Nibbles

@elio said:
Anyone willing to help me? I’m stuck at the very last step. You can PM me, no spoilers please

EDIT: So when executing a certain command in the xxx.sh file it says that it’s not able to resolve the hostname. I’m pretty sure I understand how to use xxx.sh but that command makes my terminal hang and gives me that weird error. Hints?

I had the same issue with the shell, but I managed to complete the challenge. I just had to wait a bit in order to run the code.

P.S. If you are sure that what you are doing is the right thing but it does not work, take a good break and re-check it. It worked in my case.

@onlyamedic said:

@ashishjv1 said:
Got Root ! Now what ?

Onto the next box :slight_smile:

Indeed ! :slight_smile:

If anyone can lend a hint for root, that would be great. PM me.

@bukkits said:

@shane2483 said:
So I can not spawn a TTY shell and keep getting errors when I run sudo command.
I have tried every Spawning method on several sites.

When I try to spawn a TTY:

can’t access TTY job control turned off

When I run sudo (I assume because I don’t have a TTY):

: unable to resolve host Nibbles: Connection timed out
: no tty present and no askpass program specified

I’m at the very end. Going on my third day and just can’t get this .sh file to play nicely.

I’m stuck on this exact step too

Make it three. I’ve exhausted much of my knowledge and research, and I see the file that everyone is talking about, but I can’t seem to do anything with it.

If someone can send a PM for help, it would be appreciated.

@TheCanisLupus said:
The fact that there is no single post about Nibbles makes me feel even more stupid but whatever … I need help
I kind of know what the vulnerability is but can’t find login details for the blog.
Can anyone point me in the right direction please?
thanks

I am a newb and I am stuck. Someone assist me please.

Finally got Root

So I have got to the point of logging thanks to some tips Blackarrow gave me. Now I am stuck: I have the username but no password. I guess I’ll keep trying it.

Eh, I am really stuck. I tried this box several times now. I crawled the website, directories, found out the xml with the username, but I am not able to guess the password. Whatever I tried, I failed. My combos of usr/pwd do not work at all.
Could you please hint me for creds for login page?

@karelchajim said:
Eh, I am really stuck. I tried this box several times now. I crawled the website, directories, found out the xml with the username, but I am not able to guess the password. Whatever I tried, I failed. My combos of usr/pwd do not work at all.
Could you please hint me for creds for login page?

nevermind. got it. ■■■

@karelchajim said:
@karelchajim said:
Eh, I am really stuck. I tried this box several times now. I crawled the website, directories, found out the xml with the username, but I am not able to guess the password. Whatever I tried, I failed. My combos of usr/pwd do not work at all.
Could you please hint me for creds for login page?

nevermind. got it. ■■■

Hey bro, can you PM a hint on the password? I am stuck the same as you at this point.

Someone help, is it because this server is retired or I am not able to export exploit, some getting this error, help

Exploit completed, but no session was created.
msf exploit(multi/http/nibbleblog_file_upload) > exploit

[*] Started reverse -----------======
[!] This exploit may require manual cleanup of ‘image.php’ on the target
[*] Exploit completed, but no session was created.
getting

Rooted, thank you. Learned a lot trying to root this machine.

rooted

I am also stuck with the same issue. Any solution for this?

@it4chi said:
I keep getting ‘This exploit may require manual cleanup of ‘image.php’ on the target’ when I try the nibbleblog exploit. Already tried resetting it, did not help.
Any idea what else I can do?

Alright, so I got user easily, but I’m having trouble with root. I feel like I’m literally at the last step. I keep running ******.sh as sudo, but get a ‘command not found’ error every time. What am I missing?

EDIT – Nevermind. R00ted. :wink:

Hey laylow, how did you solve this issue?

@laylow said:

Someone help, is it because this server is retired or I am not able to export exploit, some getting this error, help

Exploit completed, but no session was created.
msf exploit(multi/http/nibbleblog_file_upload) > exploit

[*] Started reverse -----------======
[!] This exploit may require manual cleanup of ‘image.php’ on the target
[*] Exploit completed, but no session was created.
getting

It seems only to be a problem for a few of us running the exploit…
Hope you can help

I rooted this today after having the ‘exploit completed, but no session was created’ problem. I fixed it by typing the following into msfconsole (after selecting the exploit):

set lhost tun0

Simple fix, hopefully works for anyone else who has that problem.


I’ve gone through everyone’s comments who have the problem
Started reverse -----------======
[!] This exploit may require manual cleanup of ‘image.php’ on the target
Exploit completed, but no session was created.

I’ve tried resetting the machine and my VPN connection. I’ve had no luck. I’ve read through the documentation. Idk what I’m doing wrong.

Here are my settings on Metasploit too:

PASSWORD nibbles yes The password to authenticate with
Proxies no A proxy chain of format type:host:port[,type:host:port][…]
RHOSTS 10.10.10.75 yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI /nibbleblog/ yes The base path to the web application
USERNAME admin yes The username to authenticate with
VHOST no HTTP server virtual host

I’ve done this box last weekend as well. If you use some Google Fu you can find a manual exploitation manual. It is well written on that website. Remember that on your Kali probably the well known pentest monkey is available to use while you are exploiting it manually.

Fixed my error message, thanks!