Nibbles HTB Walkthrough

Hello Everyone. This is my writeup for the machine Nibbles in HackTheBox.

First step is to perform scanning and enumeration using nmap :

nmap -Pn -T4 -p- -A 10.10.10.75

-Pn : Disables host discovery which is enabled by default

-T4: Faster scan time

-A: Enables OS and version detection, scans ports using common nmap scripts for specific vulnerabilities and performs traceroute.

We can see that there are 2 open ports: 22 (ssh) and 80 (http).

We have a higher chance of finding a vulnerability in port 80, so we will start enumerating it first.

Let’s perform a nikto scan first.

nikto -h 10.10.10.75 -p 80

Meanwhile, let’s try finding some quick wins by browsing http://10.10.10.75/.

Although the nikto scan did not reveal anything useful, looks like the web developer has a directory path mentioned as an html comment.

As we attempt to browse /nibbleblog/ web directory, we come across a web blog as shown below.

Now we have enough information to perform directory search using dirb.

dirb http://10.10.10.75/nibbleblog/ /usr/share/wordlists/dirb/common.txt

A quick directory search reveal the following web pages.

http://10.10.10.75/nibbleblog/admin/

http://10.10.10.75/nibbleblog/admin.php

http://10.10.10.75/nibbleblog/content/

http://10.10.10.75/nibbleblog/index.php

http://10.10.10.75/nibbleblog/languages/

http://10.10.10.75/nibbleblog/plugins/

http://10.10.10.75/nibbleblog/README

http://10.10.10.75/nibbleblog/themes/

As we browse the above web pages one by one, we come across something interesting.

We have found a web admin login page. Let’s try and see if a common username/password pair works or not.

admin admin — not working

admin nibbles — worked!

Great, so now we can enumerate the services running as part of the web page and try finding potential exploits.

While browsing the Settings tab, we come across a good example of information disclosure.

Let’s perform a simple google search to see if anything interesting pops up.

And look what we found.

We can follow the above steps one by one.

Let’s have our php reverse shell file ready by going to /usr/share/webshells/php/

Add your ip address and the port you will use to listen for incoming connection.

Following is a screenshot of how the tag will look after you upload your php shell.

Open a netcat listener using the following command:

nc -lvp 4444 (Use the port you mentioned in your php reverse shell file)

We will go the the directory as mentioned in the exploit page.

Click on image.php file. We should have a reverse shell as shown below.

Let’s get a tty shell using /bin/bash -i so that we have a stable connection.

We found some basic information about our current user and the current directory that we are in using whoami and pwd.

Let us browse the home directory and check if we are able to find the user flag.

As we can see above, we found the user flag under /home/nibbler directory. We still do not have root user access, so let’s enumerate some more.

id command reveals that user nibbler is part of a separate user group.

Let’s try sudo -l to see if nibbler has sudo privileges and if it does, what tasks can be particularly done.

We can see that nibbler can run monitor.sh file as a root user without asking for any password.

This is a quick win, but we only saw personal.zip under /home/nibbler.

A simple unzip command should open up all the sub-directories under /personal.

Now we can check the contents of monitor.sh file and check file permissions.

We can see that monitor.sh is a bash script that checks the health of the linux server. We also have permission to execute this script.

Let’s perform 2 small edits to this file.

First clear the file contents using > monitor.sh command.

Then add #! /bin/bash using echo as the first line and bash as the second line.

echo #! /bin/bash > monitor.sh

echo bash >> monitor.sh

After editing, we run the script as follows:

sudo ./monitor.sh

We are root now! Let’s get the root flag by browsing the /root directory.

There are a lot of post exploitation steps that can be performed as root, such as getting password hashes from /etc/shadow and cracking them using hashcat, john, or another tool.