HTB Nibbles

IP: 10.129.1.135
Completed on: February 20, 2021
Time Took: 1.4 hrs

Enumeration

Network Scan

Ran the nmap_scan.sh script, which runs a full port scan (0-65565), a version and default-script scan (-sV -sC), and then a vulnerability script scan (--script vuln):

(Screenshot: nmap_scan.sh output for 10.129.1.135)

Enumerating the Web Server

Routed to the site (http://nibbles.htb/) and identified that plain HTML was being served (tried bypassing virtual hosting by adding nibbles.htb to /etc/hosts, but no change):

Looking at the source code, we find the comment below, which gives us the directory path /nibbleblog/:

Routing to the /nibbleblog directory, we find a Nibbleblog (https://nibbleblog.com/) site, which is a PHP CMS:

Finding directories

Let's find any hidden paths using gobuster with the php, html, and txt extensions and with status codes 200 and 301. (I'm excluding the others, as there were a lot of false-positive findings with the 403 status):

sudo gobuster dir -u http://nibbles.htb/nibbleblog/ -w ~/SecLists/Discovery/Web-Content/raft-medium-words.txt -x html,php,txt -s 200,301 -t 40

Initial Foothold

Enumerating valid users

Enumerating Nibbleblog's content, I found that a valid username was admin, per http://nibbles.htb/nibbleblog/content/private/users.xml:

With this information, I attempted default passwords against the admin.php page (password, admin, etc.). The password ended up being the name of the box, nibbles:

Reverse PHP Shell Upload

Having gained access to admin credentials, we can verify that the NibbleBlog version is 4.0.3; there are many known exploits for this version. We will use one that relies on the default settings of the my_image plugin.

Article followed: https://packetstormsecurity.com/files/133425/NibbleBlog-4.0.3-Shell-Upload.html

Routing to http://nibbles.htb/nibbleblog/admin.php?controller=plugins&action=config&plugin=my_image, we can use this page to upload a reverse PHP file, which gets stored under /content/private/plugins/my_image/image.php:

I will use PentestMonkey's PHP reverse shell and change the IP and port.

Upload the PHP file:

Routing to the PHP file, we get a reverse shell as the nibbler user. (Make sure to set up an nc listener first):

Privilege Escalation

Enumerating Host

Enumerating the box, we find that it is running Ubuntu with kernel 4.4.0:

$ uname -a && id && groups
Linux Nibbles 4.4.0-104-generic #127-Ubuntu SMP Mon Dec 11 12:16:42 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
uid=1001(nibbler) gid=1001(nibbler) groups=1001(nibbler)
nibbler

CVE-2017-16995

This version of Ubuntu is vulnerable to CVE-2017-16995. Following https://packetstormsecurity.com/files/148517/Linux-Kernel-Local-Privilege-Escalation.html.

I copied exploit.c onto the box, ran gcc to compile the C code, then ran the exploit and got root:

$ gcc exploit.c -o exploit
$ ./exploit
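As an added example (not part of the original write-up), here is a Python script a defender could run over Apache combined-format access logs to flag each step of the foothold chain above: a burst of 404s from gobuster, a successful read of the world-readable users.xml, repeated POSTs to admin.php (password guessing), the my_image plugin config request used for the upload, and a request to the resulting image.php. The sample log lines, the log format and the burst thresholds are constructed assumptions, not data from the box.

```python
import re
from collections import Counter, defaultdict

# Apache combined-log line: client IP, timestamp, request line, status; trailing fields are ignored.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+) [^"]*" (\d{3})')

# Paths taken from the write-up: Nibbleblog's readable user list, the my_image plugin
# config (upload) action, and the uploaded file that gets executed. Each is a single-hit indicator.
MARKERS = {
    "/nibbleblog/content/private/users.xml": "users.xml read",
    "/nibbleblog/admin.php?controller=plugins&action=config&plugin=my_image": "my_image upload",
    "/nibbleblog/content/private/plugins/my_image/image.php": "uploaded image.php requested",
}
ADMIN = "/nibbleblog/admin.php"  # login form; repeated POSTs here indicate password guessing

# Constructed sample log (not from the real box): gobuster, users.xml, guessing, upload, execution.
SAMPLE_LOG = """\
10.10.14.5 - - [20/Feb/2021:10:01:00 +0000] "GET /nibbleblog/backup.html HTTP/1.1" 404 275 "-" "gobuster/3.1.0"
10.10.14.5 - - [20/Feb/2021:10:01:00 +0000] "GET /nibbleblog/test.php HTTP/1.1" 404 275 "-" "gobuster/3.1.0"
10.10.14.5 - - [20/Feb/2021:10:01:00 +0000] "GET /nibbleblog/old.txt HTTP/1.1" 404 275 "-" "gobuster/3.1.0"
10.10.14.5 - - [20/Feb/2021:10:02:10 +0000] "GET /nibbleblog/content/private/users.xml HTTP/1.1" 200 412 "-" "Mozilla/5.0"
10.10.14.5 - - [20/Feb/2021:10:03:01 +0000] "POST /nibbleblog/admin.php HTTP/1.1" 200 1523 "-" "Mozilla/5.0"
10.10.14.5 - - [20/Feb/2021:10:03:05 +0000] "POST /nibbleblog/admin.php HTTP/1.1" 200 1523 "-" "Mozilla/5.0"
10.10.14.5 - - [20/Feb/2021:10:03:09 +0000] "POST /nibbleblog/admin.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.10.14.5 - - [20/Feb/2021:10:06:30 +0000] "POST /nibbleblog/admin.php?controller=plugins&action=config&plugin=my_image HTTP/1.1" 200 1900 "-" "Mozilla/5.0"
10.10.14.5 - - [20/Feb/2021:10:06:45 +0000] "GET /nibbleblog/content/private/plugins/my_image/image.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.10.14.9 - - [20/Feb/2021:10:07:00 +0000] "GET /nibbleblog/ HTTP/1.1" 200 4015 "-" "Mozilla/5.0"
"""

def analyze(log_text, login_threshold=3, notfound_threshold=3):
    """Return {ip: sorted findings}. Single-hit markers need a 200; bursts are counted per client."""
    findings, counts = defaultdict(set), Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined-log format instead of crashing
        ip, method, path, status = m.groups()
        if path in MARKERS and status == "200":
            findings[ip].add(MARKERS[path])
        if method == "POST" and path == ADMIN:
            counts[ip, "login"] += 1
        if status == "404":
            counts[ip, "404"] += 1
    for (ip, kind), n in counts.items():
        if kind == "login" and n >= login_threshold:
            findings[ip].add("admin.php password guessing")
        elif kind == "404" and n >= notfound_threshold:
            findings[ip].add("directory brute force")
    return {ip: sorted(f) for ip, f in findings.items()}
```

Clients with no findings (like 10.10.14.9 in the sample) are left out of the result, so an empty dict means nothing in the log matched.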