So far only the admin directory, which I have already posted, was found.
- The page has login and logout functionality, so I looked for a login page.
- Searched for nibbleblog vulnerabilities in Metasploit.
- A username and password are required, so it can't be exploited at this point, but it confirms my hunch that there is a login page.
- Till now I had no idea of the nibbleblog version, and the exploit is only available for nibbleblog 4.0.3.
- Searched for nibbleblog on GitHub and found something interesting.
Look, it has index.php. The admin.php page is different from what we found on the web page.
So finally I got the login page: http://10.10.10.75/nibbleblog/admin.php
- Tried Hydra, but Hydra takes time when you don't know the username or password. Always look for other time-saving approaches first, and fall back to Hydra if they fail.
- Searched for the nibbleblog default password and found username: admin, password: nibbles.
After a successful login using username: admin and password: nibbles
The version is shown as 4.0.3. A Metasploit exploit is also available.
- A public exploit is also available, i.e. a file upload vulnerability.
- For the public exploit see "https://packetstormsecurity.com/files/133425/NibbleBlog-4.0.3-Shell-Upload.html". Here I found the vulnerable section.
According to the above, it is time to look at the image plugin section.
- According to the exploit, upload a PHP shell.
- For the PHP shell see "https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php". Only replace the IP with your IP and choose a port.
- In parallel, start a netcat listener.
- Once the file is uploaded, it looks like this.
- Look again at the public exploit code.
- Browse to /nibbleblog/content/private/my_image/image.php and check whether you get a connection on netcat. If not, check the IP and directory carefully.
image.php is the uploaded PHP shell.
Check netcat.
Run locate user.txt and cat user.txt for the first flag.
- a222394700d1260e5f004a4641d9083d (first flag)
Privilege Escalation
It's time to attempt privilege escalation to get the root flag. The key piece of information from the low-privileged shell is that the nibbler user can execute a file named monitor.sh, located in the /home/nibbler/personal/stuff folder, as root without being asked for the root password.
From here there are two main approaches: either upgrade to an interactive TTY shell or continue with the same shell.
I continued with the same shell, since I was able to run all commands. If you are unsure when to upgrade, check out the links below; they also link to other useful resources.
Do cd /home and you will find two files.
Unzip personal.zip.
cat monitor.sh. It does not look vulnerable. If we can somehow run our own bash script through it, we can get our own code executed.
- Above we are just writing a command to get a bash shell into monitor.sh; \n is a newline. Then execute monitor.sh.
- After that, run sudo -u root ./monitor.sh.
- You will see a connection timeout message, but check id: you are root now.
- cat /root/root.txt to get the flag.
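The root cause of this escalation is a sudo rule that lets nibbler run, as root, a script sitting in nibbler's own home directory, where the user can rewrite it. As an added defender-side example (not part of the original write-up), the Python below audits sudoers-style rules for exactly that pattern; the sudoers fragment and the file-owner table are constructed samples, and on a live host the owners would come from os.stat plus pwd.

```python
import re

# Constructed sudoers fragment modelled on the rule the write-up describes.
SAMPLE_SUDOERS = """
root    ALL=(ALL:ALL) ALL
nibbler ALL=(root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
backup  ALL=(root) NOPASSWD: /usr/bin/rsync, /usr/bin/tar
"""

# Constructed file ownership; on a live host replace with os.stat/pwd lookups.
SAMPLE_OWNERS = {
    "/home/nibbler/personal/stuff/monitor.sh": "nibbler",
    "/usr/bin/rsync": "root",
    "/usr/bin/tar": "root",
}

# user  host=(runas) [TAG: ...] command[, command ...]
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+\S+=\([^)]*\)\s*(?:[A-Z]+:\s*)*(?P<cmds>.+)$"
)


def parse_rules(text):
    """Return (user, [command paths]) for each user rule; arguments are dropped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        m = RULE_RE.match(line)
        if m:
            cmds = [c.split()[0] for c in m.group("cmds").split(",") if c.strip()]
            rules.append((m.group("user"), cmds))
    return rules


def audit(text, owners):
    """Flag (user, command, reason) for sudo rules whose target the same user can rewrite."""
    findings = []
    for user, cmds in parse_rules(text):
        for cmd in cmds:
            if cmd == "ALL":
                continue  # unrestricted rules are a separate review item
            if owners.get(cmd) == user:
                findings.append((user, cmd, "command file is owned by the rule's user"))
            elif cmd.startswith(f"/home/{user}/"):
                findings.append((user, cmd, "command lives under the user's home directory"))
    return findings
```

The fix for a flagged rule is to move the script to a root-owned location writable only by root and point the sudo rule at that path.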
Conclusion & learning:
- Always try to find the manual approach first; automation is always there to help out.
- Used GitHub more for recon.
- Privilege escalation.
This is my first box pwned on the HTB platform and also my first write-up.
I'm hoping to knock out a few more boxes during my lab access, so stay tuned.
If you have any suggestions for interesting boxes, or ones that would make a good write-up, let me know.