Practice, OSCP-like

```
$ curl http://nibbles.htb
<b>Hello world!</b>
<!-- /nibbleblog/ directory. Nothing interesting here! -->
```

This version has an upload vulnerability.
https://packetstormsecurity.com/files/133425/NibbleBlog-4.0.3-Shell-Upload.html
There is a directory traversal vulnerability.

```
curl http://nibbles.htb/nibbleblog/content/private/users.xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<users><user username="admin"><id type="integer">0</id><session_fail_count type="integer">2</session_fail_count><session_date type="integer">1618047308</session_date></user><blacklist type="string" ip="10.10.10.1"><date type="integer">1512964659</date><fail_count type="integer">1</fail_count></blacklist><blacklist type="string" ip="10.10.16.69"><date type="integer">1618047122</date><fail_count type="integer">2</fail_count></blacklist></users>
```
Logging in to the admin panel with a weak password succeeded.
admin:nibbles

- Visit http://nibbles.htb/nibbleblog/admin.php?controller=plugins&action=install&plugin=my_image and upload a PHP shell.
- Start a listener.
- Then visit http://nibbles.htb/nibbleblog/content/private/plugins/my_image/image.php
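From the defender's side, the requests in this walkthrough leave a recognizable trail in the web server's access log. The following is an added example, not part of the original write-up: a small detector that flags files served from `content/private/` and PHP executed there after a plugin install request. The log lines, client IPs, the `config.xml` path and the rule names are constructed for illustration, and Apache combined log format is an assumption.

```python
import re

# Constructed sample access log (combined format); IPs, times and config.xml are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Apr/2021:09:30:01 +0000] "GET /nibbleblog/ HTTP/1.1" 200 2987 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Apr/2021:09:31:12 +0000] "GET /nibbleblog/content/private/users.xml HTTP/1.1" 200 370 "-" "curl/7.74.0"
10.0.0.9 - - [10/Apr/2021:09:33:40 +0000] "POST /nibbleblog/admin.php?controller=plugins&action=install&plugin=my_image HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Apr/2021:09:34:02 +0000] "GET /nibbleblog/content/private/plugins/my_image/image.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Apr/2021:09:35:00 +0000] "GET /nibbleblog/content/private/config.xml HTTP/1.1" 403 199 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
PRIVATE = "/nibbleblog/content/private/"
INSTALL_RE = re.compile(r"/nibbleblog/admin\.php\?.*controller=plugins.*action=install")


def find_alerts(log_text):
    """Return a list of (rule, client_ip, path) tuples in log order."""
    alerts = []
    installers = set()  # clients that POSTed to the plugin installer
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, _ts, method, url, status = m.groups()
        path = url.split("?", 1)[0]
        if method == "POST" and INSTALL_RE.search(url):
            installers.add(ip)
        # Only successful (2xx) responses under the private directory matter.
        if not (status.startswith("2") and path.startswith(PRIVATE)):
            continue
        if path.endswith(".php"):
            rule = ("php-exec-after-plugin-upload" if ip in installers
                    else "php-exec-in-private-dir")
        else:
            rule = "private-file-served"
        alerts.append((rule, ip, path))
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print(*alert, sep="\t")
```

Any 2xx response under `content/private/` means the directory is reachable over HTTP; denying it at the web server removes both findings.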





Add bash directly on the first line of the script, then run it with sudo.