
HTB : Nibbles



  • Directory enumeration reveals hidden information
  • Login page credentials are simple
  • RCE can be achieved through a plugin
  • Privilege escalation can be achieved by editing a monitoring script


Run an nmap scan to find open ports.

Port 80

Viewing the page source gives a clue.

Run a gobuster scan to find hidden directories.

The main site does not yield many directories, so I tried it against the nibbleblog subdirectory.



The README indicates the version of the interface.

After some time brute-forcing the login page, I tried the name of the box and access was gained.


Found an exploit that does not require Metasploit.

Head to the My image plugin page and upload a PHP reverse shell.

Start an nc listener and trigger the reverse shell script.

User access gained.

User flag found.

Privilege escalation

Check for sudo permissions.

It looks like some kind of server health monitoring script.

Let’s echo a shell into monitor.sh, and root access is gained.

Root flag is found.
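The escalation above works because a script that sudo runs as root can be modified by the low-privileged user. As an added defensive check that is not part of the original writeup, the audit below pulls the command paths granted in `sudo -l` output and flags any whose file or parent directory a non-root user could change; the sample `sudo -l` text, user, host and path in it are constructed, and `demo()` builds a throwaway monitor.sh to exercise the check.

```python
import re
import stat
import tempfile
from pathlib import Path

# One command entry from `sudo -l`, e.g. "(root) NOPASSWD: /opt/monitor.sh".
SUDO_ENTRY = re.compile(r"\((?P<runas>[^)]*)\)\s*(?:(?:NO)?PASSWD:\s*)?(?P<cmds>.+)")
# Constructed sample of `sudo -l` output; user, host and path are made up.
SAMPLE_SUDO_L = """\
User user may run the following commands on box:
    (root) NOPASSWD: /home/user/personal/stuff/monitor.sh
"""

def parse_sudo_l(output: str) -> list[str]:
    """Return the absolute command paths a user may run via sudo."""
    paths = []
    for m in SUDO_ENTRY.finditer(output):
        for cmd in m.group("cmds").split(","):
            token = cmd.split()[:1]
            # "ALL" or an empty entry has nothing on disk to audit
            if token and token[0].startswith("/"):
                paths.append(token[0])
    return paths

def audit_sudo_target(path: str) -> list[str]:
    """Findings that let a non-root user change what sudo executes: the
    script and its parent directory are checked for non-root ownership
    and for group/world write bits (either lets the file be swapped)."""
    findings = []
    for label, p in (("file", Path(path)), ("dir", Path(path).parent)):
        try:
            st = p.stat()
        except FileNotFoundError:
            findings.append(f"{label} {p}: missing")
            continue
        if st.st_uid != 0:
            findings.append(f"{label} {p}: owned by uid {st.st_uid}, not root")
        if st.st_mode & stat.S_IWGRP:
            findings.append(f"{label} {p}: group-writable")
        if st.st_mode & stat.S_IWOTH:
            findings.append(f"{label} {p}: world-writable")
    return findings

def demo(mode: int) -> list[str]:
    """Audit a throwaway monitor.sh created with the given mode bits."""
    with tempfile.TemporaryDirectory() as d:
        script = Path(d, "monitor.sh")
        script.write_text("#!/bin/sh\nuptime\n")
        script.chmod(mode)
        return audit_sudo_target(str(script))
```

On a real host, feed `subprocess.run(["sudo", "-l"], capture_output=True, text=True).stdout` into `parse_sudo_l` and audit each returned path; anything flagged as writable should be root-owned and mode 755 or tighter.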
