Nibbles HTB Writeup

Hi Everyone, today I pwned ‘nibbles’ machine on HTB.

Started with enumeration TCP ports and services. I scanned UDP ports simultaneously while enumerating further TCP ports but till then got a root access. We get back the following result showing that two ports are open:

Port 80: running Apache httpd 2.4.18
Port 22: running OpenSSH 7.2p2

As usual, searched on browser. However, no functionality were present so checked the page source where ‘/nibbleblog’ directory found.

By visting the nibbleblog directory on the target machines, I found at the bottom that it is powered by Nibbleblog. This is an indication that it an off the shelf software as apposed to custom software.

To confirm that, let’s google Nibbleblog which is nothing but an open-source engine for creating blogs using PHP which has previously reported vulnerabilities.

After that, I decided to run Gobuster to enumerate directories and find nibbleblog version number.

I found the nibbleblog version number in the ‘/README’ directory.

The important takeaways were that, it’s a code execution vulnerability. The vulnerability is in the “My image” plugin that allows the upload of PHP files. So it would allow us to upload a PHP reverse shell. As it’s an authenticated vulnerability which means that we need admin credentials before we exploit this vulnerability.

The ‘/admin.php’ were asking for a credentials so tried all the default password combination and password cracking tool but no luck. I spent most of the time here on this then tried ‘admin:nibbles’ and worked like a charm.

In the plugins functionality of the webpage, I found a file upload functionality so decided to modify and upload ‘php-reverse-shell’ file as ‘image.php’

The file was uploaded on the target server and can be found at below path and started a netcat listener.

I found a reverse shell and user flag :)

The below command was to check what privileges I have as nibbler user and found out that it is possible to run the script monitor.sh in the above specified directory as root without having to enter a root password.

Just to see what the script contains, I found out that the below file/directory does not exist that means I can create a new one with the same name and We simply echo /bin/bash into the monitor.sh file.

> cat home/nibbler/personal/stuff/monitor.sh