I recently got back on the bandwagon of CTFs and worked on Nibbles from Hackthebox today. As always I started with an nmap scan: nmap -p- -T5 -A 10.10.10.75 -oN nibbles_nmap.txt. I hit all 65535 ports with -p-; with this being on HTB I'm not worried about being detected by Blue Teamers, so I went with -T5 for the quickest scan and -A to enable OS detection, version detection, script scanning, and traceroute all at once to reduce the number of scans run. I also like to save the results to a file so that I can come back later and not have to worry about scrolling back up to find them, or about not screenshotting all of the results.
The first thing I saw is that nibbles has ssh running on 22 and Apache httpd 2.4.18 on 80. I navigated to the HTTP website in Firefox and got a basic page with only "Hello world!" on it.
I went ahead and hit it with gobuster with the dirb/common.txt wordlist and didn't receive any meaningful results back. I tried a couple of other wordlists before I checked the page source and saw another directory in a comment. I navigated to that directory in Firefox and got what appears to be an empty blog.
I kicked off a nikto scan with nikto -h http://10.10.10.75/nibbleblog >> nibbles_nikto.txt. The first thing I noticed is that there is an admin.php page and a README file. Checking out the README lets me know that it is running Nibbleblog v4.0.3.
Another gobuster scan on http://10.10.10.75/nibbleblog/ with the dirbuster wordlist directory-list-2.3-medium.txt netted me a couple of other directories on the web page.
The only problem with these exploits is that they depend on being authenticated to the web app. I went to admin.php and entered test credentials to capture the request in Burp, so I could try to brute force it with Intruder. From Proxy in Burp I caught the request and right-clicked on it to send it to Intruder. In Intruder I changed the attack type to Cluster bomb, manually cleared the variables and selected the username and password fields.
For payload 1 I used the 10-million-password-list-top-10000.txt for payload 2 from Daniel Miessler's SecLists. I started the attack and monitored the results. Almost immediately I noticed that the length returned by the server changed, and saw that my IP got blacklisted.
I did some snooping around the directories and found the user list at nibbleblog/content/private/users.xml; this file also contains the blacklist. There is a single user listed, admin, and my HTB VPN IP was listed in the blacklist.
Further investigation led me to nibbleblog/admin/boot/rules/3-variables.bit, which is where all the variables are defined, including the blacklist criteria of 5 failed login attempts and a blacklist time of 5 minutes.
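As an added example (not part of the original write-up), here is the same 5-attempts-in-5-minutes rule applied from the defender's side: a sliding-window detector run over Apache access log lines for POSTs to admin.php, which is what the blacklist was reacting to. The log lines are constructed for the example, not taken from the box, and an access log cannot tell a failed login from a successful one, so the detector counts every POST.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Nibbleblog's rule from 3-variables.bit: 5 failed logins in 5 minutes -> blacklist.
MAX_ATTEMPTS, WINDOW = 5, timedelta(minutes=5)
LOGIN_PATH = "/nibbleblog/admin.php"
# Apache combined log format: client, timestamp, request line, status.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def parse_line(line):
    """Return (ip, datetime, method, path), or None if the line does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path")

def detect_bruteforce(lines, max_attempts=MAX_ATTEMPTS, window=WINDOW):
    """Return [(ip, iso_ts)] for each login POST that is the max_attempts-th or
    later POST from that IP inside the sliding window (every POST counts here)."""
    recent, alerts = defaultdict(deque), []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path = parsed
        if method != "POST" or path.split("?")[0] != LOGIN_PATH:
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop attempts that fell out of the window
            q.popleft()
        if len(q) >= max_attempts:
            alerts.append((ip, ts.isoformat()))
    return alerts

def _entries(ip, times, method="POST"):
    # Constructed Apache combined-format lines (not from the box) for the sample.
    return [f'{ip} - - [10/Mar/2018:{t} +0000] "{method} {LOGIN_PATH} HTTP/1.1" '
            f'200 1834 "-" "Mozilla/5.0"' for t in times]
SAMPLE_LOG = (  # constructed sample; order is the order the server logged them
    _entries("10.10.14.2", ["12:00:01", "12:00:02"])
    + _entries("10.10.14.2", ["12:00:03"], "GET")  # page load, not an attempt
    + _entries("10.10.14.2", ["12:00:04", "12:00:05", "12:00:06"])  # 5th POST in 5 min
    # five POSTs from the second client, but spread over 8 minutes: no alert
    + _entries("10.10.14.9", ["12:01:00", "12:03:00", "12:04:30", "12:07:00", "12:09:00"])
    + _entries("10.10.14.2", ["12:20:00"])  # window expired, count restarts
)
```

Run detect_bruteforce(SAMPLE_LOG) and only the first client is reported, at the request that made its fifth POST inside five minutes.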
Once my IP was no longer blocked, I went back to the admin page and tried admin and nibbles, since admins are lazy and nibbles is the name of the page. That was the correct password and I got to the admin dashboard; on the right we can see my brute force attempt.
Step 1 of the file upload was complete: I was authenticated. Even though Metasploit has an exploit for this, I decided to do it manually. I copied the basic PHP reverse shell from /usr/share/webshells/php/php_reverse_shell.php and modified it to use my IP and chosen port.
I named the shell shell.php and uploaded it to the server through the My Image plugin. I navigated to nibbleblog/content/private/plugins/my_image/ and saw that my shell was uploaded and renamed to image.php. I set up my local netcat listener, navigated to image.php, and waited for my reverse shell to spawn.
As soon as my shell spawned I saw that the web server was running as nibbler. My first step was to upgrade my shell to something that provides better control. I started with
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
nibbler@Nibbles:/$ export TERM=xterm
I then sent the shell to the background with Ctrl-Z and, in my local box's bash, ran
stty raw -echo; fg
This gives me a bash shell with tab autocompletion and history, and I can control processes with Ctrl-Z. If the terminal acts funny, typing reset and pressing enter should fix it. Now on to finishing the box. I immediately checked nibbler's home directory, where there is a zip archive named personal.zip. I unzipped it and it only had monitor.sh in it. It is based on a script from tecmint that lists information about the box.
The script tells me that this box is running Ubuntu 16.04.3 with kernel 4.4.0-104. Searching for exploits for the kernel leads me to CVE-2017-16995, with 2 exploits from exploit-db.com: 44298 and 45010. I went with 45010 since it seemed that it needed no modifications. I copied it from its location in /usr/share/exploitdb to my working directory, compiled it to get-rekt, spun up a Python web server to transfer it to Nibbles, grabbed it with wget, and finally ran chmod to make it executable.
Ran it and got