Hack the Box: Nibbles CTF writeup
Malarum, October 5, 2024 / October 6, 2024

The machine can be found here: https://app.hackthebox.com/machines/Nibbles

Hello! Welcome to my first CTF writeup. Today I will be doing a walkthrough of Hack the Box's easy box, Nibbles. Before we get into the box, let's take a look at its description:

"Nibbles is a fairly simple machine, however with the inclusion of a login blacklist, it is a fair bit more challenging to find valid credentials. Luckily, a username can be enumerated and guessing the correct password does not take long for most." – Hack the Box Nibbles machine page

Immediately we can gather from this description that there is a login blacklist, which means we could run into login blocking, and that we should be able to enumerate the username and guess the password.

As with any machine, we start by enumerating the network. After making sure we are connected to the Hack the Box VPN, I begin with an nmap scan of the IP:

nmap -T 5 -v 10.10.10.75

I start with only a port scan as it is quicker; I will later scan each open port with scripts. We find 2 open ports, 80 and 22. From the common port assignments we know that port 80 is HTTP and port 22 is SSH, so there is a web page and remote access to this computer.

From here we move on to service and script scanning of ports 80 and 22. To achieve this I ran the following command:

nmap -p 22,80 -sV -sC -T 5 -v 10.10.10.75

The output confirms that SSH is on port 22 and that port 80 is running an Apache web server, confirming this is a website.

First, we go to the website and see what we can find. We don't find much here... let's take a look around! I start by looking at the HTML source of this page and we immediately get a hint: a directory that we can visit!
Going to the directory /nibbleblog/ we find the blog's front page. Looking around the webpage, we can see the buttons don't do much. We should also take note that the CMS software being used is "Nibbleblog". We should keep that in mind for later.

Next, I start enumerating the directories on this page. To do this I use gobuster, and we quickly find some interesting directories. The following command was run:

gobuster dir -w /path/to/wordlist -u http://<machine-ip>/nibbleblog

We find the following interesting directories accessible: admin, content, and README.

Let's check the admin page first. We have access to multiple files, but let's continue looking around. Now this one is interesting: we found a login page at /admin.php! But we are going to continue looking and come back.

Going to /content we have more directories to look around. Finally, let's go to /README. This looks like a generic readme page. Let's take note of the version of Nibbleblog being used and go back to the content directory.

Looking around, we have multiple files that we can look through. We eventually find a user entry in /private/users.xml. We now have a username of admin! We should go back to that login page.

We try common logins like admin:admin and admin:password, but none work. Looking around and remembering the description, we think about the name of the blog and try different combinations. Eventually we find that the combination admin:nibbles works! We have access to the admin dashboard now!

Let's go search for more about the Nibbleblog CMS. We immediately find a file upload vulnerability from Rapid7! You can read about this vulnerability here: https://www.rapid7.com/db/modules/exploit/multi/http/nibbleblog_file_upload/

We find out that this vulnerability allows an authenticated user to upload a file in order to get RCE. There are multiple ways to go about this. I chose the manual way.
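From the defender's side, both footholds found so far leave traces in the web server's access log: the private users.xml being served, and a PHP file being requested from under the CMS content directory, which is where the My Image upload bug places it. The detector below is an added example written for this writeup, not the author's code or part of Nibbleblog; the log lines are constructed, and the rules assume Apache's common log format.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed Apache access-log lines (not taken from the box) modelling the
# writeup's chain: a read of content/private/users.xml, then a request for a
# PHP file dropped under content/private/plugins/my_image/.
SAMPLE_LOG = """\
10.10.14.2 - - [05/Oct/2024:12:00:01 +0000] "GET /nibbleblog/ HTTP/1.1" 200 3052
10.10.14.2 - - [05/Oct/2024:12:00:09 +0000] "GET /nibbleblog/content/private/users.xml HTTP/1.1" 200 512
10.10.14.2 - - [05/Oct/2024:12:01:45 +0000] "GET /nibbleblog/content/private/plugins/my_image/image.php HTTP/1.1" 200 0
10.10.14.3 - - [05/Oct/2024:12:02:00 +0000] "GET /nibbleblog/content/public/upload/photo.jpg HTTP/1.1" 200 9123
10.10.14.3 - - [05/Oct/2024:12:02:05 +0000] "GET /nibbleblog/content/private/config.xml HTTP/1.1" 403 199
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def classify(path):
    """Return a rule name if the request path is one the CMS should never serve."""
    p = path.lower()
    if "/content/private/" in p and p.endswith(".xml"):
        return "private-xml-served"        # users.xml / config.xml exposure
    if "/content/" in p and p.endswith((".php", ".phtml", ".phar")):
        return "php-under-content"         # upload directory executing scripts
    return None

def scan_log(text):
    """One finding per line that matched a rule and was actually served (HTTP 200)."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rule = classify(urlsplit(m["target"]).path)
        if rule and m["status"] == "200":
            findings.append({"ip": m["ip"], "rule": rule, "path": m["target"]})
    return findings

def chained_ips(findings):
    """Clients that both read a private XML and then hit a PHP file under content/."""
    seen = defaultdict(set)
    for f in findings:
        seen[f["ip"]].add(f["rule"])
    return {ip for ip, rules in seen.items() if {"private-xml-served", "php-under-content"} <= rules}

if __name__ == "__main__":
    print(scan_log(SAMPLE_LOG))
    print("upload-to-RCE chain from:", chained_ips(scan_log(SAMPLE_LOG)))
```

Either rule firing on its own is worth a look; the chain from one client is the pattern this box's foothold produces.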
I found a proof of concept of the exploit on Exploit-DB here: https://www.exploit-db.com/exploits/38489

After analyzing the code, I determined that the My Image plugin allowed arbitrary file upload. I decided to upload a PHP reverse shell; I used the default one that comes with Kali.

I find the plugin and hit Configure. I then found that I could upload a file. I make sure the PHP reverse shell is configured to send a connection back to me and I upload the file. We get some errors, but let's go see if it uploaded. I navigate to /content/private/plugins/my_image and sure enough there is a file with a .php extension! The plugin renamed it to image.php.

Let's start netcat to catch the connection. I use the following:

nc -nlvp 1234

I then clicked on image.php to run the script. Sure enough, I get a connection to the machine! Let's stabilize this shell. I type the following:

python3 -c 'import pty; pty.spawn("/bin/bash")'

then press Ctrl+Z and run:

stty raw -echo; fg
export TERM=xterm

We now should have a stable shell. Let's take a look around. I immediately head to the /home/nibbler directory. I find 2 files, personal.zip and user.txt. Opening user.txt we find our first flag!

8ed7bc0b415253bc49fdec1d32025076

Now we have to escalate our privileges. You could do this with manual or automated enumeration. I decided to do some manual looking around. To see what sudo privileges were available, I typed sudo -l. From the output I now know I can run the program monitor.sh as root with no password. This may be the best avenue for privilege escalation.

Looking at that file path, /personal/stuff, it looks related to personal.zip. Let's unpack that zip file. It created the exact file path we are looking for! Let's look at monitor.sh. We don't know what this script does, but we do know we can run it as root.
Let's append /bin/bash to the end of this file:

echo '/bin/bash' >> monitor.sh

Now if we look at the file again we can see that at the bottom we run the bash binary. Let's run the file with sudo and see what happens. We can do this with:

sudo -H -u root ./monitor.sh

We now have root! Let's go get the root flag. Navigating to the root directory we find a file called root.txt. We now have our root flag!

80869cf15e8fd0e287d734d5a5c6ba5d

This was a fun, beginner-friendly box. I hope you enjoyed the writeup for this box! Happy hacking!
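The escalation above works only because the sudo NOPASSWD entry points at a script the unprivileged user owns and can rewrite. The audit below is an added example, not code from the writeup or from any tool it uses: it parses sudoers-style NOPASSWD lines and flags targets the sudo user controls. The entries and file metadata are constructed, and the full path /home/nibbler/personal/stuff/monitor.sh is assumed from the paths mentioned in the writeup.

```python
import os
import stat

# Constructed sudoers entries (not copied from the box). The first mirrors the
# writeup: a script under the user's own home, runnable as root with no password.
SAMPLE_SUDOERS = """\
nibbler ALL=(root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
nibbler ALL=(root) NOPASSWD: /usr/bin/apt-get
"""

# Constructed stand-in for the filesystem: path -> (owner name, permission bits).
SAMPLE_FS = {
    "/home/nibbler/personal/stuff/monitor.sh": ("nibbler", 0o755),
    "/home/nibbler/personal/stuff": ("nibbler", 0o755),
    "/usr/bin/apt-get": ("root", 0o755),
    "/usr/bin": ("root", 0o755),
}

def parse_nopasswd(text):
    """Return (user, command path) for every NOPASSWD line in sudoers-style text."""
    entries = []
    for line in text.splitlines():
        if line.lstrip().startswith("#") or "NOPASSWD:" not in line:
            continue
        user = line.split()[0]
        cmd = line.split("NOPASSWD:", 1)[1].split()[0]
        entries.append((user, cmd))
    return entries

def audit_entry(user, cmd, lookup):
    """List the ways `user` could control what root ends up executing for `cmd`."""
    meta = lookup(cmd)
    if meta is None:
        return ["target does not exist (user may create it)"]
    owner, mode = meta
    reasons = []
    if owner == user:
        reasons.append("target owned by the sudo user")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        reasons.append("target is group/world writable")
    parent = lookup(os.path.dirname(cmd))
    if parent and (parent[0] == user or parent[1] & stat.S_IWOTH):
        reasons.append("parent directory controlled by the sudo user")
    return reasons

def audit(sudoers_text, lookup):
    """Map each NOPASSWD command to its findings; an empty list means it looks safe."""
    return {cmd: audit_entry(user, cmd, lookup) for user, cmd in parse_nopasswd(sudoers_text)}
```

On a live host, pass a lookup that wraps os.stat (owner via pwd.getpwuid, mode via stat.S_IMODE) in place of SAMPLE_FS.get; any entry with a non-empty list is a root shell waiting to happen and should point at a root-owned, non-writable path instead.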