Skip to main content
d3vyce Blog
  1. writeup-ctf/

Writeup - Nibbles (HTB)

·386 words·2 mins·
d3vyce
Author
d3vyce
Cybersecurity, Devops, Infrastructure
Table of Contents

This is a writeup for the Nibbles machine from the HackTheBox site.

Enumeration
#

First, let’s start with a scan of our target with the following command:

nmap -sV -T4 -Pn 10.10.11.146

Two TCP ports are discovered:

  • 22/tcp : SSH port (OpenSSH 7.2p2)
  • 80/tcp : HTTP web server (Apache 2.4.18)

Exploit
#

Looking at the source code of the web page I found the following comment:

<!-- /nibbleblog/ directory. Nothing interesting here! -->

So I go to this new page:

I then search the pages present on the site with ffuf.

One page is particularly interesting: admin.

So I try to brute force the password of the admin user with the hydra command.

Although the command finds several results it does not work. Indeed there is an anti-brute force security. So I try to test common passwords and after a few tries I find the following credentials: admin/nibbles.

It’s good but rather frustrating not to have found a more legit way. After some research I find a solution online to test passwords taking into account the anti brute force: brute force version.

I can now connect to the admin panel! After going through the panel, I find the following page where you can upload images.

So I try to send a reverse shell in php, then I go to the following link to execute it:

10.10.10.75/nibbleblog/content/private/plugins/my_image/image.php

I now have a reverse shell as a nibbler and I can get the first flag.

Privilege escalation
#

I start by checking the sudo permissions of my user:

I find it in my personal folder a .zip file, I unzip it :

The script can be modified by myself and can be executed as root. I put the following content in the script monitor.sh :

mkdir /root/.ssh
touch /root/.ssh/authorized_keys
echo 'id_rsa' > /root/.ssh/authorized_keys

This will create the SSH folder of the root user and then add my key in the authorized_keys. To execute the script I use the following command:

sudo -n ./monitor.sh

I can now log in as root and get the last flag.

Recommendations
#

To patch this host I think it would be necessary to perform a number of actions:

  • Do not leave important comments in HTML code
  • Update NibbleBlog to fix file upload problem
  • Do not let user-modifiable scripts be executed by the root user

Related

Writeup - Tech_Supp0rt: 1 (THM)
·624 words·3 mins
Writeup - Shocker (HTB)
·233 words·2 mins
Writeup - DC-9 (VulnHub)
·567 words·3 mins