Hack The Box (HTB) is an online platform allowing you to test your penetration testing skills. Nibble is an easy to hack box and is meant for beginners. However, easy it may be, it gives a solid foundation for a beginner to progress.
We will use the following tools to pawn the box on a Kali Linux box
Step 1 – Scanning the network
As an initial step, before the machine is exploited, it needs to be scanned and investigated.
This is important to determine what can be exploited afterwards. It is always better to spend time on this phase to extract maximum information.
Nmap (Network Mapper). Nmap is a free and open source utility for network discovery and security auditing. Raw IP packets are used to determine hosts available on the network, services offered by those hosts, operating systems running, packet filters, firewalls in use, and many other characteristics.
Use the following command to get a basic idea of what we are scanning
nmap -sV -sC -A 10.10.10.75
-sV: Probe open ports to determine service/version info
-sC: Default script sets
-A: Aggressive scan. Enable OS detection, version detection, script scanning, and traceroute
10.10.10.75: IP address of the Nibble box
We can see that there are 2 open ports:
Port 22. SSH
Port 80. HTTP
Step 2 – Exploring the IP address
In the address bar of the browser we visit the IP address of the Nibble box 10.10.10.75. This accesses port 80. We get to see a page with “Hello World!” Upon checking the source, a directory is found, however, no significant information can be gathered.
To move further, we enumerate the directories. A list of directories is obtained, and the most enticing one is the admin directory.
This admin directory leads to a login page. On this login page we try to use the credentials:
Hooray! This lets us log in!
Step 3 – Running the Exploit
After logging in, it is found that the version is 4.0.3. We look to find the vulnerabilites for this version in the metasploit framework.
I use the following command in the metasploit framework
Metasploit is a penetration testing framework that makes hacking simple. It’s an essential tool for many attackers and defenders.
Following command is used for the exploit
This will launch the exploit. This command displays the available options.
You can see that the remote host (RHOSTS) is not yet set. RHOSTS will be the victim. Also, TARGETURI, USERNAME & PASSWORD will be set
Following command sets the remote host using the IP address of HTB Nibble box
set RHOSTS 10.10.10.75
set password nibbles
set username admin
set targeturi /nibbleblog/
Bingo! A command shell opened. Metapreter session is obtained. 🙂
Step 4 – Looking for the user.txt flag
Following command is used to list all the files/folders
Let’s move to the home folder and see what can be found
Step 5 – Looking for the root.txt flag
Now look for flag root.txt.
To open an interactive python shell the following command is used and a python file is imported to spawn the target system. We are using python3 here.
python3 -c 'import pty;pty.spawn("/bin/bash")'
In the nibbler directory we unzip the personal.zip folder using the following command and find monitor.sh script.
This monitor.sh has got sudo permission, i.e. authorization to modify this script.
In the sudo terminal, we find that the script is writable and can be used as root. If needed, it can be edited. The script is used and root is obtained.
Congrats! You found both flags!