HackTheBox: Nibbles is an easy 20 point machine on HTB which mostly involved exploiting a web server. I found this machine quite fun and it is one of my favourite HTB machines because of the methods used to exploit it.
1.1 - Scanning
I first started by doing a port scan of Irked (10.10.10.75).
The target is only running SSH and HTTP, which suggests that the initial point of entry is the web server.
1.2 - Web server enumeration
Firstly, as always, Dirb and Nikto are executed in the background. However, they did not reveal anything. When opening the website in the browser, a blank page with "Hello world" is found. A look at the source code gives us a CTF-style hint:
1.3 - Nibbleblog enumeration
Using searchsploit to find possible Nibbleblog exploits:
A SQLi and a file upload exploit are found. However, the version of Nibbleblog has not been enumerated yet, so the exploits may not work. Research is conducted to find out what Nibbleblog is. An open source CMS GitHub repo is found from some research:
When browsing through the CMS file system, an interesting file called 98-constants.bit is found. This file displays the version of the CMS. When attempting to find the file on the target, the file is found with a version!
Possible exploit: File upload (found via searchsploit)
Exploit information found: File upload manual exploitation
The exploit found uploads a file; the extension of the uploaded file is not checked, so it can be uploaded and used to get RCE. However, it requires credentials to log in.
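To show the flaw class the exploit relies on from the defender's side, here is an added example (constructed for this page, not Nibbleblog's own code) of a weak upload check beside a hardened one that allowlists image extensions, rejects double extensions and path components, and confirms the content by its magic bytes:

```python
"""Upload validation for a CMS image uploader (hypothetical, not Nibbleblog code)."""
import os
import re

# Extensions the uploader is meant to accept, and the magic bytes each must carry.
ALLOWED_EXT = {"png", "jpg", "jpeg", "gif"}
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}


def weak_accepts(filename: str, data: bytes) -> bool:
    """The flaw class described above: the name is taken as given and never inspected."""
    return bool(filename) and bool(data)


def sniff_image(data: bytes):
    """Return the image type implied by the leading bytes, or None if not an image."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def hardened_accepts(filename: str, data: bytes) -> bool:
    """Allowlist the extension, forbid double extensions, and require matching magic bytes."""
    base = os.path.basename(filename)  # drop any directory components the client sent
    parts = base.lower().split(".")
    # Exactly one dot: 'pic.png' is fine, 'pic.php.png' and 'pic' are not.
    if len(parts) != 2 or not re.fullmatch(r"[a-z0-9_-]+", parts[0]):
        return False
    ext = parts[1]
    if ext not in ALLOWED_EXT:
        return False
    kind = sniff_image(data)
    if kind is None:
        return False
    # The claimed extension must agree with what the bytes actually are.
    return kind == ("jpg" if ext == "jpeg" else ext)
```

Storing the accepted file under a server-generated name, outside any directory the web server will execute, closes the remaining gap that extension checks alone leave open.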
1.4 - Credentials Enumeration
A web page of update.php is found which shows hidden
When browsing both files, an email / username is found in the config.xml file which could be used to guess the password. The <notification_email_to> tag contains firstname.lastname@example.org. This suggests that one of the usernames is admin. Using these credentials, attempts were made to log in to the server. After some attempts with guesses, login was successful!
2.1 - Exploitation
The exploit can now be used to get RCE. The exploit says to visit the URL:
Before running the exploit, a shell is generated and a Metasploit multi handler is set up:
2.2 - Exploitation file upload
The shell is then uploaded via the My Image page:
The shell has been uploaded and a multi handler is waiting for the shell connection. Some enumeration is done to find the shell; the /private folder found on /update.php contains file paths to the
A reverse shell is now open! The user.txt can be retrieved.
3.1 - Post Exploitation
I first started by enumerating the kernel and OS information:
Searchsploit found a vulnerability for the kernel:
The exploit is then downloaded and can be tested on the target to attempt to get root.
3.2 - Executing the exploit
wget is used to download the exploit to the /tmp directory and then the exploit is executed:
Root access gained!