Start by storing the target IP and your own tunnel interface IP in environment variables. You'll type them dozens of times — this eliminates typos.
Run a full TCP port scan with version detection and default scripts. Scanning all 65535 ports instead of just the top 1000 prevents missing services on non-standard ports.
| Flag | Meaning |
|---|---|
| -sC | Run default NSE scripts — grabs banners, checks for common misconfigurations |
| -sV | Version detection — identifies what software is actually running on each port |
| -p- | Scan all 65535 ports, not just the default top 1000 |
| --min-rate 5000 | Send at least 5000 packets/sec — significantly speeds up the scan |
| -oN | Save output to a file — always save nmap results, you'll reference them later |
Visiting http://10.129.5.88 shows a near-empty page with just "Hello world!". Before moving on, always view the page source — developers frequently leave comments, hidden paths, or credentials in HTML that aren't visible on screen.
/nibbleblog/. Navigating there reveals a PHP blog running on Nibbleblog. The developer's comment saying "nothing interesting here" is exactly wrong — it's the entire attack surface.

With a web application identified, map out everything inside it using a directory brute-forcer. Feroxbuster is fast, recursive, and handles extension fuzzing in one pass.
| Flag | Meaning |
|---|---|
| -x xml | Also try .xml extensions — important since Nibbleblog stores all its data in XML files |
| -t 100 | 100 concurrent threads — aggressive but fast on HTB |
| --scan-dir-listings | When a directory listing is exposed, recursively enumerate those paths too |
.htaccess. Here they're open to anyone, leaking config and user data.

Browse to /nibbleblog/content/private/config.xml to confirm the CMS version.
my_image plugin. The plugin accepts a file upload but does not validate the file type — uploading a PHP file gives RCE. The key word is authenticated: we need valid credentials first.

The admin panel at /nibbleblog/admin.php requires a username and password. Before reaching for a wordlist, think about what we know:
· The username on small CMS installs is almost always admin
· The box is named Nibbles — on easier HTB machines, the machine name frequently relates to credentials
· The password nibbles is the obvious first guess
nibbles would never appear in the first pass of rockyou.txt. But it's the obvious guess given the machine name. Weak passwords derived from the application name, company name, or service name are extremely common in real environments — thinking before blasting saves time and avoids rate limits.

admin/boot/rules/4-blacklist.bit blocks IPs that send too many failed login attempts. This is exactly why intelligent guessing is the correct approach here — a blind brute-force would get your IP blacklisted before finding the password.

The my_image plugin in Nibbleblog 4.0.3 presents a file upload form intended for images. It performs no server-side file type validation — you can upload a .php file, and Apache will execute it when you visit the upload URL. This is a file upload to remote code execution vulnerability, one of the most impactful web vulnerability classes.
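To make the root cause concrete, here is an added example (written for this writeup, not Nibbleblog's own code) of an image upload handler that behaves the way the my_image plugin does, next to a hardened version. The file names, the PNG-looking blob and the PHP sample are constructed test data; the hardened handler allow-lists extensions, checks that the content's magic bytes match the declared type, discards the client's file name in favour of a random one, and confines the result to the upload directory.

```python
"""Added example (not Nibbleblog code): an image upload handler written the
way the my_image plugin behaves, beside a hardened version."""
import os
import secrets
import tempfile

# Constructed sample uploads: a minimal PNG-looking blob and a PHP file.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
SAMPLE_PNG = PNG_MAGIC + b"\x00" * 16
SAMPLE_PHP = b"<?php echo 'not an image'; ?>"

# Allow-listed extensions and the magic bytes each one must start with.
ALLOWED = {
    "png": (PNG_MAGIC,),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}


class UploadRejected(ValueError):
    """Raised by the hardened handler when an upload fails validation."""


def save_unvalidated(upload_dir, filename, data):
    """Vulnerable pattern: trust the client-supplied name and write the bytes
    into a directory the web server serves. A file called shell.php lands
    beside the CMS and Apache executes it on the next request."""
    path = os.path.join(upload_dir, os.path.basename(filename))
    with open(path, "wb") as fh:
        fh.write(data)
    return path


def save_validated(upload_dir, filename, data):
    """Hardened handler: allow-list the extension, require the content to
    match it, replace the client name with a random one, and confine the
    result to upload_dir. Serving upload_dir with script execution disabled
    is the remaining deployment step and is outside this function."""
    name = os.path.basename(filename)
    if "." not in name:
        raise UploadRejected("no extension")
    ext = name.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED:
        raise UploadRejected(f"extension .{ext} not allowed")
    if not any(data.startswith(magic) for magic in ALLOWED[ext]):
        raise UploadRejected("content does not match declared type")
    # A server-generated name removes double extensions, path characters and
    # overwrite attempts in one step.
    stored = f"{secrets.token_hex(16)}.{ext}"
    base = os.path.realpath(upload_dir)
    path = os.path.realpath(os.path.join(base, stored))
    if not path.startswith(base + os.sep):
        raise UploadRejected("path escapes upload directory")
    with open(path, "wb") as fh:
        fh.write(data)
    return path


def demo():
    """Run both handlers on the constructed samples and report what happened."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        results["unvalidated_php"] = os.path.basename(
            save_unvalidated(d, "shell.php", SAMPLE_PHP))
        for key, fname, data in (("validated_php", "shell.php", SAMPLE_PHP),
                                 ("validated_mismatch", "image.png", SAMPLE_PHP)):
            try:
                save_validated(d, fname, data)
                results[key] = "accepted"
            except UploadRejected as exc:
                results[key] = f"rejected: {exc}"
        # Double extension with genuine PNG bytes: accepted, but stored under
        # a random name that contains no "php" component.
        stored = os.path.basename(save_validated(d, "photo.php.png", SAMPLE_PNG))
        results["double_ext_stored_as"] = stored
        results["double_ext_renamed"] = stored.endswith(".png") and "php" not in stored
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The magic-byte check is what turns "the name ends in .png" into "the bytes are a PNG"; the random name is what removes the double-extension and overwrite cases without a second rule for each. Disabling script execution in the upload directory at the web-server level is the companion control: the handler above still writes to disk, so the directory it writes to must never be one Apache treats as PHP.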
nibbler. The exploit uploads a PHP web shell to the my_image plugin directory and executes our command server-side. We're running code on the target — this is our foothold.

The exploit gives us a command-execution proxy — each command spawns a fresh HTTP request. We can't cd into a directory and have it persist, we can't run interactive programs, and the shell is fragile. We need a real reverse shell.
A reverse shell is when the target machine connects back to us, giving an interactive terminal. We do it this way because the target is likely behind a firewall blocking inbound connections — but it can make outbound ones freely. We listen; the target calls us.
| Flag | Meaning |
|---|---|
| -l | Listen mode — wait for an incoming connection |
| -v | Verbose — print connection details when something connects |
| -n | No DNS resolution — faster, avoids leaking lookups |
| -p 4444 | Port to listen on |
Breaking down the mkfifo payload — what each part does:
The first thing to run the moment you land on a Linux machine is sudo -l. It lists every command the current user can run as root — and sudo misconfigurations are one of the most common privilege escalation paths both on HTB and in real environments.
monitor.sh as root without a password. The script is intended as a maintenance tool — but the path is inside nibbler's own home directory. We own it. We can write anything into that file.

The critical insight: sudo rules grant permission to run a path, not a fixed script content. If we can write to the file at that path, we control what root executes. The script name and intended purpose are irrelevant — only the path matters.
First, the directory doesn't exist yet. A personal.zip archive in nibbler's home creates it when extracted.
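The path-versus-content point above is exactly what an auditor should check for. The following is an added example (not from this writeup or any tool it uses) that parses sudoers-style rules and reports every command path that the granted user owns, or can create because the nearest existing ancestor directory is theirs. The sudoers lines and the ownership model are constructed sample data; the monitor.sh path under /home/nibbler/personal is an assumed location chosen for illustration, and the "directory does not exist yet" case from the box is handled by walking up to the nearest existing component.

```python
"""Added example: audit sudo rules for command paths the granted user controls.
File-system state is a constructed in-memory ownership model, not a real host."""
import posixpath
import re

# Constructed sudoers excerpt (sample data). The monitor.sh path is an assumed
# location for illustration, not copied from the box.
SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
nibbler ALL=(root) NOPASSWD: /home/nibbler/personal/monitor.sh
nibbler ALL=(root) NOPASSWD: /usr/bin/apt-get update
"""

# Constructed ownership model: path -> owning user. Paths missing from the
# dict do not exist, so /home/nibbler/personal has not been created yet.
SAMPLE_FS = {
    "/": "root",
    "/home": "root",
    "/home/nibbler": "nibbler",
    "/usr": "root",
    "/usr/bin": "root",
    "/usr/bin/apt-get": "root",
}

# user  host=(runas)  optional TAG: list  command[, command...]
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+\S+=\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)


def parse_sudoers(text):
    """Return one dict per command in each user specification line."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = m.group("tags")
        for spec in m.group("cmds").split(","):
            spec = spec.strip()
            if spec == "ALL":
                continue  # unrestricted rule; not a path question
            rules.append({
                "user": m.group("user"),
                "runas": m.group("runas"),
                "path": spec.split()[0],  # drop any fixed arguments
                "nopasswd": "NOPASSWD" in tags,
            })
    return rules


def controlling_component(path, user, fs):
    """Walk from the command path upward and return the first existing
    component owned by user, or None. A missing file whose nearest existing
    ancestor belongs to the user counts: the user can simply create it, and an
    owned ancestor directory lets the user replace anything beneath it."""
    p = posixpath.normpath(path)
    while True:
        if fs.get(p) == user:
            return p
        parent = posixpath.dirname(p)
        if parent == p:
            return None
        p = parent


def find_writable_sudo_targets(sudoers_text, fs):
    """Rules whose command path the granted user controls: these let the user
    run arbitrary content with the rule's privileges."""
    findings = []
    for rule in parse_sudoers(sudoers_text):
        comp = controlling_component(rule["path"], rule["user"], fs)
        if comp is not None:
            findings.append({**rule, "controlled_via": comp,
                             "exists": rule["path"] in fs})
    return findings


if __name__ == "__main__":
    for f in find_writable_sudo_targets(SAMPLE_SUDOERS, SAMPLE_FS):
        state = "present" if f["exists"] else "missing, creatable"
        print(f"{f['user']} -> ({f['runas']}) {f['path']}: "
              f"controlled via {f['controlled_via']} [{state}]")
```

On a real host the ownership model would come from stat() on each component; the walk is the same. The apt-get rule is not reported because every component from the binary up to / is root-owned, while the monitor.sh rule is reported even though the file is absent, which is the situation the box presents before the archive is extracted.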
Breaking down the bash TCP redirect payload:
/dev/tcp works: Linux implements /dev/tcp/HOST/PORT as a pseudo-device in bash. Opening it creates a real TCP socket — no netcat required on the target. This makes it a reliable fallback when nc, python, or other tools are unavailable.

Ctrl+U before assuming a page has nothing to offer. Developers leave breadcrumbs all the time.
nibbles would never appear early in rockyou.txt. But it's the obvious guess given the machine name. Think before you blast, especially when there's a rate limiter.
searchsploit and Google effectively.
sudo -l is your first privesc check on Linux: run it the moment you land on a machine. Sudo misconfigurations are one of the most common privilege escalation paths both on HTB and in real environments.