Lame

Type: Linux

Difficulty: Easy

Link: https://app.hackthebox.com/machines/Lame

IP Address: 10.10.10.3

Enumeration

  • Run nmap: sudo nmap -sC -sV -p- -Pn -oA Nibbles 10.10.10.75

  • 22/tcp is SSH and is secure by default (not many CVEs) so skip it

  • 80/tcp is HTTP, start running gobuster and enumerate the site manually

  • In the page source we found a directory (/nibbleblog), so we started fuzzing this directory

  • On the README page, we found several pieces of valuable information, like the version of the system.

  • I searched for a CVE for this version and found one, but it needs credentials (CVE-2015-6967).

  • Check the admin page and try default credentials (I tried many different combinations: admin/admin, root/root, etc., but nothing worked, so I checked other writeups to make sure I was not down a rabbit hole, and it turned out it's just admin/nibbles)

  • I used the reverse shell from pentest monkey (https://pentestmonkey.net/tools/web-shells/php-reverse-shell) and did the exploit manually by going to plugins and uploading it to My Image

  • It shows errors after uploading but it's meaningless (It says changes saved successfully)

  • I checked what commands we can run as sudo by using the command sudo -l

  • There is a monitor.sh shell file that we can run as root without a password.

  • When I tried to access the directory that contains the monitor.sh file I got the message that there is no such directory.

  • The directory is in personal.zip, so I unzipped the file (unzip personal.zip) and then typed my code into the shell (echo "/bin/sh" > monitor.sh). This is just a lazy way to spawn a shell as root instead of getting a reverse shell.
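
The last steps work because a sudo rule lets a script run as root without a password while the script's path sits under a directory the unprivileged user controls. As an added example (not part of the original writeup), this Python audit parses `sudo -l` output and reports every NOPASSWD path that a non-trusted account could create or overwrite; the sample output, user name and path are constructed placeholders.

```python
import os
import re
import stat

# One NOPASSWD entry in `sudo -l` output, e.g. "(root) NOPASSWD: /a/b.sh, /c/d"
NOPASSWD_RE = re.compile(r"^\s*\([^)]*\)\s+NOPASSWD:\s*(.+)$")

def nopasswd_commands(sudo_l_output):
    """Return the absolute command paths granted without a password."""
    paths = []
    for line in sudo_l_output.splitlines():
        match = NOPASSWD_RE.match(line)
        if match:
            for cmd in match.group(1).split(","):
                cmd = cmd.strip()
                if cmd.startswith("/"):           # skip aliases such as ALL
                    paths.append(cmd.split()[0])  # keep the path, drop arguments
    return paths

def path_findings(path, trusted_uids=(0,), stop_at="/"):
    """Explain why an account outside trusted_uids could control `path`.

    Checks the file and every parent directory up to stop_at: each must exist,
    be owned by a trusted uid and not be group- or world-writable.
    Simplification: sticky directories such as /tmp are not exempted.
    """
    findings = []
    current = os.path.abspath(path)
    stop_at = os.path.abspath(stop_at)
    while True:
        if not os.path.exists(current):
            findings.append(f"{current}: does not exist")
        else:
            st = os.stat(current)
            if st.st_uid not in trusted_uids:
                findings.append(f"{current}: owned by uid {st.st_uid}")
            if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append(f"{current}: group- or world-writable")
        parent = os.path.dirname(current)
        if current == stop_at or parent == current:
            return findings
        current = parent

# Constructed sample; the user name and path are placeholders, not from the page.
SAMPLE = """User exampleuser may run the following commands on examplehost:
    (root) NOPASSWD: /home/exampleuser/scripts/monitor.sh
"""

if __name__ == "__main__":
    for cmd in nopasswd_commands(SAMPLE):
        for finding in path_findings(cmd):
            print(finding)
```

Any finding means the sudo rule should point at a root-owned script in a root-owned directory, or be removed.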

Flags:
