HTB-Nibbles

TelBo_on published on

Categories: OSCP

Recon

ports

sudo nmap -sT -sC -sV -p22,80 10.129.208.122
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-15 11:29 CST
Nmap scan report for 10.129.208.122
Host is up (0.12s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
|   256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_  256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.34 seconds

Pressing F12 (browser dev tools) reveals a hidden directory: Nibbleblog, an open-source CMS that is no longer maintained. It exposes an admin.php login page. There is no CAPTCHA, so brute forcing is possible.

[13:50:46] 200 -  606B  - /nibbleblog/admin.php                             
[13:50:46] 200 -  521B  - /nibbleblog/admin/                                
[13:50:48] 301 -  338B  - /nibbleblog/admin/js/tinymce  ->  http://10.129.208.122/nibbleblog/admin/js/tinymce/
[13:50:48] 200 -  568B  - /nibbleblog/admin/js/tinymce/
[13:51:03] 301 -  329B  - /nibbleblog/content  ->  http://10.129.208.122/nibbleblog/content/
[13:51:03] 200 -  490B  - /nibbleblog/content/                              
[13:51:03] 200 -  724B  - /nibbleblog/COPYRIGHT.txt                         
[13:51:12] 200 -   92B  - /nibbleblog/install.php                           
[13:51:12] 200 -   92B  - /nibbleblog/install.php?profile=default           
[13:51:13] 301 -  331B  - /nibbleblog/languages  ->  http://10.129.208.122/nibbleblog/languages/
[13:51:14] 200 -   12KB - /nibbleblog/LICENSE.txt                           
[13:51:25] 301 -  329B  - /nibbleblog/plugins  ->  http://10.129.208.122/nibbleblog/plugins/
[13:51:25] 200 -  698B  - /nibbleblog/plugins/                              
[13:51:27] 200 -    5KB - /nibbleblog/README                                
[13:51:36] 301 -  328B  - /nibbleblog/themes  ->  http://10.129.208.122/nibbleblog/themes/
[13:51:36] 200 -  502B  - /nibbleblog/themes/                               
[13:51:37] 200 -  815B  - /nibbleblog/update.php  

The directory scan also reveals that a user named admin exists: http://10.129.208.122/nibbleblog/content/private/users.xml

<users>
<user username="admin">
<id type="integer">0</id>
<session_fail_count type="integer">0</session_fail_count>
<session_date type="integer">1514544131</session_date>
</user>
<blacklist type="string" ip="10.10.10.1">
<date type="integer">1512964659</date>
<fail_count type="integer">1</fail_count>
</blacklist>
<blacklist type="string" ip="10.10.14.53">
</blacklist>
</users>

There is no other information, and this CMS has no historical authorization-bypass CVE, so the password has to be guessed. Weak-password logins were tried first, without success; instead, the blacklist kicked in and locked the IP for a few minutes. Continuing to brute-force makes little sense, since it is most likely still a weak password. After several more attempts: admin:nibbles | (fxxx)

Once logged in, the Settings page shows the version: Nibbleblog 4.0.3 "Coffee" - Developed by Diego Najar. Searching for known vulnerabilities turns up CVE 2015-6967.

User and Root

After obtaining a reverse shell, the current user turns out to be nibbler:

grep home /etc/passwd
syslog:x:104:108::/home/syslog:/bin/false
nibbler:x:1001:1001::/home/nibbler:

The home directory exists and contains user.txt. sudo -l shows:

sudo -l
Matching Defaults entries for nibbler on Nibbles:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User nibbler may run the following commands on Nibbles:
    (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh

After extracting personal.zip, this script file can be executed, and the file is owned by nibbler, so modifying it yields root.
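As an added defensive check (not part of the original writeup): a small Python audit that parses `sudo -l` output and flags root-run targets that the calling user owns, can write, or could create, which is exactly the misconfiguration found on this box. The `sudo -l` text is the output shown above; the filesystem metadata is a constructed stand-in for os.stat().

```python
import re

# Constructed copy of the `sudo -l` output shown above (raw string keeps the secure_path backslashes).
SUDO_L_OUTPUT = r"""Matching Defaults entries for nibbler on Nibbles:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User nibbler may run the following commands on Nibbles:
    (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
"""

# Constructed stand-in for the filesystem: path -> (owner, permission bits).
# On a real host replace this with os.stat() and pwd.getpwuid() lookups.
FAKE_FS = {
    "/home/nibbler/personal/stuff/monitor.sh": ("nibbler", 0o755),
    "/usr/bin/apt-get": ("root", 0o755),
}

# One sudoers rule line as printed by sudo -l: "(runas) TAG: /path args, /other/path"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s+(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")

def parse_sudo_rules(text):
    """Return (runas, nopasswd, command_path) for each rule under 'User ... may run'."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_rules = True
            continue
        m = RULE_RE.match(line) if in_rules else None
        if m is None:
            continue
        nopasswd = "NOPASSWD" in m.group("tags")
        for cmd in m.group("cmds").split(","):
            rules.append((m.group("runas").strip(), nopasswd, cmd.strip().split()[0]))
    return rules

def find_hijackable(text, user, fs=FAKE_FS):
    """Flag root rules whose target the given user owns, can write, or could create."""
    findings = []
    for runas, nopasswd, path in parse_sudo_rules(text):
        if runas != "root":
            continue
        if path not in fs:
            findings.append((path, "target missing: verify the user cannot create it"))
            continue
        owner, mode = fs[path]
        if owner == user or mode & 0o002:
            findings.append((path, f"owned by {owner}, mode {mode:o}, NOPASSWD={nopasswd}"))
    return findings
```

The fix on a real host is to make any sudo target root-owned and non-writable by the invoking user (or to drop the rule), since a NOPASSWD entry pointing into a user's home directory is equivalent to granting that user root.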

Summary

Overall this box is very easy. The main lesson is the approach: for each scenario we need to think clearly about what the next step should be.