Home Nibbles
Post
Cancel

Nibbles

Posted Dec 31, 2023 Updated Jan 1, 2024
By Gr4y
4 min read

Overview: Nibbles is an easy rated HTB machine that exploit a shell upload vulnerability on the Nibbleblog server in order to gain compromised access.

HTB: Nibbles

  • So we start by scanning for open ports as well as the services running on those open ports
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73

┌──(kali㉿kali)-[~/HTB/Nibbles]
└─$ sudo masscan -p1-65535 10.10.10.75 --rate=1000 -e tun0 > ports
[sudo] password for kali: 
Starting masscan 1.3.2 (http://bit.ly/14GZzcT) at 2023-11-12 11:35:07 GMT
Initiating SYN Stealth Scan
Scanning 1 hosts [65535 ports/host]
                                                                                                                                                                       
┌──(kali㉿kali)-[~/HTB/Nibbles]
└─$ cat ports 
Discovered open port 80/tcp on 10.10.10.75                                     
Discovered open port 22/tcp on 10.10.10.75                                     
                                                                                                                                                                       
┌──(kali㉿kali)-[~/HTB/Nibbles]
└─$ ports=$(cat ports | awk -F " " '{print $4}' | awk -F "/" '{print $1}' | sort -n | tr '\n' ',' | sed 's/,$//')
                                                                                                                                                                       
┌──(kali㉿kali)-[~/HTB/Nibbles]
└─$ nmap -sV -sC -p$ports -oA nmap/nibbles_ports 10.10.10.75 -v
Starting Nmap 7.94 ( https://nmap.org ) at 2023-11-12 06:38 EST
NSE: Loaded 156 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 06:38
Completed NSE at 06:38, 0.00s elapsed
Initiating NSE at 06:38
Completed NSE at 06:38, 0.00s elapsed
Initiating NSE at 06:38
Completed NSE at 06:38, 0.00s elapsed
Initiating Ping Scan at 06:38
Scanning 10.10.10.75 [2 ports]
Completed Ping Scan at 06:38, 0.17s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 06:38
Completed Parallel DNS resolution of 1 host. at 06:38, 0.03s elapsed
Initiating Connect Scan at 06:38
Scanning 10.10.10.75 [2 ports]
Discovered open port 80/tcp on 10.10.10.75
Discovered open port 22/tcp on 10.10.10.75
Completed Connect Scan at 06:38, 0.16s elapsed (2 total ports)
Initiating Service scan at 06:38
Scanning 2 services on 10.10.10.75
Completed Service scan at 06:39, 6.36s elapsed (2 services on 1 host)
NSE: Script scanning 10.10.10.75.
Initiating NSE at 06:39
Completed NSE at 06:39, 4.94s elapsed
Initiating NSE at 06:39
Completed NSE at 06:39, 0.71s elapsed
Initiating NSE at 06:39
Completed NSE at 06:39, 0.00s elapsed
Nmap scan report for 10.10.10.75
Host is up (0.16s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
|   256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_  256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

NSE: Script Post-scanning.
Initiating NSE at 06:39
Completed NSE at 06:39, 0.00s elapsed
Initiating NSE at 06:39
Completed NSE at 06:39, 0.00s elapsed
Initiating NSE at 06:39
Completed NSE at 06:39, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.66 seconds
  • So navigating to the web server, we’re presented with the below

  • Then inspecting the page, we can see a hint on where to go next

  • Navigating to the /nibbleblog directory, we can also see that the web server is runnign Nibbleblog

  • we also fuzz for sub directories for the nibbleblog direcotry using ffuf and we see a few
1

ffuf -w /usr/share/wordlists/seclists/SecLists-master/Discovery/Web-Content/directory-list-2.3-medium.txt:FUZZ -u http://10.10.10.75/nibbleblog/FUZZ -e .php,.txt

Explotiation

  • So searching for any Nibbleblog exploits, we are can see that there exists an Arbitrary File Upload vulnerability for version Nibblieblog 4.0.3

  • So trying nibbleblog credentials of admin and nibbles, after a number of guessing attempts we got access to the nibbleblog dashboard
Machine name always mean something

  • so we can upload a reverse shell manually like below

  • then execute the script at the /nibbleblog/content directory

  • and then we should have a shell in our nc listener

  • or we can utilize the nibbleblog_file_upload exploit in metasploit instead to get a shell

  • so we can view the user flag

  • we can also see that we have a zip archive, so we can unzip to view the contents and we see we have a script monitor.sh

Privilege Escalation

  • we can see what commands we can run as sudo and that is the monitor.sh file which we unzipped

  • since we have write access on the file, we can just do the following to append to the script
1

echo "su root" >> monitor.sh
  • if we cat the file, we can see the command has been appended

  • so we run the script using sudo and we can see we now have root access

  • we can also view the root flag now

nibbleblog
This post is licensed under CC BY 4.0 by the author.
Recently Updated
Contents