HTB - Nibbles

Overview

Nibbles was the first easy HTB target that I pwned, and probably the first for the majority of HTB users as well, as it was used as an example in the Penetration Test job path.

Nibbles is a fairly simple machine; however, with the inclusion of a login blacklist, it is a fair bit more challenging to find valid credentials. Luckily, a username can be enumerated, and guessing the correct password does not take long for most.

1. Information Gathering

What we know beforehand:

  1. Target’s IP address.
  2. Target’s OS: Linux.
  3. The room’s focus is web app testing.

Checklist:

  • 1 Port scanning
  • 2 Banner Grabbing

Port scanning

Nmap scan results
Banner grabbing with netcat

Next steps

  1. Web enumeration
  2. SSH credentials

2. Web enumeration

Checklist:

  • 1 Check tools used
    • 1.1 Wappalyzer
    • 1.2 whatweb
  • 2 View page source
    • 2.1 Enumerate /nibbleblog dir & search public exploits
      • 2.1.2 Metasploit module tested on 4.0.3

        works on 4.0.3 and needs valid creds –> fails with an image.php cleanup error

  • 3 Dir-busting
    • 3.1 Enumerate subdirectories
  • 4 Upload a PHP reverse shell directly through the My Image plugin.

Checking technologies

Wappalyzer technologies
whatweb technologies

Viewing page source

Homepage's page source

Add to checklist: Enumerate /nibbleblog dir & search public exploits.

Searching for public exploits

Nibbleblog public exploit

CVE-2015-6967: Unrestricted file upload vulnerability in the My Image plugin in Nibbleblog before 4.0.5 allows remote administrators to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in content/private/plugins/my_image/image.php.
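The root cause in CVE-2015-6967 is that the upload handler trusts the client-supplied file name, so a file with an executable extension lands in a web-served directory and is then run by the server. The following Python is an added illustration, not Nibbleblog's PHP code: `weak_accepts` models the "any name is fine" behaviour, and `hardened_accepts` / `stored_name` show the checks an upload endpoint for an image plugin should apply instead (extension allowlist, content sniffing, and a server-chosen stored name). The extension and magic-byte tables are assumptions for a plugin that only needs to accept PNG, JPEG and GIF.

```python
import os
import re
import secrets

# Assumed policy for an image-only upload endpoint: nothing outside this set is stored.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif"}

# Leading bytes of each allowed type, so the content is checked and not only the name.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}


def weak_accepts(filename: str) -> bool:
    """Models the unrestricted-upload behaviour: any non-empty client name is taken as given."""
    return filename != ""


def hardened_accepts(filename: str, data: bytes) -> bool:
    """Accept only a single-extension image name whose content matches the declared type."""
    # 1. No path components: the client name must already be a bare file name.
    if filename != os.path.basename(filename):
        return False
    # 2. Exactly one extension. Double extensions (e.g. name.php.png) are rejected
    #    because some servers interpret every extension in a name.
    parts = filename.lower().split(".")
    if len(parts) != 2:
        return False
    name, ext = parts
    # 3. Conservative character set and length for the base name.
    if not re.fullmatch(r"[a-z0-9_-]{1,64}", name):
        return False
    # 4. Extension allowlist, then content must agree with it.
    if ext not in ALLOWED_EXTENSIONS:
        return False
    return data.startswith(MAGIC[ext])


def stored_name(filename: str, data: bytes):
    """Return a server-chosen name for an accepted upload, or None if it is rejected.

    The client name never reaches disk; only the validated extension is reused.
    """
    if not hardened_accepts(filename, data):
        return None
    ext = filename.lower().rsplit(".", 1)[1]
    return f"{secrets.token_hex(8)}.{ext}"


if __name__ == "__main__":
    # Constructed sample inputs: a minimal PNG header and a text file with a PHP name.
    png_bytes = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    print("weak accepts shell.php:", weak_accepts("shell.php"))
    print("hardened accepts shell.php:", hardened_accepts("shell.php", b"<?php"))
    print("hardened accepts photo.png:", hardened_accepts("photo.png", png_bytes))
    print("stored as:", stored_name("photo.png", png_bytes))
```

Validation alone is only half of the fix: the directory that receives uploads should also be served without a script handler (no PHP execution there), so that even a validation bypass yields a static file rather than code execution.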

Metasploit module

Metasploit module options

Dir-busting

Gobuster's scan results

Enumerating subdirectories

README subdirectory: Nibbleblog's version

Nibbleblog v4.0.3 –> the Metasploit module applies; still need to find creds.

content subdirectory: users.xml file

Username admin obtained; still missing the password for logging in and for Metasploit. After trying several passwords, admin:nibbles works.

Metasploit’s module erroring

Metasploit error message

MSF error: tried re-installing the My Image plugin, and although image.php is not there, still the same error.

Uploading a PHP reverse shell

My Image plugin configurations
Shell upload
Reverse shell obtained

3. Initial Foothold

Checklist:

  • 1 Stabilize shell
  • 2 Search for user.txt
  • 3 Check current user’s privileges

Stabilizing shell & searching for user.txt

Upgrading reverse shell and getting user flag

Checking current user’s privs

Checking current user's privileges

The nibbles user can run monitor.sh as root with no password. Exploit it to get a root shell.
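What makes this sudo rule exploitable is the combination of NOPASSWD and a target script the granted user can edit or replace. The following Python is an added audit helper, not anything from the box or from HTB: it parses sudoers-style NOPASSWD rules, checks the mode bits of each target and of its parent directory, and reports the ones the named user could modify. The sudoers fragment, script path and uid/gid mapping are constructed for the demo (in a real audit the user would be resolved with the `pwd`/`grp` modules; ACLs are ignored here).

```python
import os
import re
import stat
import tempfile

# Matches the usual sudoers form "user HOST=(runas) TAG: /absolute/command [args]".
RULE_RE = re.compile(
    r"^\s*(?P<user>\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>/\S+)"
)


def parse_nopasswd_rules(sudoers_text: str):
    """Return (user, command_path) for every NOPASSWD rule that names an absolute path.

    Rules whose command is ALL are not matched; those are a finding on their own.
    """
    rules = []
    for line in sudoers_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = RULE_RE.match(line)
        if m and "NOPASSWD:" in m.group("tags"):
            rules.append((m.group("user"), m.group("cmd")))
    return rules


def writable_by(path: str, uid: int, gids: set) -> bool:
    """True if a user with this uid/gids can modify path according to its mode bits."""
    st = os.stat(path)
    mode = st.st_mode
    if st.st_uid == uid and mode & stat.S_IWUSR:
        return True
    if st.st_gid in gids and mode & stat.S_IWGRP:
        return True
    return bool(mode & stat.S_IWOTH)


def audit_nopasswd_scripts(sudoers_text: str, user_ids: dict):
    """Return (user, command, reason) for NOPASSWD targets the named user could alter.

    user_ids maps a username to (uid, set_of_gids) for that user.
    """
    findings = []
    for user, cmd in parse_nopasswd_rules(sudoers_text):
        if user not in user_ids:
            continue
        uid, gids = user_ids[user]
        parent = os.path.dirname(cmd)
        if not os.path.exists(cmd):
            if os.path.isdir(parent) and writable_by(parent, uid, gids):
                findings.append((user, cmd, "target missing and parent dir writable"))
            continue
        if writable_by(cmd, uid, gids):
            findings.append((user, cmd, "target writable by the granted user"))
        elif writable_by(parent, uid, gids):
            findings.append((user, cmd, "parent dir writable: target can be replaced"))
    return findings


def build_demo(script_mode: int = 0o777, user_is_owner: bool = True):
    """Constructed scenario (not the box's real paths): a NOPASSWD rule for a script.

    script_mode 0o777 is the weak setting; 0o755 with a root-owned file is the fix.
    """
    workdir = tempfile.mkdtemp()  # created with mode 0o700
    script = os.path.join(workdir, "monitor.sh")
    with open(script, "w") as fh:
        fh.write("#!/bin/bash\necho monitoring\n")
    os.chmod(script, script_mode)
    rules = f"# constructed sudoers fragment\nnibbles ALL=(root) NOPASSWD: {script}\n"
    if user_is_owner:
        user_ids = {"nibbles": (os.getuid(), {os.getgid()})}
    else:  # simulate a different, unprivileged user who does not own the file
        user_ids = {"nibbles": (os.getuid() + 1, set())}
    return rules, script, user_ids


if __name__ == "__main__":
    rules, script, ids = build_demo()
    for finding in audit_nopasswd_scripts(rules, ids):
        print("FINDING:", finding)
```

The mitigation the audit points at is the usual one: the script and every directory on its path must be owned by root and not group- or world-writable, and the rule should name the exact command rather than a shell the user controls.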

4. Privilege Escalation

Checklist:

  • 1 Try to exploit monitor.sh
  • 2 Search for root.txt

Exploiting monitor.sh

Personal_zip file
Checking script's permissions
Adding root shell code

Searching for root.txt

Getting root shell and root.txt
Nibbles machine pwned
This post is licensed under CC BY 4.0 by the author.