Hackthebox.eu - Retired - Nibbles
Recon
As always, I start with a simple scan of all TCP ports to see what's open.
# nmap -T4 -p- 10.10.10.75 -oX /root/Desktop/HTB/Nibbles/nmapb.xml
Then convert the XML output to HTML:
# xsltproc /root/Desktop/HTB/Nibbles/nmapb.xml -o /root/Desktop/HTB/Nibbles/nmapb.html
We see ports 22 and 80 open, so let's scan again on just those ports using -A to fingerprint the OS and services.
# nmap -T4 -A -p22,80 10.10.10.75 -oX /root/Desktop/HTB/Nibbles/nmapf.xml
Then convert the XML to HTML again.
OK, so now we see:
Port 22 OpenSSH 7.2p2
Port 80 Apache httpd 2.4.18
And it's most likely a Linux box.
Let's browse to port 80 and see what's being served.
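The write-up converts nmap's -oX output to HTML with xsltproc. As an added example (not part of the original post), here is a small Python parser for the same XML that pulls out host state, the best OS match, open ports and service versions, which is handy for diffing scans over time or feeding results into an asset inventory. The XML embedded below is a constructed sample shaped like nmap's output for the two ports the post reports; it is not the actual scan file from the box.

```python
"""Summarise an nmap -oX report: host state, OS guess, open ports, service/version."""
import sys
import xml.etree.ElementTree as ET

# Constructed sample in nmap's XML layout (not a real scan file). Port 443 is
# included as a closed port so the filter for open ports has something to drop.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -T4 -A -p22,80 10.10.10.75">
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="10.10.10.75" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="7.2p2" ostype="Linux"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.4.18"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="closed" reason="reset"/>
        <service name="https"/>
      </port>
    </ports>
    <os>
      <osmatch name="Linux 3.2 - 4.9" accuracy="95"/>
      <osmatch name="Linux 4.4" accuracy="90"/>
    </os>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return one dict per host: addr, state, best (os_name, accuracy), ports."""
    root = ET.fromstring(xml_text)
    hosts = []
    for host in root.findall("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        status = host.find("status")
        best = None  # keep the highest-accuracy osmatch only
        for m in host.findall("os/osmatch"):
            acc = int(m.get("accuracy", "0"))
            if best is None or acc > best[1]:
                best = (m.get("name"), acc)
        ports = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            svc = port.find("service")
            ports.append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "state": state.get("state") if state is not None else "unknown",
                "service": svc.get("name") if svc is not None else None,
                "product": svc.get("product") if svc is not None else None,
                "version": svc.get("version") if svc is not None else None,
            })
        hosts.append({
            "addr": addr_el.get("addr") if addr_el is not None else None,
            "state": status.get("state") if status is not None else "unknown",
            "os": best,
            "ports": ports,
        })
    return hosts


def open_ports(host):
    """Only the ports nmap reported as open."""
    return [p for p in host["ports"] if p["state"] == "open"]


def format_report(hosts):
    """Plain-text summary, one line per host plus one per open port."""
    lines = []
    for h in hosts:
        os_txt = f"{h['os'][0]} ({h['os'][1]}%)" if h["os"] else "unknown"
        lines.append(f"{h['addr']} is {h['state']}, OS guess: {os_txt}")
        for p in open_ports(h):
            banner = " ".join(x for x in (p["product"], p["version"]) if x)
            lines.append(f"  {p['port']}/{p['proto']}  {p['service'] or '?':<8} {banner}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Pass a real -oX file as the first argument, otherwise use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NMAP_XML
    print(format_report(parse_nmap_xml(text)))
```

Run it with the path to an nmap XML file as the only argument; without one it prints the summary of the embedded sample.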
Just a little page saying hello world.
As a recon step, let's check the page source to see if there is anything interesting there.
There is a reference here to /nibbleblog/; let's see what's in there.
We've got a blog here.
Poking around on the site I found the following directory exposed.
Private, Public, tmp: those sound interesting.
Let's run dirbuster against /nibbleblog/ and see what other files and folders are present.
Found this login page
Also found this file
Username admin... OK, so that's a start.
Exploit
Let's focus on trying to get in.
Since we are pretty confident the username is admin, let's use hydra to try and get in.
I found this site, which walks you through using hydra for this purpose.
hydra -l admin -P /usr/share/dirb/wordlists/small.txt 10.10.10.75 http-post-form "/nibbleblog/admin.php:username=^USER^&password=^PASS^&Login=Login:Incorrect username or password" -V
I let this run for a bit, but while it's running, let's just try some logins by hand.
Try some defaults like password, 123456 and other such top passwords.
I did finally get success using the name of the box as the password:
nibbles
There is some sort of protection against repeated logins on this box; occasionally I got this error message during testing.
After I got in, you can see some of my failed attempts, LOL.
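The blog's own lockout only slows a password guesser down; the attempts also land in the web server's access log, where they are easy to spot. As an added example (not from the original post), this Python script counts POSTs to the nibbleblog login endpoint per source address inside a sliding time window, flags any address that exceeds a threshold, and notes whether a redirect response (the usual sign of a successful login) appears in that client's attempts. The log lines are constructed in Apache combined format; the client addresses, timestamps and sizes are made up.

```python
"""Flag login brute-force bursts against /nibbleblog/admin.php in Apache access logs."""
import re
from collections import defaultdict
from datetime import datetime

LOGIN_PATH = "/nibbleblog/admin.php"

# Apache combined/common log format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample: 10.10.14.5 fires seven POSTs in twelve seconds and later gets a
# 302; 10.10.14.9 logs in normally after two typos; one line is not a log line at all.
SAMPLE_LOG = """\
10.10.14.5 - - [07/Feb/2018:10:15:01 +0000] "POST /nibbleblog/admin.php HTTP/1.1" 200 1843
10.10.14.9 - - [07/Feb/2018:10:15:02 +0000] "GET /nibbleblog/admin.php HTTP/1.1" 200 1843
10.10.14.5 - - [07/Feb/2018:10:15:03 +0000] "POST /nibbleblog/admin.php HTTP/1.1" 200 1843
10.10.14.5 - - [07/Feb/2018:10:15:05 +0000] "POST /nibbleblog/admin.php HTTP/1.1" 200 1843
10.10.14.5 - - [07/Feb/2018:10:15:07 +0000] "POST /nibbleblog/admin.php HTTP/1.1" 200 1843
10.10.14.9 - - [07/Feb/2018:10:15:08 +0000] "POST /nibbleblog/admin.php HTTP/1.1" 200 1843
10.10.14.5 - - [07/Feb/2018:10:15:09 +0000] "POST /nibbleblog/admin.php HTTP/1.1" 200 1843
10.10.14.5 - - [07/Feb/2018:10:15:11 +0000] "POST /nibbleblog/admin.php HTTP/1.1" 200 1843
10.10.14.5 - - [07/Feb/2018:10:15:13 +0000] "POST /nibbleblog/admin.php HTTP/1.1" 200 1843
this line is corrupt and must be skipped
10.10.14.9 - - [07/Feb/2018:10:15:40 +0000] "POST /nibbleblog/admin.php HTTP/1.1" 200 1843
10.10.14.9 - - [07/Feb/2018:10:15:55 +0000] "POST /nibbleblog/admin.php HTTP/1.1" 302 0
10.10.14.5 - - [07/Feb/2018:10:16:30 +0000] "POST /nibbleblog/admin.php?x=1 HTTP/1.1" 302 0
"""


def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "method": m.group("method"),
            "path": m.group("path").split("?", 1)[0],  # drop any query string
            "status": int(m.group("status"))}


def login_attempts(lines, path=LOGIN_PATH):
    """Group POSTs to the login path by client address, sorted by time."""
    by_ip = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["method"] == "POST" and ev["path"] == path:
            by_ip[ev["ip"]].append(ev)
    for evs in by_ip.values():
        evs.sort(key=lambda e: e["ts"])
    return by_ip


def detect_bruteforce(lines, threshold=5, window_s=60, path=LOGIN_PATH):
    """Alert on any client with >= threshold login POSTs inside window_s seconds."""
    alerts = []
    for ip, evs in sorted(login_attempts(lines, path).items()):
        peak, start = 0, 0
        for end in range(len(evs)):  # two-pointer sliding window
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts.append({
                "ip": ip,
                "total_posts": len(evs),
                "peak_in_window": peak,
                "first": evs[0]["ts"].isoformat(),
                "last": evs[-1]["ts"].isoformat(),
                # a 3xx after a burst of 200s usually means a guess succeeded
                "possible_success": any(e["status"] in (301, 302, 303) for e in evs),
            })
    return alerts


if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(f"{a['ip']}: {a['total_posts']} login POSTs, peak {a['peak_in_window']} "
              f"in window, possible success: {a['possible_success']}")
```

Feed it `access.log` line by line in place of the sample; the threshold and window are deliberately low here so the sample trips it, and in production both should be tuned against the site's normal login rate.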
Earlier in my research, I came across this exploit.
It needs an authenticated session... which we now have.
Let's fire up Metasploit and load the exploit.
We need to set the password, rhosts and username, and change the targetURI.
After we run it, we get...
Shell
Running as nibbler
Dropped into a shell... but I get no output back from my commands.
Let's start an interactive bash shell.
That's better.
Let's get our user hash:
cd /home/nibbler && ls
b02f*********************
What's that personal.zip?
Let's check the sudo privileges:
nibbler@Nibbles:/home/nibbler/personal/stuff$ sudo -l
sudo -l
sudo: unable to resolve host Nibbles: Connection timed out
Matching Defaults entries for nibbler on Nibbles:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User nibbler may run the following commands on Nibbles:
(root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
Interesting: nibbler can run /home/nibbler/personal/stuff/monitor.sh as root without specifying a password.
But that folder doesn't exist; however, there is that personal.zip archive.
Now we have the files it was looking for.
OK, so running the script without sudo...
It looks like it gathers a bunch of system info and outputs it to the screen.
I simply decided to overwrite monitor.sh so that it cats out the root hash:
echo "cat /root/root.txt" > monitor.sh
Then run the script with sudo:
b6d745c0*******
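The root step works because of a single sudoers rule: nibbler may run a script as root, the script sits inside nibbler's own home directory, and the path did not even exist until the user unpacked it, so whoever owns that account decides what runs as root. As an added example (not from the original post or the box), here is a Python audit script that parses `sudo -l` output and flags rules of that shape: a command that is not an absolute path, lives under the invoking user's home, does not exist yet, or is writable by the user or sitting in a directory the user can write to. The sample text is constructed; only the monitor.sh rule is from the write-up, the other two rules and the uid 1001 are made up.

```python
"""Audit `sudo -l` output for commands the invoking user can control."""
import os
import re
import stat

# Constructed sample: the first rule is the one from the box, the other two are made up.
SAMPLE_SUDO_L = """\
Matching Defaults entries for nibbler on Nibbles:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User nibbler may run the following commands on Nibbles:
    (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
    (root) /usr/bin/apt-get update
    (ALL) NOPASSWD: /bin/systemctl restart apache2
"""

# One rule line: "(runas) [TAG: ...] command [args]"
ENTRY_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s+(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*?)\s*$")


def parse_sudo_l(text):
    """Return the command rules from `sudo -l` output as dicts."""
    entries, in_rules = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        m = ENTRY_RE.match(line) if in_rules else None
        if not m:
            continue
        tags = [t.strip() for t in m.group("tags").split(":") if t.strip()]
        argv = m.group("cmd").split()
        entries.append({"runas": m.group("runas"), "nopasswd": "NOPASSWD" in tags,
                        "executable": argv[0], "args": argv[1:]})
    return entries


def mode_writable(st_mode, st_uid, uid):
    """True if a file with these stat fields can be modified by `uid`
    (owner, or world-writable). Group membership is deliberately ignored."""
    return st_uid == uid or bool(st_mode & stat.S_IWOTH)


def fs_risks(executable, uid):
    """Filesystem reasons `uid` could change what `executable` does."""
    try:
        st = os.stat(executable)
    except FileNotFoundError:
        return [f"{executable} does not exist: the user may be able to create it"]
    risks = []
    if mode_writable(st.st_mode, st.st_uid, uid):
        risks.append(f"{executable} is writable by uid {uid}")
    parent = os.path.dirname(executable)
    pst = os.stat(parent)
    # A writable parent without the sticky bit lets the file be replaced outright.
    if mode_writable(pst.st_mode, pst.st_uid, uid) and not pst.st_mode & stat.S_ISVTX:
        risks.append(f"{parent} is writable by uid {uid}: the file can be replaced")
    return risks


def audit(sudo_l_text, username, uid=None, home=None, check_fs=True):
    """Return rules with at least one reason the user controls the command."""
    home = home or f"/home/{username}"
    findings = []
    for entry in parse_sudo_l(sudo_l_text):
        exe, risks = entry["executable"], []
        if not os.path.isabs(exe):
            risks.append("command is not an absolute path")
        elif os.path.commonpath([home, exe]) == home:
            risks.append(f"{exe} lives inside {home}, which {username} owns")
        if check_fs and uid is not None and os.path.isabs(exe):
            risks.extend(fs_risks(exe, uid))
        if risks:
            findings.append({**entry, "risks": risks})
    return findings


if __name__ == "__main__":
    # check_fs=False: the sample paths are not on this machine, so judge by path only.
    for f in audit(SAMPLE_SUDO_L, "nibbler", check_fs=False):
        tag = "NOPASSWD" if f["nopasswd"] else "password"
        print(f"({f['runas']}) {tag}: {f['executable']}")
        for r in f["risks"]:
            print("   -", r)
```

On a real host, run `sudo -l` as the account being reviewed, pass its output together with that account's uid and `check_fs=True`, and the fix for any finding is the same as the lesson from this box: sudo rules should point at root-owned scripts in root-owned directories, never at anything under a user's home.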