Nibbles
A beginner's impression on my very first machine
Thu Jan 12 13:21:10 -03 2023: that was my very first machine. What a challenge! Even following a step-by-step tutorial I spent almost 2 hours working my head off in some roadblocks, and trying to understand every single command. I recorded my screen the entire process but I removed some parts to make it smaller. I'm going to a trip to NYC tomorrow, for the NRF 2023 event, and as soon as I get back I will record a video in portuguese commenting my beginner experience on that machine.
Since that was my first machine, I didn't bother to create a throughout documentation, use Termux or anything like that, I focused my attention on the execution, understanding the process and the commands, even when using payloads.
I decided to use my own machine so I made a fresh Kali installation on Virtual Box and right on I got my first roadblock: the VPN was working fine, I got the IP address, I can ping external addresses like 8.8.8.8, but I can't ping the target machine. First I thought the machine could be blocking ICMP, but my nmap was also failing, which now clearly indicates a routing issue (or a lack of route). Long story short, I was using the wrong VPN profile π, I downloaded the "Starting Point" profile wheres I should have had used "Machines" profile. I made the changes and BOOM, it worked. NOW, let's get started.
I was following the "Getting Started" module, "Attacking Your First Box" section at Hack The Box Academy, which is a separate product from the original Hack The Box platform, with a different access account and subscription. According to HTB, Nibbles, is an easy-rated Linux box, (well, definitely not for me), that showcases common enumeration tactics, basic web application exploitation, and a file-related misconfiguration to escalate privileges.
First Step: Enumeration
Our first step when approaching any machine is to perform some basic enumeration, but we have to define what we know and what we don't know yet, which can be tricky. We know for sure the target's IP address, that it is Linux, and has a web-related attack vector.
IP address: 10.129.20.101 OS: Linux Attack vector: web
I started with nmap -sV 10.129.20.101
I know, it is essential to get in the habit of taking extensive notes and saving all console output early on, so you should use -oA flag to include all outputs (XML output, greppable output, and text output), for documentation purposes, but as I said, my focus was on the process and execution, ergo, I will refrain to repeat it moving on the next steps.
From the initial scan output, we can see that the host is likely Ubuntu Linux and exposes an Apache web server on port 80 and an OpenSSH server on port 22.
Common sense says "well, navigate to that page", but I tried to use curl instead: browsing/"CEEurl" to the target shows us a simple "Hello world!" message, but the body/source code of the page reveals an interesting comment:
Before moving on I tried whatweb to try to identify the web application in use:
This tool does not identify any standard web technologies in use.
But now we have a directory to work on, /nibbleblog/ and checking that with the same tool I learned my first lesson: we need to understand a bit of programming at least to know how a web application works.
We can see some of the technologies in use such as HTML5, jQuery, and PHP. We can also see that the site is running Nibbleblog, which I have no clue that was a open source program. A free blogging engine built using PHP. If you Google for it you're going to notice very quickly that there's an available exploit for a particular version, without even bothering to look specifically for it using tools like searchsploit or navigating to exploit-db for example.
A quick Google search for "nibbleblog exploit" yields this Nibblblog File Upload Vulnerability. The flaw allows an authenticated attacker to upload and execute arbitrary PHP code on the underlying web server. The Metasploit module in question works for version 4.0.3. We do not know the exact version of Nibbleblog in use yet, but it is a good bet that it is vulnerable to this. If we look at the source code of the Metasploit module, we can see that the exploit uses user-supplied credentials to authenticate the admin portal at /admin.php.
So there's a /admin.php page? Yes there is. Another tool I used here was gobuster, but only after another roadblock which was to install it on my fresh Kali which didn't have Go installed, lol. After a couple of minutes I manage to make it work (disconsider the timestamps, I executed the commands again to make this report):
Gobuster finishes very quickly and confirms the presence of the admin.php page. From now on we can check all pages for interesting information, such as the version number, hidden data, usernames/password, etc. I'm pretty sure I could some sort of web scrapping technique, but I did the manual approach and browsed every single page until I find something worth checking more in depth. Browsing to nibbleblog/themes/I can see that directory listing is enabled on the web application. Maybe I can find something interesting while poking around?
So I validated that version Nibbleblog v4.0.3 was in use in a README page, confirming that this version is likely vulnerable to the Metasploit module (though this could be an old README page). But I decided to park that path for now and continue with the manual approach, even because to use the exploit mentioned above, I will need valid admin credentials.
Going back to the admin page I tried a couple of common credential pairs manually, like admin:admin and admin:password, none worked.
Browsing to nibbleblog/content shows some interesting subdirectories public, private, and tmp. Digging around for a while, I found a users.xml file which at least seems to confirm the username is indeed admin. It also shows blacklisted IP addresses, so this might indicate some sort of protection against brute-force attacks? Dunno. We can request this file with cURL and prettify the XML output using xmllint.
I see two mentions of nibbles in the site title as well as the notification e-mail address. This is also the name of the box. Could this be the admin password?
Lucky guess, it was!
We need to make sure we have a top-notch game plan in place, one that we can rely on time and time again. Whether we're taking on a challenge on HTB, working with a client on a web app pen test, or going after a big Active Directory setup, we need to have our ducks in a row. And let me tell you, one of the keys to success in this line of work is all about being thorough and taking good notes. Trust me, as you gain more experience, you'll be amazed at how what seemed like a small and uninteresting task at first can turn into a goldmine of information and opportunities, just by digging deeper and keeping an eye out for those little details. So stay sharp and keep those notes handy, you never know when a high port or forgotten page might lead to a big win.
Exploitation
The admin paged has different menus like settings, publish, comments, manage... but plugins allows us to configure, install, or uninstall plugins. The My image plugin allows us to upload an image file. So maybe, if there's no input validation when it comes to file type, I could abuse that and upload to the server (that I know it runs PHP) some code?
I did some basic PHP search and attempted to upload a snippet of PHP code instead of an image by creating a file and using the following snippet to test for code execution:
Yes, that is basically saying to the server to run the id command, which will print real and effective user and group IDs.
I got a bunch of errors, but it seems like the file may have uploaded, how do I know it? Because the image.php file was in the folder and updated:
Let's execute it:
Nice! That's an RCE vulnerability right there my friends. Apache server is running in the nibbler user context. Let us modify our PHP file to obtain a reverse shell and start poking around the server (Some great ones are PayloadAllTheThings and HighOn,Coffee).
I used a bash command that I found within the PHP snippet:
And uploaded the file once again.
Opened a listener in another terminal:
And I all had to do was browse or curl to that page at http://nibbleblog/content/private/plugins/my_image/image.php to execute the reverse shell.
But the shell that I caught is not a fully interactive TTY and specific commands such as su will did not work, I could'nt use text editors, tab-completion , etc. This post explains the issue further as well as a variety of ways to upgrade to a fully interactive TTY.
I used a Python one-liner to spawn a pseudo-terminal:
But that was for python2, which was not installed on the server, what a bummer. What about Python3?
Success!
Browsing to /home/nibbler, I found the first flag: user.txt,as well as a zip file personal.zip which I unzip and found a monitor.sh a monitor script within another folder called staff and it is owned by our nibbler user and writeable.
Post-Exploitation
With a simple sudo -L I found that we can execute the script file without password authentication with root privilege.
Being that we have full control over that file, if we append a reverse shell one-liner to the end of it, specifying a different port to listen to and execute with sudo, we should get a reverse shell back as the root user:
It's crucial for us to pay attention to this file because it could be a way for us to gain more privileges. And when we add anything to the file, we always create a backup copy first to make sure we don't accidentally overwrite anything and cause problems. Taking a look at the monitor.sh file with cat, we'll be able to see all the added content at the end, and now we can execute it with sudo.
It is worth noting that here is where I spent most of the time, because two simply reasons:
1) I was executing sudo monitor.sh, which requires root password. 2) When I executed the command specifying the entire file path I got a couple of error messages (as you can see on the image below), and I though the command wasn't successful, completely disregarding the # sign on my nc listener on the other terminal which indicates root access.
That was the terminal I was supposed to be looking at! OMG...
From here, I could grab the root.txt flag and finally solving my very first box on HTB π.
Last updated
