Hack the Box is an online platform to test and advance your skills in penetration testing and cyber security.
In this series of articles we will show how junior evaluators complete some Hack The Box machines on their road to the OSCP, a well-known and respected certification that many top cybersecurity positions require. Certified OSCPs are able to identify existing vulnerabilities and execute organized attacks in a controlled and focused manner. They can leverage or modify existing exploit code to their advantage, perform network pivoting and data exfiltration, and compromise systems that suffer from poor configurations.
Let's start with the fun!
Nibbles
Initial Foothold
The source code for the web page mentions a directory called `nibbleblog`.
We can find the source code for nibbleblog here: Nibbleblog.
We see there is an admin page at `admin.php`. We find a login page.
This is stupid: the creds are `admin:nibbles`. Found out by looking at the forum thread...
Looking around, we can't find anything interesting. Let's try `searchsploit nibbleblog`.
There is an authenticated LFI for version 4.0.3. POC.
User
- Install the My Image plugin: http://10.10.10.75/nibbleblog/admin.php?controller=plugins&action=install&plugin=my_image
- Upload a PHP reverse shell through the web interface. Ignore the warnings.
- Set up a listener.
- Visit: http://10.10.10.75/nibbleblog/content/private/plugins/my_image/image.php
Root
There is a file called `personal.zip` in nibbler's home. Unzipping it, we find a bash script called `monitor.sh`.
Let's see `sudo -l`:
```
User nibbler may run the following commands on Nibbles:
    (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
```
Unzipping the file places the script `monitor.sh` exactly at the location mentioned by `sudo -l`.
Clear the contents of the script and just add:
```bash
#!/bin/bash
/bin/bash
```
Then `chmod +x monitor.sh` and `sudo /home/nibbler/personal/stuff/monitor.sh` = root shell.
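The root step works because a NOPASSWD rule points at a script inside a directory the unprivileged user owns, so the user can rewrite the target, or create it if it does not exist yet. Below is an added example (not from the writeup) of a small audit that reads `sudo -l` style output and flags entries whose target, or whose parent directory, is writable by the invoking user. Instead of touching a real sudoers, `demo()` builds a constructed temporary directory layout that mirrors the nibbler rule; the permission check looks at mode bits only and ignores ACLs and root's bypass of modes, which is an acknowledged simplification.

```python
import os
import re
import shutil
import stat
import tempfile

# Matches lines such as "    (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh"
SUDO_LINE = re.compile(
    r'^\s*\((?P<runas>[^)]+)\)\s+(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$'
)


def parse_sudo_l(text):
    """Return (runas, nopasswd, command_path) for each absolute command in `sudo -l` output."""
    entries = []
    for line in text.splitlines():
        m = SUDO_LINE.match(line)
        if not m:
            continue
        nopasswd = "NOPASSWD" in m.group("tags")
        for cmd in m.group("cmds").split(","):
            words = cmd.split()
            if words and words[0].startswith("/"):   # skip ALL and aliases, drop arguments
                entries.append((m.group("runas"), nopasswd, words[0]))
    return entries


def writable_by(path, uid, gids):
    """Permission-bit check only: ignores ACLs and the fact that root bypasses modes."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return False
    mode = st.st_mode
    if st.st_uid == uid:
        return bool(mode & stat.S_IWUSR)
    # In a sticky directory (e.g. /tmp) non-owners cannot rename or unlink others' entries.
    if stat.S_ISDIR(mode) and mode & stat.S_ISVTX:
        return False
    if st.st_gid in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def audit(sudo_text, uid, gids):
    """Flag sudo targets the user could modify or replace before they run as runas."""
    findings = []
    for runas, nopasswd, path in parse_sudo_l(sudo_text):
        parent = os.path.dirname(path)
        reason = None
        if not os.path.exists(path):
            if writable_by(parent, uid, gids):
                reason = "target missing; user can create it"
        elif writable_by(path, uid, gids):
            reason = "target writable by user"
        elif writable_by(parent, uid, gids):
            reason = "parent directory writable; target can be replaced"
        if reason:
            findings.append({"runas": runas, "nopasswd": nopasswd, "path": path, "reason": reason})
    return findings


def demo():
    """Constructed layout mirroring the nibbler rule; returns the audit findings."""
    root = tempfile.mkdtemp()
    uid, gids = os.getuid(), set(os.getgroups()) | {os.getgid()}
    bad_dir, good_dir = os.path.join(root, "stuff"), os.path.join(root, "locked")
    os.makedirs(bad_dir)
    os.makedirs(good_dir)
    bad = os.path.join(bad_dir, "monitor.sh")      # user-owned and writable: exploitable
    good = os.path.join(good_dir, "fixed.sh")      # read-only file inside a read-only directory
    missing = os.path.join(bad_dir, "missing.sh")  # rule points at a file that does not exist yet
    for p in (bad, good):
        with open(p, "w") as fh:
            fh.write("#!/bin/bash\necho ok\n")
    os.chmod(bad, 0o755)
    os.chmod(good, 0o555)
    os.chmod(good_dir, 0o555)
    sudo_text = (
        "User nibbler may run the following commands on Nibbles:\n"
        f"    (root) NOPASSWD: {bad}, {missing}\n"
        f"    (root) NOPASSWD: {good}\n"
    )
    try:
        return audit(sudo_text, uid, gids)
    finally:
        os.chmod(good_dir, 0o755)   # restore so cleanup works for non-root users
        shutil.rmtree(root)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['path']}: {f['reason']} (runas {f['runas']}, NOPASSWD={f['nopasswd']})")
```

Run on a real host, the same `audit()` can be fed the output of `sudo -l` for each account; any finding means the rule grants the user more than the script's intended behaviour. The fix is to keep sudo targets root-owned in a root-owned directory and, if a user must edit the logic, to have sudo run a fixed wrapper that validates its input rather than the user's own file.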