Today's writeup is for retired Hack the Box machine, Nibbles. A fairly simple machine so this won't be a long post.
As always, we begin with our nmap scan.
$ nmap -sC -sV -p- -oA nmap/scan 10.10.10.75
Only a couple of services here, ssh and http.
Browsing to http://10.10.10.75 just shows us a simple "Hello world!" message, and not much else. Taking a closer look at the page source, however, reveals a comment pointing to a blog located at http://10.10.10.75/nibbleblog/
A quick lookup in searchsploit shows us that there is an arbitrary file upload exploit for the blog in metasploit. Reading the details of it shows that we need a username and password first.
So let's hit it with gobuster to see if we can find anything interesting.
$ gobuster -u http://10.10.10.75/nibbleblog -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -s 307,200,204,301,302,403 -x php -t 50
admin.php looks interesting, so let's take a look. Browsing there gives us a login page. Trying some simple username and password combinations results in a hit.
admin with a password of nibbles gets us access to the admin dashboard (and the credentials we need for our metasploit exploit).
So let's fill in what we need.
The exploit is successful and gives us a shell as the user, nibbler.
So now we have access to the user's home directory and the first flag. But we spot something else interesting in the home directory, a zip file named
Our curiosity piqued, let's unzip it and take a look.
It seems to contain a shell script, which we have write access to. Running a quick sudo -l also shows that we can run this shell script as root without a password. Pwnage time.
Let's overwrite this script with something simple.
$ echo "#! /bin/bash" > monitor.sh
$ echo "su" >> monitor.sh
Then simply run it as sudo (using the full path, or you will be asked for a password).
$ sudo /home/nibbler/personal/stuff/monitor.sh
And done. That's it. We have root and access to the final flag.
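The root step works only because a NOPASSWD sudo rule points at a script the unprivileged user can rewrite. As an added example (not part of the original writeup), this small audit parses sudoers-style rules and flags any command target that is not root-owned or is group/world writable; the sample rule, the FileInfo values and fake_fileinfo are constructed for the demo.

```python
import os
import re
import stat
from collections import namedtuple

# Matches rules such as: nibbler ALL=(root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
RULE_RE = re.compile(r"^(\S+)\s+\S+=\([^)]*\)\s*((?:[A-Z]+:\s*)*)(.+)$")
FileInfo = namedtuple("FileInfo", "mode uid")  # permission bits and owner uid

def parse_rules(sudoers_text):
    """Return (user, nopasswd, [command paths]) for each command rule."""
    rules = []
    for line in sudoers_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        if m := RULE_RE.match(line):
            user, tags, cmds = m.groups()
            paths = [c.strip().split()[0] for c in cmds.split(",") if c.strip()]
            rules.append((user, "NOPASSWD:" in tags, paths))
    return rules

def target_is_modifiable(info):
    """A root-run target is unsafe if not root-owned or group/world writable."""
    return info.uid != 0 or bool(info.mode & (stat.S_IWGRP | stat.S_IWOTH))

def os_fileinfo(path):  # real lookup for auditing a live host
    st = os.stat(path)
    return FileInfo(stat.S_IMODE(st.st_mode), st.st_uid)

def audit(sudoers_text, fileinfo=os_fileinfo):
    """Return (user, path, reason) for each rule whose target the user could rewrite."""
    findings = []
    for user, nopasswd, paths in parse_rules(sudoers_text):
        for path in paths:
            if target_is_modifiable(fileinfo(path)):
                reason = "target writable by a non-root user" + (" (NOPASSWD)" if nopasswd else "")
                findings.append((user, path, reason))
    return findings

# Constructed sample: the Nibbles-style rule beside a sane, root-owned one.
SAMPLE_SUDOERS = ("Defaults env_reset\n"
                  "nibbler ALL=(root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh\n"
                  "backup ALL=(root) /usr/bin/rsync\n")
FAKE_FS = {"/home/nibbler/personal/stuff/monitor.sh": FileInfo(0o775, 1001),
           "/usr/bin/rsync": FileInfo(0o755, 0)}

def fake_fileinfo(path):  # stands in for os.stat so the demo runs offline
    return FAKE_FS[path]
```

On a live host, call audit() with the contents of /etc/sudoers (and /etc/sudoers.d/*) and the default os_fileinfo; the fix for any finding is to make the target root-owned and non-writable, or drop the rule.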