Nibbles — Hack The Box [Write-up]

5 min readJan 24, 2021

Introduction:

Nibbles is a fairly simple machine, however with the inclusion of a login blacklist, it is a fair bit more challenging to find valid credentials. Luckily, a username can be enumerated and guessing the correct password does not take long for most.

Skills Required:

Basic knowledge of Linux
Basic understanding of web enumeration techniques
Basic knowledge of Metasploit usage

Skills Learned:

Enumerating web applications
Guessing probable passwords
Exploiting NOPASSWD

Used Tools:

Nmap
Gobuster
Searchsploit
Metasploit
Unzip

1. SCANNING & ENUMERATION

I will start with nmap and the -A parameter to enable OS detection, version detection, script scanning, and traceroute and append the output to tee command which save the in a file named “nmap” and also show the output on the screen.

As seen there are 2 open ports, Port 20 for an SSH service and Port 80 for HTTP service, Let’s check the HTTP first…

This looks empty… Let’s check the page source

Simply it contain the header for the hello world title and a comment down inform us to go to /nibbleblog/ as there is nothing here in this page, and here we go

After a lot of navigating through the website I found nothing every thing returns me to this home page .

So I google about nibbleblog and fount it is a powerful engine for creating blogs using PHP.

Let’s enumerate the directories using gobuster:

Of course the enumeration of the previous http://10.10.10.75/ gives nothing important, but as expected the http://10.10.10.75/nibbleblog/ gives us some promising directories as nibbleblog/admin.php and nibbleblog/README, so let’s check the README page…

It contain a description for the site and some installation guide which we won’t use bit it gaves us its version. Let’s check the nibbleblog/admin.php

After a quick google didn’t bring up a set of default credentials, I tried alot of default password with the username admin but it ended up being blacklisted by the application…

After waiting around a minute we’re taken off the blacklist and can access the login page once again. The general rule of thumb here is to think like a lazy sysadmin. After a few attempts I ended up finding the credentials admin:nibbles .

2. EXPLOITATION

During i was stuck in the admin panel i searched for the Nibbleblog in the searchsploit for a public exploit:

I found an exploit (38489) with the exact version of our targeted nibbleblog as seen in the README file and the more interesting that it is supported by metasploit, The exploit: Nibbleblog contains a flaw that allows an authenticated remote attacker to execute arbitrary PHP code.

so let’s open metasploit and use it:

The exploit require a username and a password in it’s options so then i figured that we must have a username and password so i returned to the admin panel but now we have them so we will set the options and exploit it.

And the exploit succeeded, Now we have a meterpreter session

So let’s go to the / directory and then to the home directory where we will find a user file called nibbler, go through it we will find user.txt and BOOOOOOOOOOM !!! Now we had a user flag :D

3. PRIVILEGE ESCALATION

There are a lot of commands that couldn’t be done using the meterpreter shell so we can escape this by typing “shell” in the meterpreter shell… and then upgrade our shell using

python -c ‘import pty;pty.spawn(“/bin/bash”)’

but it gives an error: python not found , Let’s try python3…

python3 -c ‘import pty;pty.spawn(“/bin/bash”)’

and it works well, Now let’s list the user’s privileges using:

sudo -l

Here we go, our user (nibbler) can execute the bash script monitor.sh with root privileges, let’s check it…

Monitor.sh is in personal but it is zipped in the nibbler directory so we have to unzip it with the unzip tool

unzip personal.zip

Now we have 2 options:

We append a reverse shell in the bash script so when it is executed as root the reverse shell will connect us as root
We overwrite the monitor.sh file with the reverse shell

I will use the second one as it’s faster and easier…