Getting Started - Nibbles Initial Foothold (unable to upload payload)

Hello,

So I’m stuck at the process of uploading the payload.php file through the admin dashboard plugin my_image which after adding the payload and clicking save changes, makes the browser stall on browser is processing animation.

The url = http://10.129.88.102/nibbleblog/admin.php?controller=plugins&action=config&plugin=my_image

Any suggestions on what’s going on?
Thanks.

Edit: It seems that the issue is somehow related to my VM and its connection to HTB, even though everything except the run exploit works.

I did get the user flag from pwnbox. However, the exploit seems to drop each time I run it through the different methods (msfconsole, dashboard upload), including different payloads.

Here’s the tcpdump -i tun0 that I took when I ran the msfconsole exploit.


20:12:55.946390 IP 10.10.14.125.40575 > 10.129.72.225.http: Flags [S], seq 2364633919, win 64240, options [mss 1460,sackOK,TS val 1310685146 ecr 0,nop,wscale 7], length 0
20:12:55.965654 IP 10.129.72.225.http > 10.10.14.125.40575: Flags [S.], seq 1887213279, ack 2364633920, win 28960, options [mss 1337,sackOK,TS val 4294932633 ecr 1310685146,nop,wscale 7], length 0
20:12:55.965684 IP 10.10.14.125.40575 > 10.129.72.225.http: Flags [.], ack 1, win 502, options [nop,nop,TS val 1310685166 ecr 4294932633], length 0
20:12:55.965944 IP 10.10.14.125.40575 > 10.129.72.225.http: Flags [P.], seq 1:188, ack 1, win 502, options [nop,nop,TS val 1310685166 ecr 4294932633], length 187: HTTP: GET /nibbleblog/admin.php HTTP/1.1
20:12:55.983317 IP 10.129.72.225.http > 10.10.14.125.40575: Flags [.], ack 188, win 235, options [nop,nop,TS val 4294932638 ecr 1310685166], length 0
20:12:55.994227 IP 10.129.72.225.http > 10.10.14.125.40575: Flags [P.], seq 1326:1770, ack 188, win 235, options [nop,nop,TS val 4294932640 ecr 1310685166], length 444: HTTP
20:12:55.994243 IP 10.10.14.125.40575 > 10.129.72.225.http: Flags [.], ack 1, win 502, options [nop,nop,TS val 1310685194 ecr 4294932638,nop,nop,sack 1 {1326:1770}], length 0
20:12:55.995263 IP 10.129.72.225.http > 10.10.14.125.40575: Flags [.], seq 1:1326, ack 188, win 235, options [nop,nop,TS val 4294932640 ecr 1310685166], length 1325: HTTP: HTTP/1.1 200 OK
20:12:55.995275 IP 10.10.14.125.40575 > 10.129.72.225.http: Flags [.], ack 1770, win 498, options [nop,nop,TS val 1310685195 ecr 4294932640], length 0
20:12:55.996057 IP 10.10.14.125.40575 > 10.129.72.225.http: Flags [F.], seq 188, ack 1770, win 501, options [nop,nop,TS val 1310685196 ecr 4294932640], length 0
20:12:55.997595 IP 10.10.14.125.40819 > 10.129.72.225.http: Flags [S], seq 1201068923, win 64240, options [mss 1460,sackOK,TS val 1310685198 ecr 0,nop,wscale 7], length 0
20:12:56.012279 IP 10.129.72.225.http > 10.10.14.125.40575: Flags [F.], seq 1770, ack 189, win 235, options [nop,nop,TS val 4294932645 ecr 1310685196], length 0
20:12:56.012291 IP 10.10.14.125.40575 > 10.129.72.225.http: Flags [.], ack 1771, win 501, options [nop,nop,TS val 1310685212 ecr 4294932645], length 0
20:12:56.014360 IP 10.129.72.225.http > 10.10.14.125.40819: Flags [S.], seq 2103006393, ack 1201068924, win 28960, options [mss 1337,sackOK,TS val 4294932645 ecr 1310685198,nop,wscale 7], length 0
20:12:56.014384 IP 10.10.14.125.40819 > 10.129.72.225.http: Flags [.], ack 1, win 502, options [nop,nop,TS val 1310685214 ecr 4294932645], length 0
20:12:56.014728 IP 10.10.14.125.40819 > 10.129.72.225.http: Flags [P.], seq 1:336, ack 1, win 502, options [nop,nop,TS val 1310685215 ecr 4294932645], length 335: HTTP: POST /nibbleblog/admin.php HTTP/1.1
20:12:56.031419 IP 10.129.72.225.http > 10.10.14.125.40819: Flags [.], ack 336, win 235, options [nop,nop,TS val 4294932650 ecr 1310685215], length 0
20:12:56.039520 IP 10.129.72.225.http > 10.10.14.125.40819: Flags [P.], seq 1:354, ack 336, win 235, options [nop,nop,TS val 4294932652 ecr 1310685215], length 353: HTTP: HTTP/1.1 302 Found
20:12:56.039540 IP 10.10.14.125.40819 > 10.129.72.225.http: Flags [.], ack 354, win 501, options [nop,nop,TS val 1310685239 ecr 4294932652], length 0
20:12:56.040640 IP 10.10.14.125.40819 > 10.129.72.225.http: Flags [F.], seq 336, ack 354, win 501, options [nop,nop,TS val 1310685241 ecr 4294932652], length 0
20:12:56.044706 IP 10.10.14.125.38855 > 10.129.72.225.http: Flags [S], seq 1596262306, win 64240, options [mss 1460,sackOK,TS val 1310685245 ecr 0,nop,wscale 7], length 0
20:12:56.058244 IP 10.129.72.225.http > 10.10.14.125.40819: Flags [F.], seq 354, ack 337, win 235, options [nop,nop,TS val 4294932656 ecr 1310685241], length 0
20:12:56.058302 IP 10.10.14.125.40819 > 10.129.72.225.http: Flags [.], ack 355, win 501, options [nop,nop,TS val 1310685258 ecr 4294932656], length 0
20:12:56.063411 IP 10.129.72.225.http > 10.10.14.125.38855: Flags [S.], seq 367224688, ack 1596262307, win 28960, options [mss 1337,sackOK,TS val 4294932657 ecr 1310685245,nop,wscale 7], length 0
20:12:56.063543 IP 10.10.14.125.38855 > 10.129.72.225.http: Flags [.], ack 1, win 502, options [nop,nop,TS val 1310685263 ecr 4294932657], length 0
20:12:56.064707 IP 10.10.14.125.38855 > 10.129.72.225.http: Flags [P.], seq 1:270, ack 1, win 502, options [nop,nop,TS val 1310685265 ecr 4294932657], length 269: HTTP: GET /nibbleblog/admin.php?controller=settings&action=general HTTP/1.1
20:12:56.083139 IP 10.129.72.225.http > 10.10.14.125.38855: Flags [.], ack 270, win 235, options [nop,nop,TS val 4294932662 ecr 1310685265], length 0
20:12:56.090064 IP 10.129.72.225.http > 10.10.14.125.38855: Flags [P.], seq 7951:8550, ack 270, win 235, options [nop,nop,TS val 4294932664 ecr 1310685265], length 599: HTTP
20:12:56.090128 IP 10.10.14.125.38855 > 10.129.72.225.http: Flags [.], ack 1, win 502, options [nop,nop,TS val 1310685290 ecr 4294932662,nop,nop,sack 1 {7951:8550}], length 0
20:12:56.090453 IP 10.129.72.225.http > 10.10.14.125.38855: Flags [P.], seq 8550:9066, ack 270, win 235, options [nop,nop,TS val 4294932664 ecr 1310685265], length 516: HTTP
20:12:56.090484 IP 10.10.14.125.38855 > 10.129.72.225.http: Flags [.], ack 1, win 502, options [nop,nop,TS val 1310685290 ecr 4294932662,nop,nop,sack 1 {7951:9066}], length 0
20:12:56.090724 IP 10.129.72.225.http > 10.10.14.125.38855: Flags [.], seq 1:1326, ack 270, win 235, options [nop,nop,TS val 4294932664 ecr 1310685265], length 1325: HTTP: HTTP/1.1 200 OK
20:12:56.090764 IP 10.10.14.125.38855 > 10.129.72.225.http: Flags [.], ack 1326, win 494, options [nop,nop,TS val 1310685291 ecr 4294932664,nop,nop,sack 1 {7951:9066}], length 0
20:12:56.091029 IP 10.129.72.225.http > 10.10.14.125.38855: Flags [.], seq 1326:2651, ack 270, win 235, options [nop,nop,TS val 4294932664 ecr 1310685265], length 1325: HTTP
20:12:56.091071 IP 10.10.14.125.38855 > 10.129.72.225.http: Flags [.], ack 2651, win 485, options [nop,nop,TS val 1310685291 ecr 4294932664,nop,nop,sack 1 {7951:9066}], length 0
20:12:56.091438 IP 10.129.72.225.http > 10.10.14.125.38855: Flags [.], seq 2651:3976, ack 270, win 235, options [nop,nop,TS val 4294932664 ecr 1310685265], length 1325: HTTP
20:12:56.091550 IP 10.10.14.125.38855 > 10.129.72.225.http: Flags [.], ack 3976, win 485, options [nop,nop,TS val 1310685291 ecr 4294932664,nop,nop,sack 1 {7951:9066}], length 0
20:12:56.091705 IP 10.129.72.225.http > 10.10.14.125.38855: Flags [.], seq 3976:5301, ack 270, win 235, options [nop,nop,TS val 4294932664 ecr 1310685265], length 1325: HTTP
20:12:56.091729 IP 10.10.14.125.38855 > 10.129.72.225.http: Flags [.], ack 5301, win 485, options [nop,nop,TS val 1310685292 ecr 4294932664,nop,nop,sack 1 {7951:9066}], length 0
20:12:56.092087 IP 10.129.72.225.http > 10.10.14.125.38855: Flags [.], seq 5301:6626, ack 270, win 235, options [nop,nop,TS val 4294932664 ecr 1310685265], length 1325: HTTP
20:12:56.092116 IP 10.10.14.125.38855 > 10.129.72.225.http: Flags [.], ack 6626, win 476, options [nop,nop,TS val 1310685292 ecr 4294932664,nop,nop,sack 1 {7951:9066}], length 0
20:12:56.092394 IP 10.129.72.225.http > 10.10.14.125.38855: Flags [.], seq 6626:7951, ack 270, win 235, options [nop,nop,TS val 4294932664 ecr 1310685265], length 1325: HTTP
20:12:56.092424 IP 10.10.14.125.38855 > 10.129.72.225.http: Flags [.], ack 9066, win 467, options [nop,nop,TS val 1310685292 ecr 4294932664], length 0
20:12:56.094357 IP 10.10.14.125.38855 > 10.129.72.225.http: Flags [F.], seq 270, ack 9066, win 501, options [nop,nop,TS val 1310685294 ecr 4294932664], length 0
20:12:56.102169 IP 10.10.14.125.43297 > 10.129.72.225.http: Flags [S], seq 3068682831, win 64240, options [mss 1460,sackOK,TS val 1310685302 ecr 0,nop,wscale 7], length 0
20:12:56.112534 IP 10.129.72.225.http > 10.10.14.125.38855: Flags [.], seq 1:1326, ack 270, win 235, options [nop,nop,TS val 4294932669 ecr 1310685290], length 1325: HTTP: HTTP/1.1 200 OK
20:12:56.112560 IP 10.10.14.125.38855 > 10.129.72.225.http: Flags [.], ack 9066, win 501, options [nop,nop,TS val 1310685313 ecr 4294932664,nop,nop,sack 1 {1:1326}], length 0
20:12:56.112718 IP 10.129.72.225.http > 10.10.14.125.38855: Flags [.], seq 1326:2651, ack 270, win 235, options [nop,nop,TS val 4294932669 ecr 1310685290], length 1325: HTTP
20:12:56.112734 IP 10.10.14.125.38855 > 10.129.72.225.http: Flags [.], ack 9066, win 501, options [nop,nop,TS val 1310685313 ecr 4294932664,nop,nop,sack 1 {1326:2651}], length 0
20:12:56.112856 IP 10.129.72.225.http > 10.10.14.125.38855: Flags [F.], seq 9066, ack 271, win 235, options [nop,nop,TS val 4294932670 ecr 1310685294], length 0
20:12:56.112880 IP 10.10.14.125.38855 > 10.129.72.225.http: Flags [.], ack 9067, win 501, options [nop,nop,TS val 1310685313 ecr 4294932670], length 0
20:12:56.119883 IP 10.129.72.225.http > 10.10.14.125.43297: Flags [S.], seq 1855269323, ack 3068682832, win 28960, options [mss 1337,sackOK,TS val 4294932672 ecr 1310685302,nop,wscale 7], length 0
20:12:56.119946 IP 10.10.14.125.43297 > 10.129.72.225.http: Flags [.], ack 1, win 502, options [nop,nop,TS val 1310685320 ecr 4294932672], length 0
20:12:56.120464 IP 10.10.14.125.43297 > 10.129.72.225.http: Flags [P.], seq 1:188, ack 1, win 502, options [nop,nop,TS val 1310685320 ecr 4294932672], length 187: HTTP: GET /nibbleblog/admin.php HTTP/1.1
20:12:56.137860 IP 10.129.72.225.http > 10.10.14.125.43297: Flags [.], ack 188, win 235, options [nop,nop,TS val 4294932676 ecr 1310685320], length 0
20:12:56.143445 IP 10.129.72.225.http > 10.10.14.125.43297: Flags [P.], seq 1326:1770, ack 188, win 235, options [nop,nop,TS val 4294932677 ecr 1310685320], length 444: HTTP
20:12:56.143474 IP 10.10.14.125.43297 > 10.129.72.225.http: Flags [.], ack 1, win 502, options [nop,nop,TS val 1310685343 ecr 4294932676,nop,nop,sack 1 {1326:1770}], length 0
20:12:56.145193 IP 10.129.72.225.http > 10.10.14.125.43297: Flags [.], seq 1:1326, ack 188, win 235, options [nop,nop,TS val 4294932677 ecr 1310685320], length 1325: HTTP: HTTP/1.1 200 OK
20:12:56.145237 IP 10.10.14.125.43297 > 10.129.72.225.http: Flags [.], ack 1770, win 498, options [nop,nop,TS val 1310685345 ecr 4294932677], length 0
20:12:56.146995 IP 10.10.14.125.43297 > 10.129.72.225.http: Flags [F.], seq 188, ack 1770, win 501, options [nop,nop,TS val 1310685347 ecr 4294932677], length 0
20:12:56.152051 IP 10.10.14.125.36703 > 10.129.72.225.http: Flags [S], seq 132981291, win 64240, options [mss 1460,sackOK,TS val 1310685352 ecr 0,nop,wscale 7], length 0
20:12:56.164461 IP 10.129.72.225.http > 10.10.14.125.43297: Flags [F.], seq 1770, ack 189, win 235, options [nop,nop,TS val 4294932683 ecr 1310685347], length 0
20:12:56.164503 IP 10.10.14.125.43297 > 10.129.72.225.http: Flags [.], ack 1771, win 501, options [nop,nop,TS val 1310685364 ecr 4294932683], length 0
20:12:56.169911 IP 10.129.72.225.http > 10.10.14.125.36703: Flags [S.], seq 3372747835, ack 132981292, win 28960, options [mss 1337,sackOK,TS val 4294932684 ecr 1310685352,nop,wscale 7], length 0
20:12:56.169970 IP 10.10.14.125.36703 > 10.129.72.225.http: Flags [.], ack 1, win 502, options [nop,nop,TS val 1310685370 ecr 4294932684], length 0
20:12:56.170662 IP 10.10.14.125.36703 > 10.129.72.225.http: Flags [P.], seq 1:336, ack 1, win 502, options [nop,nop,TS val 1310685371 ecr 4294932684], length 335: HTTP: POST /nibbleblog/admin.php HTTP/1.1
20:12:56.187347 IP 10.129.72.225.http > 10.10.14.125.36703: Flags [.], ack 336, win 235, options [nop,nop,TS val 4294932689 ecr 1310685371], length 0
20:12:56.193410 IP 10.129.72.225.http > 10.10.14.125.36703: Flags [P.], seq 1:354, ack 336, win 235, options [nop,nop,TS val 4294932690 ecr 1310685371], length 353: HTTP: HTTP/1.1 302 Found
20:12:56.193436 IP 10.10.14.125.36703 > 10.129.72.225.http: Flags [.], ack 354, win 501, options [nop,nop,TS val 1310685393 ecr 4294932690], length 0
20:12:56.194712 IP 10.10.14.125.36703 > 10.129.72.225.http: Flags [F.], seq 336, ack 354, win 501, options [nop,nop,TS val 1310685395 ecr 4294932690], length 0
20:12:56.199285 IP 10.10.14.125.36487 > 10.129.72.225.http: Flags [S], seq 690246373, win 64240, options [mss 1460,sackOK,TS val 1310685399 ecr 0,nop,wscale 7], length 0
20:12:56.211752 IP 10.129.72.225.http > 10.10.14.125.36703: Flags [F.], seq 354, ack 337, win 235, options [nop,nop,TS val 4294932695 ecr 1310685395], length 0
20:12:56.211804 IP 10.10.14.125.36703 > 10.129.72.225.http: Flags [.], ack 355, win 501, options [nop,nop,TS val 1310685412 ecr 4294932695], length 0
20:12:56.216590 IP 10.129.72.225.http > 10.10.14.125.36487: Flags [S.], seq 2442547526, ack 690246374, win 28960, options [mss 1337,sackOK,TS val 4294932696 ecr 1310685399,nop,wscale 7], length 0
20:12:56.216655 IP 10.10.14.125.36487 > 10.129.72.225.http: Flags [.], ack 1, win 502, options [nop,nop,TS val 1310685417 ecr 4294932696], length 0
20:12:56.217548 IP 10.10.14.125.36487 > 10.129.72.225.http: Flags [.], seq 1:1326, ack 1, win 502, options [nop,nop,TS val 1310685417 ecr 4294932696], length 1325: HTTP: POST /nibbleblog/admin.php?controller=plugins&action=config&plugin=my_image HTTP/1.1
20:12:56.217580 IP 10.10.14.125.36487 > 10.129.72.225.http: Flags [P.], seq 1326:2651, ack 1, win 502, options [nop,nop,TS val 1310685417 ecr 4294932696], length 1325: HTTP
20:12:56.217596 IP 10.10.14.125.36487 > 10.129.72.225.http: Flags [P.], seq 2651:2706, ack 1, win 502, options [nop,nop,TS val 1310685417 ecr 4294932696], length 55: HTTP
20:12:56.235892 IP 10.129.72.225.http > 10.10.14.125.36487: Flags [.], ack 1, win 235, options [nop,nop,TS val 4294932701 ecr 1310685417,nop,nop,sack 1 {2651:2706}], length 0
20:12:56.256708 IP 10.10.14.125.36487 > 10.129.72.225.http: Flags [.], seq 1:1326, ack 1, win 502, options [nop,nop,TS val 1310685457 ecr 4294932701], length 1325: HTTP: POST /nibbleblog/admin.php?controller=plugins&action=config&plugin=my_image HTTP/1.1
20:12:56.489484 IP 10.10.14.125.36487 > 10.129.72.225.http: Flags [.], seq 1:1326, ack 1, win 502, options [nop,nop,TS val 1310685689 ecr 4294932701], length 1325: HTTP: POST /nibbleblog/admin.php?controller=plugins&action=config&plugin=my_image HTTP/1.1
20:12:56.941991 IP 10.10.14.125.36487 > 10.129.72.225.http: Flags [.], seq 1:1326, ack 1, win 502, options [nop,nop,TS val 1310686142 ecr 4294932701], length 1325: HTTP: POST /nibbleblog/admin.php?controller=plugins&action=config&plugin=my_image HTTP/1.1
20:12:57.849526 IP 10.10.14.125.36487 > 10.129.72.225.http: Flags [.], seq 1:1326, ack 1, win 502, options [nop,nop,TS val 1310687049 ecr 4294932701], length 1325: HTTP: POST /nibbleblog/admin.php?controller=plugins&action=config&plugin=my_image HTTP/1.1
20:12:59.795193 IP 10.10.14.125.36487 > 10.129.72.225.http: Flags [.], seq 1:1326, ack 1, win 502, options [nop,nop,TS val 1310688995 ecr 4294932701], length 1325: HTTP: POST /nibbleblog/admin.php?controller=plugins&action=config&plugin=my_image HTTP/1.1
20:13:03.422120 IP 10.10.14.125.36487 > 10.129.72.225.http: Flags [.], seq 1:1326, ack 1, win 502, options [nop,nop,TS val 1310692622 ecr 4294932701], length 1325: HTTP: POST /nibbleblog/admin.php?controller=plugins&action=config&plugin=my_image HTTP/1.1
20:13:10.678628 IP 10.10.14.125.36487 > 10.129.72.225.http: Flags [.], seq 1:1326, ack 1, win 502, options [nop,nop,TS val 1310699879 ecr 4294932701], length 1325: HTTP: POST /nibbleblog/admin.php?controller=plugins&action=config&plugin=my_image HTTP/1.1
20:13:16.233037 IP 10.10.14.125.36487 > 10.129.72.225.http: Flags [F.], seq 2706, ack 1, win 502, options [nop,nop,TS val 1310705433 ecr 4294932701], length 0
20:13:16.250036 IP 10.10.14.125.38439 > 10.129.72.225.http: Flags [S], seq 3292326861, win 64240, options [mss 1460,sackOK,TS val 1310705450 ecr 0,nop,wscale 7], length 0
20:13:16.252864 IP 10.129.72.225.http > 10.10.14.125.36487: Flags [.], ack 1, win 235, options [nop,nop,TS val 4294937705 ecr 1310685417,nop,nop,sack 1 {2651:2707}], length 0
20:13:16.252909 IP 10.10.14.125.36487 > 10.129.72.225.http: Flags [.], seq 1:1326, ack 1, win 502, options [nop,nop,TS val 1310705453 ecr 4294937705], length 1325: HTTP: POST /nibbleblog/admin.php?controller=plugins&action=config&plugin=my_image HTTP/1.1
20:13:16.267535 IP 10.129.72.225.http > 10.10.14.125.38439: Flags [S.], seq 1116247752, ack 3292326862, win 28960, options [mss 1337,sackOK,TS val 4294937709 ecr 1310705450,nop,wscale 7], length 0
20:13:16.267697 IP 10.10.14.125.38439 > 10.129.72.225.http: Flags [.], ack 1, win 502, options [nop,nop,TS val 1310705468 ecr 4294937709], length 0
20:13:16.268991 IP 10.10.14.125.38439 > 10.129.72.225.http: Flags [P.], seq 1:221, ack 1, win 502, options [nop,nop,TS val 1310705469 ecr 4294937709], length 220: HTTP: GET /nibbleblog/content/private/plugins/my_image/image.php HTTP/1.1
20:13:16.286787 IP 10.129.72.225.http > 10.10.14.125.38439: Flags [.], ack 221, win 235, options [nop,nop,TS val 4294937713 ecr 1310705469], length 0
20:13:16.287557 IP 10.129.72.225.http > 10.10.14.125.38439: Flags [P.], seq 1:492, ack 221, win 235, options [nop,nop,TS val 4294937714 ecr 1310705469], length 491: HTTP: HTTP/1.1 404 Not Found
20:13:16.287581 IP 10.10.14.125.38439 > 10.129.72.225.http: Flags [.], ack 492, win 501, options [nop,nop,TS val 1310705488 ecr 4294937714], length 0
20:13:16.290518 IP 10.10.14.125.38439 > 10.129.72.225.http: Flags [F.], seq 221, ack 492, win 501, options [nop,nop,TS val 1310705490 ecr 4294937714], length 0
20:13:16.307739 IP 10.129.72.225.http > 10.10.14.125.38439: Flags [F.], seq 492, ack 222, win 235, options [nop,nop,TS val 4294937719 ecr 1310705490], length 0
20:13:16.307765 IP 10.10.14.125.38439 > 10.129.72.225.http: Flags [.], ack 493, win 501, options [nop,nop,TS val 1310705508 ecr 4294937719], length 0
20:13:16.488584 IP 10.10.14.125.36487 > 10.129.72.225.http: Flags [.], seq 1:1326, ack 1, win 502, options [nop,nop,TS val 1310705688 ecr 4294937705], length 1325: HTTP: POST /nibbleblog/admin.php?controller=plugins&action=config&plugin=my_image HTTP/1.1
20:13:16.862112 IP 10.10.14.125.32971 > 10.129.72.225.http: Flags [.], seq 3264421302:3264422627, ack 3769365669, win 502, options [nop,nop,TS val 1310706062 ecr 4294923158], length 1325: HTTP: POST /nibbleblog/admin.php?controller=plugins&action=config&plugin=my_image HTTP/1.1
20:13:16.943146 IP 10.10.14.125.36487 > 10.129.72.225.http: Flags [.], seq 1:1326, ack 1, win 502, options [nop,nop,TS val 1310706143 ecr 4294937705], length 1325: HTTP: POST /nibbleblog/admin.php?controller=plugins&action=config&plugin=my_image HTTP/1.1
20:13:17.851930 IP 10.10.14.125.36487 > 10.129.72.225.http: Flags [.], seq 1:1326, ack 1, win 502, options [nop,nop,TS val 1310707052 ecr 4294937705], length 1325: HTTP: POST /nibbleblog/admin.php?controller=plugins&action=config&plugin=my_image HTTP/1.1
20:13:19.638479 IP 10.10.14.125.36487 > 10.129.72.225.http: Flags [.], seq 1:1326, ack 1, win 502, options [nop,nop,TS val 1310708838 ecr 4294937705], length 1325: HTTP: POST /nibbleblog/admin.php?controller=plugins&action=config&plugin=my_image HTTP/1.1
20:13:23.262324 IP 10.10.14.125.36487 > 10.129.72.225.http: Flags [.], seq 1:1326, ack 1, win 502, options [nop,nop,TS val 1310712462 ecr 4294937705], length 1325: HTTP: POST /nibbleblog/admin.php?controller=plugins&action=config&plugin=my_image HTTP/1.1
20:13:30.516717 IP 10.10.14.125.36487 > 10.129.72.225.http: Flags [.], seq 1:1326, ack 1, win 502, options [nop,nop,TS val 1310719717 ecr 4294937705], length 1325: HTTP: POST /nibbleblog/admin.php?controller=plugins&action=config&plugin=my_image HTTP/1.1
20:13:45.878935 IP 10.10.14.125.36487 > 10.129.72.225.http: Flags [.], seq 1:1326, ack 1, win 502, options [nop,nop,TS val 1310735078 ecr 4294937705], length 1325: HTTP: POST /nibbleblog/admin.php?controller=plugins&action=config&plugin=my_image HTTP/1.1
20:14:14.888871 IP 10.10.14.125.36487 > 10.129.72.225.http: Flags [.], seq 1:1326, ack 1, win 502, options [nop,nop,TS val 1310764088 ecr 4294937705], length 1325: HTTP: POST /nibbleblog/admin.php?controller=plugins&action=config&plugin=my_image HTTP/1.1
20:14:18.303436 IP6 fe80::5cf5:487d:d7df:b7a7 > ip6-allrouters: ICMP6, router solicitation, length 8
20:14:38.477187 IP 10.10.14.125.33847 > 10.129.72.225.33434: UDP, length 32
20:14:38.477353 IP 10.10.14.125.46312 > 10.129.72.225.33435: UDP, length 32
20:14:38.477518 IP 10.10.14.125.51602 > 10.129.72.225.33436: UDP, length 32
20:14:38.477759 IP 10.10.14.125.56917 > 10.129.72.225.33437: UDP, length 32
20:14:38.477985 IP 10.10.14.125.38425 > 10.129.72.225.33438: UDP, length 32
20:14:38.478223 IP 10.10.14.125.52661 > 10.129.72.225.33439: UDP, length 32
20:14:38.478525 IP 10.10.14.125.40157 > 10.129.72.225.33440: UDP, length 32
20:14:38.478769 IP 10.10.14.125.37906 > 10.129.72.225.33441: UDP, length 32
20:14:38.479032 IP 10.10.14.125.33073 > 10.129.72.225.33442: UDP, length 32
20:14:38.479248 IP 10.10.14.125.54970 > 10.129.72.225.33443: UDP, length 32
20:14:38.479412 IP 10.10.14.125.44198 > 10.129.72.225.33444: UDP, length 32
20:14:38.479589 IP 10.10.14.125.36413 > 10.129.72.225.33445: UDP, length 32
20:14:38.479785 IP 10.10.14.125.47264 > 10.129.72.225.33446: UDP, length 32
20:14:38.480028 IP 10.10.14.125.55351 > 10.129.72.225.33447: UDP, length 32
20:14:38.480234 IP 10.10.14.125.39343 > 10.129.72.225.33448: UDP, length 32
20:14:38.480393 IP 10.10.14.125.57986 > 10.129.72.225.33449: UDP, length 32
20:14:38.495033 IP 10.10.14.1 > 10.10.14.125: ICMP time exceeded in-transit, length 68
20:14:38.495237 IP 10.10.14.1 > 10.10.14.125: ICMP time exceeded in-transit, length 68
20:14:38.495366 IP 10.10.14.1 > 10.10.14.125: ICMP time exceeded in-transit, length 68
20:14:38.495439 IP 10.129.72.225 > 10.10.14.125: ICMP 10.129.72.225 udp port 33437 unreachable, length 68
20:14:38.495514 IP 10.129.72.225 > 10.10.14.125: ICMP 10.129.72.225 udp port 33438 unreachable, length 68
20:14:38.495618 IP 10.129.72.225 > 10.10.14.125: ICMP 10.129.72.225 udp port 33439 unreachable, length 68
20:14:38.495680 IP 10.129.72.225 > 10.10.14.125: ICMP 10.129.72.225 udp port 33440 unreachable, length 68
20:14:38.495880 IP 10.129.72.225 > 10.10.14.125: ICMP 10.129.72.225 udp port 33441 unreachable, length 68
20:14:38.496093 IP 10.129.72.225 > 10.10.14.125: ICMP 10.129.72.225 udp port 33442 unreachable, length 68
20:14:38.503594 IP 10.10.14.125.33561 > 10.129.72.225.33450: UDP, length 32

Msfconsole settings:

 Name            ||Current Setting ||  Required || Description
------------------------------------------------------------------------------------------------------------------------------------------------
  PASSWORD       || *******        ||   yes     ||  The password to authenticate with
  Proxies        ||                ||   no      ||  A proxy chain of format type:host:port[,type:host:port][...]
  RHOSTS         || 10.129.77.109  ||   yes     ||  The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
  RPORT          || 80             ||   yes     ||  The target port (TCP)
  SSL            || false          ||   no      ||  Negotiate SSL/TLS for outgoing connections
  TARGETURI      || /**********/   ||   yes     ||  The base path to the web application
  USERNAME       || *****          ||   yes     ||  The username to authenticate with
  LHOST          || tun0           ||   yes     ||  Attackers ip
  LPORT          || 4444           ||   yes     ||  Listening port
  VHOST          ||                ||   no      ||  HTTP server virtual host

USERNAME = admin

PASSWORD = nibbles

TARGETURI = /nibbleblog/

Msfconsole output:

[msf](Jobs:0 Agents:0) exploit(multi/http/nibbleblog_file_upload) >> run
[*] Started reverse TCP handler on 10.10.14.125:4444
[!] This exploit may require manual cleanup of 'image.php' on the target
[*] Exploit completed, but no session was created.
[msf](Jobs:0 Agents:0) exploit(multi/http/nibbleblog_file_upload)
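
Added example, not part of the original thread: a small parser for tcpdump text output that flags the pattern visible in the capture above, where the first 1325-byte segment of the my_image POST is resent with growing delays while the peer only SACKs the later 55-byte segment. The sample lines, the documentation addresses and the `find_stalled_segments` name are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed capture in tcpdump's text format (documentation addresses, not
# the hosts from the thread). Port 40000 stalls; port 40001 recovers.
SAMPLE = """\
10:00:00.000000 IP 192.0.2.10.40000 > 198.51.100.20.http: Flags [S], seq 1000, win 64240, options [mss 1460,sackOK], length 0
10:00:00.020000 IP 198.51.100.20.http > 192.0.2.10.40000: Flags [S.], seq 5000, ack 1001, win 28960, options [mss 1337,sackOK], length 0
10:00:00.020100 IP 192.0.2.10.40000 > 198.51.100.20.http: Flags [.], ack 1, win 502, length 0
10:00:00.021000 IP 192.0.2.10.40000 > 198.51.100.20.http: Flags [.], seq 1:1326, ack 1, win 502, length 1325: HTTP: POST /upload HTTP/1.1
10:00:00.021100 IP 192.0.2.10.40000 > 198.51.100.20.http: Flags [P.], seq 1326:1381, ack 1, win 502, length 55: HTTP
10:00:00.040000 IP 198.51.100.20.http > 192.0.2.10.40000: Flags [.], ack 1, win 235, options [nop,nop,sack 1 {1326:1381}], length 0
10:00:00.060000 IP 192.0.2.10.40000 > 198.51.100.20.http: Flags [.], seq 1:1326, ack 1, win 502, length 1325: HTTP: POST /upload HTTP/1.1
10:00:00.290000 IP 192.0.2.10.40000 > 198.51.100.20.http: Flags [.], seq 1:1326, ack 1, win 502, length 1325: HTTP: POST /upload HTTP/1.1
10:00:00.740000 IP 192.0.2.10.40000 > 198.51.100.20.http: Flags [.], seq 1:1326, ack 1, win 502, length 1325: HTTP: POST /upload HTTP/1.1
10:00:01.000000 IP 192.0.2.10.40001 > 198.51.100.20.http: Flags [.], seq 1:1326, ack 1, win 502, length 1325: HTTP: POST /upload HTTP/1.1
10:00:01.040000 IP 192.0.2.10.40001 > 198.51.100.20.http: Flags [.], seq 1:1326, ack 1, win 502, length 1325: HTTP: POST /upload HTTP/1.1
10:00:01.270000 IP 192.0.2.10.40001 > 198.51.100.20.http: Flags [.], seq 1:1326, ack 1, win 502, length 1325: HTTP: POST /upload HTTP/1.1
10:00:01.290000 IP 198.51.100.20.http > 192.0.2.10.40001: Flags [.], ack 1326, win 235, length 0
""".splitlines()

LINE = re.compile(r"^\S+ IP (\S+) > (\S+): Flags \[([^\]]*)\](.*)$")
SEQ_RANGE = re.compile(r"\bseq (\d+):(\d+)")
ACK = re.compile(r"\back (\d+)")          # \b keeps "sack 1" from matching
SACK_BLOCK = re.compile(r"\{(\d+):(\d+)\}")


def find_stalled_segments(lines, min_sends=3):
    """Return data segments sent at least `min_sends` times that the peer
    never cumulatively acknowledged, with any later ranges it did SACK."""
    sends = defaultdict(Counter)   # (src, dst) -> {(start, end): times sent}
    acked = defaultdict(int)       # (src, dst) -> highest ack seen from dst
    sacked = defaultdict(set)      # (src, dst) -> SACK blocks seen from dst
    for line in lines:
        m = LINE.match(line.strip())
        if not m or "S" in m.group(3):
            continue  # not TCP, or a SYN whose seq/ack are absolute numbers
        src, dst, rest = m.group(1), m.group(2), m.group(4)
        header = rest.split(", length ")[0]   # drop the decoded payload text
        seg = SEQ_RANGE.search(header)
        if seg:
            sends[(src, dst)][(int(seg.group(1)), int(seg.group(2)))] += 1
        ack = ACK.search(header)
        if ack:  # this packet acknowledges data flowing dst -> src
            acked[(dst, src)] = max(acked[(dst, src)], int(ack.group(1)))
        for lo, hi in SACK_BLOCK.findall(header):
            sacked[(dst, src)].add((int(lo), int(hi)))

    findings = []
    for flow, segments in sends.items():
        for (start, end), count in sorted(segments.items()):
            if count >= min_sends and acked[flow] < end:
                later = sorted(b for b in sacked[flow] if b[0] >= end)
                findings.append({"flow": flow, "segment": (start, end),
                                 "size": end - start, "sends": count,
                                 "sacked_later": later})
    return findings


if __name__ == "__main__":
    for f in find_stalled_segments(SAMPLE):
        print("{} -> {}: bytes {}..{} ({} B) sent {}x, never acked; "
              "peer SACKed {}".format(*f["flow"], *f["segment"], f["size"],
                                      f["sends"], f["sacked_later"]))
```

A large segment that is never acknowledged while a smaller, later one is SACKed points at full-size packets being lost on the path, so the tunnel's MTU/MSS settings are the first thing to compare between a working and a failing setup.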

Have you found out the issue? I'm having the same problem. I've been stuck on it for an hour. I can't even upload a shell.php file manually to the image upload plugin. I've tried resetting the box and my VPN connection.

Hey yea I did find a fix, but not really sure what the issue was. I changed my HTB Academy OpenVPN to TCP from UDP, and that ended up fixing it. It’s really odd because everything else seems to work just fine, until the shell.php POST.

Lol I found the fix. I uninstalled the image function and reinstalled it. Then uploaded the file filling out both title and description. Just got the machine a few minutes ago. Thanks for responding so quickly.

No worries, I tried that too but for some reason it didn’t work for me.

I had similar problems initially. Have a look and see if there are other files mentioned anywhere in the lesson, and name your payload the same as them.