NIbbles

No matter which shell I try, I keep getting “This exploit may require manual cleanup of ‘image.php’ on the target”. Am I missing something here?

i found what i need to find to get root.txt… clearly should be able to use it to elevate. however, when trying to utilize what i found with the proper permissions, i’m seeing this:

“: unable to resolve host Nibbles: Connection timed out
: no tty present and no askpass program specified”

any ideas here? nothing i’ve been able to do, reading up on ttys, has been able to get this to work.

I tried the solution multiple times and then spent time in a rabbit hole. When I went back to the original solution is worked.

@dvnv said:
i found what i need to find to get root.txt… clearly should be able to use it to elevate. however, when trying to utilize what i found with the proper permissions, i’m seeing this:

“: unable to resolve host Nibbles: Connection timed out
: no tty present and no askpass program specified”

any ideas here? nothing i’ve been able to do, reading up on ttys, has been able to get this to work.

Same here…WTF?

@dvnv @jc1396 Same here. I’m sure we’re all trying the same types of things, and probably very close to getting it.

Oh well, i dont know if were close enough to get that root hash. the others says that it is the same with bashed machine :slight_smile:

hint about default user and pass ?

@paytaktr said:
hint about default user and pass ?

ok. i found :slight_smile:

Hi,
I have successfully logged in, but I can’t seen to get shell on the machine, can anyone throw a hint or at least direction what to look for? it should be done by lfi? thanks.

Need help with the SQLi

@dvnv same here

How can I find the default user and password? I stuck here for a week :anguished:

For those that saw “unable to resolve host Nibbles: Connection timed out” when running a command, you can ignore it. The command still runs but thows the warning because the hostname is Nibbles, and the hosts file is missing that entry.

Hi,
Im new here and its great - something new for me. I hve question about pwd - I was lucky and found username/password combination. It’s there some other way to find that combination or just guessing? I want an answer only with yes/no. Thanks.

@blackangel said:
Hi,
Im new here and its great - something new for me. I hve question about pwd - I was lucky and found username/password combination. It’s there some other way to find that combination or just guessing? I want an answer only with yes/no. Thanks.

Not to my knowledge, but this kind of login combo is a recurring theme on this site :slight_smile:

Great, thank you.

Hi all, i got the user, but can’t have the root. can someone help me pls ?

Hey for those that have been struggling with the login credentials.

If you run the tool cewl to generate the password list from http:///nibbleblog/, then cleanup the data (remove things that are obviously not going to be the passwords). Take the remaining data and convert string to upper and lower case. You should be able to find the password. The login credentials can easily be found by enumerating sub directories using your favorite tools for finding content (burp spider worked for me) and searching the files for clues.

Note, it looks like people are changing the password periodically, so if the password doesn’t hit. Maybe a reset on the box is needed if you don’t find it during your first pass.

I hope this helps anyone that is still struggling with this box.

Regards,
DJ

pm me if u want help, but for anyone looking for root, upload and run linenum.sh as usual, maybe it turns up somin fishy?. Also, make use of the what u got :slight_smile:

Having issues still, got the user.txt. I tried to enumerate and look at cronjobs and permissions for running commands. Am I on the right track looking for commands I can run? I already got a shell out of the box but cant get root or admin access. So with an unprivileged account is looking at file directories in detail a good approach?