This is a writeup for the Nibbles machine from the HackTheBox site.
First, let's start with a scan of the target using the following command:
nmap -sV -T4 -Pn 10.10.11.146
Two TCP ports are discovered:
- 22/tcp: SSH (OpenSSH 7.2p2)
- 80/tcp: HTTP web server (Apache 2.4.18)
Looking at the source code of the web page, I found the following comment:
<!-- /nibbleblog/ directory. Nothing interesting here! -->
So I go to this new page:
I then search the pages present on the site with
One page is particularly interesting:
So I try to brute force the password of the admin user with the
Although the command finds several results, none of them work. Indeed, there is an anti-brute-force protection. So I try to test common passwords, and after a few tries I find the following credentials:
It's good, but rather frustrating not to have found a more legitimate way. After some research, I find a solution online to test passwords while taking the anti-brute-force protection into account: brute force version.
I can now connect to the admin panel! After going through the panel, I find the following page where you can upload images.
So I try to upload a reverse shell in PHP, then I go to the following link to execute it:
I now have a reverse shell as the nibbler user and I can get the first flag.
I start by checking the sudo permissions of my user:
In my personal folder I find a .zip file, which I unzip:
The script can be modified by my user and can be executed as root. I put the following content in the script:
This will create the SSH folder of the root user and then add my key to authorized_keys. To execute the script I use the following command:
sudo -n ./monitor.sh
I can now log in as root and get the last flag.
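The privilege escalation above relies on a sudo rule whose target script is writable by the user allowed to run it. As an added defensive example (not part of the original writeup), the following Python audit flags exactly that condition in sudoers content: commands that run as root but live in a file that is not root-owned or is group-/world-writable. The sudoers lines, the file paths and the file ownership are constructed sample data, not taken from the machine.

```python
import os
import re
import stat
from collections import namedtuple
# Only the facts the check needs: owner uid and permission bits.
FileInfo = namedtuple("FileInfo", "uid mode")
# Common sudoers rule form: user HOST = (runas[:group]) [NOPASSWD:] cmd, cmd
RULE_RE = re.compile(r"^(\S+)\s+\S+\s*=\s*\(([^)]*)\)\s*(NOPASSWD:\s*)?(.+)$")

def stat_path(path):
    # Real filesystem lookup; raises FileNotFoundError for missing paths.
    st = os.stat(path)
    return FileInfo(st.st_uid, st.st_mode)

def risky_rules(text, lookup=stat_path):
    """Return command paths that sudo runs as root but that a non-root user can
    modify: not owned by root, or group-/world-writable."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        m = RULE_RE.match(line)
        if not m or line.startswith(("#", "Defaults")):
            continue
        _user, runas, _nopasswd, cmds = m.groups()
        runas_user = runas.split(":")[0].strip() or "root"  # empty (runas) means root
        if runas_user not in ("root", "ALL"):
            continue
        for cmd in cmds.split(","):
            path = cmd.strip().split()[0]
            try:
                info = lookup(path)
            except (FileNotFoundError, KeyError):
                continue  # 'ALL' or a path absent on this host
            if info.uid != 0 or info.mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append(path)
    return findings

# Constructed sample sudoers content and file facts, not taken from the machine.
SAMPLE_SUDOERS = """\
root    ALL=(ALL:ALL) ALL
nibbler ALL=(root) NOPASSWD: /home/nibbler/monitor.sh
backup  ALL=(root) NOPASSWD: /usr/local/sbin/rotate-logs
"""
SAMPLE_FILES = {
    "/home/nibbler/monitor.sh": FileInfo(1000, 0o100755),  # owned by the nibbler user
    "/usr/local/sbin/rotate-logs": FileInfo(0, 0o100755),  # root-owned, not writable by others
}

if __name__ == "__main__":
    print(risky_rules(SAMPLE_SUDOERS, SAMPLE_FILES.__getitem__))  # ['/home/nibbler/monitor.sh']
```

On a live host, call `risky_rules(open("/etc/sudoers").read())` as root to use the real filesystem lookup instead of the sample dictionary.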
To harden this host, I think the following actions would be necessary:
- Do not leave sensitive comments in the HTML source code
- Update Nibbleblog to fix the file upload vulnerability
- Do not allow scripts that an unprivileged user can modify to be executed as root