HTB - Nibbles

Linux | Nibbleblog

Tools For This Room

  • Pentest Monkey's PHP reverse shell (php-reverse-shell) - a commonly used reverse shell

TL;DR / Executive Summary

  1. Scan and enumerate with nmap and gobuster

  2. Gain foothold with easily guessed but relevant password

  3. Privesc by overwriting file with sudo permission

Scanning & Enumeration

The fun and games start off with nmap and gobuster scans.

  • nmap

nmap -sV -sC -vv <IP>

We get two open ports: 22 (SSH) and 80 (HTTP).

Let's check out what's at port 80. We're greeted with a simple "Hello world!"

Maybe the page source has interesting details.

Looks like it's yielded a directory called /nibbleblog/. It even tells us that there's nothing interesting here!

Delving into the /nibbleblog/ directory gives us this page:

  • gobuster

Now to perform a gobuster scan on the /nibbleblog directory.

gobuster dir -u http://<IP>/nibbleblog/ -w <wordlist>

We get quite a few interesting directories to check out:

The /README provides a wealth of information.

Now that we know the version of Nibbleblog here, we can search for an exploit. Let's try Exploit-DB's command-line search tool, searchsploit.

Unfortunately, the only result requires Metasploit and we're trying to exploit this room manually. Maybe Google can provide a suitable alternative.

The first result looks promising. Upon digging into Packet Storm's post, we find that we can upload a PHP file to get a reverse shell. The catch: we need valid credentials to log in first.

Gaining Foothold

We find the login page at /admin.php. While we did get a possible username from /README in the form of "Diego Najar", and could potentially try to brute-force the credentials with Hydra, we should try some simple combos first.

Permutations of words such as "admin", "password", "123456", and the room's name occasionally work, and save us a lot of time. Although it is uncommon, we get lucky in this room and "admin/nibbles" logs us in.

We navigate to the "Plugins" section, look for "My image", and upload a .php reverse shell. In this case, let's use Pentest Monkey's.

As with any external script, we should always read through it and understand how it works before running it. In this case, we need to set our IP and port.

Once we've uploaded our reverse shell, we need to find it in order to trigger it. The second Google result gives us the exact path to our file: nibbleblog/content/private/plugins/my_image. If we hadn't come across this result, we could have performed further directory enumeration with gobuster; the logical directory to target would be /content. From there, we'd find the /private directory, then /plugins, and finally /my_image.

Before we trigger our upload, we set up a netcat listener:

nc -lvnp 4444

Now we click image.php and we get our reverse shell:

Initially, it appears we can't upgrade our shell.

However, this is due to the python version. Let's check what version of python is running, and configure our command accordingly:

We use the which command to find the python version available, which is python3 in this case. Then we run the usual upgrade commands:

python3 -c 'import pty;pty.spawn("/bin/bash")'
# press Ctrl+Z to background the shell
stty raw -echo && fg
export TERM=xterm

Now we hop over to nibbler's directory and get our user.txt:

Privilege Escalation

We run the usual array of simple privesc checks such as history, SUID binaries, etc. But it's "sudo -l", which lists the commands we can run via sudo, that turns up something interesting: "/home/nibbler/personal/stuff/monitor.sh".

Trying to navigate to it fails, because the personal directory only exists inside a zip archive. Let's unzip it and check out monitor.sh.

unzip personal.zip

As the file extension implies, monitor.sh is a shell script, and checking its permissions shows that we can write to it. Since sudo runs it as root, whatever we put in it runs as root.

Let's overwrite its contents to grant us root access:

nano monitor.sh
# replace the existing contents with the two lines below
#!/bin/sh
bash

Once we've saved the file, we execute it:

sudo ./monitor.sh

We are granted root access!

Let's get the flag and wrap it up.

Alternative:

If we didn't want to go through the hassle of unzipping personal.zip and overwriting monitor.sh, we could have simply created the personal/stuff directory and a monitor.sh file ourselves, since the path listed by "sudo -l" doesn't exist yet and lives in nibbler's home directory. This method was found in Rana Khalil's walkthrough.
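From the defender's side, both the main route and the alternative come down to one misconfiguration: a sudo rule that points at a file the same user can write, or at a path inside a directory they control. The audit helper below is an added example, not part of this writeup or of the box; it takes the user a sudo rule grants and the command path it names and reports whether that user could change what sudo ends up running. "nibbler" and the monitor.sh path are from the room; the checked files are constructed, and GNU stat(1) is assumed.

```shell
#!/bin/bash
# Added audit helper (not from the writeup). Given the user a sudo rule grants and the
# command path it names, report whether that user could change what sudo ends up running:
# the target is owned by the user or group/world writable, or an ancestor directory lets
# the entry be replaced (or, when the target is missing, created). Assumes GNU stat(1).
# Returns 0 (true) when risky, 1 when the path looks safe.

mode_of()  { stat -c '%A' "$1" 2>/dev/null; }   # e.g. -rwxrwxr-x, empty if missing
owner_of() { stat -c '%U' "$1" 2>/dev/null; }

# writable_by USER PATH -> 0 if USER owns PATH (can chmod it) or g+w / o+w is set
writable_by() {
    [ "$(owner_of "$2")" = "$1" ] && return 0
    case "$(mode_of "$2")" in
        ?????w*|????????w*) return 0 ;;   # 6th char = group write, 9th = other write
    esac
    return 1
}

# is_sticky DIR -> 0 if the sticky bit is set (others cannot rename/delete foreign entries)
is_sticky() { case "$(mode_of "$1")" in *[tT]) return 0 ;; esac; return 1; }

# sudo_target_risky USER PATH -> 0 if USER could alter what "sudo PATH" executes
sudo_target_risky() {
    user=$1 target=$2
    if [ -e "$target" ]; then
        writable_by "$user" "$target" && { echo "writable target: $target"; return 0; }
        dir=$(dirname "$target")
    else
        # Missing target (on Nibbles, "personal" only existed inside personal.zip): the
        # user can create it if the nearest existing ancestor is writable, sticky or not.
        dir=$(dirname "$target")
        while [ ! -e "$dir" ]; do dir=$(dirname "$dir"); done
        writable_by "$user" "$dir" && { echo "creatable under writable dir: $dir"; return 0; }
        dir=$(dirname "$dir")
    fi
    # Existing entries: a writable, non-sticky ancestor lets the user rename or delete
    # the entry beneath it and substitute their own.
    while :; do
        if writable_by "$user" "$dir" && ! is_sticky "$dir"; then
            echo "replaceable via writable dir: $dir"; return 0
        fi
        [ "$dir" = / ] && break
        dir=$(dirname "$dir")
    done
    return 1
}
```

Run it against each command path that "sudo -l" lists for a user; any hit means the rule effectively grants that user root.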
