Kappa

“Great things are not done by impulse, but by a series of small things brought together.”

Getting Started

• Nibbles - Enumeration
• ~ Nibbles - Web Footprinting
• Nibbles - Initial Foothold

Nibbles - Web Footprinting

We can use whatweb to try to identify the web application in use.

kappajester83@htb[/htb]$ whatweb 10.129.42.190
http://10.129.42.190 [200 OK] Apache[2.4.18], Country[RESERVED][ZZ], HTTPServer[Ubuntu Linux][Apache/2.4.18 (Ubuntu)], IP[10.129.42.190]

This tool does not identify any standard web technologies in use. Browsing to the target in Firefox shows us a simple "Hello world!" message. Checking the page source reveals an interesting comment.

• https://academy.hackthebox.com/storage/modules/77/nibbles_hello2.png
• https://academy.hackthebox.com/storage/modules/77/nibbles_comment1.png

We can also check this with cURL.

kappajester83@htb[/htb]$ curl http://10.129.42.190

The HTML comment mentions a directory named nibbleblog. Let us check this with whatweb.

kappajester83@htb[/htb]$ whatweb http://10.129.42.190/nibbleblog

          http://10.129.42.190/nibbleblog [301 Moved Permanently] Apache[2.4.18], Country[RESERVED][ZZ], HTTPServer[Ubuntu Linux][Apache/2.4.18 (Ubuntu)], IP[10.129.42.190], RedirectLocation[http://10.129.42.190/nibbleblog/], Title[301 Moved Permanently]
          http://10.129.42.190/nibbleblog/ [200 OK] Apache[2.4.18], Cookies[PHPSESSID], Country[RESERVED][ZZ], HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.18 (Ubuntu)], IP[10.129.42.190], JQuery, MetaGenerator[Nibbleblog], PoweredBy[Nibbleblog], Script, Title[Nibbles - Yum yum]
        

Now we are starting to get a better picture of things. We can see some of the technologies in use such as HTML5, jQuery, and PHP. We can also see that the site is running Nibbleblog, which is a free blogging engine built using PHP.

Directory Enumeration

Browsing to the /nibbleblog directory in Firefox, we do not see anything exciting on the main page.

• https://academy.hackthebox.com/storage/modules/77/yumyum_.png

A quick Google search for "nibbleblog exploit" yields this Nibblblog File Upload Vulnerability. The flaw allows an authenticated attacker to upload and execute arbitrary PHP code on the underlying web server. The Metasploit module in question works for version 4.0.3. We do not know the exact version of Nibbleblog in use yet, but it is a good bet that it is vulnerable to this. If we look at the source code of the Metasploit module, we can see that the exploit uses user-supplied credentials to authenticate the admin portal at /admin.php.

Let us use Gobuster to be thorough and check for any other accessible pages/directories.

kappajester83@htb[/htb]$ gobuster dir -u http://10.129.42.190/nibbleblog/ --wordlist /usr/share/seclists/Discovery/Web-Content/common.txt

          ===============================================================

          Gobuster v3.0.1

          by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
          ===============================================================

          [+] Url:            http://10.129.42.190/nibbleblog/
          [+] Threads:        10
          [+] Wordlist:       /usr/share/seclists/Discovery/Web-Content/common.txt
          [+] Status codes:   200,204,301,302,307,401,403
          [+] User Agent:     gobuster/3.0.1
          [+] Timeout:        10s
          ===============================================================
          2020/12/17 00:10:47 Starting gobuster
          ===============================================================
          /.hta (Status: 403)
          /.htaccess (Status: 403)
          /.htpasswd (Status: 403)
          /admin (Status: 301)
          /admin.php (Status: 200)
          /content (Status: 301)
          /index.php (Status: 200)
          /languages (Status: 301)
          /plugins (Status: 301)
          /README (Status: 200)
          /themes (Status: 301)
          ===============================================================
          2020/12/17 00:11:38 Finished
          ===============================================================
        

Gobuster finishes very quickly and confirms the presence of the admin.php page. We can check the README page for interesting information, such as the version number.

kappajester83@htb[/htb]$ curl http://10.129.42.190/nibbleblog/README

          ====== Nibbleblog ======
          Version: v4.0.3
          Codename: Coffee
          Release date: 2014-04-01

          Site: http://www.nibbleblog.com
          Blog: http://blog.nibbleblog.com
          Help & Support: http://forum.nibbleblog.com
          Documentation: http://docs.nibbleblog.com

          ===== Social =====
          * Twitter: http://twitter.com/nibbleblog
          * Facebook: http://www.facebook.com/nibbleblog
          * Google+: http://google.com/+nibbleblog

          ===== System Requirements =====
          * PHP v5.2 or higher
          * PHP module - DOM
          * PHP module - SimpleXML
          * PHP module - GD
          * Directory “content” writable by Apache/PHP
          ...SNIP...
        

So we validate that version 4.0.3 is in use, confirming that this version is likely vulnerable to the Metasploit module (though this could be an old README page). Nothing else interesting pops out at us. Let us check out the admin portal login page.

• https://academy.hackthebox.com/storage/modules/77/nibble_admin.png

Now, to use the exploit mentioned above, we will need valid admin credentials. We can try some authorization bypass techniques and common credential pairs manually, such as admin:admin and admin:password, to no avail. There is a reset password function, but we receive an e-mail error. Also, too many login attempts too quickly trigger a lockout with the message Nibbleblog security error - Blacklist protection.

Let us go back to our directory brute-forcing results. The 200 status codes show pages/directories that are directly accessible. The 403 status codes in the output indicate that access to these resources is forbidden. Finally, the 301 is a permanent redirect. Let us explore each of these. Browsing to nibbleblog/themes/. We can see that directory listing is enabled on the web application. Maybe we can find something interesting while poking around?

• https://academy.hackthebox.com/storage/modules/77/nibbles_dir_listing.png

Browsing to nibbleblog/content shows some interesting subdirectories public, private, and tmp. Digging around for a while, we find a users.xml file which at least seems to confirm the username is indeed admin. It also shows blacklisted IP addresses. We can request this file with cURL and prettify the XML output using xmllint.

kappajester83@htb[/htb]$ curl -s http://10.129.42.190/nibbleblog/content/private/users.xml | xmllint --format -

At this point, we have a valid username but no password. Searches of Nibbleblog related documentation show that the password is set during installation, and there is no known default password. Up to this point, have the following pieces of the puzzle:

• A Nibbleblog install potentially vulnerable to an authenticated file upload vulnerability
• An admin portal at nibbleblog/admin.php
• Directory listing which confirmed that admin is a valid username
• Login brute-forcing protection blacklists our IP address after too many invalid login attempts. This takes login brute-forcing with a tool such as Hydra off the table

There are no other ports open, and we did not find any other directories. Which we can confirm by performing additional directory brute-forcing against the root of the web application

kappajester83@htb[/htb]$ gobuster dir -u http://10.129.42.190/ --wordlist /usr/share/seclists/Discovery/Web-Content/common.txt

          ===============================================================
          Gobuster v3.0.1
          by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
          ===============================================================
          [+] Url:            http://10.129.42.190/
          [+] Threads:        10
          [+] Wordlist:       /usr/share/seclists/Discovery/Web-Content/common.txt
          [+] Status codes:   200,204,301,302,307,401,403
          [+] User Agent:     gobuster/3.0.1
          [+] Timeout:        10s
          ===============================================================
          2020/12/17 00:36:55 Starting gobuster
          ===============================================================
          /.hta (Status: 403)
          /.htaccess (Status: 403)
          /.htpasswd (Status: 403)
          /index.html (Status: 200)
          /server-status (Status: 403)
          ===============================================================
          2020/12/17 00:37:46 Finished
          ===============================================================
        

Taking another look through all of the exposed directories, we find a config.xml file.

kappajester83@htb[/htb]$ curl -s http://10.129.42.190/nibbleblog/content/private/config.xml | xmllint --format -

Checking it, hoping for passwords proofs fruitless, but we do see two mentions of nibbles in the site title as well as the notification e-mail address. This is also the name of the box. Could this be the admin password?

When performing password cracking offline with a tool such as Hashcat or attempting to guess a password, it is important to consider all of the information in front of us. It is not uncommon to successfully crack a password hash (such as a company's wireless network passphrase) using a wordlist generated by crawling their website using a tool such as CeWL.

• https://academy.hackthebox.com/storage/modules/77/nibbles_loggedin.png

This shows us how crucial thorough enumeration is. Let us recap what we have found so far:

• We started with a simple nmap scan showing two open ports
• Discovered an instance of Nibbleblog
• Analyzed the technologies in use using whatweb
• Found the admin login portal page at admin.php
• Discovered that directory listing is enabled and browsed several directories
• Confirmed that admin was the valid username
• Found out the hard way that IP blacklisting is enabled to prevent brute-force login attempts
• Uncovered clues that led us to a valid admin password of nibbles

This proves that we need a clear, repeatable process that we will use time and time again, no matter if we are attacking a single box on HTB, performing a web application penetration test for a client, or attacking a large Active Directory environment. Keep in mind that iterative enumeration, along with detailed notetaking, is one of the keys to success in this field. As you progress in your career, you will often marvel at how the initial scope of a penetration test seemed extremely small and "boring," yet once you dig in and perform rounds and rounds of enumeration and peel back the layers, you may find an exposed service on a high port or some forgotten page or directory that can lead to sensitive data exposure or even a foothold.

VPN Servers

Warning: Each time you "Switch", your connection keys are regenerated and you must re-download your VPN connection file.

All VM instances associated with the old VPN Server will be terminated when switching to a new VPN server.

Existing PwnBox instances will automatically switch to the new VPN server.

Getting Started

1. Infosec Overview
2. Getting Started with a Pentest Distro
3. Staying Organized
4. Connecting Using VPN
5. Common Terms
6. Basic Tools
7. Service Scanning
8. Web Enumeration
9. Public Exploits
10. Types of Shells
11. Privilege Escalation
12. Transferring Files
13. Starting Out
14. Navigating HTB
15. Nibbles - Enumeration
16. ~ Nibbles - Web Footprinting
17. Nibbles - Initial Foothold
18. Nibbles - Privilege Escalation
19. Nibbles - Metasploit
20. Common Pitfalls
21. Getting Help
22. Next Steps
23. Knowledge Check