HTB - Nibbles Writeup


Initial Enumeration

1. Nmap Scanning

Starting with a scan of the target IP address:

nmap -sC -sV -oA nibbles.nmap 10.10.10.75

We can see that ports 22 and 80 are open. Let’s open a browser and look at the page served on port 80.

Directory Enumeration

Looking at the source code of index.html, we can see a comment referencing a directory named “/nibbleblog/”.

So let’s run gobuster in that directory to enumerate further. The following command will do the trick:

gobuster dir -u http://10.10.10.75/nibbleblog -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php

Note the /admin.php file. Accessing it, it appears to be an admin login page. Looking up default Nibbleblog credentials and trying them manually actually works: the credentials admin:nibbles worked for me.

Let’s enumerate some more and look into possible exploits available for Nibbleblog. Gobuster also found a file named README.

Visiting it shows that the installed Nibbleblog version is 4.0.3.

Next, we run searchsploit to look for any Nibbleblog exploits. That turns up a shell upload vulnerability: Nibbleblog’s image upload plugin doesn’t actually check the file extension of uploaded images, so a PHP reverse shell can be uploaded through the plugin instead of an image.

Exploitation

Payload Generation

I’m going to use the default php-reverse-shell.php script that comes with Kali and edit the $ip and $port.

Let’s also navigate to the image upload plugin and have a look at where we’ll be uploading this script.

Uploading Payload

I set up a netcat listener and upload the malicious file.

From there, I will want to browse to the specific file at:

http://10.10.10.75/nibbleblog/content/private/plugins/image.php

And now we have a reverse shell to the target machine.

To make the reverse shell fully interactive, follow the steps in the obtaining-a-fully-interactive-shell post.

We can then see that we’re running as the nibbler account, and the user flag is at /home/nibbler/user.txt.

Privilege Escalation

Running sudo -l reveals an entry for /home/nibbler/personal/stuff/monitor.sh. However, this file does not exist, so we can create our own bash script at that path and run it as root via sudo.
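As an added defender’s check, not part of the original writeup: a small Python audit that parses a rule in the form `sudo -l` prints and explains why such a rule is dangerous (the target is missing, or the target or a directory on its path is writable by the sudo user). The hostname and the `(root) NOPASSWD:` form of the rule are assumptions, and the filesystem scenario is constructed in a temporary directory.

```python
import os, re, stat, tempfile

# Constructed sample of the rule `sudo -l` printed on the box; hostname and NOPASSWD form assumed.
SAMPLE_SUDO_L = """User nibbler may run the following commands on Nibbles:
    (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
"""
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmd>/\S+)")

def parse_sudo_rules(text):
    """(runas, tags, command_path) for every '(user) TAG: /path' line of `sudo -l` output."""
    out = []
    for m in filter(None, map(RULE_RE.match, text.splitlines())):
        out.append((m["runas"], [t.rstrip(":") for t in m["tags"].split()], m["cmd"]))
    return out

def writable_by(path, uid, gids):
    """Can uid (member of gids) write path? Owner bits if owner, else group bits, else other."""
    st = os.stat(path)
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def audit_command(cmd, uid, gids, stop_at="/"):
    """Why this sudo target is unsafe: it is missing, or it or a directory on its path
    (up to stop_at) is writable by the user, so the user decides what runs as root."""
    findings = ["target missing"] if not os.path.exists(cmd) else []
    path = cmd if os.path.exists(cmd) else os.path.dirname(cmd)
    while True:
        if os.path.exists(path) and writable_by(path, uid, gids):
            findings.append("writable: " + path)
        if path == stop_at or os.path.dirname(path) == path:
            return findings
        path = os.path.dirname(path)

def run_demo():
    """Constructed scenario: monitor.sh missing from a directory the user can write,
    then the same rule after a root-style 0755 script has been put in place."""
    uid, gids = -1, []  # owns nothing here, so only the 'other' mode bits decide
    root = tempfile.mkdtemp()
    stuff = os.path.join(root, "stuff")
    os.mkdir(stuff); os.chmod(stuff, 0o777)  # chmod, because umask would strip bits
    target = os.path.join(stuff, "monitor.sh")
    before = audit_command(target, uid, gids, stop_at=root)
    open(target, "w").close(); os.chmod(target, 0o755); os.chmod(stuff, 0o755)
    after = audit_command(target, uid, gids, stop_at=root)
    return {"rules": parse_sudo_rules(SAMPLE_SUDO_L), "stuff": stuff, "before": before, "after": after}

if __name__ == "__main__":
    print(run_demo())
```

The fix on a real host is the same thing the audit checks for: the sudo target must exist and be owned by root, with no directory on its path writable by the sudo user.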

The script looks something like this. Super simple.

Make it executable and run it with sudo.

And we have a root shell. From here we can simply read the root.txt file and finish the box.

root.txt can be found in the /root directory.