Nibbles

Hint: Make sure to get a pty on any shells. Let me know if you have questions.

I swear sometimes the freaking easiest ones are the trickiest because you overlook the obvious… good box.

My quick Guide is the following:

  1. get user access <<===========================
    step 1: try web access
    step 2: look behind the… DOM :wink:
    step 3: Get the hint u find from step 2.
    step 4: Go to this… hint :wink:
    step 5: check known vulns on this & metasploit is a great help here (search for this very Xploit)… u will end up with a clue of what u need to find… more hints: well, a username : password !
    step 6: Well, the username is so… common (u can also find it inside some… paths… ). The pass needs a little guessing. Hint: It is in front of your eyes if you start reading the challenge from the… very beginning. :wink:
    step 7: Found them?.. Congratz! Now use them in msf on the corresponding Xploit… just to get meterpreter, shell, etc…
    step 8: get the flag of user.txt n go for # baby!
  2. g0t r00t? <<===========================
    What you need here is just to run one simple command that is very common when u perform enumerations… and yeS yoU shoulD knOw it! one more parameter is needed on it :wink:
    Then… follow your heart or make some lemonade (as a friend above suggested) .
    Hint: just put in this file what u need to know…

@darthgucci said:
nope, try using different payloads in metasploit. One works every time, the others are flaky. You just have to try them all

I’m stuck. I keep getting a 404 and no shell.

I tried all of these payloads:

generic/custom normal Custom Payload
generic/shell_bind_tcp normal Generic Command Shell, Bind TCP Inline
generic/shell_reverse_tcp normal Generic Command Shell, Reverse TCP Inline
php/bind_perl normal PHP Command Shell, Bind TCP (via Perl)
php/bind_perl_ipv6 normal PHP Command Shell, Bind TCP (via perl) IPv6
php/bind_php normal PHP Command Shell, Bind TCP (via PHP)
php/bind_php_ipv6 normal PHP Command Shell, Bind TCP (via php) IPv6
php/download_exec normal PHP Executable Download and Execute
php/exec normal PHP Execute Command
php/meterpreter/bind_tcp normal PHP Meterpreter, Bind TCP Stager
php/meterpreter/bind_tcp_ipv6 normal PHP Meterpreter, Bind TCP Stager IPv6
php/meterpreter/bind_tcp_ipv6_uuid normal PHP Meterpreter, Bind TCP Stager IPv6 with UUID Support
php/meterpreter/bind_tcp_uuid normal PHP Meterpreter, Bind TCP Stager with UUID Support
php/meterpreter/reverse_tcp normal PHP Meterpreter, PHP Reverse TCP Stager
php/meterpreter/reverse_tcp_uuid normal PHP Meterpreter, PHP Reverse TCP Stager
php/meterpreter_reverse_tcp normal PHP Meterpreter, Reverse TCP Inline
php/reverse_perl normal PHP Command, Double Reverse TCP Connection (via Perl)
php/reverse_php normal PHP Command Shell, Reverse TCP (via PHP)

What am I doing wrong? Is the right one in there and I’m just blowing it?

I am also having difficulty with the default creds. Can anyone DM me with some help on this?

Spoiler Removed - Arrexel

@reubadoob said:
yep, the right one in there. keep finding :slight_smile:

I know there’s a username somewhere but I’m too lazy to try and find it

I’m still having problems getting the root flag. I’ve tried numerous commands, but I’m probably doing something wrong. It either times out or some other reason.

Do you know the username when you see it? I think I tried everything I found in the directories

are cronjobs relevant for priv esc in this machine?

@takuma said:

@reubadoob said:
yep, the right one in there. keep finding :slight_smile:

Thanks @takuma Got the exploit and payload together now just getting the following error:

[!] This exploit may require manual cleanup of ‘image.php’ on the target

Tried a reset. No change. Not getting a shell.

@reubadoob said:

@takuma said:

@reubadoob said:
yep, the right one in there. keep finding :slight_smile:

Thanks @takuma Got the exploit and payload together now just getting the following error:

[!] This exploit may require manual cleanup of ‘image.php’ on the target

Tried a reset. No change. Not getting a shell.

If you’re using metasploit, check your payload. :slight_smile:

@reubadoob said:

@takuma said:

@reubadoob said:
yep, the right one in there. keep finding :slight_smile:

Thanks @takuma Got the exploit and payload together now just getting the following error:

[!] This exploit may require manual cleanup of ‘image.php’ on the target

Tried a reset. No change. Not getting a shell.

Do some research. It is indicating to you something really important that is not settled :smiley:

@Vex20k said:
I’m still having problems getting the root flag. I’ve tried numerous commands, but I’m probably doing something wrong. It either times out or some other reason.

Like many have suggested, enumeration of the box is really really handy in this case. There is a magic sentence somewhere in there :D

Hello all, I have been able to decode the password but still can login. # I am 100% sure of the password. Any tips?

Hi Guys,

Can you give me hints to login to this machine?

I’m trying to get the root, I ran the bash script but I’m having the following error:
/bin/bash monitor.sh -i nibbler
TERM environment variable not set.
su: must be run from a terminal
Installation failed

@delusionmoon said:
are cronjobs relevant for priv esc in this machine?

well… personally I r00ted w/o them…

Need some help with Priv Esc. Have located the file that does not need passwd for root, have gone through articles on sudo abuse. Every time I run the script I get prompted for a password. Have gone through all the comments and still not able to figure out the execution method. Could someone nudge me a bit further? Happy to PM if anyone’s around
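
Added example, not part of any post in this thread: a defender-side audit for the class of sudo misconfiguration the thread keeps circling, a passwordless sudo rule whose target a non-root user could replace. The sudoers text, user names, paths and the `root`/`trusted_uids` parameters are constructed assumptions; the parser handles only simple one-line rules.

```python
import os
import re
import stat

# Constructed sudoers text (hypothetical users and paths, not taken from the thread).
SAMPLE_SUDOERS = """\
Defaults env_reset
appuser ALL=(root) NOPASSWD: /home/appuser/tools/health.sh
backup  ALL=(root) NOPASSWD: /usr/bin/rsync, PASSWD: /opt/backup/run.sh
admin   ALL=(ALL:ALL) ALL
"""

RULE = re.compile(r"^(\S+)\s+\S+\s*=\s*(.*)$")   # user  host = spec list
RUNAS = re.compile(r"^\([^)]*\)\s*")             # (root), (ALL:ALL)
TAG = re.compile(r"^([A-Z_]+):\s*")              # NOPASSWD:, PASSWD:, ...

def nopasswd_commands(text):
    """Return (user, command_path) for every command granted with NOPASSWD."""
    found = []
    for line in text.splitlines():
        line = line.strip()
        m = RULE.match(line)
        if not m or line.startswith(("#", "Defaults")):
            continue
        nopasswd = False
        for cmd in m.group(2).split(","):
            cmd = RUNAS.sub("", cmd.strip())
            while (t := TAG.match(cmd)):          # a tag persists along the list
                if t.group(1) in ("NOPASSWD", "PASSWD"):
                    nopasswd = t.group(1) == "NOPASSWD"
                cmd = cmd[t.end():]
            if nopasswd and cmd.startswith("/"):
                found.append((m.group(1), cmd.split()[0]))
    return found

def tamper_risks(path, root="/", trusted_uids=(0,)):
    """List reasons an untrusted user could replace `path`, resolved under `root`."""
    base = os.path.realpath(root)
    cur = os.path.join(base, path.lstrip("/"))
    risks = []
    while True:                                   # the file, then each parent dir
        try:
            st = os.lstat(cur)
            if st.st_uid not in trusted_uids:
                risks.append(f"{cur}: owner uid {st.st_uid} is not trusted")
            sticky_dir = stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_ISVTX
            if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH) and not sticky_dir:
                risks.append(f"{cur}: group- or world-writable")
        except FileNotFoundError:
            risks.append(f"{cur}: missing, so whoever creates it controls it")
        if cur == base or cur == os.path.dirname(cur):
            return risks
        cur = os.path.dirname(cur)
```

Run `tamper_risks` on each path returned by `nopasswd_commands`; any non-empty result means the rule effectively hands root to whoever controls that path.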