HackTheBox: Nibbles [OSCP Prep]
- OS: Linux 🐧
- Difficulty: Easy 😇
- Release: 13 Jan 2018 📅
- IP: 10.10.10.75 💻
- Box Creator: mrb3n 😎
Hello there guys. Welcome to my 9th post on the TJnull OSCP Prep Series. Today we’re going to be discussing Nibbles from HackTheBox.
Let’s begin with a full Nmap port scan to see what open ports we can find. I’ve used Rustscan because it returns Nmap results faster:
$ rustscan -a 10.10.10.75 -r 1-65535 -- -sV -sC -Pn

PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
|   256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_  256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
80/tcp open  http    syn-ack Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.68 seconds
Nmap finds two open ports: SSH (22) and HTTP (80).
Looking at the page source, you will find an interesting comment specifying a web directory.
Going to http://10.10.10.75/nibbleblog/ we see the Nibbleblog CMS running.
Doing some directory busting, I found a README file containing the version of the Nibbleblog instance that is running.
I tried the default credentials for Nibbleblog, but they did not work, so I tried brute-forcing the admin credentials.
Found admin credentials => admin : nibbles
Searching for exploits for Nibbleblog v4.0.3 turns up an unrestricted file upload vulnerability. Have a look at this article on how to exploit it manually.
Activate the “my image” plugin by visiting the following URL:
Upload your file. In this case I’m uploading a PHP shell.
Now you should find the file you uploaded lying at this path: /nibbleblog/content/private/plugins/my_image/<upload-file-name>
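From the defender’s side, the upload directory above should only ever serve images, so any request for a script-like file under it is a clear signal. The following Python is an added example (not part of the original write-up) that scans Apache access-log lines for such requests; the log lines are constructed, and only the my_image path is taken from the box.

```python
import os
import re
from urllib.parse import unquote, urlparse

# Constructed sample Apache access-log lines (not taken from the box); the
# only real value in them is the my_image upload path the write-up points at.
SAMPLE_LOG = """\
10.10.14.5 - - [13/Jan/2018:22:55:01 +0000] "GET /nibbleblog/ HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
10.10.14.5 - - [13/Jan/2018:22:55:40 +0000] "GET /nibbleblog/content/private/plugins/my_image/image.png HTTP/1.1" 200 10433 "-" "Mozilla/5.0"
10.10.14.5 - - [13/Jan/2018:22:56:12 +0000] "GET /nibbleblog/content/private/plugins/my_image/image.php HTTP/1.1" 200 13 "-" "Mozilla/5.0"
10.10.14.5 - - [13/Jan/2018:22:56:13 +0000] "GET /nibbleblog/content/private/plugins/my_image/image.PHP?x=1 HTTP/1.1" 200 54 "-" "curl/7.58.0"
10.10.14.5 - - [13/Jan/2018:22:56:20 +0000] "GET /nibbleblog/content/private/plugins/my_image/image%2Ephtml HTTP/1.1" 404 275 "-" "curl/7.58.0"
10.10.14.5 - - [13/Jan/2018:22:57:02 +0000] "GET /nibbleblog/content/private/plugins/my_image/avatar.php.png HTTP/1.1" 200 62 "-" "Mozilla/5.0"
"""

# Apache "combined" format: client, ident, user, [timestamp], "request", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
UPLOAD_DIR = "/nibbleblog/content/private/plugins/my_image/"  # image-only directory
EXEC_EXT = {"php", "php3", "php4", "php5", "php7", "phtml", "phar"}

def is_executable_name(filename):
    """True if any extension segment is a PHP handler extension.
    Every segment is checked, not just the last one, because Apache's
    AddHandler matching treats a name like avatar.php.png as PHP as well."""
    return any(seg.lower() in EXEC_EXT for seg in filename.split(".")[1:])

def suspicious_requests(log_text):
    """Return (ip, timestamp, method, path, status) for every request that
    asks for a script-like file inside the upload directory."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        # Drop the query string and undo percent-encoding, as Apache does
        # before mapping the URL to a file on disk.
        path = unquote(urlparse(m["target"]).path)
        if path.startswith(UPLOAD_DIR) and is_executable_name(os.path.basename(path)):
            hits.append((m["ip"], m["ts"], m["method"], path, int(m["status"])))
    return hits

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```

A 404 hit still matters: it shows someone probing for a script in the directory even though that particular upload is not there.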
When it comes to privilege escalation, my first go-to is to look for kernel exploits for easy wins. Here’s the output of linux-exploit-suggester:
You can find the exploit here. Compile it:
gcc cve-2017-16995.c -o cve-2017-16995
Move the compiled executable to the target and execute it.
Instant root access.
I hope you have learned something valuable by reading my write-up. If you like this post please share it with your fellow hackermates and if you have any questions & suggestions please feel free to post them down in the comments. I’d love to hear and learn from you.
If you enjoyed this write-up show me some ❤️ by giving me some respect 💯 at [email protected] which helps & motivates me to create content like this for the awesome hacking community. Have a great day guys 👋. See you in the next post.