0%

HackTheBox-Nibbles

练习,OSCP like

20210410-17:25:15-_rOCoqP_LaN8iG

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
$ curl http://nibbles.htb
<b>Hello world!</b>














<!-- /nibbleblog/ directory. Nothing interesting here! -->

20210410-17:24:15-_1dzKqJ_muPmex

这个版本存在一个上传漏洞。

https://packetstormsecurity.com/files/133425/NibbleBlog-4.0.3-Shell-Upload.html

存在目录遍历漏洞。
20210410-17:25:46-_ZEICUl_uOxEgd

1
2
3
curl http://nibbles.htb/nibbleblog/content/private/users.xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<users><user username="admin"><id type="integer">0</id><session_fail_count type="integer">2</session_fail_count><session_date type="integer">1618047308</session_date></user><blacklist type="string" ip="10.10.10.1"><date type="integer">1512964659</date><fail_count type="integer">1</fail_count></blacklist><blacklist type="string" ip="10.10.16.69"><date type="integer">1618047122</date><fail_count type="integer">2</fail_count></blacklist></users>

弱密码登陆后台成功。

admin:nibbles

20210410-17:39:25-_Sa5qWZ_pgnTwY

  1. 访问http://nibbles.htb/nibbleblog/admin.php?controller=plugins&action=install&plugin=my_image上传phpshell。
  2. 监听。
  3. 接着访问http://nibbles.htb/nibbleblog/content/private/plugins/my_image/image.php

20210410-17:55:51-_EfrKWO_cqf7DK

20210410-17:45:10-_QjCReC_R5Y7Yx

20210410-17:49:45-_fYCN5v_rrBUZw

20210410-17:49:59-_2yiWpD_BAllqU

20210410-17:51:11-_9ZfCI2_sXo1Gt
直接在脚本第一行添加bash。sudo执行。