Hack the Box Writeup - Nibbles

Today's writeup is for the retired Hack the Box machine, Nibbles. It's a fairly simple machine, so this won't be a long post.

Enumeration

As always, we begin with our nmap scan.

$ nmap -sC -sV -p- -oA nmap/scan 10.10.10.75

[Image: nmap]

Only a couple of services here, SSH and HTTP.

Browsing to http://10.10.10.75 just shows us a simple "Hello world!" message, and not much else. A closer look at the page source, however, shows a comment pointing to a blog located at http://10.10.10.75/nibbleblog/

[Image: web-source]

A quick lookup in searchsploit shows us that there is an arbitrary file upload exploit for the blog in Metasploit. Reading its details shows that we need a username and password first.

So let's hit it with gobuster to see if we can find anything interesting.

$ gobuster -u http://10.10.10.75/nibbleblog -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -s 307,200,204,301,302,403 -x php -t 50

[Image: gobuster]

admin.php looks interesting, so let's take a look. Browsing there gives us a login page. Trying some simple username and password combinations results in a hit.

The username admin with a password of nibbles gets us access to the admin dashboard (and the credentials we need for our Metasploit exploit).

Exploit

So let's fill in what we need.

[Image: metasploit]

The exploit is successful and gives us a shell as the user, nibbler.

[Image: shell]

So now we have access to the user's home directory and the first flag. But we spot something else interesting in the home directory, a zip file named personal.zip.

Our curiosity piqued, let's unzip it and take a look.

It seems to contain a shell script, which we have write access to. Running a quick sudo -l also shows that we can run this shell script as root without a password. Pwnage time.

[Image: zip-file]

Privilege Escalation

Let's overwrite this script with something simple.

$ echo "#! /bin/bash" > monitor.sh
$ echo "su" >> monitor.sh

Then simply run it with sudo (using the full path, or you will get asked for a password).

$ sudo /home/nibbler/personal/stuff/monitor.sh

And done. That's it. We have root and access to the final flag.
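
The root cause of this escalation is a passwordless sudo rule pointing at a script that the unprivileged user can write to. As an added example (not part of the original writeup), here is a Python audit that pulls NOPASSWD command paths out of `sudo -l` output and reports any file or ancestor directory that a non-root user owns or can write. The sample output is constructed from the path used above, and the function names, `trusted_uids` and `stop` are assumptions of this example.

```python
import os
import re
import stat

# Constructed sample of `sudo -l` output, using the script path from this writeup.
SAMPLE_SUDO_L = """\
User nibbler may run the following commands on Nibbles:
    (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
"""

def nopasswd_commands(sudo_l_output):
    """Return the absolute command paths listed in NOPASSWD entries."""
    paths = []
    for line in sudo_l_output.splitlines():
        m = re.search(r"NOPASSWD:\s*(.+)$", line)
        if not m:
            continue
        for cmd in m.group(1).split(","):
            # First word starting with "/" is the command; skips tags and ALL.
            path = next((w for w in cmd.split() if w.startswith("/")), None)
            if path:
                paths.append(path)
    return paths

def replaceable_by(path, trusted_uids=(0,), stop="/"):
    """Return reasons a non-trusted user could replace `path`. Checks the file
    and every ancestor directory up to `stop` (hypothetical parameters of this
    example): whoever owns or can write one of them can swap in a new script."""
    findings, current, stop = [], os.path.abspath(path), os.path.abspath(stop)
    while True:
        try:
            st = os.lstat(current)
        except (FileNotFoundError, NotADirectoryError):
            findings.append(f"{current}: missing, creatable via its parent directory")
        else:
            if st.st_uid not in trusted_uids:
                findings.append(f"{current}: owned by uid {st.st_uid}")
            writable = st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)
            if writable and not stat.S_ISLNK(st.st_mode):
                findings.append(f"{current}: group/world-writable")
        if current in (stop, os.path.dirname(current)):
            break
        current = os.path.dirname(current)
    return findings

if __name__ == "__main__":
    for cmd in nopasswd_commands(SAMPLE_SUDO_L):
        print(cmd, replaceable_by(cmd) or "ok")
```

Any finding means the sudo rule effectively grants root to whoever controls that path; the fix is to point the rule at a root-owned script in a root-owned directory, or to remove the rule.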