HTB – Nibbles – without Metasploit

Let's start by scanning the machine with nmap. There are two open ports: 22 and 80.
On port 80 there is a simple "hello world" page, but checking the page source reveals something interesting:

[Screenshot: port 80 – view-source]

Adding the nibbleblog directory to the URL takes us to the Nibbles blog homepage.

[Screenshot: Nibbles homepage]

The hyperlinks don't lead to other pages, so the next step is to enumerate more web pages with gobuster.

The enumeration quickly turned up many interesting links.
The admin page has a login form, so we look for SQL injection with sqlmap.
While configuring Burp Suite to capture the login request, we tried a few basic passwords against the login (admin / password, admin / pass, nibbles / nibbles) and discovered that the credentials were admin / nibbles.
We launched sqlmap anyway in order to check for SQL injection.

[Screenshot: the nibbleblog dashboard; some failed login attempts are visible]

[Screenshot: the request we'll use with sqlmap]

Save this request for sqlmap: right-click and select "copy to file", then run:
# sqlmap -r sql.req --batch --risk 3 --level 5

The problem is that some kind of protection (WAF) blocks our requests.

[Screenshot: something blocks our requests]

After a few minutes we can access the website again, but we can't use automated tools that would get us blocked.
Inside the blog we found the software version.

Googling this version turned up a vulnerability in the "my image" plugin. From packetstormsecurity.com:

The first upload through the "my image" plugin was a plain image. After the upload the image appears on the home page, and inspecting it reveals where uploaded images are stored. So I tried uploading a PHP shell.
We found a directory listing containing an image.php file... click on it...
Here's the shell!!!

Type a few commands to upgrade to a better shell (thank you IppSec... subscribe to his channel for very cool HTB and other high-quality writeups!!)

In the home directory you can find the user hash.

Unzip the personal.zip archive and you'll find the code that acts as brute-force protection for the login. Nothing particularly interesting for now.
Fetch LinEnum from the attacking machine and run it.

[Screenshot: surprise!]

Modify monitor.sh with this command:

echo "su" > monitor.sh

Then run the following command:

sudo /home/nibbler/personal/stuff/monitor.sh

Even though the script returns an error, we are root!
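As a defender-side counterpart to this step, here is an added shell example (not code from the original writeup or from LinEnum) that audits sudoers rules for commands whose file a non-root user could modify before sudo runs it; the sample rule in the comments is constructed, since the writeup does not show the real sudoers entry.

```shell
# Added audit example, not code from the writeup or from LinEnum: for each sudoers
# rule, list the commands it grants and flag any whose file is not root-owned or is
# group/world writable, the weakness behind the monitor.sh step above.

# Classify a file by owner name and octal mode string (e.g. "755", "4755").
# Returns 0 when only root can change it, 1 when a non-root user could.
sudo_target_is_safe() {
    owner="$1"; mode="$2"
    [ "$owner" = "root" ] || return 1
    case "$mode" in
        *[2367][0-7]|*[2367]) return 1 ;;   # group or other write bit set
    esac
    return 0
}

# Read owner and mode from disk (GNU stat) and classify the real file.
# Returns 0 (ok), 1 (writable by a non-root user), 2 (path missing).
check_path() {
    path="$1"
    [ -e "$path" ] || { echo "MISSING  $path"; return 2; }
    owner=$(stat -c %U "$path"); mode=$(stat -c %a "$path")
    if sudo_target_is_safe "$owner" "$mode"; then
        echo "ok       $path ($owner $mode)"
    else
        echo "WRITABLE $path ($owner $mode)"; return 1
    fi
}

# Print the absolute command paths granted by one rule such as (constructed example)
#   nibbler ALL=(root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
# Tags like NOPASSWD: and command arguments are dropped.
sudoers_commands() {
    cmds=${1#*=}          # drop "user HOST="
    cmds=${cmds#*\)}      # drop "(runas)" when present
    echo "$cmds" | tr ',' '\n' \
        | sed -e 's/^[[:space:]]*//' -e 's/^\([A-Z]*:[[:space:]]*\)*//' -e 's/[[:space:]].*//' \
        | grep '^/'
}

# Audit every rule in a sudoers file (default: stdin); returns 1 if anything is flagged.
audit_sudoers() {
    rc=0
    while IFS= read -r line; do
        case "$line" in ''|'#'*|Defaults*) continue ;; esac
        for cmd in $(sudoers_commands "$line"); do
            check_path "$cmd" || rc=1
        done
    done < "${1:-/dev/stdin}"
    return $rc
}
```

Run it as root with `audit_sudoers /etc/sudoers` (and again for each file in /etc/sudoers.d); any WRITABLE line is a rule whose target should be made root-owned and mode 755 or tighter.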

enjoy!