[Write-up] Nibbles Machine on HackTheBox

[Image: Nibbles machine card]
Hi everybody,

This is the 4th post in my HackTheBox write-up series. Today I will talk about the Nibbles machine, which is a very, very easy machine. Even though it is easy, people usually make the most mistakes on the simple points, or get stuck there. Anyway, let’s pwn this machine.

Initial Enumeration

nmapAutomator.sh <MACHINE-IP> Full

[Screenshot: nmap output]

Just two ports are open: 80 (HTTP, Apache 2.4.18) and 22 (SSH, OpenSSH 7.2p2).

When we visit the web site in a browser, a “Hello world” message welcomes us. Since the machine is easy, the first thing to do is inspect the page source; there is probably a tip in there :)

We can see the following comment in the page source; it names a directory.

<!-- /nibbleblog/ directory. Nothing interesting here! -->

[Screenshot: page source with the /nibbleblog/ comment]

It directs us to a blog site. The footer holds an important piece of information: the site is powered by Nibbleblog, a CMS like WordPress, Joomla etc. The Nibbleblog version may also guide us. Let’s move on to directory scanning for more enumeration.

[Screenshot: Nibbleblog front page]

Directory Scanning

gobuster dir -w <WORD-LIST> -u 10.10.10.75/nibbleblog -t 50

[Screenshot: gobuster results]

The README and admin entries are worth a closer look. Visiting both, the README contains the Nibbleblog version and admin is a login page.

The README page starts with the following information:

====== Nibbleblog ======
Version: v4.0.3
Codename: Coffee
Release date: 2014-04-01

The admin page is a login form:

[Screenshot: Nibbleblog admin login page]

Googling the software name and version turns up this exploit, an arbitrary file upload that gives a shell. This is what we are looking for :)

To use this exploit we need the admin credentials, and the “My image” plugin must be present in Nibbleblog.

Reverse Shell and Getting User Flag

As I said at the beginning, the machine is easy. To find the admin credentials, I tried the following username and password pairs.

  • admin - password
  • admin - admin
  • nibbles - nibbles
  • admin - nibbles (the correct credentials)

To get a reverse shell, take the PHP reverse shell from pentestmonkey and upload it through the My image plugin as image.php.

[Screenshot: My image plugin upload form]

Visit the following URL to trigger the reverse shell.

http://10.10.10.75/nibbleblog/content/private/plugins/my_image/image.php
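The reason this works is that the plugin stores whatever it is given inside a directory the web server will happily execute PHP from. As an added defensive example (not code from the original write-up or from Nibbleblog), the following Python script audits a web-served image directory such as a plugin's upload folder and flags anything that is not a plain image: a script extension, missing image magic bytes, or PHP code appended to an otherwise genuine image. The directory and its file contents are constructed inline for the demonstration.

```python
"""Flag non-image content in a web-served image upload directory.

Added example, not code from the original write-up or from Nibbleblog.
The sample directory and its files are constructed inline.
"""
import os
import tempfile

# Magic bytes for the image formats an image-upload plugin should accept.
IMAGE_MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
# Extensions a typical Apache + mod_php setup hands to the PHP interpreter.
SCRIPT_EXTENSIONS = {".php", ".php3", ".php5", ".phtml", ".phar"}
# Byte patterns that have no business inside an image. The 3-byte short tag
# "<?=" is left out on purpose: it collides with random binary data too often.
SCRIPT_MARKERS = (b"<?php", b"#!/bin")
MAX_BYTES = 8 * 1024 * 1024  # read at most 8 MiB per file


def classify_file(path):
    """Return sorted reasons why `path` is suspicious; empty if it looks like a plain image."""
    reasons = set()
    if os.path.splitext(path)[1].lower() in SCRIPT_EXTENSIONS:
        reasons.add("script extension")
    with open(path, "rb") as fh:
        data = fh.read(MAX_BYTES)
    if not any(data.startswith(magic) for magic in IMAGE_MAGIC):
        reasons.add("no image magic bytes")
    if any(marker in data for marker in SCRIPT_MARKERS):
        # Catches bare scripts and polyglots alike: a real image with code appended.
        reasons.add("embedded script code")
    return sorted(reasons)


def scan_upload_dir(root):
    """Walk `root`; return {relative_path: reasons} for every file with a finding."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            reasons = classify_file(full)
            if reasons:
                findings[os.path.relpath(full, root)] = reasons
    return findings


def build_sample_dir():
    """Constructed upload directory: one clean image and two files that should never be there."""
    root = tempfile.mkdtemp(prefix="my_image_")
    samples = {
        # Clean: PNG signature followed by filler bytes.
        "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 64,
        # Bad: a PHP script uploaded where only images belong.
        "image.php": b"<?php echo 'not an image'; ?>",
        # Bad: JPEG header with PHP appended, so extension and magic both look fine.
        "banner.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32 + b"<?php echo 'appended'; ?>",
    }
    for name, content in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    sample = build_sample_dir()
    for rel, why in sorted(scan_upload_dir(sample).items()):
        print(f"{rel}: {', '.join(why)}")
```

Running it prints findings for image.php and banner.jpg only. Scanning after the fact is a detective control; the fix that removes the class of problem is to never let the web server run scripts out of the upload directory (for example `php_admin_flag engine off` in an Apache `<Directory>` block for it, or serving uploads from a separate static host) and to validate uploads server-side the same way this script does.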

User flag

[Screenshot: user flag]

Privilege Escalation - Root Flag

We check what can be run with sudo using the sudo -l command. The nibbler user can run “monitor.sh” as root.

[Screenshot: sudo -l output]

We place the following script at the path listed by sudo -l, as monitor.sh, and run it with sudo to get root.

#!/bin/sh
bash

We are root!
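What made this trivial is that the sudo rule pointed at a script sitting in a path the nibbler user could write to, so the rule handed root to anyone able to edit that path. As an added defensive example (not code from the original write-up), the following Python audit parses `sudo -l` style output and walks each granted command path, reporting every file or parent directory the invoking user can write; a writable parent counts, because the script can then be replaced or the directory renamed. The `sudo -l` text and the directory tree are constructed inline, and the `trusted_root` parameter is an assumption of this example so the constructed tree can be checked in isolation.

```python
"""Audit `sudo -l` rules for command paths the invoking user could replace.

Added example, not code from the original write-up. The `sudo -l` output and
the directory tree are constructed inline; `parse_sudo_l` understands only
single-command lines of the form "(runas) [TAG:] /absolute/path [args]".
"""
import os
import re
import stat
import tempfile

# "    (root) NOPASSWD: /home/user/scripts/monitor.sh" -> runas="root", cmd="/home/user/scripts/monitor.sh"
SUDO_RULE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>/\S*)")


def parse_sudo_l(text):
    """Return the absolute command paths granted by the rule lines in `sudo -l` output."""
    return [m.group("cmd") for m in (SUDO_RULE.match(line) for line in text.splitlines()) if m]


def component_writable(path, uid, gids):
    """True if uid (or one of its gids) can write `path` according to owner and mode bits.

    POSIX ACLs and the sticky bit on directories are deliberately not modelled.
    """
    st = os.stat(path)
    if st.st_uid == uid and st.st_mode & stat.S_IWUSR:
        return True
    if st.st_gid in gids and st.st_mode & stat.S_IWGRP:
        return True
    return bool(st.st_mode & stat.S_IWOTH)


def hijackable_components(cmd_path, uid, gids, trusted_root=os.sep):
    """Return the components of `cmd_path` below `trusted_root` that uid can write.

    A writable ancestor is as bad as a writable script: the user can replace the file
    or rename the directory. A missing file in a writable directory is reported too.
    An empty list means nothing on the way to the command is under the user's control.
    """
    path = os.path.abspath(cmd_path)
    base = os.path.abspath(trusted_root)
    rel = os.path.relpath(path, base)
    if rel.startswith(os.pardir):
        raise ValueError(f"{cmd_path} is not below {trusted_root}")
    hits, current = [], base
    for part in rel.split(os.sep):
        current = os.path.join(current, part)
        if not os.path.lexists(current):
            hits.append(current + " (missing)")
            break
        if component_writable(current, uid, gids):
            hits.append(current)
    return hits


def audit_sudo_rules(sudo_l_text, uid, gids, trusted_root=os.sep):
    """Map each granted command path to the writable components found along it."""
    return {cmd: hijackable_components(cmd, uid, gids, trusted_root) for cmd in parse_sudo_l(sudo_l_text)}


def current_identity():
    """(uid, set of gids) of the process running the audit."""
    return os.getuid(), set(os.getgroups()) | {os.getgid()}


def build_sample_tree():
    """Constructed tree: home/user/scripts is world-writable, the script itself is not.

    Returns (root, script_path). Mirrors the write-up's misconfiguration: a sudo rule
    pointing at a script that lives under a directory the invoking user controls.
    """
    root = tempfile.mkdtemp(prefix="sudo_audit_")
    scripts = os.path.join(root, "home", "user", "scripts")
    os.makedirs(scripts)
    os.chmod(os.path.join(root, "home"), 0o755)
    os.chmod(os.path.join(root, "home", "user"), 0o755)
    os.chmod(scripts, 0o777)
    script = os.path.join(scripts, "monitor.sh")
    with open(script, "w") as fh:
        fh.write("#!/bin/sh\necho monitoring\n")
    os.chmod(script, 0o755)
    return root, script


def sample_sudo_l(script):
    """Constructed `sudo -l` output granting the sample script as root without a password."""
    return (
        "Matching Defaults entries for user on this host:\n"
        "    env_reset, mail_badpass\n\n"
        "User user may run the following commands on this host:\n"
        f"    (root) NOPASSWD: {script}\n"
    )


if __name__ == "__main__":
    root, script = build_sample_tree()
    text = sample_sudo_l(script)
    # Seen as an unrelated user, only the world-writable directory is reported.
    print("unrelated user:", audit_sudo_rules(text, 60001, {60001}, trusted_root=root))
    # Seen as the owner of the tree, every component is writable: the rule is worthless.
    print("tree owner:    ", audit_sudo_rules(text, *current_identity(), trusted_root=root))
```

The second run is the Nibbles situation: the user owns every directory on the way to monitor.sh, so the check on the script file alone would have been meaningless. The mitigation is the mirror image of the finding: sudo targets should be root-owned files in root-owned directories (or better, a dedicated wrapper under /usr/local/sbin), and this audit belongs in a configuration-compliance check rather than in a one-off review.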

[Screenshot: root shell and root flag]