Hack The Box

HackTheBox “Nibbles” Walkthrough

Nibbles is a beginner-friendly Linux machine on the Hack The Box platform. The exploit path involves exploiting an arbitrary file upload vulnerability in the My Image plugin of the Nibbleblog web application. This…

HackTheBox “Nibbles” Walkthrough, figure 1

Nibbles is a beginner-friendly Linux machine on the Hack The Box platform. The exploit path involves exploiting an arbitrary file upload vulnerability in the My Image plugin of the Nibbleblog web application. This vulnerability can be used to upload a reverse shell, which gives the attacker a command-line interface on the target machine. Once the attacker has a reverse shell, they can escalate their privileges to root by exploiting a script with sudo permissions.

Let’s get started!🚀

Recon & Enumeration

Let’s use nmap to scan for open ports and services:

HackTheBox “Nibbles” Walkthrough, figure 2

The web page returns a “hello world” message:

HackTheBox “Nibbles” Walkthrough, figure 3

However, checking the source code provides a clue as to where to go next.

HackTheBox “Nibbles” Walkthrough, figure 4

A blank instance of the Nibbleblog blogging software is available at the /nibbleblog/ path.

HackTheBox “Nibbles” Walkthrough, figure 5

Let’s run a Dirsearch tool scan to see what other pages are available.

HackTheBox “Nibbles” Walkthrough, figure 6

Try at /nibbleblog/

HackTheBox “Nibbles” Walkthrough, figure 7

The /nibbleblog/content path is interesting, as it has directory listings enabled. This means that we can see the contents of the directory without having to login or authenticate.

HackTheBox “Nibbles” Walkthrough, figure 8

Continuing our exploration, we find a page at /nibbleblog/content/private/user.xml which reveals a user named admin.

HackTheBox “Nibbles” Walkthrough, figure 9

And below is the content of the users.xml file

HackTheBox “Nibbles” Walkthrough, figure 10

The Dirsearch tool scan also revealed a path /admin.php, which presents a login page.

HackTheBox “Nibbles” Walkthrough, figure 11

Nibbleblog does not have a default password. Fortunately, the guess of nibbles worked, and we were able to log in.

HackTheBox “Nibbles” Walkthrough, figure 12

The Dirsearch tool scan also revealed a README directory, which provides us with the version of Nibbleblog that is running on the target.

HackTheBox “Nibbles” Walkthrough, figure 13

Let’s conduct some research on this.

HackTheBox “Nibbles” Walkthrough, figure 14

Exploitation:

The nibbleblog version 4.0.3 has a vulnerability known as CVE-2015–6967. This vulnerability allows authenticated users to upload arbitrary files, which can result in the execution of malicious code. Exploiting this vulnerability can be done either using a Metasploit module or manually, as it is relatively straightforward.

W/ Metasploit:

Based on Google research, let use Metasploit module below

HackTheBox “Nibbles” Walkthrough, figure 15

We’ll use multi/http/nibbleblog_file_upload and set the required options

HackTheBox “Nibbles” Walkthrough, figure 16

Run

HackTheBox “Nibbles” Walkthrough, figure 17

W/O Metasploit:

Back to the /admin.php page.

HackTheBox “Nibbles” Walkthrough, figure 18

Upon exploring the page tabs, it becomes apparent that we can perform an image file upload by navigating to the “Plugins” tab and subsequently accessing the “My images” directory.

HackTheBox “Nibbles” Walkthrough, figure 19

After conducting a search for a reverse shell payload that can be uploaded as an image file, we get the payload here:

HackTheBox “Nibbles” Walkthrough, figure 20

Download it to our attack box.

HackTheBox “Nibbles” Walkthrough, figure 21

Upon reviewing the payload, we need to modify the payload by replacing the IP address and port with the corresponding values of our attack box. We have made these changes as shown in the screenshot below and renamed the payload as “photo.php”.

HackTheBox “Nibbles” Walkthrough, figure 22

Upload it to the target.

HackTheBox “Nibbles” Walkthrough, figure 23

To confirm the successful upload, we conducted directory busting and identified the “/nibbleblog/content/private” directory.

HackTheBox “Nibbles” Walkthrough, figure 24

This location appears to be the designated area for uploaded images. Upon inspection, we discovered that there is only one file named “image.php” with a recent modification date.

HackTheBox “Nibbles” Walkthrough, figure 25

Run a listener on our attack box.

HackTheBox “Nibbles” Walkthrough, figure 26

After triggering the image.php file, we get a shell back to our listener.

HackTheBox “Nibbles” Walkthrough, figure 27

After surfing through the machine, we can see that we have limited access rights. Trying to escalate our privileges, we can see that we can run the script below as sudo with nopassword.

HackTheBox “Nibbles” Walkthrough, figure 28

Check the script.

HackTheBox “Nibbles” Walkthrough, figure 29

We needed to unzip personal.zip foler.

HackTheBox “Nibbles” Walkthrough, figure 30

Check the content of the script.

HackTheBox “Nibbles” Walkthrough, figure 31

let’s tail the “monitor.sh” bash script with a reverse shell command to our attack box.

HackTheBox “Nibbles” Walkthrough, figure 32

Run a listener accordingly on our attack box.

HackTheBox “Nibbles” Walkthrough, figure 33

Run the script in sudo.

HackTheBox “Nibbles” Walkthrough, figure 34

And we get back a root shell.

HackTheBox “Nibbles” Walkthrough, figure 35

Cheers.