nmap -sV --open -oA nibbles_initial_scan nibbles.htb
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
The Apache version has many known issues, but let's follow the Academy path.
The page source mentions a directory: http://10.129.233.28/nibbleblog/
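Added example (not part of these notes): the `-oA` flag above writes a `.gnmap` file beside the normal output. The script below parses that grepable format and compares what is exposed against an expected-exposure baseline, which is how a defender turns the same scan into a finding. The sample `.gnmap` text is constructed to match the two ports reported above, and the `BASELINE` inventory entry is hypothetical.

```python
"""Parse nmap's grepable (.gnmap) output and diff it against an exposure baseline.

Added example; the sample scan text and BASELINE are constructed, not real data."""
import re
from dataclasses import dataclass

# Constructed sample of nibbles_initial_scan.gnmap (sections are tab-separated).
SAMPLE_GNMAP = (
    "# Nmap 7.94 scan initiated as: nmap -sV --open -oA nibbles_initial_scan nibbles.htb\n"
    "Host: 10.129.42.190 (nibbles.htb)\tStatus: Up\n"
    "Host: 10.129.42.190 (nibbles.htb)\tPorts: "
    "22/open/tcp//ssh//OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)/, "
    "80/open/tcp//http//Apache httpd 2.4.18 ((Ubuntu))/"
    "\tIgnored State: closed (998)\n"
    "# Nmap done -- 1 IP address (1 host up) scanned in 12.34 seconds\n"
)


@dataclass(frozen=True)
class Service:
    host: str
    port: int
    proto: str
    state: str
    name: str
    version: str


def parse_gnmap(text: str) -> list:
    """Each 'Ports:' line lists entries shaped
    port/state/proto/owner/service/rpcinfo/version/ separated by ', '."""
    services = []
    for line in text.splitlines():
        if not line.startswith("Host:") or "\tPorts:" not in line:
            continue  # comments and the 'Status: Up' line carry no ports
        host = line.split()[1]
        ports_field = line.split("\tPorts: ", 1)[1].split("\t", 1)[0]
        # Split only where a new 'port/' entry begins, so a ', ' inside a
        # version banner does not break the entry apart.
        for entry in re.split(r", (?=\d+/)", ports_field):
            fields = entry.split("/", 6)  # maxsplit keeps '/' inside the version
            if len(fields) != 7:
                continue  # malformed entry: skip rather than guess
            port, state, proto, _owner, name, _rpc, version = fields
            services.append(Service(host, int(port), proto, state, name, version.rstrip("/")))
    return services


def unexpected_exposure(services, baseline):
    """Return (service, reason) pairs for ports missing from the baseline or
    whose banner no longer contains the version the inventory recorded."""
    findings = []
    for s in services:
        expected = baseline.get(s.host, {})
        if s.port not in expected:
            findings.append((s, "port not in baseline"))
        elif expected[s.port] not in s.version:
            findings.append((s, f"version drift: inventory says {expected[s.port]!r}"))
    return findings


# Hypothetical inventory entry: this host is approved to expose SSH only.
BASELINE = {"10.129.42.190": {22: "OpenSSH 7.2p2"}}

if __name__ == "__main__":
    for svc, why in unexpected_exposure(parse_gnmap(SAMPLE_GNMAP), BASELINE):
        print(f"{svc.host}:{svc.port}/{svc.proto} {svc.name} ({svc.version}) -> {why}")
```

Against the constructed sample the only finding is port 80, since the baseline does not list a web service on that host; swapping in an inventory that records a different OpenSSH version instead produces a version-drift finding for port 22.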
Directory enum:
obliteration@htb[/htb]$ gobuster dir -u http://10.129.42.190/nibbleblog/ --wordlist /usr/share/seclists/Discovery/Web-Content/common.txt
/.hta (Status: 403)
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/admin (Status: 301)
/admin.php (Status: 200)
/content (Status: 301)
/index.php (Status: 200)
/languages (Status: 301)
/plugins (Status: 301)
/README (Status: 200)
/themes (Status: 301)
/README disclosed the version number, which confirms that the PHP RCE module in Metasploit applies.
http://nibbles.htb/nibbleblog/themes/ also returns 200 and shows a directory listing.
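Added example (not part of these notes): the enumeration above leaves a very recognisable trace in the web server's access log, one client requesting many wordlist paths within seconds with most answers 403/404. The script below parses Apache combined-format log lines and raises an alert on that pattern, keyed on behaviour rather than the User-Agent string, which any client can change. The log lines are constructed; the paths mirror the gobuster results above plus a couple of made-up misses, and the client IPs are documentation addresses.

```python
"""Flag forced browsing (directory brute force) in Apache combined access logs.

Added example; the log lines below are constructed, not captured from the box."""
import re
from collections import defaultdict
from datetime import datetime

# Apache 'combined' format: host ident user [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: one scanner client and one ordinary visitor.
SAMPLE_LOG = """\
10.10.14.5 - - [10/Mar/2024:12:00:01 +0000] "GET /nibbleblog/.hta HTTP/1.1" 403 277 "-" "gobuster/3.6"
10.10.14.5 - - [10/Mar/2024:12:00:01 +0000] "GET /nibbleblog/.htaccess HTTP/1.1" 403 277 "-" "gobuster/3.6"
10.10.14.5 - - [10/Mar/2024:12:00:01 +0000] "GET /nibbleblog/.htpasswd HTTP/1.1" 403 277 "-" "gobuster/3.6"
10.10.14.5 - - [10/Mar/2024:12:00:02 +0000] "GET /nibbleblog/admin HTTP/1.1" 301 312 "-" "gobuster/3.6"
10.10.14.5 - - [10/Mar/2024:12:00:02 +0000] "GET /nibbleblog/backup HTTP/1.1" 404 275 "-" "gobuster/3.6"
10.10.14.5 - - [10/Mar/2024:12:00:02 +0000] "GET /nibbleblog/README HTTP/1.1" 200 4628 "-" "gobuster/3.6"
10.10.14.5 - - [10/Mar/2024:12:00:03 +0000] "GET /nibbleblog/test HTTP/1.1" 404 275 "-" "gobuster/3.6"
10.10.14.5 - - [10/Mar/2024:12:00:03 +0000] "GET /nibbleblog/themes HTTP/1.1" 301 313 "-" "gobuster/3.6"
192.0.2.10 - - [10/Mar/2024:12:00:02 +0000] "GET /nibbleblog/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Mar/2024:12:00:05 +0000] "GET /nibbleblog/themes/ HTTP/1.1" 200 1910 "-" "Mozilla/5.0"
"""


def parse_log(text):
    """Return (ip, timestamp, path, status) tuples; unparseable lines are dropped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        events.append((m["ip"], datetime.strptime(m["time"], TIME_FMT), m["path"], int(m["status"])))
    return events


def detect_forced_browsing(events, window_s=10, min_paths=5, min_error_ratio=0.5):
    """Per client, slide a time window over its requests and alert when a window
    holds at least `min_paths` distinct paths and mostly 4xx answers.
    The alert keeps the widest window seen for that client."""
    by_ip = defaultdict(list)
    for ip, ts, path, status in events:
        by_ip[ip].append((ts, path, status))
    alerts = {}
    for ip, reqs in by_ip.items():
        reqs.sort()  # logs are usually ordered, but do not rely on it
        start = 0
        for end in range(len(reqs)):
            while (reqs[end][0] - reqs[start][0]).total_seconds() > window_s:
                start += 1
            window = reqs[start:end + 1]
            paths = {p for _, p, _ in window}
            errors = sum(1 for _, _, s in window if 400 <= s < 500)
            if len(paths) >= min_paths and errors / len(window) >= min_error_ratio:
                if ip not in alerts or len(paths) > alerts[ip]["distinct_paths"]:
                    alerts[ip] = {"distinct_paths": len(paths), "errors": errors, "requests": len(window)}
    return alerts


if __name__ == "__main__":
    for ip, info in detect_forced_browsing(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT {ip}: {info['distinct_paths']} distinct paths, "
              f"{info['errors']}/{info['requests']} requests answered 4xx")
```

The thresholds are deliberately loose for the ten-line sample; on a real server tune `window_s`, `min_paths` and `min_error_ratio` against normal traffic first, and note that a scanner throttled below the window size will need a longer window or a per-client daily tally to catch.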
Up to this point, we have the following pieces of the puzzle:
- nibbleblog/admin.php
- admin is a valid username