This is the 4th write-up in my HackTheBox series. Today I will talk about the Nibbles machine, which is a very, very easy machine. Even though it is easy, people usually make the most mistakes on the simple points, or get stuck there. Anyway, let’s pwn this machine.
nmapAutomator.sh <MACHINE-IP> Full
Just two ports are open: 80 (HTTP - Apache 2.4.18) and 22 (SSH - OpenSSH 7.2p2).
When we visit the web site in a browser, a “Hello world” message welcomes us. Since the machine is easy, the first thing to do is investigate the page source. There could well be a hint in here :)
We can see the following comment in the page source, which reveals a directory name.
<!-- /nibbleblog/ directory. Nothing interesting here! -->
It directs us to a blog site. You can see important info in the footer: this site is powered by Nibbleblog, which is a CMS like WordPress, Joomla etc. Furthermore, the Nibbleblog version may guide us. Let’s move on to directory scanning for more enumeration.
gobuster dir -w <WORD-LIST> -u 10.10.10.75/nibbleblog -t 50
The README and admin directories look worth a closer look. When we visit both, the README directory gives the Nibbleblog version and the admin directory has a login page.
The README page’s content starts with the following information:
====== Nibbleblog ======
Admin page is
We google the software name and version and find this exploit, which is a shell upload vulnerability. This is what we are looking for :)
To use this exploit, we must have admin page credentials. Also, Nibbleblog must have the “My image” plugin installed.
As I said at the beginning, the machine is easy. To find the admin credentials, I tried the following username and password combinations.
- admin - password
- admin - admin
- nibbles - nibbles
- admin - nibbles (these are the correct credentials)
To get a reverse shell, go to pentestmonkey, then upload the shell as image.php.
Visit the following URL to trigger the reverse shell.
We check which commands we can run with sudo via the following command.
sudo -l
The nibbler user can run “monitor.sh” as root.
We can place the following bash script at the defined path as monitor.sh to get root.
We are root!
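The privilege escalation above works because a script that sudo runs as root sits where the user allowed to run it can rewrite it. As an added defensive example (not from the original write-up or the machine), this Python audit parses sudoers-style rules and flags commands the invoking user could rewrite or create; the sudoers lines, file names and user names are constructed, not taken from Nibbles.

```python
import os
import re
import stat
import tempfile
# One sudoers user specification, e.g.  nibbler ALL=(root) NOPASSWD: /path/monitor.sh
SUDOERS_RE = re.compile(
    r"^(?P<user>\S+)\s+[^=\s]+\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)

def parse_sudoers(text):
    """Yield (user, runas, nopasswd, command_path) for every rule line."""
    for line in map(str.strip, text.splitlines()):
        m = SUDOERS_RE.match(line) if line and not line.startswith(("#", "Defaults")) else None
        if m:
            for cmd in m.group("cmds").split(","):
                yield (m.group("user"), m.group("runas") or "root",
                       "NOPASSWD" in m.group("tags"), cmd.strip().split()[0])

def risky_sudo_rules(text, invoker_uid, invoker_gids):
    """Flag rules whose command the invoking user could rewrite or create (so they control what root runs)."""
    findings = []
    for user, _runas, _nopasswd, path in parse_sudoers(text):
        if path == "ALL":
            findings.append((user, path, "ALL commands"))
            continue
        try:
            st = os.stat(path)
        except FileNotFoundError:
            findings.append((user, path, "target missing"))
            continue
        owner_w = st.st_uid == invoker_uid  # an owner can always chmod it writable
        group_w = st.st_gid in invoker_gids and st.st_mode & stat.S_IWGRP
        if owner_w or group_w or st.st_mode & stat.S_IWOTH:
            findings.append((user, path, "writable by invoking user"))
    return findings

def demo():
    """Constructed fixture: a world-writable script, a locked-down one, and a missing one."""
    d = tempfile.mkdtemp()
    bad, good = os.path.join(d, "monitor.sh"), os.path.join(d, "backup.sh")
    for path, mode in ((bad, 0o777), (good, 0o555)):  # 0o777: anyone may rewrite it
        with open(path, "w") as f:
            f.write("#!/bin/bash\necho ok\n")
        os.chmod(path, mode)
    sudoers = (f"# constructed sudoers excerpt\nDefaults env_reset\n"
               f"nibbler ALL=(root) NOPASSWD: {bad}, {good}\n"
               f"ops ALL=(root) NOPASSWD: {d}/missing.sh\n")
    # pretend the sudoers users are a different account than the one running the audit
    return risky_sudo_rules(sudoers, invoker_uid=os.getuid() + 1, invoker_gids=set())
```

On a real host, feed it the output of `sudo -l` for each account or the contents of /etc/sudoers and /etc/sudoers.d, with that account's uid and group ids.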