Hey guys! Today we are on Hack The Box for the Nibbles write-up. This machine was relatively easy compared to other machines. The web part was easy enough and the privilege escalation was “a piece of cake” 😀
Start with a simple nmap scan:
The result is:
As you can see, there are two ports open: 22 for the SSH service and 80 for the web service. Open the browser and let’s see what’s there. The home page is a simple “hello world”, but examining the source code, we find a comment with a directory: “/nibbleblog/”. Open the page at the “/nibbleblog/” directory:
Interesting. Now open dirbuster to search for new pages or directories. After a few minutes, we can see that dirbuster has found many directories, in particular the admin directory!
Let’s see what’s in the admin directory:
Very interesting: there are many backend files! Looking through the files, “/nibbleblog/admin/template/easy4/includes/sidebar.bit” is the more interesting one, because this file contains an interesting link: admin.php. Open the page to see if there is a login page:
Yeah! We can try simple username and password pairs such as “admin” “admin” or “admin” “nibbles”; in fact the user is “admin” and the password is “nibbles”. Cool! 😀 Since nibbleblog is a blog framework, we can search for a CVE. In the terminal, type:
There is also a Metasploit module, which is for version 4.0.3, the same as the blog! Open msfconsole and use this module:
As payload, use this:
Now we must set up the options:
Yeah! Now we spawn a bash shell with this simple command:
and get the user.txt:
Perfect! Now let’s go on to privilege escalation. As a first step, type “sudo -l” to see if we have permission to use sudo; in fact we can run this script with root permissions:
Now we can modify this script by writing “sh” at the bottom, then run it:
Yeah, now we are administrator of Nibbles 😀
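The escalation works because sudo runs a script as root that a non-root user can edit. As an added example (not part of the original write-up), this is an audit check a defender can run over `sudo -l` output to flag such rules; the sample output, user name and script path are constructed placeholders, and `sudo_commands`, `weak_points` and the `stop` parameter are names chosen here.

```python
import os
import re
import stat

# Constructed `sudo -l` output; user and path are placeholders, not values from the write-up.
SAMPLE = """User webuser may run the following commands on host:
    (root) NOPASSWD: /home/webuser/tools/report.sh
"""

def sudo_commands(sudo_l_output):
    """Return the absolute command paths granted in `sudo -l` output."""
    paths = []
    for line in sudo_l_output.splitlines():
        # Matches "(runas) [TAG: ...] cmd[, cmd...]" entries.
        m = re.match(r"\s*\([^)]*\)\s*(?:[A-Z_]+:\s*)*(.+)", line)
        if not m:
            continue
        for entry in m.group(1).split(","):
            words = entry.split()
            if words and words[0].startswith("/"):
                paths.append(words[0])
    return paths

def weak_points(path, trusted_uids=frozenset({0}), stop="/"):
    """Reasons an untrusted user could change what runs at `path`.

    Checks the file and every parent directory up to `stop`.
    """
    findings = []
    current, stop = os.path.realpath(path), os.path.realpath(stop)
    while True:
        try:
            st = os.lstat(current)
        except FileNotFoundError:
            findings.append(f"{current}: missing, whoever can write the parent can create it")
        else:
            sticky_dir = stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_ISVTX
            if st.st_uid not in trusted_uids:
                findings.append(f"{current}: owned by uid {st.st_uid}")
            if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH) and not sticky_dir:
                findings.append(f"{current}: group/world writable")
        parent = os.path.dirname(current)
        if current == stop or parent == current:
            break
        current = parent
    return findings

if __name__ == "__main__":
    for cmd in sudo_commands(SAMPLE):
        for finding in weak_points(cmd):
            print(f"[sudo rule risk] {cmd} -> {finding}")
```

Any finding means the sudo rule effectively grants root to whoever controls that file or directory; the fix is to move the script to a root-owned path with no group or world write bits, or to drop the rule.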