HTB - Nibbles
Overview
Nibbles was the first easy HTB target that I pwned, and probably the first for the majority of HTB users as well, since it is used as an example in the Penetration Tester job path.
Nibbles is a fairly simple machine; however, the inclusion of a login blacklist makes finding valid credentials a fair bit more challenging. Luckily, a username can be enumerated, and guessing the correct password does not take long for most.
1. Information Gathering
What we know beforehand:
- Target's IP address.
- Target's OS: Linux.
- The room focuses on web app testing.
Checklist:
- 1 Port scanning
- 2 Banner Grabbing
Port scanning
![Nmap scan results](/assets/htb/fullpwn/nibbles/nmap-scan.png)
Banner grabbing
![Banner grabbing with netcat](/assets/htb/fullpwn/nibbles/banner_grabbing.png)
Next steps
- Web enumeration
- SSH credentials
2. Web enumeration
Checklist:
- 1 Check tools used
  - 1.1 Wappalyzer
  - 1.2 `whatweb`
- 2 View page source
  - 2.1 Enumerate `/nibbleblog` dir & search public exploits
    - 2.1.1 CVE-2015-6967, works on < 4.0.5
    - 2.1.2 Metasploit module tested on 4.0.3; works on 4.0.3 & needs valid creds -> `image.php` cleanup error
- 3 Dir-busting
  - 3.1 Enumerate subdirectories
- 4 Upload a PHP reverse shell directly on the `My Image` plugin.
Checking technologies
![Wappalyzer technologies](/assets/htb/fullpwn/nibbles/wappalyzer.png)
![whatweb technologies](/assets/htb/fullpwn/nibbles/whatweb.png)
Viewing page source
![Homepage's page source](/assets/htb/fullpwn/nibbles/web_server_page_source.png)
Add to checklist: Enumerate `/nibbleblog` dir & search public exploits.
Searching for public exploits
![Nibbleblog public exploit](/assets/htb/fullpwn/nibbles/public_exploit.png)
CVE-2015-6967: Unrestricted file upload vulnerability in the My Image plugin in Nibbleblog before 4.0.5 allows remote administrators to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in content/private/plugins/my_image/image.php.
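The CVE text above describes what the bug leaves behind on disk: a file with an executable extension sitting inside a directory meant for images. That is a cheap thing to check for on any host running an old Nibbleblog. The script below is an added example for this writeup, not code from the original post or from Nibbleblog; the directory tree it builds is constructed for the demo, and only the `content/private/plugins/my_image/` path is taken from the CVE description.

```shell
#!/bin/sh
# Added defensive check; not part of the original writeup or of Nibbleblog.
# Lists files under a web upload directory whose extension the PHP handler
# would execute. An unrestricted image upload such as CVE-2015-6967 leaves
# exactly such a file behind, so this is what to look for on a server that
# still runs Nibbleblog < 4.0.5. The tree below is constructed for the demo;
# only content/private/plugins/my_image/ comes from the CVE text.

# Print every file under $1 with a PHP-executable extension, case-insensitive.
find_script_uploads() {
    find "$1" -type f \( -iname '*.php' -o -iname '*.php[3457]' \
        -o -iname '*.phtml' -o -iname '*.phar' \) 2>/dev/null
}

# Same scan, but emit only the number of hits (0 when the tree is clean).
count_script_uploads() {
    find_script_uploads "$1" | wc -l | tr -d ' '
}

# Build a constructed Nibbleblog-like content tree in a temp dir and print its path.
demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/content/private/plugins/my_image" "$d/content/public/uploads"
    printf 'GIF89a' > "$d/content/public/uploads/photo.gif"                       # legitimate image
    printf '<?php echo 1; ?>' > "$d/content/private/plugins/my_image/image.php"   # what the CVE leaves
    printf '<?php echo 2; ?>' > "$d/content/public/uploads/avatar.PHTML"          # mixed case still matches
    echo "$d"
}

# Run against the constructed tree: the two script files are reported, the GIF is not.
t=$(demo_tree)
if find_script_uploads "$t" | grep -q .; then
    echo "script files found under upload tree:"
    find_script_uploads "$t"
else
    echo "upload tree clean"
fi
rm -rf "$t"
```

Point `find_script_uploads` at the real `content/` directory of a Nibbleblog install (or any upload root) to get the list; a non-empty result on a directory that should only hold images is worth an incident ticket, not just a cleanup. The extension list is the common set the PHP handler is usually mapped to; add whatever your web server's handler configuration actually matches.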
Metasploit module
![Metasploit module options](/assets/htb/fullpwn/nibbles/msf_exploit.png)
![Metasploit module options](/assets/htb/fullpwn/nibbles/msf_exploit_options.png)
Dir-busting
![Gobuster's scan results](/assets/htb/fullpwn/nibbles/gobuster-scan.png)
Enumerating subdirectories
![README subdirectory-Nibbleblog's version](/assets/htb/fullpwn/nibbles/nibbleblog_version.png)
Nibbleblog v4.0.3 -> the Metasploit module applies, but valid creds are still needed.
![content subdirectory-users.xml file](/assets/htb/fullpwn/nibbles/users_xml.png)
Username `admin` obtained; still missing the password for logging in & for the Metasploit module. After trying several passwords, `admin:nibbles` works.
Metasploit's module erroring
![Metasploit error message](/assets/htb/fullpwn/nibbles/msf_manual_cleanup.png)
MSF error: tried re-installing the `My Image` plugin, and although `image.php` is not there, still the same error.
Uploading a PHP reverse shell
![My Image plugin configurations](/assets/htb/fullpwn/nibbles/my_img_plugin_config.png)
![Shell upload](/assets/htb/fullpwn/nibbles/shell_upload.png)
![Reverse shell obtained](/assets/htb/fullpwn/nibbles/revshell_success.png)
3. Initial Foothold
Checklist:
- 1 Stabilize shell
- 2 Search for `user.txt`
- 3 Check current user’s privileges
Stabilizing shell & searching for user.txt
![Upgrading reverse shell and getting user flag](/assets/htb/fullpwn/nibbles/upgrading_shell_user_flag.jpg)
Checking current user’s privs
![Checking current user's privileges](/assets/htb/fullpwn/nibbles/sudo_l.png)
`nibbles` can run `monitor.sh` as `root` with no password. Exploit it to get a root shell.
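The weakness here is not `sudo` itself but a NOPASSWD rule that points at a script the unprivileged user can modify. Auditing a sudoers file for that condition is mechanical, and the script below is an added example for this writeup, not code from the original post: it parses a sudoers-style rule line, resolves the command, and flags it when the file is not root-owned, is group/world writable, or sits in a group/world writable directory. The rule lines and script files it creates are constructed for the demo; the real path of `monitor.sh` on the target is not taken from the page.

```shell
#!/bin/sh
# Added defensive audit; not from the original writeup. Given a sudoers rule of
# the form "user host = (runas) NOPASSWD: /path/to/cmd", check whether the
# command file (or its directory) can be modified by someone other than root.
# That is the exact condition abused via monitor.sh on this box; a root-owned,
# non-writable script in a root-owned directory would have closed the hole.
# The rule lines and script files below are constructed for the demo.

# Extract the command path: the first token after the last ":" in the rule.
sudoers_command() {
    printf '%s\n' "$1" | sed -e 's/.*: *//' -e 's/ .*//'
}

# Return 0 when group or world has write permission on the given path.
# The mode string comes from ls so the check works on both GNU and BSD userlands.
writable_by_others() {
    mode=$(ls -ld "$1" | awk '{print $1}')
    case "$mode" in
        ?????w*|????????w*) return 0 ;;
    esac
    return 1
}

# Audit one rule. $1: sudoers line. $2: owner the command must have (root on a
# real host; the demo passes the current user because its files are not root-owned).
# Prints a one-word verdict plus the path and returns 0 only for OK.
audit_nopasswd_rule() {
    cmd=$(sudoers_command "$1")
    want="${2:-root}"
    case "$cmd" in
        ALL) echo "ALL-COMMANDS"; return 1 ;;
    esac
    [ -e "$cmd" ] || { echo "MISSING $cmd"; return 1; }
    owner=$(ls -ld "$cmd" | awk '{print $3}')
    [ "$owner" = "$want" ] || { echo "BAD-OWNER $cmd ($owner)"; return 1; }
    if writable_by_others "$cmd"; then echo "WRITABLE $cmd"; return 1; fi
    if writable_by_others "$(dirname "$cmd")"; then echo "WRITABLE-DIR $cmd"; return 1; fi
    echo "OK $cmd"
}

# Demo on constructed files: a world-writable script next to a locked-down one.
demo() {
    d=$(mktemp -d)
    printf '#!/bin/sh\necho monitoring\n' > "$d/monitor.sh"; chmod 777 "$d/monitor.sh"
    printf '#!/bin/sh\necho fine\n' > "$d/safe.sh";          chmod 755 "$d/safe.sh"
    me=$(id -un)
    for s in monitor.sh safe.sh; do
        audit_nopasswd_rule "nibbles ALL=(root) NOPASSWD: $d/$s" "$me" || :
    done
    rm -rf "$d"
}
demo
```

On a real host, feed it each NOPASSWD line from `sudo -l` or `/etc/sudoers` and keep the default owner of `root`; anything other than `OK` is a finding. A rule whose command is `ALL` is reported separately because there is no single file to check, and it is a finding on its own.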
4. Privilege Escalation
Checklist:
- 1 Try to exploit `monitor.sh`
- 2 Search for `root.txt`
Exploiting monitor.sh
![Personal_zip file](/assets/htb/fullpwn/nibbles/personal_zip.png)
![Checking script's permissions](/assets/htb/fullpwn/nibbles/script_perms.png)
![Adding root shell code](/assets/htb/fullpwn/nibbles/root_shell_code.png)
Searching for root.txt
![Getting root shell and root.txt](/assets/htb/fullpwn/nibbles/root_shell_root_txt.jpg)
![Nibbles machine pwnd](/assets/htb/fullpwn/nibbles/nibbles.png)