Nibbles

I have found the username but not the password. I have read all the source code but found nothing. Can anyone give me a hint on how to find it?

You can’t find the password. You have to guess it, but it is pretty obvious. Check the pages, it has been mentioned several times.

@darthgucci said:

@4an7o said:

@darthgucci said:

@J3rryBl4nks said:
I am on the box with what I believe to be a TTY shell. I keep getting errors trying to interact with the local file I SHOULD be able to sudo without a password. Any nudges?

In order to sudo you have to take advantage of the permissions given to the file. I would google for exploiting sudo via file permissions and read up on it. That’s how I was able to get it

This is really on the border of spoiler.

There I reported it as a spoiler myself.

I think it is good to keep it there.
I am new to HTB/pentest hence I am easily overthinking the method. It is a good comment to inspire me to review my process and learn how to get it done.

I will also say that it helps to really understand what you see in the enumeration. I looked at it multiple times and knew what I had to do but could not see the clear solution until stepping back and rethinking basic stuff. The trick for me was not to overthink it. Also, simple syntax errors cost me a couple of extra hours.

@w4r10ck2 said:
For whatever reason I can’t get root. I know I have to use the xxxx.sh file but every time I try to use it, it says that I need a tty shell. Well, I tried that but this doesn’t work for me either. When I try to get a better shell it either says “no job control running” or doesn’t do anything at all. Can somebody help me via PM?
If this is a spoiler I will delete it of course.

In order to interact and get root you need a TTY shell. Pretty simple to accomplish once you understand how to get out of a jailed cell. Google is your friend. If you’re using Metasploit, understanding how to use it to establish TTY will help greatly.

Hello there,

I begin HTB with this machine.

I have been looking for the default credential for almost a day. Used CeWL and tried all the password listed, tried all the basic passwords a lazy admin can use and still nothing.
I’ll be honest and admit I feel very very bad about not guessing this password. As it is not the most interesting part of this challenge, can someone hit me in private to assure me I have the right username (found on a file, so I guess yes), and the passwords I tried are not these one?

Thanks in advance fellows.

Found it. Thanks dear player who helped me via message.

Anyone able to DM a hint for the tty issue? Tried most standard ways to break. Shell is through meterpreter with known exploit for the web service and I know what I need to run (at least I think so).

Lol, a Linux admin with over 8 years in the industry here trying to get into infosec. Embarrassing that I can’t figure out a default password. Can somebody help?

@npsoni Use CeWL. Don’t think default, think bad practice.

I’m really struggling with getting root… It’s a bit discouraging :anguished: I’ve been reading up on multiple articles involving methods to “abuse” the file in question but I just can’t seem to do it. Could someone perhaps shoot me a PM and help me out a little bit?

If somebody needs some help without expecting spoilers, feel free to DM me.

I’m a muppet. Got root.

Logged in. Enumerated directories, but can’t find user.txt. Any hint?

@GhostCat said:

Logged in. Enumerated directories, but can’t find user.txt. Any hint?

What can you find?

@c60cb859 said:

@GhostCat said:

Logged in. Enumerated directories, but can’t find user.txt. Any hint?

What can you find?

All the directories keep changing, but most recently I was able to find image.php.

@GhostCat said:

Logged in. Enumerated directories, but can’t find user.txt. Any hint?

Did you get a shell?

@xdaem00n said:

@GhostCat said:

Logged in. Enumerated directories, but can’t find user.txt. Any hint?

Did you get a shell?

image.php looked like a shell but cannot execute any Linux commands. Apart from that, I found monitor.sh.

Hello! I think I have a problem. When I thought I was logged in to the application, the web throws: “Nibbleblog security error - User not logged”. I’ve tried to change the params but nothing happens. Could somebody help me?

Spent half a day and so so frustrated with the admin panel. I saw the earlier messages and tried everything that I could think of! No matter what I try it won’t take it :anguished: Can someone please DM…I am just tired now!