Nick Werner

Mar 26, 2021

Hack The Box (Nibbles)

By: Nicholas Werner

Starting off with our nmap scans.

I see that port 80 is running Apache 2.4.18, so we want to see if there are any exploits.

There actually is an exploit available on the 5th line of this search but unfortunately you need to be on the local host before you can use it. If it were a remote exploit that would’ve been perfect.

I right click and click View Page Source and find this directory below.

I browse to 10.10.10.75/nibbleblog/

It doesn’t seem like there is much else here so I want to see if there are any exploits for Nibbles.

Looks like there is a nice Metasploit exploit.

I search for the nibble exploit and then use it.

I run info to see some more details about this exploit.

I can see that there might be a place where we need to authenticate, so I want to run dirbuster to perhaps find a login page.

There are a ton of files and directories but eventually I land on /nibbleblog/admin.php which is a login page.

Now I want to brute force the login. And eventually I’m able to log in with:

username: admin

password: nibbles

If you go to the Settings page and scroll down you will see that it is running version 4.0.3 which is great. Now we can go back to Metasploit.

I set all of the right options but do not get a meterpreter session. Perhaps I need to do something with image.php on the target.

I go back to the admin page that I logged into before, click Plugins and click Configure.

I click Browse and see that I probably need to upload a php reverse shell so I type that into Google.

I click on the first result and grab the reverse shell from there.

I open up a new text file named image.php with the gedit command.

Paste the php reverse shell that I just found on GitHub.

Click Browse and find the image.php file and click Save changes.

I want to create a listener on the port that I just specified in the script.

Now I go to the webpage where I uploaded my script.

The listener is now working and I have a reverse shell, so I start navigating the file system.

Commands used:

whoami

ls

cd home

ls

cd nibbler

ls

cat user.txt

I found the user flag.
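
As an added example (not part of the original write-up), the sketch below shows how three noisy stages of this walkthrough would look to a defender reading Apache access logs: directory enumeration, repeated login attempts against /nibbleblog/admin.php, and a request that runs a PHP file from an upload location. The log lines, IP addresses, thresholds and the UPLOAD_PREFIX placeholder are constructed assumptions, not values taken from the box.

```python
import re
from collections import defaultdict

# Apache combined-log prefix: client IP, request line, status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

LOGIN_PATH = "/nibbleblog/admin.php"        # login page named in the write-up
UPLOAD_PREFIX = "/nibbleblog/UPLOAD_DIR/"   # placeholder: wherever the plugin stores uploads
ENUM_404_THRESHOLD = 5                      # assumed thresholds, tune per site
LOGIN_POST_THRESHOLD = 5


def analyze(lines):
    """Return {ip: sorted findings} for enumeration, login guessing, upload execution."""
    not_found = defaultdict(int)
    login_posts = defaultdict(int)
    findings = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of crashing
        ip, method, url, status = m.group(1), m.group(2), m.group(3), int(m.group(4))
        path = url.split("?", 1)[0]
        if status == 404:
            not_found[ip] += 1
            if not_found[ip] >= ENUM_404_THRESHOLD:
                findings[ip].add("directory-enumeration")
        if method == "POST" and path == LOGIN_PATH:
            login_posts[ip] += 1
            if login_posts[ip] >= LOGIN_POST_THRESHOLD:
                findings[ip].add("login-bruteforce")
        # A script answering 200 from an upload directory means uploads are executable.
        if path.startswith(UPLOAD_PREFIX) and path.lower().endswith(".php") and status == 200:
            findings[ip].add("php-executed-from-upload-dir")
    return {ip: sorted(found) for ip, found in findings.items()}


def _line(ip, method, path, status):
    # Constructed log line in combined format (timestamp and size are arbitrary).
    return f'{ip} - - [26/Mar/2021:10:00:00 +0000] "{method} {path} HTTP/1.1" {status} 512 "-" "-"'


SAMPLE = (
    [_line("203.0.113.5", "GET", f"/nibbleblog/guess{i}", 404) for i in range(6)]
    + [_line("203.0.113.5", "POST", LOGIN_PATH, 200) for _ in range(6)]
    + [_line("203.0.113.5", "GET", UPLOAD_PREFIX + "image.php", 200),
       _line("198.51.100.7", "GET", "/nibbleblog/", 200),
       _line("198.51.100.7", "POST", LOGIN_PATH, 200),
       "garbage line"]
)

if __name__ == "__main__":
    for ip, found in analyze(SAMPLE).items():
        print(ip, found)
```

The last rule is the one that matters most for mitigation: if the web server refuses to execute scripts from the upload directory, that finding never fires.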