Writeup - Nibbles (HTB)

This is a writeup for the Nibbles machine from the HackTheBox site.


First, let's start with a scan of our target with the following command:

nmap -sV -T4 -Pn

Two TCP ports are discovered:

  • 22/tcp : SSH port (OpenSSH 7.2p2)
  • 80/tcp : HTTP web server (Apache 2.4.18)


Looking at the source code of the web page, I found the following comment:

<!-- /nibbleblog/ directory. Nothing interesting here! -->

So I go to this new page:

I then search the pages present on the site with ffuf.

One page is particularly interesting: admin.

So I try to brute force the password of the admin user with the hydra command.

Although the command returns several hits, none of them works: the login form has an anti-brute-force protection. So I try common passwords by hand and after a few attempts I find the following credentials: admin/nibbles.

It works, but it is rather frustrating not to have found a more legitimate way. After some research I find a solution online to test passwords while taking the anti-brute-force protection into account: brute force version.

I can now connect to the admin panel! After going through the panel, I find the following page where you can upload images.

So I try to upload a PHP reverse shell as an image, then I open the following link to execute it:

I now have a reverse shell as the nibbler user and I can get the first flag.

Privilege escalation

I start by checking the sudo permissions of my user:

In my home directory I find a .zip file, which I unzip:

The script it contains is writable by my user and can be executed as root through sudo. I put the following content in the script:

#!/bin/sh
# create the root user's SSH directory (-p: do not fail if it already exists)
mkdir -p /root/.ssh
touch /root/.ssh/authorized_keys
# 'id_rsa' stands for the attacker's public key (the contents of id_rsa.pub)
echo 'id_rsa' > /root/.ssh/authorized_keys

This creates the SSH directory of the root user and adds my public key to its authorized_keys file. To execute the script through sudo I use the following command:

sudo -n ./

I can now log in as root and get the last flag.


To patch this host I think the following actions would be necessary:

  • Do not leave sensitive comments (such as hidden directory names) in the HTML source
  • Update NibbleBlog to fix the arbitrary file upload vulnerability
  • Do not let root execute scripts that unprivileged users can modify
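The third remediation point is the one that turned a web shell into root on this box, and it is easy to check for on any host. The following audit script is an added example for this writeup, not code from the original post or from Hack The Box: it parses sudoers-style rules of the common form `user HOST=(RUNAS) [NOPASSWD:] /path/to/command` (an assumption; aliases and `%group` entries are not expanded) and reports every rule whose command file, or its parent directory, is writable by the user the rule grants. The `identities` mapping and the `demo()` fixture are constructed for the example so it runs offline without reading the host's passwd database.

```python
"""Audit sudoers rules for commands the granted user can also modify.

Added example (not from the original post): flags sudo rules that let a user
run a file as root while that same user can edit or replace the file.
Assumed rule format: 'user HOST=(RUNAS) [TAG:] /path/to/cmd [args]'.
"""
import os
import re
import stat
import tempfile
from dataclasses import dataclass

# user  host = (runas)  optional TAG: prefixes  command  args
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S+)(?P<args>.*)$"
)


@dataclass
class Finding:
    user: str
    cmd: str
    reason: str


def parse_rule(line):
    """Parse one sudoers line; returns a dict of fields or None for non-rules."""
    line = line.split("#", 1)[0].strip()          # drop comments
    if not line or line.startswith("Defaults"):
        return None
    m = RULE_RE.match(line)
    return m.groupdict() if m else None


def _writable(st, uid, gids):
    """Who (owner/group/world) can write a path with stat result st, given
    the sudo user's uid and group ids; None if that user cannot write it."""
    mode = st.st_mode
    if st.st_uid == uid and mode & stat.S_IWUSR:
        return "owner"
    if st.st_gid in gids and mode & stat.S_IWGRP:
        return "group"
    if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:  # sticky dirs like /tmp excluded
        return "world"
    return None


def writable_by(path, uid, gids):
    """Reason string if the sudo user can modify or replace path, else None."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return "command path does not exist"
    who = _writable(st, uid, gids)
    if who:
        return f"{who}-writable by the sudo user"
    parent = os.path.dirname(path) or "/"
    pwho = _writable(os.stat(parent), uid, gids)
    if pwho:
        return f"parent directory {pwho}-writable (file can be replaced)"
    return None


def audit(sudoers_text, identities):
    """Return a Finding for each rule whose command the granted user can modify.

    identities maps a sudoers user name to (uid, set_of_gids), so the check
    does not depend on the host's passwd database.
    """
    findings = []
    for line in sudoers_text.splitlines():
        rule = parse_rule(line)
        if rule is None or rule["user"] not in identities:
            continue
        uid, gids = identities[rule["user"]]
        reason = writable_by(rule["cmd"], uid, gids)
        if reason:
            findings.append(Finding(rule["user"], rule["cmd"], reason))
    return findings


def demo():
    """Constructed fixture: one editable script and one locked-down script."""
    with tempfile.TemporaryDirectory() as tmp:
        locked = os.path.join(tmp, "locked")
        os.mkdir(locked)
        weak = os.path.join(tmp, "backup.sh")        # owner can edit it
        safe = os.path.join(locked, "status.sh")     # read/execute only
        for p in (weak, safe):
            with open(p, "w") as f:
                f.write("#!/bin/sh\necho ok\n")
        os.chmod(weak, 0o755)
        os.chmod(safe, 0o555)
        os.chmod(locked, 0o555)                      # directory not writable either
        sudoers = (
            "# constructed sample sudoers\n"
            "Defaults env_reset\n"
            f"nibbler ALL=(root) NOPASSWD: {weak}\n"
            f"nibbler ALL=(root) NOPASSWD: {safe}\n"
        )
        me = (os.getuid(), set(os.getgroups()) | {os.getgid()})
        try:
            return audit(sudoers, {"nibbler": me})
        finally:
            os.chmod(locked, 0o755)                  # allow cleanup


if __name__ == "__main__":
    for f in demo():
        print(f"{f.user}: {f.cmd} -> {f.reason}")
```

Run on a real host, `audit(open("/etc/sudoers").read(), ...)` with identities built from `pwd`/`grp` would list exactly the rules to fix; the fix is to make the target root-owned and non-writable (and its directory too), since sudo only restricts who may run the command, not who may change what it does.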
