Nibbles HTB Writeup w/o Metasploit

Welcome! This next HTB machine were pwning is called Nibbles. This is the fourth box were completing in preperation for the OSCP. This box is ranked easy so the process of exploiting this one should be straight forward.

Let’s get started.

Enumeration

First we run our nmap scan to see what services are running on the machine. Remember enumeration is the most important part of ethical hacking so we need to be thorough.

So I ran my initial nmap scan as

nmap -A 10.129.169.86

  • -A Enable OS detection, version detection, script scanning, and traceroute.

note: I was having vpn issues so I had to keep changing regions in HTB. That is why the IP is different in the screenshot.

Looks like port 80 is open so lets enumerate that service further. Let’s start by opening up our browser to see what is on the webpage.

Nothing but “Hello world!”. Going to inspect the source code to see what we find.

The source code includes another directory named “/nibbleblog/” in a comment. Going to run nikto against it to see what we find.

The scan results reference OSVDB-29786. Looks like there is a nibbleblog/admin.php?. That could be the login page to the admin portal so I’m going to check that out.

Ahh looks like there is an admin portal. I checked the internet for default credentials and I couldn’t really find anything. I’m going to try a few simple credentials to see if they work. admin:admin, admin:password, admin:nibbles…

Looks like admin:nibbles worked. Lucky guess on my part but that was a pretty weak password. Trying to bruteforce using hydra would have been my next attempt had those credentials not worked but none of my password lists would have included nibbles so I’m glad I got in through guessing.

Okay, so now that we have access to the admin portal lets see if we can upload a reverse shell. Let’s see if we can find anything on google.

I found this blog that explains how we can get a reverse shell uploaded through a vulnerabilty in the my_image plugin on nibbleblog. According to this blog you only need the admin credentials which we have.

First I am going to go to pentestmonkey to download a php reverse shell.

Reverse shell downloaded. Now I have to change the source IP and PORT on the script to make sure we call back to the correct IP and PORT. Also be sure to name the reverse shell image.php as instructed in the blog we found above.

Now let’s go to the image plugin and upload our shell.

Shell uploaded. Ignoring the warnings. Now let’s travel to the path in step 4 above to run the shell.

Okay so I confirmed the shell has been uploaded. So now I set up a listener using the following command.

nc -nlvp 4444

Now once I click on the link image.php our shell should spawn.

Okay boom I have a shell. This shell is restricted as it mentions “can’t access tty”.

So we’re going to need to upgrade to a fully interactive shell. There are plenty of posts on google that outline this process but unfortunately it took a while to figure out a process that worked for me.

note: I was having issues with this until I found this helpful comment on a forum.

Here are the steps.

In your current shell run the following command to spawn bash with python.

Then background your remote shell using CTRL+Z.

Next, get the ROWS and COLUMNS within your current header by ruuning the following command.

After that you need to run the following to ignore hotkeys in the local shell and get back to the remote shell in the background using “fg”.

Then you want to set the correct size for the remote shell using the number of ROWS and COLUMNS listed after running stty -a

Next, this command adds color.

Finally, reload bash to apply the $TERM variable.

Now, I have a fully interactive shell. I’m going to cat the user.txt file.

Now, lets figure out what privileges we have by running sudo-l

Looks like I have access to the monitor.sh script. I’m going to see if I can read the contents.

Okay, so it doesn’t exist. I should be able to create a file named monitor.sh and run a bash shell as a root user.

First I’m going to create the /home/nibbler/personal/stuff directory and pivot into it.

Then I’m going to create monitor.sh and add the following code to it.

#!/bin/sh

bash

Next, I need to give monitor.sh execute privileges by running the following command.

Now we can run monitor.sh with sudo since we have root privileges for monitor.sh

Perfect we’ve successfully escalated our privileges.

Lastly, we can read the root flag and this box is complete.

Lessons Learned

This box was actually pretty challenging. Initially, I struggled with upgrading to a fully interactive shell so I’m happy I was able to learn a way around that. I also learned more about priv esc for linux environments. There was a lot of trial and error completing this box which taught me everything isn’t always going to work on the first try. This was a little time consuming without metasploit but overall I had fun finding a workaround and I wouldn’t have had it any other way. 4th box down. Let’s GOOO !

mastering the craft of ethical hacking