TJnull OSCP Prep Series

HackTheBox: Nibbles [OSCP Prep]

  • OS: Linux 🐧
  • Difficulty: Easy πŸ˜‡
  • Release: 13 Jan 2018 πŸ“…
  • IP: πŸ’»
  • Box Creator: mrb3n 😎

Hello there guys. Welcome to my 9th post on the TJnull OSCP Prep Series. Today we’re going to be discussing Nibbles from HackTheBox.

Let’s begin with a full Nmap scan port scan to see what open ports we can find. I’ve used Rustscan because it provides faster Nmap results:

$ rustscan -a -r 1-65535 -- -sV -sC -Pn
22/tcp open  ssh     syn-ack OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD8ArTOHWzqhwcyAZWc2CmxfLmVVTwfLZf0zhCBREGCpS2WC3NhAKQ2zefCHCU8XTC8hY9ta5ocU+p7S52OGHlaG7HuA5Xlnihl1INNsMX7gpNcfQEYnyby+hjHWPLo4++fAyO/lB8NammyA13MzvJy8pxvB9gmCJhVPaFzG5yX6Ly8OIsvVDk+qVa5eLCIua1E7WGACUlmkEGljDvzOaBdogMQZ8TGBTqNZbShnFH1WsUxBtJNRtYfeeGjztKTQqqj4WD5atU8dqV/iwmTylpE7wdHZ+38ckuYL9dmUPLh4Li2ZgdY6XniVOBGthY5a2uJ2OFp2xe1WS9KvbYjJ/tH
|   256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPiFJd2F35NPKIQxKMHrgPzVzoNHOJtTtM+zlwVfxzvcXPFFuQrOL7X6Mi9YQF9QRVJpwtmV9KAtWltmk3qm4oc=
|   256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC/RjKhT/2YPlCgFQLx+gOXhC6W3A3raTzjlXQMT8Msk
80/tcp open  http    syn-ack Apache httpd 2.4.18 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 22:51
Completed NSE at 22:51, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 22:51
Completed NSE at 22:51, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 22:51
Completed NSE at 22:51, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 26.68 seconds

Nmap discovers 2 ports open: ssh (22), HTTP (80).

HTTP enum

Looking at the page source you will find an interesting comment specifying a web directory

Figure 1.0

Going to we see a nibbleblog CMS running.

Figure 1.1

Doing some directory busting I found README file which contains version information of the current nibbleblog running.

Figure 1.2

I tried the default credentials for nibbleblog but they did not work. So I tried brute-forcing admin credentials.

Figure 1.3

Found admin credentials => admin : nibbles


If you’ve searched for any exploits for nibbleblog v4.0.3, there is an unrestricted file upload vulnerability. Have a look at this article on how to exploit this unrestricted file upload vulnerability manually.

Activate “my image” plugin by visiting the following URL:

Upload your file. In this case I’m uploading a PHP shell

Figure 1.4 : Upload your file

Now you should find the file you uploaded laying in this path : /nibbleblog/content/private/plugins/my_image/<upload-file-name>

Figure 1.5 : Reverse shell connection

Post Exploitation

When it comes to privsec, my first goto is to look for kernel exploits for easy wins. Here’s the output of linux-exploit-suggester

Figure 1.6

You can find the exploit here. Compile it

gcc cve-2017-16995.c -o cve-2017-16995

Move the compiled executable to the target and execute

Figure 1.7

Instant root access.

I hope you have learned something valuable by reading my write-up. If you like this post please share it with your fellow hackermates and if you have any questions & suggestions please feel free to post them down in the comments. I’d love to hear and learn from you.

If you enjoyed this write-up show me some ❀️ by giving me some respect πŸ’― at [email protected] which helps & motivates me to create content like this for the awesome hacking community. Have a great day guys πŸ‘‹. See you in the next post.

Notify of
Inline Feedbacks
View all comments
Share via
Copy link
Powered by Social Snap