HacktheBox - Nibbles Writeup

09/10/2019

Zero to OSCP Hero Writeup #9 - Nibbles

Reconnaissance

1. Nmap Scan - TCP Scan

Let's start with a TCP scan of the target IP address to determine which ports are open and which services are running on those ports:

nmap -sC -sV -oA nmap/initial.tcp 10.10.10.75

  • -sC: Run the default nmap script scan to find potential vulnerabilities
  • -sV: Detect the service version
  • -oA: Output the result of the scan in all formats as nmap/initial.tcp

We have ports 22 and 80 open. As with most HTB machines, port 80 is the usual route to exploiting the machine, with SSH used afterwards to connect. So let's see if there are any other ports open... 

2. Nmap Scan - All TCP Ports Scan

Okay, let's scan the entire TCP port range to confirm that there are no other ports open:

nmap -sC -sV -p- -oA nmap/full.tcp 10.10.10.75

  • -sC: Run the default nmap script scan to find potential vulnerabilities
  • -sV: Detect the service version
  • -p-: Run the nmap scan against all ports
  • -oA: Output the result of the scan in all formats as nmap/full.tcp

Okay, so this confirms that only TCP ports 22 and 80 are open. 

3. Nmap Scan - All UDP Ports Scan

We can do the same full port scan, but with the UDP ports:

nmap -sU -p- -oA nmap/full.udp 10.10.10.75

  • -sU: Run the scan against UDP ports
  • -p-: Run the nmap scan against all ports
  • -oA: Output the result of the scan in all formats as nmap/full.udp

Enumeration

1. Port 80 Enumeration 

So when we first browse to 10.10.10.75, we get 'Hello World'... 

As there must be more to the webpage than that, I checked the page source...

Ah ha! Hidden comments are not unusual for these types of boxes, and this one gives us the nudge in the right direction too! Let's see what /nibbleblog contains: 

Nothing really interesting here, as the links don't do anything and there is nothing in the page source to help us along. 

This is where we can use tools like dirbuster/gobuster/dirb to search for any hidden files or directories. I'm going to use gobuster: 

gobuster dir -u https://10.10.10.75/nibbleblog -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x php

  • dir: Uses directory/file bruteforcing mode
  • -u: The target URL
  • -w: Path to the wordlist to use for the search 
  • -x: File extension(s) to search for

So there seems to be an admin login page, let's take a closer look at it: 

We need to find some valid credentials... 

After googling for Nibbleblog default credentials and manually trying basic credential combinations, I found that the username and password are admin:nibbles 

After looking around the dashboard and all the different links, I wondered if there was a public exploit for this version of Nibbleblog... 

2. Confirm the Nibbleblog version

To get the version, I remembered that there was a README directory found from our gobuster scan. 

https://10.10.10.75/nibbleblog/README

And sure enough, it gives us the Nibbleblog version of 4.0.3. 

It seems that there is a shell upload vulnerability for our Nibbleblog version: 

Let's take a more in-depth look at what this vulnerability is: 

So it exploits Nibbleblog's image upload feature, which does not check the actual file extension of 'image' uploads, meaning we can upload a PHP reverse shell through the image upload plugin instead of an image... Let's get to work! 
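The root cause described above is an upload handler that trusts the client's filename. As an added example, not code from Nibbleblog or from this writeup, here is what a hardened image-upload check looks like in Python: an allowlist of image extensions, a content check against the magic bytes of the declared type, rejection of double extensions and path components, and a server-generated storage name so the client's filename never decides where the file lands or what it is called. The function names and the sample uploads are my own constructions.

```python
import os
import secrets
from typing import Tuple

# Allowed image extensions mapped to the magic bytes a genuine file of that type
# starts with. Anything not in this table is rejected outright, so a '.php'
# upload never even reaches the content check.
MAGIC_BY_EXT = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}


class UploadRejected(ValueError):
    """Raised when an upload fails any of the checks below."""


def validate_image_upload(filename: str, data: bytes) -> str:
    """Validate a client-supplied image upload and return a safe storage name.

    The returned name is generated on the server: the client's filename decides
    nothing about where or as what the file is stored, so a name like
    'image.php' cannot reach the web root. Raises UploadRejected otherwise.
    """
    # Reject empty names, NUL bytes, path separators and traversal first.
    if not filename or "\x00" in filename or os.path.basename(filename) != filename:
        raise UploadRejected("filename must be a bare name without path components")
    parts = filename.lower().split(".")
    if len(parts) != 2 or not parts[0]:
        raise UploadRejected("filename must be name.ext with exactly one extension")
    ext = parts[1]
    if ext not in MAGIC_BY_EXT:
        raise UploadRejected(f"extension .{ext} is not an allowed image type")
    # The content must match the declared type; the extension alone proves nothing.
    if not any(data.startswith(sig) for sig in MAGIC_BY_EXT[ext]):
        raise UploadRejected("content does not match the declared image type")
    return f"{secrets.token_hex(16)}.{ext}"


def is_acceptable(filename: str, data: bytes) -> bool:
    """Boolean wrapper for callers that prefer a verdict over an exception."""
    try:
        validate_image_upload(filename, data)
        return True
    except UploadRejected:
        return False


# Constructed sample uploads (not files from the box): a PNG header followed by
# padding, and a PHP file of the kind the My Image plugin would have accepted.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SAMPLE_PHP = b"<?php echo 'not an image'; ?>"

if __name__ == "__main__":
    print(validate_image_upload("cat.png", SAMPLE_PNG))   # random 32-hex name ending in .png
    print(is_acceptable("image.php", SAMPLE_PHP))         # False: extension not allowed
    print(is_acceptable("image.php.png", SAMPLE_PNG))     # False: double extension
    print(is_acceptable("image.png", SAMPLE_PHP))         # False: content is not a PNG
```

A magic-bytes check on its own can be satisfied by a polyglot file, which is why the storage name is chosen by the server and carries only an image extension; the remaining control, not shown here, is configuring the web server so nothing under the upload directory is ever executed as a script.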

Initial Foothold - User

1. Image Upload Plugin Exploitation 

The PoC details that Admin credentials are needed for the exploit to work, thankfully we already have them! 

So the next step is to activate the My Image plugin; let's browse to it: 

https://10.10.10.75/nibbleblog/admin.php?controller=plugins&action=list

Again, thankfully the My Image plugin is already activated! 

Click Configure, and it takes us to the My Image plugin page: 

So this is where we can upload our reverse shell! 

Let's now focus on configuring our reverse shell. I'm going to use the php-reverse-shell.php script that comes by default with Kali Linux and edit it accordingly: 

nano php-reverse-shell.php

We only need to change the IP address to our attacker's tun0 address and set a port: 

Save the script and browse back to the My Image plugin page; let's try and upload the reverse shell script: 

Click 'Browse...'

Browse to the location of the php reverse shell file on our attacker machine

Click Save changes

Going back to the exploit PoC, it explains that we need to ignore the warnings that appear and browse to a specific file called image.php.

Before we do this, let's start a netcat listener:

nc -lvnp 9001 

We can now browse to the specific file: 

https://10.10.10.75/nibbleblog/content/private/plugins/my_image/image.php

We now have a connection on our netcat listener: we have a reverse shell on the target machine! 

Let's make the reverse shell connection fully interactive: 

https://forum.hackthebox.eu/discussion/142/obtaining-a-fully-interactive-shell

whoami&&id&&hostname

We can now grab the user flag! 

Privilege Escalation - Root

1. Checking Sudo Permissions for 'nibbler' user 

Once I have an initial foothold on a machine, the first thing I check is the current user's sudo permissions: 

sudo -l 

So there we go, nibbler is able to run monitor.sh as root! 

Let's check out the /home/nibbler directory: 

So there is a personal.zip file in the home directory, which, when unzipped, contains the /stuff/monitor.sh script. 

But if we look at the sudo permission, it shows that the sudo rule is for /home/nibbler/personal/stuff/monitor.sh, not /home/nibbler/personal.zip, so we can ignore the extracted folder and create our own personal/stuff directory! 

mkdir -p personal/stuff

  • -p: This will create every directory in the chain

We can now create our own monitor.sh script; let's make it really simple and just spawn a bash shell as root: 

vi monitor.sh

#!/bin/sh

bash

Once the script is saved, it needs to be given executable permissions: 

chmod +x monitor.sh 

sudo ./monitor.sh 

After a few seconds, we see that we are now running as root! 

whoami&&id&&hostname 

We can now grab the root flag! 
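The privilege escalation works because the sudo rule names a path under the user's own home directory, which that user can create or replace at will. As an added example, not part of the writeup and not output captured from the box, this Python audit parses `sudo -l` output, walks each command path component by component, and flags every component the account can write to, plus the first one that does not exist yet. The sample `sudo -l` text is constructed to mirror the rule on Nibbles, and the function names are mine.

```python
import os
import re
import tempfile
from typing import Dict, List, Tuple

# A 'sudo -l' rule line looks like:  (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
RULE_RE = re.compile(r"\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>/\S+)")

# Constructed 'sudo -l' output mirroring the rule on the box; not a capture from the machine.
SAMPLE_SUDO_L = """\
Matching Defaults entries for nibbler on Nibbles:
    env_reset, mail_badpass

User nibbler may run the following commands on Nibbles:
    (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
"""


def parse_sudo_l(output: str) -> List[Dict[str, str]]:
    """Pull (run-as user, tags, command path) rules out of 'sudo -l' output."""
    rules = []
    for line in output.splitlines():
        m = RULE_RE.search(line)
        if m:
            rules.append({"runas": m.group("runas"),
                          "tags": m.group("tags").strip(),
                          "cmd": m.group("cmd")})
    return rules


def audit_command_path(cmd: str, root: str = "/") -> List[Tuple[str, str]]:
    """Walk the command path one component at a time and report the weak links.

    Every component the calling account can write to is reported as 'writable'
    (a writable directory lets its owner replace whatever lives beneath it, no
    matter how the script itself is protected), and the first component that
    does not exist is reported as 'missing' (the account can simply create it).
    Run this as the unprivileged account named in the rule, since os.access
    answers for the caller. Any finding means that account, not the
    administrator, decides what root will execute.
    """
    findings = []
    current = root
    for part in cmd.strip("/").split("/"):
        current = os.path.join(current, part)
        if not os.path.lexists(current):
            findings.append(("missing", current))
            break
        if os.access(current, os.W_OK):
            findings.append(("writable", current))
    return findings


def demo_nibbles_layout() -> List[Tuple[str, str]]:
    """Rebuild the relevant slice of the box's filesystem under a temp dir and audit it."""
    root = tempfile.mkdtemp(prefix="sudo-audit-")
    # The home directory exists and belongs to the user; personal/ does not exist yet.
    os.makedirs(os.path.join(root, "home", "nibbler"))
    rule = parse_sudo_l(SAMPLE_SUDO_L)[0]
    return audit_command_path(rule["cmd"], root=root)


if __name__ == "__main__":
    for kind, path in demo_nibbles_layout():
        print(f"{kind:9}{path}")
```

On the real box the walk stops at /home/nibbler/personal with a 'missing' finding after flagging /home/nibbler as writable; a rule that survives this audit points only at a root-owned file in a root-owned directory chain (somewhere like /usr/local/sbin), which is the fix for this class of misconfiguration.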

What did I learn from Nibbles?

I learned that it is a bad idea to leave comments in the website source code pointing to hidden directories, that keeping software up to date is critical, and that sudo permissions need to be configured correctly! 

Conclusion

And that is now 9 of the OSCP like boxes completed, next up - Bastard!