HTB - Nibbles without MetaSploit
An Easy box according to HTB's rating, with a rather poor user rating. Let's see what it is about!
Quick recon according to logo and info :
- Linux box ;
- Misc : web, misconfiguration.
nmap scan :
Let’s enumerate web folders in CLI, for a change :
This does not give us much information; however, browsing to the website and checking its source reveals a new URL:
Run gobuster once more against this new URL:
It reveals juicier info, such as
install.php tells us the site is already installed and offers to upgrade it, which leaks the version, NibbleBlog 4.0.3:
By checking the source code on GitHub, we also find a juicy directory in
With searchsploit we find that our version is vulnerable to an Authenticated Arbitrary File Upload, so we need valid credentials first.
Looking inside the users.xml file, we can assume that admin is the login.
Now, we could try to brute-force the admin area, but it won't be effective since NibbleBlog temporarily blocks our IP after a few failed attempts:
Here, again, I spent way more time than I care to admit. You have to find the password but can't "crack" it, which means you have to guess it. I tried a lot of stuff… but couldn't find it, so I cheated… again!
We know the login is admin, and the password is nibbles, like the box's name (which I tried), but I used a capital
Now that we have our credentials, we can finally start playing with the vulnerability we found earlier! Since we are trying to solve this without Metasploit, we need a manual way to exploit our target.
Getting initial shell
Let's create a [PHP reverse shell](https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php), thanks to pentestmonkey (set its IP and port to our attacking machine first), and upload it via the Image plugin located at http://$target_ip/nibbleblog/admin.php?controller=plugins&action=config&plugin=my_image. Then we run the shell by browsing to http://$target_ip/nibbleblog/content/private/plugins/my_image/image.php. The uploaded file is always renamed to image.ext, ext being the "real" extension of what we uploaded, so our .php file ends up as image.php and is executed by PHP.
NB: do not forget to start your listener first: `nc -nlvp 1234`.
And we are in, unfortunately as nibbler and not
Let’s still grab the user flag :
And now… we need to escalate our priv!
Before we have any chance of elevating our privileges, we should do more internal recon.
We'll upload LSE (linux-smart-enumeration) to check for possible privilege-escalation entry points.
We serve the script from our attacking machine with `sudo python2 -m SimpleHTTPServer 80`, since the target doesn't seem to resolve GitHub's domain, and download it with
Once downloaded, make it executable and run it. Something interesting comes up:
This means that we'll be able to run anything as root as long as it is in
All right! Let’s try to run a reverse shell :
Now we run it :
NB: don't forget to start the listener on your attacking machine first.
And that’s it, we have root :
And we grab the last flag :
Let me be blunt. Getting the admin's password sucked, and was no fun at all. Judging from the comments on the forum and the poor rating, I guess I wasn't the only one really frustrated while trying to get initial access. However, once I was in, while it was pretty easy, it was also super fun and I really enjoyed this box!