Nibbles

Alright Alright, I know all 0 of my fans have just been DYING for my first post

but fear not I shall deliver.... with a really easy box from hackthebox.


Okay so admittedly I got stuck on guessing the admin password on this machine, BUT

in my defense, is guessing passwords reeeaaalllyy a "1337 HaX0r" skill? I mean OK sure maybe

but usually that's more through social engineering not through


"Oh weLl tHe wEbSiTe nAmE Is x, SO SURELY tHE aDMin pAsSwoRd iS X"

-read that in your annoying co-worker's voice-


But yea actually guessing the admin password was by far the hardest thing to do in this box.

Okay onto the meat here


So I spin up the target machine, do what every 1337 h3xor does, and run a quick nmap scan

on my target. Now personally I use the command:


sudo nmap -sSCV [target-ip] -oN nmap


For those unfamiliar, nmap is a tool used to map out networks, however it can also do more,

like scan websites or IP addresses, and it'll let you get some basic information about whatever you're scanning.

The options I used, -sSCV, are normally written separately but I'm lazy and put them all together. What they do is a

stealth scan (-sS), script scan (-sC), and version scan (-sV), and -oN just writes the output to a file (here named nmap).

These options together will give me a pretty quick visual of my target and let me know what's going on.


After running my first nmap scan I find out that only port 22 and port 80 are open on the machine.

On port 22 we have an SSH service (SHOCKING!!!!)

On port 80 we have a website being hosted (ALSO SHOCKING!!!!)

For those who don't know anything about servers this is very much non-SHOCKING!!!! information
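As an added example (not from the original post), here's a small Python parser for the -oN output that command produces, plus a check that compares the open ports against what the host is supposed to expose. The scan text, address and banners are constructed, not the box's real output.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample of nmap "normal" (-oN) output for a host with only 22 and 80 open.
# The address is an RFC 5737 documentation IP and the banners are made up.
SAMPLE_NMAP_OUTPUT = """\
# Nmap scan initiated as: nmap -sSCV 192.0.2.10 -oN nmap
Nmap scan report for 192.0.2.10
Host is up (0.050s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.x (constructed banner)
| ssh-hostkey:
|   2048 aa:bb:cc:dd (RSA)
80/tcp open  http    Apache httpd 2.4.x ((constructed banner))
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux
# Nmap done -- 1 IP address (1 host up) scanned
"""

# One port line looks like "22/tcp open  ssh     OpenSSH ..."; NSE script lines start with "|".
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_nmap_normal(text: str) -> Dict[int, Tuple[str, str, str]]:
    """Map port number -> (state, service, version string) from -oN output."""
    ports = {}
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            ports[int(m.group(1))] = (m.group(3), m.group(4), m.group(5).strip())
    return ports


def open_ports(text: str) -> List[int]:
    """Sorted list of ports nmap reported as open."""
    return sorted(p for p, (state, _, _) in parse_nmap_normal(text).items() if state == "open")


def unexpected_exposure(text: str, allowed: Set[int]) -> List[int]:
    """Defender check: open ports that are not on the host's expected-exposure baseline."""
    return [p for p in open_ports(text) if p not in allowed]


if __name__ == "__main__":
    print("open:", open_ports(SAMPLE_NMAP_OUTPUT))  # [22, 80]
    print("not in baseline {22}:", unexpected_exposure(SAMPLE_NMAP_OUTPUT, {22}))  # [80]
```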


Before visiting the website I run a simple nmap --script=vuln [target-ip] -oN vuln

however this didn't yield any useful vulnerabilities in the website so I'll ignore it


With my initial scanning done and out of the way I head on to the website

Once the website loaded in, it was completely blank besides the words:

Hello World!

yeaaaa....... that's some pretty lame junk

So I did what any normal person would do when greeted with an 'empty' page

and I inspected the hell out of that element


a.k.a. I looked at the html code (and if you really don't know what inspect element is, just google it and come back here afterwards)


But yes after inspecting the source code I found a comment that told me:

/nibbleblog/ directory. Nothing interesting here!

if you really thought that nothing would be in that directory, man leave my website I can't turn everyone into a critical thinker

naturally I added /nibbleblog/ to the IP address of the website

and tada! Like magic we get the actual website!

this isn't too crazy though as now we're stuck at a dead end, forced to look at an unused blogging website


I went through the website looking around clicking things whatever but

after a few minutes of looking around I realized there wasn't much to do on this page and decided it was time to do some


Directory Busting

*explosion sounds*


Yea dir busting sounds a lot cooler than it is

But the main gist of it is just searching for hidden files/web folders so I can maybe see some things I'm not supposed to

To start this I run a gobuster command


gobuster dir -w [wordlist] -u [target-ip]/nibbleblog -b 404 -x .php


okay a quick tear-down of what's happening with that command

I'm using the dir option because I'm looking to enumerate files/directories

-w is just what wordlist I want to use, I usually go for stuff I find in the SecLists dictionaries

-u is the url of the website

-b is so files that return error 404 don't come up in my results (yk 404 as in page not found)

-x .php is used as a file extension to look for, specifically .php files

the reason I'm looking for php files is because I know that the website uses php (I know this because of the Wappalyzer Firefox plugin lol)


After my gobuster scan finishes busting I'm left with a handful of directories and files, most notably the:

admin/ directory, admin.php, and a README file

I like to look at the simple things first so I tried looking into the README file

my other reason for doing so is because it tells me to read it


In the README file I was able to find out that the website is built using an existing framework called


NibbleBlog!


Look at that, full circle, from the README I also find out the version of Nibbleblog that's running

nibbleblog 4.0.3 was running on the website and, who would've guessed it, when you search it up you can actually find that it has an RCE vulnerability!

RCE == Remote Code Execution, which basically means your website is mines

....sorta

unfortunately the exploit requires access to an admin account

yea that sucks, HOWEVER we now have a true target, a simple one too, we just gotta get the admin password and username

easier said than done though


so it's time to check out the other eye-catching discoveries I made

so to keep things short, admin.php requires me to login as an admin account, and the admin directory lets me see a whole bunch of files I shouldn't see

I shot a couple of passwords and usernames at the admin login page and I was unsuccessful

this led me to go through the admin directory for information

to make a long story short I got nothing but headaches out of the admin directory


Now I only mentioned the interesting named directories I found in my gobuster search

the other directories I found were

content/, themes/, plugins/, and languages/

I tried going into the content directory and was greeted with a few more directories, the most intriguing one was labeled


private


Of course I just had to check it out, what did I find????

a bunch of lame .xml files, although one of them had a list of all the users on the website

normally that's a pretty nice find, but since this is a CTF and this nibbleblog really lacked content

there was only an admin account listed on the user list

so now we have an admin username (it was just admin lol), all we need is a password and boom we can run our exploit and be all

#1337 #pwn'd and junk
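Flipping this around to the defender's side, as an added example that isn't from the original post: a Python script that reads Apache access logs and flags the two things that just happened on this box, a burst of 404s from one IP (gobuster busting the directory) and successful anonymous fetches of the content/private/ files like users.xml (or the admin/ directory index). The log lines, addresses, user agents and thresholds are all constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Apache combined-format access log (RFC 5737 addresses, made-up timestamps):
# one ordinary visitor and one host busting /nibbleblog for .php files, then pulling users.xml.
SAMPLE_LOG = """\
192.0.2.50 - - [10/Mar/2024:12:00:01 +0000] "GET /nibbleblog/ HTTP/1.1" 200 2148 "-" "Mozilla/5.0"
192.0.2.77 - - [10/Mar/2024:12:00:05 +0000] "GET /nibbleblog/test.php HTTP/1.1" 404 297 "-" "gobuster/3"
192.0.2.77 - - [10/Mar/2024:12:00:05 +0000] "GET /nibbleblog/backup.php HTTP/1.1" 404 297 "-" "gobuster/3"
192.0.2.77 - - [10/Mar/2024:12:00:06 +0000] "GET /nibbleblog/old.php HTTP/1.1" 404 297 "-" "gobuster/3"
192.0.2.77 - - [10/Mar/2024:12:00:06 +0000] "GET /nibbleblog/dev.php HTTP/1.1" 404 297 "-" "gobuster/3"
192.0.2.77 - - [10/Mar/2024:12:00:07 +0000] "GET /nibbleblog/tmp.php HTTP/1.1" 404 297 "-" "gobuster/3"
192.0.2.77 - - [10/Mar/2024:12:01:30 +0000] "GET /nibbleblog/content/private/users.xml HTTP/1.1" 200 412 "-" "Mozilla/5.0"
"""
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
# Paths the writeup reached that a NibbleBlog install should not serve to anonymous visitors.
SENSITIVE_PREFIXES = ("/nibbleblog/content/private/", "/nibbleblog/README")

def parse_log(text):
    """Parse combined-format lines into dicts with ip, ts (aware datetime), path and status."""
    entries = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            ip, ts, _method, path, status = m.groups()
            entries.append({"ip": ip, "path": path, "status": int(status),
                            "ts": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")})
    return entries

def find_dirbusting(entries, threshold=5, window_s=60):
    """IPs that racked up `threshold` 404s inside any `window_s`-second span (a gobuster signature)."""
    misses = defaultdict(list)
    for e in entries:
        if e["status"] == 404:
            misses[e["ip"]].append(e["ts"])
    flagged = set()
    for ip, times in misses.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_s:
                flagged.add(ip)
                break
    return flagged

def find_sensitive_hits(entries):
    """Successful requests for private NibbleBlog paths or the admin/ directory index."""
    return [(e["ip"], e["path"]) for e in entries if 200 <= e["status"] < 300
            and (e["path"].startswith(SENSITIVE_PREFIXES) or e["path"] == "/nibbleblog/admin/")]
```

The real fix is to deny web access to content/private/ and directory listings in the server config, but the log check tells you whether someone already walked through the open door.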


So I went back to the admin.php page and tried a bunch of passwords for the admin account

now I'm lazy and don't like using brute-forcing methods of password cracking since it's time-consuming and can often give 0 results while cracking even one user's account

so I spent a lot of time here looking around for a password, I mean I dug through a lot of the files on the server, used default passwords, etc.

when none of that worked I just looked up the password for the box, I really prefer to not bruteforce. PLUS cheating is usually 10x faster than a bruteforcing attempt!

turns out the password was nibbles...


You know hey I tried putting in nibble, nibbleblog, nibbleblogrulez

but sometimes a password is just toooooo good for the average guesser

(good thing I'm a below average guesser amirite heyooooooooo ;( )


so now I had everything I needed: the admin account credentials, our exploit, some slight disappointment, the usual

I ran a nice Metasploit exploit and boom, look at that, I had a nice reverse shell on the target webserver

however I was still a low-privileged user, born poor in the lower class of this corrupt filesystem ;(

but that was going to change after I got my local linux exploit suggester into the game


alright so first I guess I should say this is the post exploitation part

I basically can do whatever I want with the website at this point, but as this is a CTF I would like to become the root user

root is like the windows admin account but for smelly linux nerds, if we can get it, this server becomes mines


In order to get the root account I run my local exploit suggester to find out if the server machine is vulnerable to any known exploits

and it turns out this is an unpatched server with a good amount of exploits, but I ran with a reliable exploit called dirtyCOW

I never really used it before but I'm somewhat familiar with it, who knows maybe I'll go over the exploit on this little loser-hole site

anywho I compiled the dirtyCOW exploit on my laptop and uploaded it to the webserver so I could run the exploit


also all file uploads after the post exploitation are done with the meterpreter upload function

(nc listeners are annoying sometimes okay)


and finally I was able to run my local dirtyCOW exploit

for the noobs, dirtyCOW allows me to go from a low-privileged user on a linux machine to the root user through some weird C magic

after running dirtyCOW I got root access and that was about it, I went and grabbed both the user and root account flags and submitted them to hackthebox

box pwn'd

only took a shortcut on the brute force/guessing route




anyways if you made it to the end and read everything, wow okay go to sleep bud

also thanks for reading you should like.... idk follow my neocities page?? it'd be cool

also if you wanna talk I'm always down you can message me on discord

geocube333#3053

I'll make this page look prettier tomorrow

Oh and remember


don't sell out your hacking abilities, save the world instead