Hack The Box: Nibbles Writeup without Metasploit

Nimantha Deshappriya
4 min read · Jul 20, 2020

Nibbles is a relatively easy machine where you exploit a blog platform called Nibbleblog, get low-privilege access and then escalate privileges. The box needs a bit of out-of-the-box thinking when it comes to choosing the password for the Nibbleblog admin portal, which is vulnerable to an arbitrary file upload that lets an attacker upload a PHP file.

Enumeration

Started with the usual Nmap scan.

As per the Nmap scan, there were a bunch of ports, but most of them were filtered. Only port 22 (SSH) and port 80 (HTTP) were open.

Nothing on the UDP scan.

Accessed the HTTP page.

Reviewed the source code, which pointed to another directory.

Accessed the directory nibbleblog.

Further enumerated port 80 using Nikto and Gobuster, which produced the following result.

According to Nikto and Gobuster, there was a hidden page called admin.php. Accessed that page.

This was the point where I ran out of ideas on how to log in, and also the point where you need a bit of out-of-the-box thinking. I used different methods to find the login details without any luck. As I was running out of ideas, I had to refer to a hint, where I found out that the username and password were admin:nibbles.

I managed to discover the version of Nibbleblog that I was dealing with.

Getting initial foothold

As I mentioned earlier, Nibbleblog is vulnerable to arbitrary file upload. It can be exploited as below.

Select Plugins > My image > Configure > upload a PHP reverse shell (the Pentestmonkey reverse shell is recommended). Once the upload completes, it throws a bunch of errors; ignore them. The upload process doesn't sanitize the input, hence PHP files can also be uploaded.

Once the PHP file was uploaded, I visited the following directory to trigger the shell, having made sure nc was listening.

I managed to obtain a reverse shell.

Privilege escalation

Running sudo -l confirmed that the nibbler user can run the following with sudo.

There was a zipped folder named personal in nibbler's home directory. Unzipped that folder.

There was a bash script named monitor.sh which could be edited by nibbler.

monitor.sh was edited as below to get a reverse shell and run with sudo. Made sure nc was listening to catch the reverse shell.

Lessons learned

Nibbleblog was using default credentials, which allowed me to log in to the admin portal. Default credentials shouldn't be used; a strong password must be enforced. The Nibbleblog version running on this machine was 4.0.3, which was vulnerable to arbitrary file upload. There was a 4.0.5 version which may patch the issue, but no patches were available after 4.0.5 as Nibbleblog had already reached end of life. Therefore, the only option was to move to another blog platform.

The nibbler user had been given sudo permission to run a script which doesn't exist. The administrator should have conformed to the principle of least privilege and refrained from giving regular users the ability to run a script with root privileges.
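A defensive check for the sudo misconfiguration described above, added here as an example and not part of this writeup or the box: it parses a sudoers-style entry (a simplified parser that assumes only the `user host=(runas) TAG: cmd, cmd` shape) and reports any command whose file, or whose parent directory, the granted user could write, since either lets that user change what root ends up executing. The entry and scripts in `demo()` are constructed in a temporary directory and are not the machine's real paths.

```python
import os
import re
import shutil
import stat
import tempfile

def commands_in_entry(entry):
    """Extract command paths from a sudoers user specification line (simplified parser)."""
    _, _, spec = entry.partition("=")
    spec = re.sub(r"\([^)]*\)", "", spec)       # drop the (runas) list
    spec = re.sub(r"\b[A-Z]+:\s*", "", spec)     # drop tags such as NOPASSWD:
    items = [i.strip() for i in spec.split(",")]
    return [i.split()[0] for i in items if i and i != "ALL"]   # path only, no arguments

def _user_can_write(st, uid, gids):
    """Unix rule: owner bits if owner, else group bits if a member, else other bits."""
    bit = stat.S_IWUSR if st.st_uid == uid else stat.S_IWGRP if st.st_gid in gids else stat.S_IWOTH
    return bool(st.st_mode & bit)

def writable_target(path, uid, gids):
    """Why the user could change what root executes via this path, or None if it looks safe."""
    if _user_can_write(os.stat(path), uid, gids):
        return "file is writable by the user"
    parent = os.stat(os.path.dirname(path) or ".")
    if _user_can_write(parent, uid, gids) and (parent.st_uid == uid or not parent.st_mode & stat.S_ISVTX):
        return "parent directory is writable, so the file can be replaced"
    return None

def audit_entry(entry, uid, gids):
    """Map each command in the entry to a finding (None means no writable path was found)."""
    return {cmd: writable_target(cmd, uid, gids) for cmd in commands_in_entry(entry)}

def demo():
    """Constructed scenario (not the box's files): a writable script beside a locked-down one."""
    uid, gids = os.getuid(), set(os.getgroups()) | {os.getgid()}
    root = tempfile.mkdtemp()
    bad, good = os.path.join(root, "monitor.sh"), os.path.join(root, "locked.sh")
    try:
        for path, mode in ((bad, 0o755), (good, 0o555)):
            with open(path, "w") as fh:
                fh.write("#!/bin/bash\necho monitoring\n")
            os.chmod(path, mode)
        os.chmod(root, 0o555)                    # the parent must not be writable either
        findings = audit_entry(f"nibbler ALL=(root) NOPASSWD: {bad}, {good}", uid, gids)
        return findings[bad] is not None, findings[good] is None
    finally:
        os.chmod(root, 0o700)
        shutil.rmtree(root)
```

Running `demo()` returns `(True, True)`: the 0755 script is flagged and the 0555 script in a non-writable directory is not.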

12 boxes are done!
